{
	"id": "ba259eb4-971e-48b9-addf-ced24f00afd8",
	"created_at": "2026-04-06T00:07:07.800656Z",
	"updated_at": "2026-04-10T03:30:30.876232Z",
	"deleted_at": null,
	"sha1_hash": "7536dff22fdcc49216f41052a3e7457349d86d20",
	"title": "AcidPour | New Embedded Wiper Variant of AcidRain Appears in Ukraine",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 6002636,
	"plain_text": "AcidPour | New Embedded Wiper Variant of AcidRain Appears in\r\nUkraine\r\nBy Juan Andrés Guerrero-Saade \u0026 Tom Hegel\r\nPublished: 2024-03-21 · Archived: 2026-04-05 17:38:59 UTC\r\nExecutive Summary\r\nSentinelLABS has discovered a novel malware variant of AcidRain, a wiper that rendered Eutelsat KA-SAT modems inoperative in Ukraine and caused additional disruptions throughout Europe at the onset of\r\nthe Russian invasion.\r\nThe new malware, which we call AcidPour, expands upon AcidRain’s capabilities and destructive potential\r\nto now include Linux Unsorted Block Image (UBI) and Device Mapper (DM) logic, better targeting RAID\r\narrays and large storage devices.\r\nOur analysis confirms the connection between AcidRain and AcidPour, effectively connecting it to threat\r\nclusters previously publicly attributed to Russian military intelligence. CERT-UA has also attributed this\r\nactivity to a Sandworm subcluster.\r\nSpecific targets of AcidPour have yet to be conclusively verified; however, the discovery coincides with\r\nthe enduring disruption of multiple Ukrainian telecommunication networks, reportedly offline since March\r\n13th.\r\nThe ISP attacks are being publicly claimed by a GRU-operated hacktivist persona via Telegram.\r\nOn March 16th, 2024, we identified a suspicious Linux binary uploaded from Ukraine. Initial analysis showed\r\nsurface similarities with the infamous AcidRain wiper used to disable KA-SAT modems across Europe at the start\r\nof the Russian invasion of Ukraine (commonly identified by the ‘Viasat hack’ misnomer). Since our initial finding,\r\nno similar samples or variants have been detected or publicly reported until now. This new sample is a confirmed\r\nvariant we refer to as ‘AcidPour’, a wiper with similar and expanded capabilities.\r\nThis is a threat to watch. My concern is elevated because this variant is a more powerful AcidRain\r\nvariant, covering more hardware and operating system types. 
https://t.co/h0s6pJGuzv\r\n— Rob Joyce (@NSA_CSDirector) March 19, 2024\r\nOur technical analysis suggests that AcidPour’s expanded capabilities would enable it to better disable embedded\r\ndevices including networking, IoT, large storage (RAIDs), and possibly ICS devices running Linux x86\r\ndistributions.\r\nFollowing our initial reporting on Twitter, CyberScoop reported a claim from the Ukrainian SSCIP attributing our\r\nfindings to UAC-0165, clustered as a subgroup under the outdated ‘Sandworm’ threat actor construct. We reported\r\nour initial findings to partners on Saturday, followed by the public analysis thread on Twitter. Our analysis is\r\nongoing.\r\nhttps://www.sentinelone.com/labs/acidpour-new-embedded-wiper-variant-of-acidrain-appears-in-ukraine/\r\nPage 1 of 12\n\nAcidRain Context\r\nOn February 24th, 2022, a cyber attack rendered Eutelsat KA-SAT modems inoperable in Ukraine. Spillover from\r\nthis attack rendered 5,800 Enercon wind turbines in Germany unable to communicate for remote monitoring or\r\ncontrol and reportedly affected vital services across Europe.\r\nOn March 30th, 2022, we identified a wiper component which we dubbed ‘AcidRain’ as a part of the attack chain\r\nthat caused this disruption by rendering Surfbeam2 modems inoperable in an attempt to disable vital Ukrainian\r\nmilitary communications at the start of the Russian invasion.\r\nDuring our original analysis of AcidRain, we assessed with medium-confidence that there are developmental\r\nsimilarities between AcidRain and a VPNFilter stage 3 destructive plugin named ‘dstr’. In 2018, the FBI and\r\nDepartment of Justice attributed the VPNFilter campaign to the Russian government.\r\nOn May 10th, 2022, the European Union and its Member States issued an official condemnation of this activity,\r\nholding the Russian government responsible. 
Despite an abundance of wipers and cyber operations against\r\nUkrainian targets in the subsequent months and years, we had not seen any further uses of AcidRain or similar\r\ncomponents.\r\nEnter AcidPour\r\nOn March 16th, 2024, we observed a new Linux wiper we are naming ‘AcidPour’. We alerted relevant partners\r\nimmediately to stem the potential for any additional significant regional impact, followed by public dissemination\r\nof technical indicators and early analysis to alert the research community and encourage vigilance and\r\ncontributions.\r\nOur initial finding centered on surface similarities with AcidRain, so we placed a large emphasis on ascertaining\r\nwhether a more conclusive relationship could be established between the two components at a technical level, as\r\nwell as an understanding of its capabilities.\r\nTechnical Analysis\r\nWhere AcidRain is a Linux wiper compiled for MIPS architecture for compatibility with the devices targeted,\r\nAcidPour is compiled for x86 architecture. Despite both targeting Linux systems, the architecture mismatch\r\nsomewhat limits our ability to compare the compiled codebases.\r\nNotably, AcidRain was a hamfisted wiper rather than a specifically tailored solution. It operates by iterating over\r\nall possible devices in hardcoded paths, wiping each, before wiping essential directories. Its lack of specificity\r\nsuggests a lack of familiarity (or time) to adapt to the specifics of the Surfbeam2 targets. 
However, that also means\r\nthat AcidRain can serve as a more generic tool able to disable a wider swath of devices reliant on embedded Linux\r\ndistributions.\r\nMD5 1bde1e4ecc8a85cffef1cd4e5379aa44\r\nSHA1 b5de486086eb2579097c141199d13b0838e7b631\r\nSHA256 6a8824048417abe156a16455b8e29170f8347312894fde2aabe644c4995d7728\r\nSize 17,388 bytes\r\nType ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped\r\nFilename ‘tmphluyl8zn’\r\nFirst Submitted 2024-03-16 14:42:53 UTC, Ukraine\r\nThe AcidPour variant is an ELF binary compiled for x86 (not MIPS), and while it refers to similar devices, the\r\ncodebase has been modified and expanded to include additional capabilities. Our best automated attempts to\r\ncompare across different architectures only yield a low-confidence \u003c 30% similarity.\r\nBinDiff output comparing AcidRain (MIPS) and AcidPour (x86)\r\nWe took that as a base measurement and proceeded to conduct a deep-dive analysis of the new binary with a focus\r\non testing the hypothesis that the two are related variants, as well as detailing any net new capabilities.\r\nNotable similarities include the use of the same reboot mechanism, the exact logic of the recursive directory\r\nwiping, and most importantly the use of the same IOCTL-based wiping mechanism used by both AcidRain and\r\nthe VPNFilter plugin ‘dstr’.\r\nShared Reboot Mechanism\r\nRecursive Directory Processing\r\nWiping Mechanisms\r\nAt the time of discovery, we noted the similarities between AcidRain’s IOCTL-based device-wiping mechanism\r\nand the VPNFilter plugin ‘dstr’, pictured below:\r\nAcidPour relies on the same device wiping mechanism:\r\nAcidPour’s IOCTL-based wiping mechanism\r\nAcidPour’s Net New Functionality\r\nAcidPour expands upon AcidRain’s targeted Linux devices to include Unsorted Block Image (UBI) and Device\r\nMapper (DM) logic.\r\nAcidRain’s supported devices:\r\n/dev/sd* A generic block device\r\n/dev/mtdblock* Flash memory (common in routers and IoT devices)\r\n/dev/block/mtdblock* Another potential way of accessing flash memory\r\n/dev/mtd* The device file for flash memory that supports fileops\r\n/dev/mmcblk* For SD/MMC cards\r\n/dev/block/mmcblk* Another potential way of accessing SD/MMC cards\r\n/dev/loop* Virtual block devices\r\nAcidRain targeted flash chips via MTD for raw access to flash memory in the form of /dev/mtdXX device paths.\r\nThis capability is expanded in AcidPour to include /dev/ubiXX paths. UBI is an interface built on top of MTD to\r\nact as a wear-leveling and volume management system for flash memory. These devices are common in embedded\r\nsystems dependent on flash memory like handhelds, IoT, networking, or in some cases ICS devices.\r\nBlock string array of device paths\r\nAcidPour also adds logic for handling /dev/dm-XX paths to access mapped devices. The device mapper\r\nframework enables logical volume management (LVM), abstracting physical storage into logical volumes for easier\r\nresizing, manipulation, and maintenance.\r\nThese devices act as virtual layers of block devices, enabling features like logical volumes, software RAID, and\r\ndisk encryption. This would put devices like Storage Area Networks (SANs), Network Attached Storage (NASes),\r\nand dedicated RAID arrays in scope for AcidPour’s effects.\r\nAll Local, No Imports\r\nOne of the most interesting aspects of AcidPour is its coding style, reminiscent of the pragmatic CaddyWiper\r\nbroadly utilized against Ukrainian targets alongside notable malware like Industroyer 2.\r\nAcidPour is programmed in C without relying on statically-compiled libraries or imports. Most functionality is\r\nimplemented via direct syscalls, many called through the use of inline assembly and opcodes.\r\nExample of a direct syscall implementation\r\nThis forces some unusual, seemingly archaic approaches to simple operations like storing and modifying format\r\nstrings for device paths as needed in the course of their operations.\r\nSelf-Delete\r\nPerhaps as a response to the discovery of AcidRain, this new version now kicks off with a self-delete function. It\r\nmaps the original file into memory, then overwrites it with a sequence of bytes ranging from 0-255 followed by a\r\npolite ‘Ok’.\r\nAcidPour overwrites itself on disk at the beginning of its execution\r\nAlternate Device Wiping Mechanism\r\nAt the time of our discovery of AcidRain, there was some confusion about the involvement of a wiper in taking\r\ndown the Surfbeam2 modems. As we reverse engineered the malware, we found a second wiping mechanism that\r\ndidn’t rely on IOCTLs. This alternate mechanism filled a buffer with the highest byte value (0xFFFFFFFF) and\r\nproceeded to decrement by 1, overwriting its target with the result. That allowed us to connect AcidRain’s\r\nexpected output with dumps of the affected devices.\r\nViasat incident\r\nI managed to dump the flash of two Surfbeam2 modems: 'attacked1.bin' belongs to a targeted modem\r\nduring the attack, 'fw_fixed.bin' is a clean one.\r\nA destructive attack. pic.twitter.com/0QuTrLFR2A\r\n— reversemode (@reversemode) March 31, 2022\r\nWith this crucial detail in mind, we were curious as to whether AcidPour implements an analogous alternate\r\nwiping mechanism.\r\nDepending on the device type, a different wiping mechanism is engaged, overwriting the device repeatedly with\r\nthe contents of a 256kb buffer. The specifics of this alternate mechanism require further analysis.\r\nAttribution\r\nEarlier this week, CERT-UA confirmed our findings and publicly attributed the activity to UAC-0165, considered\r\na subgroup of the outdated Sandworm APT. UAC-0165 targets are commonly observed in Ukrainian critical\r\ninfrastructure, including telecommunications, energy, and government services.\r\nIn September 2023, Ukraine SSSCIP publicly released a report on their latest findings of Russian-linked threat\r\nactivity. Notably, their section on UAC-0165 points to the continued use of GRU-linked, fake hacktivist personas\r\nas a medium for publicly announcing major intrusions and the leak of stolen data from Ukrainian victims.\r\nOn March 13th, the SolntsepekZ persona publicly claimed the intrusion into Ukrainian telecommunication\r\norganizations, three days prior to our discovery of AcidPour.\r\nIn addition to their Telegram presence, SolntsepekZ makes use of multiple domains under this persona. On\r\nTelegram, visitors are currently linked to solntsepek[.]com, which is associated with the hosting IP\r\n185.61.137.155, of BlazingFast Hosting in Kiev. This hosting IP has previously hosted solntsepek[.]info as\r\nwell as being related to solntsepek[.]org and similar to solntsepek[.]ru.\r\nReview of the current state of these alleged target organizations indicates the impact is still ongoing. Below is an\r\nexample notice currently on display from Triangulum, a group of companies providing telephone and Internet\r\nservices under the Triacom brand, and Misto TV. Industry colleagues with Kentik are also observing this activity\r\nand have shared observations of the impact starting on March 13th as well.\r\nTriacom (Translated)\r\nMisto-TV (Translated)\r\nAt this time, we cannot confirm that AcidPour was used to disrupt these ISPs. The longevity of the disruption\r\nsuggests a more complex attack than a simple DDoS or nuisance disruption. AcidPour, uploaded 3 days after this\r\ndisruption started, would fit the bill for the requisite toolkit. If that’s the case, it could serve as another link\r\nbetween this hacktivist persona and specific GRU operations.\r\nConclusion\r\nThe discovery of AcidPour in the wild serves as a stark reminder that cyber support for this hot conflict continues\r\nto evolve two years after AcidRain. The threat actors involved are adept at orchestrating wide-ranging disruptions\r\nand have demonstrated their unwavering intent to do so by a variety of means.\r\nThe transition from AcidRain to AcidPour, with its expanded capabilities, underscores the strategic intent to inflict\r\nsignificant operational impact. This progression reveals not only a refinement in the technical capabilities of these\r\nthreat actors but also their calculated approach to select targets that maximize follow-on effects, disrupting critical\r\ninfrastructure and communications.\r\nWe continue to monitor these activities and hope the broader research community will continue to support this\r\ntracking with additional telemetry and analysis.\r\nSource: https://www.sentinelone.com/labs/acidpour-new-embedded-wiper-variant-of-acidrain-appears-in-ukraine/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"ETDA"
	],
	"references": [
		"https://www.sentinelone.com/labs/acidpour-new-embedded-wiper-variant-of-acidrain-appears-in-ukraine/"
	],
	"report_names": [
		"acidpour-new-embedded-wiper-variant-of-acidrain-appears-in-ukraine"
	],
	"threat_actors": [
		{
			"id": "2b45a355-6d1d-44d8-8bc3-20c17e30757d",
			"created_at": "2023-12-21T02:00:06.092349Z",
			"updated_at": "2026-04-10T02:00:03.501337Z",
			"deleted_at": null,
			"main_name": "Solntsepek",
			"aliases": [],
			"source_name": "MISPGALAXY:Solntsepek",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-10T02:00:04.883793Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434027,
	"ts_updated_at": 1775791830,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7536dff22fdcc49216f41052a3e7457349d86d20.pdf",
		"text": "https://archive.orkl.eu/7536dff22fdcc49216f41052a3e7457349d86d20.txt",
		"img": "https://archive.orkl.eu/7536dff22fdcc49216f41052a3e7457349d86d20.jpg"
	}
}