{
	"id": "bcdebba5-2490-460d-af05-a4b418e64edc",
	"created_at": "2026-04-06T00:09:38.282516Z",
	"updated_at": "2026-04-10T03:24:29.241358Z",
	"deleted_at": null,
	"sha1_hash": "88dba01ff3b61132e9331478fcdb9186de006ca5",
	"title": "Threat Advisory: DoubleZero",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 215806,
	"plain_text": "Threat Advisory: DoubleZero\r\nBy Asheer Malhotra\r\nPublished: 2022-03-24 · Archived: 2026-04-05 13:58:11 UTC\r\nThursday, March 24, 2022 12:57\r\nOverview\r\nThe Computer Emergency Response Team of Ukraine (CERT-UA) released an advisory on March 22, 2022 disclosing another wiper, dubbed \"DoubleZero\", targeting Ukrainian enterprises during Russia's invasion of the country. The wiper was detected as early as March 17, 2022. DoubleZero is yet another wiper discovered in addition to those previously disclosed in Ukraine over the past two months, such as \"CaddyWiper\", \"HermeticWiper\" and \"WhisperGate\".\r\nDoubleZero is a .NET-based implant that destroys files, registry keys and registry trees on the infected endpoint.\r\nCisco Talos is actively conducting analysis to confirm the details included in these reports.\r\nWiper analysis\r\nThe malware first checks whether the current endpoint is one of the domain's controllers. If the endpoint's name is found among them, the wiper simply stops executing.\r\nThe wiper begins by enabling the following privileges for its process token:\r\nSeTakeOwnershipPrivilege\r\nSeRestorePrivilege\r\nSeBackupPrivilege\r\nSeShutdownPrivilege\r\nThe first three let it take ownership of, read and rewrite files and registry keys regardless of their ACLs; the last is needed for the shutdown it performs at the end.\r\nIt aims to destroy all files on all drives, except for a hardcoded list of system locations that are handled last. The malware intends to destroy non-system files first, then system-related files: destroying system files while other files are still being overwritten can destabilise or brick the system before the user's files have been fully destroyed. 
In such cases, it may be possible to recover the files on disk that have not been overwritten yet.\r\nThe system folders reserved for destruction *after* all other files have been destroyed (shown as they appear in the sample; the regular-expression entries carry doubled backslashes):\r\n\u003cRoot_drive\u003e\\Windows\\Microsoft.NET\r\n\u003cRoot_drive\u003e\\Windows\r\n\u003cRoot_drive\u003e\\\\Users\\\\\\\\.*?\\\\\\\\Local Settings.*\r\n\u003cRoot_drive\u003e\\\\Users\\\\\\\\.*?\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Application Data.*\r\n\u003cRoot_drive\u003e\\\\Users\\\\\\\\.*?\\\\\\\\Start Menu.*\r\n\u003cRoot_drive\u003e\\\\Users\\\\\\\\.*?\\\\\\\\Application Data.*\r\n\u003cRoot_drive\u003e\\\\ProgramData\\\\\\\\Microsoft.*\r\n\u003cRoot_drive\u003e\\\\Users\\\\\\\\.*?\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Microsoft.*\r\n\u003cRoot_drive\u003e\\\\Users\\\\\\\\.*?\\\\\\\\AppData\\\\\\\\Roaming\\\\\\\\Microsoft.*\r\n\u003cRoot_drive\u003e\\Documents and Settings\r\n\u003cRoot_drive\u003e\\ProgramData\\Application Data\r\n\u003cRoot_drive\u003e\\Users\\All Users\r\n\u003cRoot_drive\u003e\\Users\\Default User\r\n\u003cRoot_drive\u003e\\system\\drivers\r\n\u003cRoot_drive\u003e\\Windows\\NTDS\r\nThe wiper enumerates all file paths and decides whether each file is \"safe\" to destroy immediately, i.e., not inside one of the system locations listed above. For each file deemed \"safe\" to destroy, the wiper will:\r\nChange the file's access control by granting the Local System account (WellKnownSidType.LocalSystemSid) full control of the file.\r\nUse one of the two wiper functions to destroy the file.\r\nWiper function No. 1\r\nThis routine calls NtFsControlFile with the control code FSCTL_SET_ZERO_DATA (0x980C8) to fill the file with zero bytes. Note that FSCTL_SET_ZERO_DATA writes zeros to the clusters of an ordinary file, but on a sparse or compressed file NTFS may instead deallocate the affected ranges, in which case the original clusters are released rather than overwritten and their contents may still be recoverable from unallocated space.\r\nNtFsControlFile used against a file to zero it out.\r\nWiper function No. 2\r\nThe second routine used to overwrite the files is relatively simpler. 
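The triage described above (non-system files first, then the excluded system locations in a fixed order) can be modelled directly. The following Python is an added example written for this page, not code from the sample or from Talos: the regexes are the editor's transliteration of the advisory's path list into Python syntax, case-insensitive prefix matching on full Windows paths is an assumption about how the sample applies them, and the file listing is constructed.

```python
import re

# Path triage for the DoubleZero ordering described in the advisory. The regexes
# are the editor's transliteration of the advisory's exclusion list into Python
# syntax (the sample shows them as .NET literals with doubled backslashes).
# Case-insensitive prefix matching on a full Windows path is an assumption about
# how the sample applies them; <Root_drive> is taken to be any drive letter.
_ROOT = r'^[A-Za-z]:'
_USER = _ROOT + r'\\Users\\.*?\\'

# Destruction order of the excluded locations as stated in the advisory.
PHASES = {
    1: [_ROOT + r'\\system\\drivers'],
    2: [_USER + r'Local Settings',
        _USER + r'AppData\\Local\\Application Data',
        _ROOT + r'\\Windows\\NTDS',
        _USER + r'AppData\\Local\\Microsoft',
        _USER + r'AppData\\Roaming\\Microsoft'],
    # <Root_drive>\Windows also covers <Root_drive>\Windows\Microsoft.NET.
    3: [_ROOT + r'\\Windows'],
}
# Excluded locations for which the advisory states no phase.
DEFERRED_UNORDERED = [
    _USER + r'Start Menu',
    _USER + r'Application Data',
    _ROOT + r'\\ProgramData\\Microsoft',
    _ROOT + r'\\Documents and Settings',
    _ROOT + r'\\ProgramData\\Application Data',
    _ROOT + r'\\Users\\All Users',
    _ROOT + r'\\Users\\Default User',
]

_BUCKETS = [('phase%d' % n, [re.compile(p, re.I) for p in pats])
            for n, pats in sorted(PHASES.items())]
_BUCKETS.append(('deferred_unordered',
                 [re.compile(p, re.I) for p in DEFERRED_UNORDERED]))


def classify(path):
    """Bucket for one path: 'immediate' (not excluded, wiped first),
    'phase1'..'phase3' (excluded, wiped in that order after everything else),
    or 'deferred_unordered' (excluded, but the advisory gives no order).
    Phases are tested most-specific first so that a path under Windows\\NTDS
    lands in phase 2 rather than the catch-all Windows entry of phase 3."""
    for bucket, regexes in _BUCKETS:
        if any(r.match(path) for r in regexes):
            return bucket
    return 'immediate'


def plan(paths):
    """Group a file listing into the order the wiper would process it."""
    buckets = {'immediate': [], 'phase1': [], 'phase2': [], 'phase3': [],
               'deferred_unordered': []}
    for p in paths:
        buckets[classify(p)].append(p)
    return buckets


# Constructed sample listing (editor's own; not from the advisory or the sample).
SAMPLE = [
    r'C:\Users\alice\Documents\report.docx',
    r'D:\backups\db.bak',
    r'C:\Program Files\App\app.exe',
    r'C:\system\drivers\foo.sys',
    r'C:\Windows\NTDS\ntds.dit',
    r'C:\Users\alice\AppData\Roaming\Microsoft\Windows\Recent\x.lnk',
    r'C:\Users\alice\AppData\Local\Microsoft\Edge\User Data\Default\History',
    r'C:\Windows\System32\ntoskrnl.exe',
    r'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll',
    r'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\x.lnk',
    r'C:\Users\Default User\NTUSER.DAT',
]

if __name__ == '__main__':
    for bucket, items in plan(SAMPLE).items():
        print(bucket)
        for p in items:
            print('    ' + p)
```

Running it on a real directory listing (for example the output of a forensic file-system walk) shows which paths the wiper would have reached first; if a host went down part-way through, everything in the later buckets is the first place to look for intact data.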
The second routine opens the target file as a FileStream and simply overwrites it with an array containing all zeros.\r\nFile being overwritten by an array containing all zeros.\r\nThe wiper then moves on to the destruction of system files, which is also carried out by the two wiper functions illustrated above. The order of destruction of the system files is:\r\nFirst:\r\n\u003cRoot_drive\u003e\\system\\drivers\r\nSecond:\r\n\u003cRoot_drive\u003e\\\\Users\\\\\\\\.*?\\\\\\\\Local Settings.*\r\n\u003cRoot_drive\u003e\\\\Users\\\\\\\\.*?\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Application Data.*\r\n\u003cRoot_drive\u003e\\Windows\\NTDS\r\n\u003cRoot_drive\u003e\\\\Users\\\\\\\\.*?\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Microsoft.*\r\n\u003cRoot_drive\u003e\\\\Users\\\\\\\\.*?\\\\\\\\AppData\\\\\\\\Roaming\\\\\\\\Microsoft.*\r\nThird:\r\n\u003cRoot_drive\u003e\\Windows\r\nThe wiper then proceeds to destroy entries in the registry hives:\r\nHKLM\r\nHKCU\r\nHKU\r\nIt first kills all processes on the system named \"lsass\" (the Local Security Authority Subsystem Service). Since lsass.exe is a critical process, terminating it causes Windows to crash or force a restart shortly afterwards, which bounds how long the registry destruction that follows can run. The wiper then sets the current user as the owner of the registry keys under these hives, changes the access rights to gain full control of the keys, and overwrites their values. It also deletes subkey trees recursively.\r\nWiper creating a rule to obtain full access to registry keys.\r\nWiper deleting subkey trees in registry.\r\nOnce all the destructive activity has been completed, the wiper shuts down the system using the ExitWindowsEx API call.\r\nCoverage\r\nWays our customers can detect and block this threat are listed below.\r\nCisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. 
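Independently of the product coverage in this section, the host behaviour described in the analysis (one process enabling SeTakeOwnershipPrivilege, SeRestorePrivilege, SeBackupPrivilege and SeShutdownPrivilege, then lsass.exe terminating, then that same process initiating a shutdown) can be correlated from Windows event logs. The following Python is an added example by the editor, not Talos detection content or code from the sample: the event records are constructed and simplified, the flattened field names, the process-ID join and the ten-minute window are assumptions, and only the event IDs are the standard Windows ones.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Privileges the wiper enables, as listed in the advisory.
WIPER_PRIVS = {'SeTakeOwnershipPrivilege', 'SeRestorePrivilege',
               'SeBackupPrivilege', 'SeShutdownPrivilege'}

# Constructed, simplified event records (editor's own; not real telemetry and
# not the exact EVTX field names). Event IDs are the standard Windows ones:
# 4703 Security log, token right adjusted (needs "Audit Token Right Adjusted"),
# 4689 Security log, process exited,
# 1074 System log, shutdown initiated by a process (User32).
EVENTS = [
    {'ts': '2022-03-17T09:00:05', 'host': 'ws01', 'id': 4703, 'pid': 4120,
     'process': r'C:\Users\u\svc.exe',
     'enabled': ['SeTakeOwnershipPrivilege', 'SeRestorePrivilege',
                 'SeBackupPrivilege', 'SeShutdownPrivilege']},
    {'ts': '2022-03-17T09:00:41', 'host': 'ws01', 'id': 4689, 'pid': 700,
     'process': r'C:\Windows\System32\lsass.exe'},
    {'ts': '2022-03-17T09:01:02', 'host': 'ws01', 'id': 1074, 'pid': 4120,
     'process': r'C:\Users\u\svc.exe'},
    # Backup agent: only backup/restore rights, no lsass exit -> benign.
    {'ts': '2022-03-17T22:00:00', 'host': 'ws02', 'id': 4703, 'pid': 900,
     'process': r'C:\Program Files\Backup\agent.exe',
     'enabled': ['SeBackupPrivilege', 'SeRestorePrivilege']},
    {'ts': '2022-03-17T22:30:00', 'host': 'ws02', 'id': 1074, 'pid': 1200,
     'process': r'C:\Windows\System32\shutdown.exe'},
    # Admin tool with all four rights, but lsass keeps running -> no hit.
    {'ts': '2022-03-17T10:00:00', 'host': 'ws03', 'id': 4703, 'pid': 3300,
     'process': r'C:\Tools\admin.exe',
     'enabled': ['SeTakeOwnershipPrivilege', 'SeRestorePrivilege',
                 'SeBackupPrivilege', 'SeShutdownPrivilege']},
    {'ts': '2022-03-17T10:02:00', 'host': 'ws03', 'id': 1074, 'pid': 3300,
     'process': r'C:\Tools\admin.exe'},
]


def _t(e):
    return datetime.fromisoformat(e['ts'])


def correlate(events, window=timedelta(minutes=10)):
    """Return one hit per 4703 event where a process enabled all four wiper
    privileges and, within `window` afterwards on the same host, lsass.exe
    exited and that same process (by PID) initiated a shutdown."""
    by_host = defaultdict(list)
    for e in sorted(events, key=_t):
        by_host[e['host']].append(e)
    hits = []
    for host, evs in by_host.items():
        for e in evs:
            if e['id'] != 4703 or not WIPER_PRIVS <= set(e.get('enabled', ())):
                continue
            t0 = _t(e)
            later = [x for x in evs if t0 <= _t(x) <= t0 + window]
            lsass_exited = any(x['id'] == 4689 and
                               x['process'].lower().endswith('\\lsass.exe')
                               for x in later)
            same_proc_shutdown = any(x['id'] == 1074 and x['pid'] == e['pid']
                                     for x in later)
            if lsass_exited and same_proc_shutdown:
                hits.append({'host': host, 'pid': e['pid'],
                             'process': e['process'], 'first_seen': e['ts']})
    return hits


if __name__ == '__main__':
    for h in correlate(EVENTS):
        print('possible wiper on %(host)s: %(process)s (pid %(pid)d) '
              'first seen %(first_seen)s' % h)
```

Two practical caveats: 4703 is only produced when the Detailed Tracking subcategory "Audit Token Right Adjusted" is enabled and is noisy on its own, which is why the rule insists on all four privileges plus the lsass exit; and a production version should join on a process GUID (as Sysmon provides) rather than a PID, which can be reused.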
Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.\r\nCisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign.\r\nCisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Firepower Threat Defense (FTD), Firepower Device Manager (FDM), Threat Defense Virtual and Adaptive Security Appliance can detect malicious activity associated with this threat.\r\nCisco Secure Malware Analytics (formerly Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.\r\nCisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically and alerts users of potentially unwanted activity on every connected device.\r\nMeraki MX appliances can detect malicious activity associated with this threat.\r\nUmbrella, Secure Internet Gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. 
Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.\r\nCisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.\r\nOpen-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.\r\nThe following ClamAV signature is available for protection against this threat:\r\nWin.Malware.DoubleZeroWiper-9942171-0\r\nIOCs\r\nSHA256 hashes of the DoubleZero samples:\r\nd897f07ae6f42de8f35e2b05f5ef5733d7ec599d5e786d3225e66ca605a48f53\r\n8dd8b9bd94de1e72f0c400c5f32dcefc114cc0a5bf14b74ba6edc19fd4aeb2a5\r\n3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe\r\n30b3cbe8817ed75d8221059e4be35d5624bd6b5dc921d4991a7adc4c3eb5de4a\r\nSource: https://blog.talosintelligence.com/2022/03/threat-advisory-doublezero.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://blog.talosintelligence.com/2022/03/threat-advisory-doublezero.html"
	],
	"report_names": [
		"threat-advisory-doublezero.html"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434178,
	"ts_updated_at": 1775791469,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/88dba01ff3b61132e9331478fcdb9186de006ca5.pdf",
		"text": "https://archive.orkl.eu/88dba01ff3b61132e9331478fcdb9186de006ca5.txt",
		"img": "https://archive.orkl.eu/88dba01ff3b61132e9331478fcdb9186de006ca5.jpg"
	}
}