{
	"id": "06ffedd8-e0a6-447e-a51c-65b6b822b030",
	"created_at": "2026-04-06T00:10:19.486885Z",
	"updated_at": "2026-04-10T13:12:59.147944Z",
	"deleted_at": null,
	"sha1_hash": "914ba81df8bdb706c4700abe6d62c42bca5327d0",
	"title": "Viasat confirms satellite modems were wiped with AcidRain malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2177506,
	"plain_text": "Viasat confirms satellite modems were wiped with AcidRain malware\r\nBy Sergiu Gatlan\r\nPublished: 2022-03-31 · Archived: 2026-04-05 16:38:09 UTC\r\nA newly discovered data wiper that targets routers and modems was deployed in the February 24 cyberattack on the KA-SAT satellite broadband service, which wiped SATCOM modems and knocked thousands of customers in Ukraine and tens of thousands more across Europe offline.\r\nThe malware, dubbed AcidRain by researchers at SentinelOne, is designed to brute-force device file names and wipe every file it can find rather than target one specific device layout, which makes it easy to redeploy in future attacks.\r\nSentinelOne says this might hint at the attackers' lack of familiarity with the targeted devices' filesystem and firmware, or at their intent to develop a reusable tool.\r\nAcidRain was first spotted on March 15, when it was uploaded to the VirusTotal malware analysis platform from an IP address in Italy as a 32-bit MIPS ELF binary with the filename \"ukrop\".\r\nOnce executed, it walks the compromised router or modem's entire filesystem. It also wipes flash memory, SD/MMC cards, and any virtual block devices it can find, iterating through every possible device identifier.\r\n\"The binary performs an in-depth wipe of the filesystem and various known storage device files. If the code is running as root, AcidRain performs an initial recursive overwrite and delete of non-standard files in the filesystem,\" SentinelOne threat researchers Juan Andres Guerrero-Saade and Max van Amerongen explained.\r\nTo destroy data on compromised devices, the wiper overwrites file contents with up to 0x40000 bytes (256 KiB) of data, or, for raw flash devices, issues the MEMGETINFO, MEMUNLOCK, MEMERASE, and MEMWRITEOOB ioctl requests, which are the Linux MTD (memory technology device) interface for querying, unlocking, erasing, and writing flash blocks.\r\nOnce the wiping is complete, the malware reboots the device, leaving it inoperable.\r\n
Used to wipe satellite communication modems in Ukraine\r\nBased on the name of the AcidRain binary uploaded to VirusTotal, which could be an abbreviation of \"Ukraine Operation,\" SentinelOne said the malware might have been developed explicitly for an operation against Ukraine and was likely used to wipe modems in the KA-SAT cyberattack.\r\n\"The threat actor used the KA-SAT management mechanism in a supply-chain attack to push a wiper designed for modems and routers,\" SentinelOne hypothesized.\r\n\"A wiper for this kind of device would overwrite key data in the modem's flash memory, rendering it inoperable and in need of reflashing or replacing.\"\r\nThis directly contradicts Viasat's incident report on the KA-SAT incident, which says the company found \"no evidence of any compromise or tampering with Viasat modem software or firmware images and no evidence of any supply-chain interference.\"\r\nHowever, Viasat confirmed the core of SentinelOne's finding, saying the data-destroying malware was deployed on modems using \"legitimate management\" commands, while disputing the supply-chain label, as its statement below makes clear.\r\n\"The analysis in the SentinelLabs report regarding the ukrop binary is consistent with the facts in our report - specifically, SentinelLabs identifies the destructive executable that was run on the modems using a legitimate management command as Viasat previously described,\" a Viasat spokesperson told BleepingComputer.\r\n\"We expect we can provide additional forensic details when this investigation is complete.\"\r\nThe use of AcidRain to wipe modems was also confirmed by security researcher Ruben Santamarta, who dumped the flash memory of a SATCOM modem corrupted in the attack against KA-SAT.\r\nSentinelOne notes that the destructive pattern Santamarta observed in that dump matches the output of AcidRain's file-overwriting routine.\r\nThe fact that Viasat has shipped almost 30,000 modems since the February 2022 attack to bring customers back online, and continues to ship more to expedite service restoration, also suggests that SentinelOne's supply-chain attack theory holds water.\r\nAs a side note, the ioctl requests used by this malware also match those used by the 'dstr' wiper plugin of VPNFilter, malware attributed to Russian GRU hackers (Fancy Bear or Sandworm). Those requests are the standard Linux MTD interface, so the overlap is a lead for analysts rather than proof of shared authorship on its own.\r\n
Seventh data wiper deployed against Ukraine this year\r\nAcidRain is the seventh data wiper deployed in attacks against Ukraine this year, following six others used against the country since the start of 2022.\r\nThe Computer Emergency Response Team of Ukraine (CERT-UA) recently reported that a data wiper it tracks as DoubleZero has been deployed in attacks targeting Ukrainian enterprises.\r\nOne day before the Russian invasion of Ukraine started, ESET spotted a data-wiping malware now known as HermeticWiper, which was used against organizations in Ukraine together with ransomware decoys.\r\nOn the day Russia invaded Ukraine, ESET also discovered a data wiper dubbed IsaacWiper and a new worm named HermeticWizard used to drop HermeticWiper payloads.\r\nESET also spotted a fourth data-destroying strain it dubbed CaddyWiper, a wiper that deletes user data and partition information from attached drives and also wipes data across the Windows domains it is deployed on.\r\nA fifth wiper, tracked as WhisperKill, was spotted by Ukraine's State Service for Communications and Information Protection (CIP), which said it reused 80% of the Encrpt3d Ransomware's code (also known as WhiteBlackCrypt Ransomware).\r\nIn mid-January, Microsoft found a sixth wiper, now tracked as WhisperGate, used in data-wiping attacks against Ukraine and disguised as ransomware.\r\n
Update: A Viasat spokesperson sent the following statement after the story was published:\r\nThe facts provided in the Viasat Incident Report yesterday are accurate. The analysis in the SentinelLabs report regarding the ukrop binary is consistent with the facts in our report - specifically, SentinelLabs identifies the destructive executable that was run on the modems using a legitimate management command as Viasat previously described.\r\nAs noted in our report: \"the attacker moved laterally through this trusted management network to a specific network segment used to manage and operate the network, and then used this network access to execute legitimate, targeted management commands on a large number of residential modems simultaneously.\"\r\nAdditionally, we don’t view this as a supply chain attack or vulnerability. As we noted, \"Viasat has no evidence that standard modem software or firmware distribution or update processes involved in normal network operations were used or compromised in the attack.\" Further, \"there is no evidence that any end-user data was accessed or compromised.\"\r\nDue to the ongoing investigation and to ensure the security of our systems from ongoing attack, we cannot publicly share all forensic details of the event. Through this process, we have been, and continue to cooperate with various law enforcement and government agencies around the world, who've had access to details of the event.\r\nWe expect we can provide additional forensic details when this investigation is complete.\r\n
Source: https://www.bleepingcomputer.com/news/security/viasat-confirms-satellite-modems-were-wiped-with-acidrain-malware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/viasat-confirms-satellite-modems-were-wiped-with-acidrain-malware/"
	],
	"report_names": [
		"viasat-confirms-satellite-modems-were-wiped-with-acidrain-malware"
	],
	"threat_actors": [
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-10T02:00:04.883793Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28",
				"ATK5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"GRAPHITE",
				"Group 74",
				"PawnStorm",
				"STRONTIUM",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"TA422",
				"TG-4127",
				"Tsar Team",
				"UAC-0001"
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434219,
	"ts_updated_at": 1775826779,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/914ba81df8bdb706c4700abe6d62c42bca5327d0.pdf",
		"text": "https://archive.orkl.eu/914ba81df8bdb706c4700abe6d62c42bca5327d0.txt",
		"img": "https://archive.orkl.eu/914ba81df8bdb706c4700abe6d62c42bca5327d0.jpg"
	}
}