{
	"id": "d2a1d347-7a17-41b7-b470-5f24f47dfbb0",
	"created_at": "2026-04-06T00:18:12.515529Z",
	"updated_at": "2026-04-10T03:20:51.69291Z",
	"deleted_at": null,
	"sha1_hash": "99c352f4af3768a6e13cc8bbbce087c9f2b0bf79",
	"title": "eSentire Threat Intelligence Malware Analysis: CaddyWiper",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2633807,
	"plain_text": "eSentire Threat Intelligence Malware Analysis: CaddyWiper\r\nBy eSentire Threat Response Unit (TRU)\r\nArchived: 2026-04-05 18:49:56 UTC\r\nFirst discovered by ESET researchers in March 2022, CaddyWiper malware is a new type of wiper malware used\r\nby Russian threat actors to target Ukrainian organizations, and the fourth wiper identified since the invasion of the\r\nUkraine. Unlike ransomware, the only objective of using wiper malware is to damage files, data, hard drives, or\r\nentire programs and cause as much destruction as possible in the targeted organization’s endpoints and network.\r\neSentire’s Threat Intelligence (TI) team assesses with high confidence that as the hybrid war between Russia and\r\nUkraine continues, threat actors will continue developing more destructive malware with the goal to disrupt the\r\noperations in Ukrainian infrastructure since the wiping malware does not need to be sophisticated to perform the\r\nbasic wiping capabilities.\r\nKey Takeaways\r\neSentire TI assesses that CaddyWiper has a low level of sophistication compared to the other wipers\r\nobserved targeting Ukrainian organizations (HermeticWiper).\r\nCaddyWiper specifically doesn’t target Domain Controllers to keep the foothold on the victim’s network to\r\nbe able to obtain credentials, move laterally and infect more machines.\r\neSentire TI assesses that it’s probable that this is done to keep the foothold on the Domain Controller and\r\ngain access to other machines on the network.\r\neSentire’s Threat Response Unit (TRU) is currently implementing the detections developed to identify\r\nCaddyWiper malware activities across MDR for Endpoint, performing global threat hunts against the IOCs\r\nassociated with the CaddyWiper malware, and actively monitoring for any signs of compromise.\r\nCase Study\r\nThe destructive malware named CaddyWiper was first reported by ESET Researchers on March 14, 2022. The\r\nmalware was first detected at 11:38 a.m. 
local time (5:38 a.m. EST) targeting organizations in Ukraine. According\r\nto ESET, the infection mechanism is similar to the HermeticWiper malware in that it operates via Default Domain\r\nPolicy.\r\nhttps://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-caddywiper\r\nPage 1 of 11\n\nExhibit 1: First CaddyWiper detection by ESET\r\nTechnical Analysis on CaddyWiper\r\neSentire TI has observed 4 CaddyWiper samples targeting Ukrainian organizations in the wild including a UPX\r\npacked version. CaddyWiper is the fourth wiper observed targeting Ukrainian organizations since January 2022.\r\nCaddyWiper is a PE32 (32-bit) executable written in the C++ programming language with a file size of 9.00 KB\r\n(9,216 bytes). The compilation timestamp for all the wiper samples dates to March 14, 2022 (the same day\r\nthe first attacks were observed).\r\nThe malware samples do not appear to be digitally signed except for one sample (SHA-256:\r\n1e87e9b5ee7597bdce796490f3ee09211df48ba1d11f6e2f5b255f05cc0ba176). The file is signed by TrustAsia\r\n(Exhibit 2).\r\nExhibit 2: Digital Signature details\r\nThe wiper uses stackstrings, a technique used by malware developers to “conceal” strings from an\r\nanalyst (Exhibit 3).\r\nExhibit 3: Stackstrings used in CaddyWiper\r\nThe wiper checks if the infected machine is a Domain Controller via the\r\nDsRoleGetPrimaryDomainInformation API. The API gets state data for the computer, which includes the state\r\nof the directory service installation and domain data. If the infected machine is not a Domain Controller, the\r\nmalware recursively wipes the files in C:\\Users and D:\\ directories.
Additionally, CaddyWiper attempts to wipe\r\nthe files on each drive letter alphabetically, starting from the D:\\ drive until it reaches the Z:\\ drive (Exhibit 4).\r\nWhile running the sample on the sandbox machine, the malware did not wipe all the files completely in the\r\nmentioned folders, except for shortcut files. The sample also skips wiping the files under C:\\ drive.\r\nExhibit 4: CaddyWiper wipes the drives from D to Z letters\r\nIf the infected machine is the Domain Controller, the wiper will exit (Exhibit 5).\r\nExhibit 5: The malware doesn't proceed with executing the wiping instructions on a Domain\r\nController\r\nThe jump to the function responsible for wiping the files is not taken. Instead, it will exit via the\r\nRtlExitUserThread function (Exhibit 6).\r\nThe wiper enumerates through the files, takes ownership of the files, overriding file permissions using\r\nSeTakeOwnershipPrivilege and the AdjustTokenPrivileges API, and overwrites 10485760 bytes of data with\r\nzeroes (Exhibit 7).\r\nExhibit 7: The wiper is overwriting 10485760 bytes of data with 0's\r\nAfter the malware finishes overwriting the files, it uses the DeviceIoControl API with the control code\r\nIOCTL_DISK_SET_DRIVE_LAYOUT_EX to access the extended information about the drive's partitions\r\n(decrements from Physical Drive 9 to Physical Drive 0).
Specifically, it accesses the data on the Master Boot\r\nRecord (MBR) and GUID Partition Table (GPT) partitions of the hard drives to proceed with the wiping process.\r\nExhibit 8: Decrementing loop (the wiper decrements the drives from 9 to 0)\r\nWe assess that the wiper sample does not have any similarities with the previous wipers (WhisperGate,\r\nHermeticWiper, IsaacWiper) that were used to target Ukrainian organizations. The only distinctive characteristic\r\nof CaddyWiper is that it does not target Domain Controllers. We believe it’s probable that this is done to keep the\r\nfoothold on the Domain Controller to gain access to other machines on the network and that CaddyWiper was\r\ndeveloped within one month or less.\r\nWhat eSentire is doing about it\r\nOur Threat Response Unit (TRU) combines threat intelligence gleaned from research, security incidents, and the\r\nexternal threat landscape to create actionable outcomes for our customers. We are taking a holistic response\r\napproach to combat all malware by deploying countermeasures, such as:\r\nImplementing the detections to identify CaddyWiper malware activities across eSentire MDR for Endpoint\r\nsolutions.\r\nPerforming global threat hunts against the IOCs associated with the CaddyWiper malware\r\nActively monitoring for any signs of compromise.\r\nOur detection content is backed by investigation runbooks, ensuring our SOC cyber analysts respond rapidly to\r\nany intrusion attempts.
In addition, our Threat Response Unit closely monitors the threat landscape and addresses\r\ncapability gaps and conducts retroactive threat hunts to assess customer impact.\r\nRecommendations from eSentire’s Threat Response Unit (TRU)\r\nWe recommend implementing the following controls to help secure your organization against the CaddyWiper\r\nmalware:\r\nAddress security issues in Active Directory: thoroughly reviewing and securing SYSVOL permissions,\r\npatching any known vulnerabilities, implementing Least-Privilege Administrative Models.\r\nIf working with organizations based in Ukraine, perform access control review on the traffic.\r\nConfirm that all the devices are protected with Endpoint Detection and Response (EDR) solutions.\r\nWhile the Tactics, Techniques, and Procedures (TTPs) used by adversaries grow in sophistication, they lead to a\r\nlimited set of choke points at which critical business decisions must be made. Intercepting the various attack paths\r\nutilized by the modern threat actor requires actively monitoring the threat landscape, developing, and deploying\r\nendpoint detection, and the ability to investigate logs \u0026 network data during active intrusions.\r\neSentire’s Threat Response Unit (TRU) is a world-class team of threat researchers who develop new detections\r\nenriched by original threat intelligence and leverage new machine learning models that correlate multi-signal data\r\nand automate rapid response to advanced threats.\r\nIf you’re not currently engaged with an MDR provider, eSentire MDR can help you reclaim the advantage and put\r\nyour business ahead of disruption.\r\nLearn what it means to have an elite team of Threat Hunters and Researchers that works for you. 
Connect with an\r\neSentire Security Specialist.\r\nAppendix\r\nSources\r\nhttps://www.welivesecurity.com/2022/03/15/caddywiper-new-wiper-malware-discovered-ukraine/\r\nhttps://twitter.com/ESETresearch/status/1503436420886712321?s=20\u0026t=9fWLU5NluwqmWqf8d0zD8g\r\nhttps://docs.microsoft.com/en-us/windows/win32/api/\r\nIndicators of Compromise\r\nName File Hash (SHA-256)\r\nCaddyWiper ea6a416b320f32261da8dafcf2faf088924f99a3a84f7b43b964637ea87aef72\r\nCaddyWiper a294620543334a721a2ae8eaaf9680a0786f4b9a216d75b55cfd28f39e9430ea\r\nCaddyWiper 1e87e9b5ee7597bdce796490f3ee09211df48ba1d11f6e2f5b255f05cc0ba176\r\nCaddyWiper (UPX packed) f1e8844dbfc812d39f369e7670545a29efef6764d673038b1c3edd11561d6902\r\nYara Rules\r\nimport \"pe\"\r\nimport \"hash\"\r\nimport \"math\"\r\nrule CaddyWiper_1: detection\r\nCaddyWiper_a294620543334a721a2ae8eaaf9680a0786f4b9a216d75b55cfd28f39e9430ea\r\n{\r\ncondition:\r\n for any i in (0..pe.number_of_sections - 1): (\r\n hash.md5(pe.sections[i].raw_data_offset,\r\n pe.sections[i].raw_data_size) ==\r\n \"f0d4c11521fc3891965534e6c52e128b\" and\r\n pe.sections[i].name == \".text\") and\r\n for any i in (0..pe.number_of_sections - 1): (\r\n math.entropy(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) \u003e= 5 and\r\n pe.sections[i].name == \".text\") and\r\n pe.imports(\"netapi32.dll\", \"DsRoleGetPrimaryDomainInformation\") and\r\n uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and\r\n filesize \u003c 11KB\r\n}\r\nrule CaddyWiper: detection CaddyWiper_2\r\n{\r\nmeta:\r\n hash = \"f1e8844dbfc812d39f369e7670545a29efef6764d673038b1c3edd11561d6902\"\r\nstrings:\r\n $packer = \"UPX0\" ascii nocase\r\n $packer1 = \"UPX1\" ascii nocase\r\n $packer2 = \"UPX2\" ascii nocase\r\n $function = \"DsRoleGetPrimaryDomainInformation\" ascii nocase\r\ncondition:\r\n uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550\r\n and (3 of ($packer*) and $function)\r\n and filesize \u003c 26KB\r\n}\r\nTo learn how your organization can build cyber resilience and prevent business disruption with eSentire’s Next\r\nLevel MDR, connect with an eSentire Security Specialist now.\r\nABOUT ESENTIRE’S THREAT RESPONSE UNIT (TRU)\r\nThe eSentire Threat Response Unit (TRU) is an industry-leading threat research team committed to helping your\r\norganization become more resilient. TRU is an elite team of threat hunters and researchers that supports our 24/7\r\nSecurity Operations Centers (SOCs), builds threat detection models across the eSentire XDR Cloud Platform, and\r\nworks as an extension of your security team to continuously improve our Managed Detection and Response\r\nservice. By providing complete visibility across your attack surface and performing global threat sweeps and\r\nproactive hypothesis-driven threat hunts augmented by original threat research, we are laser-focused on defending\r\nyour organization against known and unknown threats.\r\nSource: https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-caddywiper",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-caddywiper"
	],
	"report_names": [
		"esentire-threat-intelligence-malware-analysis-caddywiper"
	],
	"threat_actors": [],
	"ts_created_at": 1775434692,
	"ts_updated_at": 1775791251,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/99c352f4af3768a6e13cc8bbbce087c9f2b0bf79.pdf",
		"text": "https://archive.orkl.eu/99c352f4af3768a6e13cc8bbbce087c9f2b0bf79.txt",
		"img": "https://archive.orkl.eu/99c352f4af3768a6e13cc8bbbce087c9f2b0bf79.jpg"
	}
}