{
	"id": "5918817e-c65d-4f4d-9fa5-20d783cdaa48",
	"created_at": "2026-04-06T00:07:55.519047Z",
	"updated_at": "2026-04-10T03:21:00.83802Z",
	"deleted_at": null,
	"sha1_hash": "9f6de6ec5446f9e867eac43b3bb6b9cfba40a18e",
	"title": "Threat Update: CaddyWiper | Splunk",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1293564,
	"plain_text": "Threat Update: CaddyWiper | Splunk\r\nBy Splunk Threat Research Team\r\nPublished: 2022-04-01 · Archived: 2026-04-05 17:50:50 UTC\r\nSplunk is committed to using inclusive and unbiased language. This blog post might contain terminology that we no longer use. For more information on our updated terminology and our stance on biased language, please visit our blog post. We appreciate your understanding as we work towards making our community more inclusive for everyone.\r\nAs the conflict in Eastern Europe continues, the Splunk Threat Research Team (STRT) is constantly monitoring new developments, especially those related to destructive software. As we have showcased in previous releases on destructive software and HermeticWiper, malicious actors modify their TTPs in order to become more effective and achieve their objectives. In the case of HermeticWiper, we witnessed the introduction of new features since the increase in malicious cyber activity targeting Ukraine last month.\r\nWe now have a new payload, recently discovered by ESET and named CaddyWiper, that shares no code with previous malicious payloads used during this campaign. One thing, however, has been seen consistently during the deployment of these payloads: the use of Group Policy Objects (GPOs).\r\nGroup Policy Objects are Microsoft Active Directory network policies that can be applied selectively to computers, organizational units, applications, and individual users. Splunk Security Research has previously shown how to use GPOs to defend against ransomware, as the selective and large-scale application of these settings helps streamline, enforce and harden security policies.\r\nHowever, as we have witnessed, GPOs can be used to do harm if malicious actors compromise domain administrators. This new malicious payload incorporates the following features:\r\nDomain Controller kill switch. If the payload detects that it is running on a Domain Controller, it stops its functions.\r\nIf not on a Domain Controller, it destroys user data in “C:\\Users” and subsequently on mapped drives (this may include network mapped drives).\r\nIf not on a Domain Controller, it destroys drive partitions including boot partitions (\\\\.\\PhysicalDrive9 to \\\\.\\PhysicalDrive0).\r\nThe above new features indicate the intention of malicious actors to maintain access to Domain Controllers and deploy destructive software without needing to compromise and regain access if those controllers were destroyed and had to be reinstalled. This approach is much more tactical, and it also gives attackers the possibility to modify, re-apply, or enforce GPOs that achieve the deployment of this destructive payload. Below is a breakdown of these features.\r\nDomain Controller Kill Switch\r\nhttps://www.splunk.com/en_us/blog/security/threat-update-caddywiper.html\r\nPage 1 of 4\r\nThis wiper builds the module name and API name strings on the stack so that it can resolve them dynamically at execution time. It then calls the DsRolePrimaryDomainInformation() API to retrieve the role state of the targeted host. If the computer's role is DsRole_RolePrimaryDomainController, CaddyWiper exits its process.\r\nOverwriting Files with Zeroed Buffer\r\nIf the computer is not a Domain Controller, it starts executing its payload. One part of this is overwriting files in the C:\\users directory and on drives D:\\ through Z:\\.\r\nIf it finds a file that is not a folder and has the hidden system attribute, it adjusts the security identifier permission of its process as well as its TokenPrivileges to “SeTokenOwnershipPrivilege” so that it can access those files.\r\nAfter that check, CaddyWiper initializes a zeroed buffer sized to the file it found. If the file size is greater than 0xA00000, it caps the zeroed buffer size at 0xA00000. That buffer is used to overwrite the files and make them unrecoverable.\r\nWiping Boot Partitions\r\nThis payload enumerates all possible boot sector partitions from \\\\.\\PhysicalDrive9 to \\\\.\\PhysicalDrive0 and overwrites each with a zeroed buffer of 1920 bytes. The wipe is executed using DeviceIoControl with IOCTL_DISK_SET_DRIVE_LAYOUT_EX.\r\nSource: https://www.splunk.com/en_us/blog/security/threat-update-caddywiper.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.splunk.com/en_us/blog/security/threat-update-caddywiper.html"
	],
	"report_names": [
		"threat-update-caddywiper.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434075,
	"ts_updated_at": 1775791260,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9f6de6ec5446f9e867eac43b3bb6b9cfba40a18e.pdf",
		"text": "https://archive.orkl.eu/9f6de6ec5446f9e867eac43b3bb6b9cfba40a18e.txt",
		"img": "https://archive.orkl.eu/9f6de6ec5446f9e867eac43b3bb6b9cfba40a18e.jpg"
	}
}