{
	"id": "7b15c467-71ac-4d86-a7b1-f5d6fc66ca8a",
	"created_at": "2026-04-06T00:08:30.099327Z",
	"updated_at": "2026-04-10T03:20:56.63186Z",
	"deleted_at": null,
	"sha1_hash": "b40cabbc1f764c4d47546d48745d1921c735c52b",
	"title": "Threat Advisory: CaddyWiper",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 271918,
	"plain_text": "Threat Advisory: CaddyWiper\r\nBy Asheer Malhotra\r\nPublished: 2022-03-15 · Archived: 2026-04-05 16:13:18 UTC\r\nTuesday, March 15, 2022 12:48\r\nOverview\r\nCybersecurity company ESET disclosed another Ukraine-focused wiper dubbed \"CaddyWiper\" on March 14. This\r\nwiper is considerably smaller than previous wipers we've seen used in Ukraine, such as \"HermeticWiper\" and\r\n\"WhisperGate,\" with a compiled size of just 9KB.\r\nThe discovered wiper's compilation timestamp falls on the same day (March 14), and initial reports suggest that it was\r\ndeployed via GPO.\r\nCisco Talos is actively conducting analysis to confirm the details included in these reports.\r\nAnalysis\r\nThe wiper is relatively small in size and dynamically resolves most of the APIs it uses. Our analysis didn't show\r\nany indications of persistence, self-propagation or exploitation code.\r\nBefore starting any file destruction, it checks to ensure that the machine is not a domain controller. If the machine\r\nis a domain controller, it stops execution.\r\nhttps://blog.talosintelligence.com/2022/03/threat-advisory-caddywiper.html\r\nPage 1 of 6\n\nPseudo-code: CaddyWiper checking for the Domain Controller role of the machine.\r\nIf the system is not a domain controller, the wiper will destroy files on \"C:\\Users,\" followed by wiping of all files\r\non each subsequent drive letter until it reaches the \"Z\" drive. This means that the wiper will also attempt to wipe any\r\nnetwork mapped drive attached to the system.\r\nFiles on drives with letters from D:\\ onward overwritten with zeros.\r\nSkipping the rest of the C:\\ drive ensures that the system will not crash due to the wipe of system files.\r\nFile wiping algorithm\r\nThe file destruction algorithm is composed of two stages: a first stage to overwrite files and another to destroy the\r\nphysical disk layout and the partition tables along with it. 
For the file destruction, it takes ownership of the files by\r\nmodifying their ACL entries after it has obtained the 'SeTakeOwnershipPrivilege'. A file found will then simply be\r\noverwritten with zeros.\r\nA file that is larger than 10,485,760 bytes (0xA00000) in size will simply have the first 10,485,760 bytes\r\noverwritten with zeros.\r\nFile overwritten with a buffer consisting of zeros.\r\nThe wiper will then move on to the next drive on the system beginning with the \"D\" drive. It will recursively gain\r\nrights to files on a drive and overwrite them with zeros. This is done for the next 23 drives alphabetically (through\r\n\"Z:\\\").\r\nIn the second stage, the wiper attempts to set the drive layout of all the physical drives on the system (numbered 9\r\ndown to 0) using a zeroed-out buffer. This will wipe out all extended information about the physical drives' partitions, including the MBR, GPT and\r\npartition entries.\r\nWiper recursively performing IOCTL_DISK_SET_DRIVE_LAYOUT_EX requests with a zeroed out buffer.\r\nDestroying the start of the files and the partition tables is a common technique seen in other wipers, and it is\r\nhighly effective in preventing file recovery.\r\nCoverage\r\nWays our customers can detect and block this threat are listed below.\r\nCisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware\r\ndetailed in this post. Try Secure Endpoint for free here.\r\nCisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in\r\nthese attacks.\r\nCisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of\r\ntheir campaign. 
You can try Secure Email for free here.\r\nCisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Firepower\r\nThreat Defense (FTD), Firepower Device Manager (FDM), Threat Defense Virtual, Adaptive Security Appliance\r\ncan detect malicious activity associated with this threat.\r\nCisco Secure Malware Analytics (formerly Threat Grid) identifies malicious binaries and builds protection into all\r\nCisco Secure products.\r\nCisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically\r\nand alerts users of potentially unwanted activity on every connected device.\r\nFor guidance on using Cisco Secure Analytics to respond to this threat, please click here.\r\nMeraki MX appliances can detect malicious activity associated with this threat.\r\nUmbrella, Secure Internet Gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs,\r\nwhether users are on or off the corporate network. 
Sign up for a free trial of Umbrella here.\r\nAdditional protections with context to your specific environment and threat data are available from the Firewall\r\nManagement Center.\r\nCisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your\r\nnetwork.\r\nOpen-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack\r\navailable for purchase on Snort.org.\r\nSnort SIDs: 59268-59269\r\nThe following ClamAV signature is available for protection against this threat:\r\nWin.Malware.CaddyWiper-9941573-1\r\nIOCs\r\na294620543334a721a2ae8eaaf9680a0786f4b9a216d75b55cfd28f39e9430ea\r\n1e87e9b5ee7597bdce796490f3ee09211df48ba1d11f6e2f5b255f05cc0ba176\r\nea6a416b320f32261da8dafcf2faf088924f99a3a84f7b43b964637ea87aef72\r\nf1e8844dbfc812d39f369e7670545a29efef6764d673038b1c3edd11561d6902\r\nSource: https://blog.talosintelligence.com/2022/03/threat-advisory-caddywiper.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA",
		"MITRE"
	],
	"references": [
		"https://blog.talosintelligence.com/2022/03/threat-advisory-caddywiper.html"
	],
	"report_names": [
		"threat-advisory-caddywiper.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434110,
	"ts_updated_at": 1775791256,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b40cabbc1f764c4d47546d48745d1921c735c52b.pdf",
		"text": "https://archive.orkl.eu/b40cabbc1f764c4d47546d48745d1921c735c52b.txt",
		"img": "https://archive.orkl.eu/b40cabbc1f764c4d47546d48745d1921c735c52b.jpg"
	}
}