{
	"id": "286fcbc3-9b00-4742-ab8a-02496e930724",
	"created_at": "2026-04-06T00:16:11.976505Z",
	"updated_at": "2026-04-10T03:21:39.482606Z",
	"deleted_at": null,
	"sha1_hash": "b4b9e3eae3d136aba40fdcb91a7542ac7abb79b5",
	"title": "IsaacWiper and HermeticWizard: New wiper and worm targeting Ukraine",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 801645,
	"plain_text": "IsaacWiper and HermeticWizard: New wiper and worm targeting\r\nUkraine\r\nBy ESET Research\r\nArchived: 2026-04-05 21:42:43 UTC\r\nUpdate (March 4th, 2022): We fixed an error in the analysis of IsaacWiper. It uses the Mersenne Twister PRNG and not the\r\nISAAC PRNG as initially written.\r\nAs the recent hostilities started between Russia and Ukraine, ESET researchers discovered several malware families\r\ntargeting Ukrainian organizations.\r\nOn February 23rd, 2022, a destructive campaign using HermeticWiper targeted multiple Ukrainian organizations.\r\nThis cyberattack preceded, by a few hours, the start of the invasion of Ukraine by Russian Federation forces\r\nInitial access vectors varied from one organization to another. We confirmed one case of the wiper being dropped by\r\nGPO, and uncovered a worm used to spread the wiper in another compromised network.\r\nMalware artifacts suggest that the attacks had been planned for several months.\r\nOn February 24th, 2022, a second destructive attack against a Ukrainian governmental network started, using a wiper\r\nwe have named IsaacWiper.\r\nESET Research has not yet been able to attribute these attacks to a known threat actor.\r\nDestructive attacks in Ukraine\r\nAs stated in this ESETResearch tweet and WLS blogpost, we uncovered a destructive attack against computers in Ukraine\r\nthat started around 14:52 on February 23rd, 2022 UTC. 
This followed distributed denial-of-service (DDoS) attacks against\r\nmajor Ukrainian websites and preceded the Russian military invasion by a few hours.\r\nThese destructive attacks leveraged at least three components:\r\nHermeticWiper: makes a system inoperable by corrupting its data\r\nHermeticWizard: spreads HermeticWiper across a local network via WMI and SMB\r\nHermeticRansom: ransomware written in Go\r\nHermeticWiper was observed on hundreds of systems in at least five Ukrainian organizations.\r\nOn February 24th, 2022, we detected yet another new wiper in a Ukrainian governmental network. We named it IsaacWiper\r\nand we are currently assessing its links, if any, with HermeticWiper. It is important to note that it was seen in an organization\r\nthat was not affected by HermeticWiper.\r\nAttribution\r\nAt this point, we have not found any tangible connection with a known threat actor. HermeticWiper, HermeticWizard, and\r\nHermeticRansom do not share any significant code similarity with other samples in the ESET malware collection.\r\nIsaacWiper is still unattributed as well.\r\nTimeline\r\nHermeticWiper and HermeticWizard are signed by a code-signing certificate (shown in Figure 1) assigned to Hermetica\r\nDigital Ltd issued on April 13th, 2021. We requested the issuing CA (DigiCert) to revoke the certificate, which it did on\r\nFebruary 24th, 2022.\r\nhttps://www.welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine/\r\nPage 1 of 8\n\nFigure 1. Code-signing certificate assigned to Hermetica Digital Ltd\r\nAccording to a report by Reuters, it seems that this certificate was not stolen from Hermetica Digital. It is likely that instead\r\nthe attackers impersonated the Cypriot company in order to get this certificate from DigiCert.\r\nESET researchers assess with high confidence that the affected organizations were compromised well in advance of the\r\nwiper’s deployment. 
This is based on several facts:\r\nHermeticWiper PE compilation timestamps, the oldest being December 28th, 2021\r\nThe code-signing certificate issue date of April 13th, 2021\r\nDeployment of HermeticWiper through GPO in at least one instance suggests the attackers had prior access to one of\r\nthat victim’s Active Directory servers\r\nThe events are summarized in the timeline in Figure 2.\r\nFigure 2. Timeline of important events\r\nInitial access\r\nHermeticWiper\r\nThe initial access vector is currently unknown but we have observed artifacts of lateral movement inside the targeted\r\norganizations. In one entity, the wiper was deployed through the default domain policy (GPO), as shown by its path on the\r\nsystem:\r\nC:\\Windows\\system32\\GroupPolicy\\DataStore\\0\\sysvol\\\u003credacted\u003e\\Policies\\{31B2F340-016D-11D2-945F-00C04FB984F9}\\Machine\\cc.exe\r\nThis indicates that attackers likely took control of the Active Directory server.\r\nIn other instances, it is possible that Impacket was used to deploy HermeticWiper. A Symantec blogpost states that the wiper\r\nwas deployed using the following command line:\r\ncmd.exe /Q /c move CSIDL_SYSTEM_DRIVE\\temp\\sys.tmp1 CSIDL_WINDOWS\\policydefinitions\\postgresql.exe 1\u003e\r\n\\\\127.0.0.1\\ADMIN$\\__1636727589.6007507 2\u003e\u00261\r\nThe last part is the same as the default behavior in Impacket’s wmiexec.py, found on GitHub.\r\nFinally, a custom worm that we have named HermeticWizard was used to spread HermeticWiper across the compromised\r\nnetworks via SMB and WMI.\r\nIsaacWiper\r\nThe initial access vector is also currently unknown. 
It is likely that attackers used tools such as Impacket to move laterally.\r\nOn a few machines, we have also observed RemCom, a remote access tool, being deployed at the same time as IsaacWiper.\r\nTechnical analysis\r\nHermeticWiper\r\nHermeticWiper is a Windows executable with four drivers embedded in its resources. They are legitimate drivers from the\r\nEaseUS Partition Master software signed by CHENGDU YIWO Tech Development Co., and they implement low-level disk\r\noperations. The following files were observed:\r\n0E84AFF18D42FC691CB1104018F44403C325AD21: x64 driver\r\n379FF9236F0F72963920232F4A0782911A6BD7F7: x86 driver\r\n87BD9404A68035F8D70804A5159A37D1EB0A3568: x64 XP driver\r\nB33DD3EE12F9E6C150C964EA21147BF6B7F7AFA9: x86 XP driver\r\nDepending on the operating system version, one of those four drivers is chosen and dropped in\r\nC:\\Windows\\System32\\drivers\\\u003c4 random letters\u003e.sys. It is then loaded by creating a service.\r\nHermeticWiper then proceeds by disabling the Volume Shadow Copy Service (VSS) and wipes itself from disk by\r\noverwriting its own file with random bytes. This anti-forensic measure is likely intended to hinder post-incident analysis\r\nof the wiper.\r\nIt is interesting to note that most of the file operations are performed at a low level using DeviceIoControl calls.\r\nThe following locations are overwritten with random bytes generated by the Windows API function CryptGenRandom:\r\nThe master boot record (MBR)\r\nThe master file table (MFT)\r\n$Bitmap and $LogFile on all drives\r\nThe files containing the registry keys (NTUSER*)\r\nC:\\Windows\\System32\\winevt\\Logs\r\nIn addition, it recursively wipes folders and files in Windows, Program Files, Program Files(x86), PerfLogs, Boot,\r\nSystem Volume Information, and AppData folders, using a FSCTL_MOVE_FILE operation. 
This technique appears to be\r\nquite unusual and very similar to what is implemented in the Windows Wipe project on GitHub (see the\r\nwipe_extent_by_defrag function). It also wipes symbolic links and big files in My Documents and Desktop folders by\r\noverwriting them with random bytes.\r\nFinally, the machine is restarted. However, it will fail to boot, because the MBR, the MFT, and most files were wiped. We\r\nbelieve it is not possible to recover the impacted machines.\r\nHermeticWizard\r\nLooking for other samples signed by the same code-signing certificate (Hermetica Digital Ltd), we found a new malware\r\nfamily that we named HermeticWizard.\r\nIt is a worm that was deployed on a system in Ukraine at 14:52:49 on February 23rd, 2022 UTC. It is a DLL file developed\r\nin C++ that exports the functions DllInstall, DllRegisterServer, and DllUnregisterServer. Its export DLL name is Wizard.dll.\r\nIt contains three resources, which are encrypted PE files:\r\nA sample of HermeticWiper (912342F1C840A42F6B74132F8A7C4FFE7D40FB77)\r\nexec_32.dll, responsible for spreading to other local computers via WMI\r\n(6B5958BFABFE7C731193ADB96880B225C8505B73)\r\nromance.dll, responsible for spreading to other local computers via SMB\r\n(AC5B6F16FC5115F0E2327A589246BA00B41439C2)\r\nThe resources are encrypted with a reverse XOR loop. Each block of four bytes is XORed with the previous block. Finally,\r\nthe first block is XORed with a hardcoded value, 0x4A29B1A3.\r\nHermeticWizard is started using the command line regsvr32.exe /s /i \u003cpath\u003e.\r\nFirst, HermeticWizard tries to find other machines on the local network. 
It gathers known local IP addresses using the\r\nfollowing Windows functions:\r\nDNSGetCacheDataTable\r\nGetIpNetTable\r\nWNetOpenEnumW(RESOURCE_GLOBALNET, RESOURCETYPE_ANY)\r\nNetServerEnum\r\nGetTcpTable\r\nGetAdaptersAddresses\r\nIt then tries to connect to those IP addresses (and only if they are local IP addresses) to see if they are still reachable. In case\r\nthe -s argument was provided when HermeticWizard was started (regsvr32.exe /s /i:-s \u003cpath\u003e), it also scans the full /24\r\nrange. So, if 192.168.1.5 was found in, for example, the DNS cache, it incrementally scans from 192.168.1.1 to\r\n192.168.1.254. For each IP address, it tries to open a TCP connection on the following ports:\r\n20: ftp\r\n21: ftp\r\n22: ssh\r\n80: http\r\n135: rpc\r\n137: netbios\r\n139: smb\r\n443: https\r\n445: smb\r\nThe ports are scanned in a random order so it’s not possible to fingerprint HermeticWizard traffic that way.\r\nWhen it has found a reachable machine, it drops the WMI spreader (detailed below) on disk and creates a new process with\r\nthe command line rundll32 \u003ccurrent folder\u003e\\\u003c6 random letters\u003e.ocx #1 -s \u003cpath to HermeticWizard\u003e -i \u003ctarget IP\u003e.\r\nIt does the same with the SMB spreader (detailed below) that is also dropped in \u003ccurrent folder\u003e\\\u003c6 random letters\u003e.ocx,\r\nbut with different random letters.\r\nFinally, it drops HermeticWiper in \u003ccurrent folder\u003e\\\u003c6 random letters\u003e.ocx and executes it.\r\nWMI spreader\r\nThe WMI spreader, named by its developers exec_32.dll, takes two arguments:\r\n-i: The target IP address\r\n-s: The file to copy and execute on the target machine\r\nFirst, it creates a connection to the remote ADMIN$ share of the target using WNetAddConnection2W. The file provided in\r\nthe -s argument is then copied using CopyFileW. 
The remote file has a random name generated with CoCreateGUID (e.g.,\r\ncB9F06408D8D2.dll) and the string format c%02X%02X%02X%02X%02X%02X.\r\nSecond, it tries to execute the copied file, HermeticWizard, on the remote machine using DCOM. It calls CoCreateInstance\r\nwith CLSID_WbemLocator as argument. It then uses WMI Win32_Process to create a new process on the remote machine,\r\nwith the command line C:\\windows\\system32\\cmd.exe /c start C:\\windows\\system32\\\\regsvr32.exe /s /i C:\\windows\\\r\n\u003cfilename\u003e.dll.\r\nNote that the -s argument is not passed to HermeticWizard, meaning that it won’t scan the local network again from this\r\nnewly compromised machine.\r\nIf the WMI technique fails, it tries to create a service using OpenRemoteServiceManager with the same command as above.\r\nIf it succeeds in executing the remote DLL in any way, it sleeps until it can delete the remote file.\r\nSMB spreader\r\nThe SMB spreader, named by its developers romance.dll, takes the same two arguments as the WMI spreader. Its internal\r\nname is likely a reference to the EternalRomance exploit, even if it does not use any exploit.\r\nFirst it attempts to connect to the following pipes on the remote SMB share (on port 445):\r\nsamr\r\nbrowser\r\nnetlogon\r\nlsarpc\r\nntsvcs\r\nsvcctl\r\nThese are pipes known to be used in lateral movement. The spreader has a list of hardcoded credentials that are used in\r\nattempts to authenticate via NTLMSSP to the SMB shares:\r\n-- usernames --\r\nguest\r\ntest\r\nadmin\r\nuser\r\nroot\r\nadministrator\r\nmanager\r\noperator\r\n-- passwords --\r\n123\r\nQaz123\r\nQwerty123\r\nThis list of credentials is surprisingly short and is unlikely to work in even the most poorly protected networks.\r\nIf the connection is successful, it attempts to drop, to the target ADMIN$ share, the file referenced by the -s argument. 
As\r\nfor the WMI spreader, the remote filename is generated by a call to CoCreateInstance.\r\nIt then executes, via SMB, the command line cmd /c start regsvr32 /s /i ..\\\\\u003cfilename\u003e  \u0026 start cmd /c \\\"ping localhost -n 7 \u0026\r\nwevtutil cl System\\\".\r\nHermeticRansom\r\nESET researchers also observed HermeticRansom – ransomware written in Go – being used in Ukraine at the same time as\r\nthe HermeticWiper campaign. HermeticRansom was first reported in the early hours of February 24th, 2022 UTC, in a tweet\r\nfrom AVAST. Our telemetry shows a much smaller deployment compared to HermeticWiper. This ransomware was\r\ndeployed at the same time as HermeticWiper, potentially in order to hide the wiper’s actions. On one machine, the following\r\ntimeline was observed:\r\n2022-02-23 17:49:55 UTC: HermeticWiper in C:\\Windows\\Temp\\cc.exe deployed\r\n2022-02-23 18:06:57 UTC: HermeticRansom in C:\\Windows\\Temp\\cc2.exe deployed by the netsvcs service\r\n2022-02-23 18:26:07 UTC: Second HermeticWiper in C:\\Users\\com.exe deployed\r\nOn one occasion, we observed HermeticRansom being deployed through GPO, just like HermeticWiper:\r\nC:\\WINDOWS\\system32\\GroupPolicy\\DataStore\\0\\sysvol\\\u003credacted\u003e\\Policies\\{31B2F340-016D-11D2-945F-00C04FB984F9}\\Machine\\cpin.exe\r\nA few strings were left in the binary by the attackers; they reference US President Biden and the White House:\r\n_/C_/projects/403forBiden/wHiteHousE.baggageGatherings\r\n_/C_/projects/403forBiden/wHiteHousE.lookUp\r\n_/C_/projects/403forBiden/wHiteHousE.primaryElectionProcess\r\n_/C_/projects/403forBiden/wHiteHousE.GoodOffice1\r\nOnce files are encrypted, the message in Figure 3 is displayed to the victim.\r\nFigure 3. 
HermeticRansom’s ransom note\r\nIsaacWiper\r\nIsaacWiper is found in either a Windows DLL or EXE with no Authenticode signature; it appeared in our telemetry on\r\nFebruary 24th, 2022. As mentioned earlier, the oldest PE compilation timestamp we have found is October 19th, 2021,\r\nmeaning that if its PE compilation timestamp was not tampered with, IsaacWiper might have been used in previous\r\noperations months earlier.\r\nFor DLL samples, the name in the PE export directory is Cleaner.dll and it has a single export _Start@4.\r\nWe have observed IsaacWiper in %programdata% and C:\\Windows\\System32 under the following filenames:\r\nclean.exe\r\ncl.exe\r\ncl64.dll\r\ncld.dll\r\ncll.dll\r\nIt has no code similarity with HermeticWiper and is much less sophisticated. Given the timeline, it is possible that both are\r\nrelated but we haven’t found any strong connection yet.\r\nIsaacWiper starts by enumerating the physical drives and calls DeviceIoControl with the IOCTL\r\nIOCTL_STORAGE_GET_DEVICE_NUMBER to get their device numbers. It then wipes the first 0x10000 bytes of each\r\ndisk using the Mersenne Twister pseudorandom generator. The generator is seeded using the GetTickCount value.\r\nIt then enumerates the logical drives and recursively wipes every file of each disk with random bytes also generated by the\r\nMersenne Twister PRNG. It is interesting to note that it recursively wipes the files in a single thread, meaning that it would\r\ntake a long time to wipe a large disk.\r\nOn February 25th, 2022, attackers dropped a new version of IsaacWiper with debug logs. 
This may indicate that the\r\nattackers were unable to wipe some of the targeted machines and added log messages to understand what was happening.\r\nThe logs are stored in C:\\ProgramData\\log.txt and some of the log messages are:\r\ngetting drives...\r\nstart erasing physical drives...\r\n–– start erasing logical drive\r\nstart erasing system physical drive...\r\nsystem physical drive –– FAILED\r\nstart erasing system logical drive\r\nConclusion\r\nThis report details a destructive cyberattack that impacted Ukrainian organizations on February 23rd, 2022, and a second\r\nattack that affected a different Ukrainian organization from February 24th through 26th, 2022. At this point, we have no\r\nindication that other countries were targeted.\r\nHowever, due to the current crisis in Ukraine, there is still a risk that the same threat actors will launch further campaigns\r\nagainst countries that back the Ukrainian government or that sanction Russian entities.\r\nA list of IoCs can also be found in our GitHub repository.\r\nFor any inquiries about our research published on WeLiveSecurity, please contact us at threatintel@eset.com.\r\nESET Research now also offers private APT intelligence reports and data feeds. 
For any inquiries about this service, visit\r\nthe ESET Threat Intelligence page.\r\nIoCs\r\nSHA-1 Filename ESET detection name De\r\n912342F1C840A42F6B74132F8A7C4FFE7D40FB77 com.exe Win32/KillDisk.NCV He\r\n61B25D11392172E587D8DA3045812A66C3385451 conhosts.exe Win32/KillDisk.NCV He\r\n3C54C9A49A8DDCA02189FE15FEA52FE24F41A86F c9EEAF78C9A12.dat Win32/GenCBL.BSP He\r\nF32D791EC9E6385A91B45942C230F52AFF1626DF cc2.exe WinGo/Filecoder.BK He\r\nAD602039C6F0237D4A997D5640E92CE5E2B3BBA3 cl64.dll Win32/KillMBR.NHP Isa\r\n736A4CFAD1ED83A6A0B75B0474D5E01A3A36F950 cld.dll Win32/KillMBR.NHQ Isa\r\nE9B96E9B86FAD28D950CA428879168E0894D854F clean.exe Win32/KillMBR.NHP Isa\r\n23873BF2670CF64C2440058130548D4E4DA412DD XqoYMlBX.exe Win32/RiskWare.RemoteAdmin.RemoteExec.AC\r\nLeg\r\nRem\r\nacc\r\nMITRE ATT\u0026CK techniques\r\nThis table was built using version 10 of the MITRE ATT\u0026CK framework.\r\nTactic | ID | Name | Description\r\nResource Development | T1588.002 | Obtain Capabilities: Tool | Attackers used RemCom and potentially Impacket as part of their campaign.\r\nResource Development | T1588.003 | Obtain Capabilities: Code Signing Certificates | Attackers acquired a code-signing certificate for their campaigns.\r\nInitial Access | T1078.002 | Valid Accounts: Domain Accounts | Attackers were able to deploy wiper malware through GPO.\r\nExecution | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | Attackers used the command line during their attack (e.g., possible Impacket usage).\r\nExecution | T1106 | Native API | Attackers used native APIs in their malware.\r\nExecution | T1569.002 | System Services: Service Execution | HermeticWiper uses a driver, loaded as a service, to corrupt data.\r\nExecution | T1047 | Windows Management Instrumentation | HermeticWizard attempts to spread to local computers using WMI.\r\nDiscovery | T1018 | Remote System Discovery | HermeticWizard scans local IP ranges to find local machines.\r\nLateral Movement | T1021.002 | Remote Services: SMB/Windows Admin Shares | HermeticWizard attempts to spread to local computers using SMB.\r\nLateral Movement | T1021.003 | Remote Services: Distributed Component Object Model | HermeticWizard attempts to spread to local computers using WbemLocator to remotely start a new process via WMI.\r\nImpact | T1561.002 | Disk Wipe: Disk Structure Wipe | HermeticWiper corrupts data in the system’s MBR and MFT.\r\nImpact | T1561.001 | Disk Wipe: Disk Content Wipe | HermeticWiper corrupts files in Windows, Program Files, Program Files(x86), PerfLogs, Boot, System Volume Information, and AppData.\r\nImpact | T1485 | Data Destruction | HermeticWiper corrupts user data found on the system.\r\nImpact | T1499.002 | Endpoint Denial of Service: Service Exhaustion Flood | By using DDoS attacks, the attackers made a number of government websites unavailable.\r\nSource: https://www.welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine/"
	],
	"report_names": [
		"isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine"
	],
	"threat_actors": [],
	"ts_created_at": 1775434571,
	"ts_updated_at": 1775791299,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b4b9e3eae3d136aba40fdcb91a7542ac7abb79b5.pdf",
		"text": "https://archive.orkl.eu/b4b9e3eae3d136aba40fdcb91a7542ac7abb79b5.txt",
		"img": "https://archive.orkl.eu/b4b9e3eae3d136aba40fdcb91a7542ac7abb79b5.jpg"
	}
}