{
	"id": "7ac9e512-eecc-4253-8aae-427d1321d08c",
	"created_at": "2026-04-06T00:22:02.881741Z",
	"updated_at": "2026-04-10T03:37:04.398098Z",
	"deleted_at": null,
	"sha1_hash": "ba7868780e6dda0d1b3e950e6bbcf0253e7856a6",
	"title": "HermeticWiper \u0026 resurgence of targeted attacks on Ukraine | Zscaler",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1813902,
	"plain_text": "HermeticWiper \u0026 resurgence of targeted attacks on Ukraine | Zscaler\r\nBy Deepen Desai, Brett Stone-Gross\r\nPublished: 2022-02-24 · Archived: 2026-04-05 14:10:50 UTC\r\nSummary\r\nSince January 2022, ThreatLabz has observed a resurgence in targeted attack activity against Ukraine. We identified two attack chains in the January to February 2022 timeframe, which we attribute to the same threat actor with moderate confidence. It is important to note that we are not attributing the attacks to any nation-state backed threat actor at this point, since we do not have full visibility into the final payloads and the motives of the attacks. The re-use of C2 infrastructure points to the Gamaredon APT threat actor, but more visibility is needed for proper attribution.\r\nThe first attack chain was described by CERT-UA (the Computer Emergency Response Team of Ukraine) on 1 February 2022. It involved spear-phishing emails sent to the State Administration of Seaports of Ukraine. The samples corresponding to the next-stage document template and the VBScript payload were not publicly available. We were able to identify the document template and the VBScript payload, and we share their technical analysis in this blog.\r\nOn 11 February 2022, we identified a sample uploaded to VirusTotal from Ukraine which led to our discovery of a previously undocumented attack chain. We describe the technical details of this second attack chain in the blog. By pivoting on the metadata of the files, we discovered 7 unique samples and traced the origins of the campaign back to November 2020.\r\nOn 23 February 2022, there were reports of a new sophisticated wiper malware hitting several organizations in Ukraine with the objective of destroying data and causing business disruption. The ThreatLabz team analyzed the malware payload involved and uncovered several new tactics used in these attacks. 
A ransomware decoy known as PartyTicket was also observed being deployed during these attacks.\r\nIn this blog, we will look at the technical details of these recent attacks targeting commercial and public entities in Ukraine.\r\n1. HermeticWiper DoS Attack - Technical Analysis\r\nHermeticWiper is a sophisticated malware family that is designed to destroy data and render a system inoperable.\r\nThe wiper is multi-threaded to maximize speed and uses a kernel driver for low-level disk access.\r\nThe driver files appear to be part of an outdated version of the EaseUS Partition Master application developed by CHENGDU YIWO Tech Development.\r\nThe HermeticWiper malware sample with SHA256 1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591 was compiled at 2022-02-23 09:48:53 UTC and was digitally signed with a valid certificate issued to Hermetica Digital Ltd., as shown in Figure 1. A valid code-signing certificate attests only to the identity of the signer, not to the intent of the code, so the signature should not be treated as a trust signal on its own.\r\nhttps://www.zscaler.com/blogs/security-research/hermeticwiper-resurgence-targeted-attacks-ukraine\r\nPage 1 of 11\n\nFigure 1: HermeticWiper’s digital signature\r\nThe malware supports two command-line arguments that control the maximum duration to spend destroying data before forcing the system to reboot. After parsing the command line, HermeticWiper calls OpenProcessToken() with the access mask TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY. If the wiper does not have sufficient privileges (the token call fails), it terminates without performing any malicious actions. Otherwise HermeticWiper enables SeShutdownPrivilege and SeBackupPrivilege in its token (a process can only enable privileges its token already holds, so the wiper expects to be run with administrative rights; SeBackupPrivilege lets it open files and disks regardless of their ACLs) and installs a Windows kernel driver. The driver is embedded in the malware’s resource section, which contains the resources named and hashed in Table 1. 
These files are digitally signed drivers that are used to interact with disks.\r\nDriver filename | Compressed SHA256 | Decompressed SHA256\r\nDRV_X64 | e5f3ef69a534260e899a36cec459440dc572388defd8f1d98760d31c700f42d5 | 96b77284744f8761c4f2558388e0aee2140618b484f\r\nDRV_X86 | b01e0c6ac0b8bcde145ab7b68cf246deea9402fa7ea3aede7105f7051fe240c1 | 8c614cf476f871274aa06153224e8f7354bf5e23e685\r\nDRV_XP_X64 | b6f2e008967c5527337448d768f2332d14b92de22a1279fd4d91000bb3d4a0fd | 23ef301ddba39bb00f0819d2061c9c14d17dc30f780\r\nDRV_XP_X86 | fd7eacc2f87aceac865b0aa97a50503d44b799f27737e009f91f3c281233c17d | 2c7732da3dcfc82f60f063f2ec9fa09f9d38d5cfbe80c\r\nTable 1. Driver files embedded in HermeticWiper\r\nThe specific driver that is extracted depends on whether the Windows operating system is 32-bit or 64-bit and whether it is Windows XP or newer. The functions used to determine the Windows version are VerSetConditionMask and VerifyVersionInfoW, which are rarely seen compared with the more common GetVersion and GetVersionEx calls.\r\nAfter a resource is extracted from the binary, the Windows LZ library functions (the LZ32 API, LZOpenFile and LZCopy, which handle the same SZDD compressed-file format that expand.exe understands) are used to decompress it. The Windows command-line utility expand.exe can therefore also be used to manually decompress the drivers, as shown in Figure 2.\r\nFigure 2: Manual decompression of the HermeticWiper drivers using the Windows expand utility\r\nThe certificate for these signed drivers is registered to CHENGDU YIWO Tech Development Co., Ltd., but expired on September 11, 2014, as shown in Figure 3. An expired signing certificate does not by itself stop Windows from loading a signed driver, which is why old but legitimately signed third-party drivers are attractive for this kind of abuse.\r\nFigure 3: Expired certificate used to sign the HermeticWiper drivers\r\nAs noted above, these driver files appear to belong to the EaseUS Partition Master application developed by CHENGDU YIWO Tech Development. 
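The compressed driver resources are in the SZDD container format that the Windows LZ API and expand.exe understand. The following is an added example, not code from the Zscaler post or from the malware: a stand-alone Python parser for that format, with a small greedy compressor used only to build round-trip test data, and a helper that reports the compressed and decompressed SHA256 values the way Table 1 does. It assumes the standard SZDD layout (8-byte magic, mode byte 0x41, one byte holding the last character of the original filename, a little-endian 32-bit uncompressed length, then LZSS data over a 4096-byte window pre-filled with spaces and starting at offset 4080); the sample input is constructed, not a real driver.

```python
import hashlib
import struct

# SZDD container: written by the legacy Microsoft COMPRESS tool, read by expand.exe and the
# LZ32 API (LZOpenFile/LZCopy). Layout is from the public format description, not the sample.
SZDD_MAGIC = bytes([0x53, 0x5A, 0x44, 0x44, 0x88, 0xF0, 0x27, 0x33])  # 'SZDD' + 88 F0 27 33
WINDOW, MASK, START_POS = 4096, 4095, 4096 - 16  # LZSS ring buffer; expand.exe starts writing at 4080
MIN_MATCH, MAX_MATCH = 3, 18


def expand_szdd(blob):
    '''Decompress one SZDD blob. Returns (last char of the original filename or None, data).'''
    if len(blob) < 14 or blob[:8] != SZDD_MAGIC:
        raise ValueError('not an SZDD container')
    if blob[8] != 0x41:  # only compression mode A was ever used
        raise ValueError('unsupported SZDD mode %#x' % blob[8])
    last_char = chr(blob[9]) if blob[9] else None
    expected = struct.unpack_from('<I', blob, 10)[0]
    window = bytearray([0x20]) * WINDOW  # the window starts filled with spaces
    pos, out, i = START_POS, bytearray(), 14
    while i < len(blob) and len(out) < expected:
        control, i = blob[i], i + 1
        for bit in range(8):
            if len(out) >= expected:
                break
            if control & (1 << bit):  # bit set: one literal byte
                if i >= len(blob):
                    break
                c, i = blob[i], i + 1
                out.append(c)
                window[pos] = c
                pos = (pos + 1) & MASK
            else:  # bit clear: 12-bit absolute window offset plus 4-bit length
                if i + 1 >= len(blob):
                    i = len(blob)
                    break
                b0, b1 = blob[i], blob[i + 1]
                i += 2
                off = b0 | ((b1 & 0xF0) << 4)
                for _ in range((b1 & 0x0F) + MIN_MATCH):
                    if len(out) >= expected:
                        break
                    c = window[off]  # may read a byte written earlier in this same copy
                    out.append(c)
                    window[pos] = c
                    pos, off = (pos + 1) & MASK, (off + 1) & MASK
    if len(out) != expected:
        raise ValueError('truncated SZDD stream: %d of %d bytes' % (len(out), expected))
    return last_char, bytes(out)


def _longest_match(window, pos, data, i):
    '''Longest match for data[i:] among bytes already in the window (greedy, 3..18).'''
    max_len = min(MAX_MATCH, len(data) - i)
    if max_len < MIN_MATCH:
        return 0, 0
    best_len = best_off = 0
    o = window.find(data[i])
    while o != -1:
        d = (pos - o) & MASK
        limit = max_len if d == 0 else min(max_len, d)  # never overlap the bytes being written
        n = 1
        while n < limit and window[(o + n) & MASK] == data[i + n]:
            n += 1
        if n > best_len:
            best_len, best_off = n, o
            if best_len == max_len:
                break
        o = window.find(data[i], o + 1)
    return (best_len, best_off) if best_len >= MIN_MATCH else (0, 0)


def compress_szdd(data, last_char=None):
    '''Inverse of expand_szdd; only needed here to build round-trip test vectors.'''
    window = bytearray([0x20]) * WINDOW
    pos, body, i = START_POS, bytearray(), 0
    while i < len(data):
        control, items = 0, bytearray()
        for bit in range(8):
            if i >= len(data):
                break
            mlen, moff = _longest_match(window, pos, data, i)
            if mlen:
                items += bytes([moff & 0xFF, ((moff >> 4) & 0xF0) | (mlen - MIN_MATCH)])
            else:
                control |= 1 << bit
                mlen = 1
                items.append(data[i])
            for _ in range(mlen):  # keep the encoder window in step with the decoder
                window[pos] = data[i]
                pos, i = (pos + 1) & MASK, i + 1
        body.append(control)
        body += items
    header = SZDD_MAGIC + bytes([0x41, ord(last_char) if last_char else 0]) + struct.pack('<I', len(data))
    return bytes(header + body)


def describe_driver_resource(blob):
    '''Per-resource record in the spirit of Table 1, plus a sanity check that a PE came out.'''
    last_char, data = expand_szdd(blob)
    return {'compressed_sha256': hashlib.sha256(blob).hexdigest(),
            'decompressed_sha256': hashlib.sha256(data).hexdigest(),
            'decompressed_size': len(data), 'filename_last_char': last_char,
            'is_pe': data[:2] == b'MZ'}  # an extracted driver must start with the MZ header


# Constructed stand-in for a compressed driver resource (not a real EaseUS driver).
SAMPLE_DRIVER = b'MZ' + bytes(62) + b'This program cannot be run in DOS mode. ' * 6 + bytes(range(256)) * 2
SAMPLE_BLOB = compress_szdd(SAMPLE_DRIVER, 's')  # 's' as for a driver shipped as name.sy_
```

Feed expand_szdd the raw bytes of a DRV_* resource dumped from the wiper and compare the SHA256 of the result with Table 1; if the header check fails, the resource is not SZDD and expand.exe will not unpack it either. The filename byte (last_char) is what expand.exe uses to turn name.sy_ back into name.sys.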
\r\nThe driver file is written to the Windows drivers directory with a filename made of two alphabetic characters, pseudorandomly chosen using the current process ID, concatenated with the string \"dr\" and a .sys extension (e.g., lxdr.sys). HermeticWiper then enables SeLoadDriverPrivilege, loads the driver, and starts it as a service. The malware disables the vss (Volume Shadow Copy) service used for backing up and restoring data, and sets the CrashDumpEnabled registry value to zero in the registry key HKLM\\SYSTEM\\CurrentControlSet\\Control\\CrashControl to disable crash dumps. This ensures that if the malware crashes, Windows will not produce a crash dump file that could be used to identify the cause. The registry values ShowCompColor and ShowInfoTip are also set to zero (i.e., disabled) under the registry key HKEY_USERS\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced to suppress Explorer pop-ups and other visual indicators of data destruction.\r\nThe driver registers a device named EPMNTDRV, which is how it exposes raw disk access to the user-mode component of HermeticWiper. The malware enumerates physical disks 0-100 and destroys the Master Boot Record (MBR) on every physical disk by overwriting the first 512 bytes with random data. The malware then parses the file system to determine whether each partition is NTFS or FAT. If the file system is NTFS, it also overwrites the Master File Table (MFT), which stores the metadata for every file on the volume. HermeticWiper also targets files located in the following directories:\r\nC:\\System Volume Information\r\nC:\\Windows\\SYSVOL\r\nC:\\Documents and Settings\r\nC:\\Windows\\System32\\winevt\\Logs\r\nThese hold volume shadow copies and restore points, the replicated SYSVOL share on domain controllers, legacy user profile data, and the Windows event logs, so wiping them also removes recovery options and forensic evidence. After the data destruction, the wiper forces a reboot. 
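The host-side changes described above (a two-letter dr.sys driver dropped into the drivers directory and registered as a service, the vss service disabled, CrashDumpEnabled set to 0, and the Explorer ShowCompColor and ShowInfoTip values set to 0) are all visible in ordinary endpoint telemetry. The following added example, which is not part of the Zscaler post, correlates them over a handful of constructed Sysmon-style events (FileCreate and RegistryEvent records flattened to pipe-separated key=value fields). It assumes Sysmon's DWORD (0x........) rendering of Details, that disabling the vss service surfaces as Services\vss\Start being set to 4 (SERVICE_DISABLED), and that the driver service appears as an ImagePath value pointing at the dropped .sys file; the service name is not stated in the analysis and is not relied on.

```python
import re
from collections import defaultdict

# Constructed Sysmon-style events (EventID 11 = FileCreate, 13 = RegistryEvent value set),
# flattened to pipe-separated key=value fields. Invented for this example, not captured telemetry.
SAMPLE_EVENTS = '''
UtcTime=2022-02-23 17:02:11|Computer=WS01|EventID=11|Image=C:\\Users\\victim\\Downloads\\update.exe|TargetFilename=C:\\Windows\\System32\\drivers\\lxdr.sys
UtcTime=2022-02-23 17:02:11|Computer=WS01|EventID=13|Image=C:\\Windows\\System32\\services.exe|TargetObject=HKLM\\System\\CurrentControlSet\\Services\\lxdr\\ImagePath|Details=C:\\Windows\\System32\\drivers\\lxdr.sys
UtcTime=2022-02-23 17:02:12|Computer=WS01|EventID=13|Image=C:\\Windows\\System32\\services.exe|TargetObject=HKLM\\System\\CurrentControlSet\\Services\\VSS\\Start|Details=DWORD (0x00000004)
UtcTime=2022-02-23 17:02:12|Computer=WS01|EventID=13|Image=C:\\Users\\victim\\Downloads\\update.exe|TargetObject=HKLM\\System\\CurrentControlSet\\Control\\CrashControl\\CrashDumpEnabled|Details=DWORD (0x00000000)
UtcTime=2022-02-23 17:02:12|Computer=WS01|EventID=13|Image=C:\\Users\\victim\\Downloads\\update.exe|TargetObject=HKU\\S-1-5-21-1-2-3-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowCompColor|Details=DWORD (0x00000000)
UtcTime=2022-02-23 17:02:12|Computer=WS01|EventID=13|Image=C:\\Users\\victim\\Downloads\\update.exe|TargetObject=HKU\\S-1-5-21-1-2-3-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowInfoTip|Details=DWORD (0x00000000)
UtcTime=2022-02-23 17:05:40|Computer=WS02|EventID=13|Image=C:\\Windows\\regedit.exe|TargetObject=HKLM\\System\\CurrentControlSet\\Control\\CrashControl\\CrashDumpEnabled|Details=DWORD (0x00000007)
UtcTime=2022-02-23 17:06:02|Computer=WS02|EventID=11|Image=C:\\Windows\\System32\\msiexec.exe|TargetFilename=C:\\Windows\\System32\\drivers\\xydr.sys
'''

DRIVER_NAME = re.compile(r'/[a-z]{2}dr[.]sys$')          # two letters + dr.sys, e.g. lxdr.sys
SERVICE_IMAGEPATH = re.compile(r'/services/[^/]+/imagepath$')
ZERO, DISABLED = '(0x00000000)', '(0x00000004)'          # Sysmon DWORD rendering; Start=4 is SERVICE_DISABLED


def norm(path):
    '''Lower-case and switch to forward slashes so the rules need no backslash escaping.'''
    return path.replace(chr(92), '/').lower()


def parse_event(line):
    return dict(field.partition('=')[::2] for field in line.strip().split('|'))


def match_rules(ev):
    '''Return the HermeticWiper behaviours this single event exhibits.'''
    hits = []
    eid = ev.get('EventID')
    if eid == '11':
        target = norm(ev.get('TargetFilename', ''))
        if target.startswith('c:/windows/system32/drivers/') and DRIVER_NAME.search(target):
            hits.append('driver_dropped')
    elif eid == '13':
        obj, details = norm(ev.get('TargetObject', '')), norm(ev.get('Details', ''))
        if obj.endswith('/control/crashcontrol/crashdumpenabled') and details.endswith(ZERO):
            hits.append('crashdump_disabled')
        if obj.endswith(('/explorer/advanced/showcompcolor', '/explorer/advanced/showinfotip')) and details.endswith(ZERO):
            hits.append('explorer_hints_suppressed')
        if obj.endswith('/services/vss/start') and details.endswith(DISABLED):
            hits.append('vss_disabled')
        if SERVICE_IMAGEPATH.search(obj) and DRIVER_NAME.search(details):
            hits.append('driver_service_registered')
    return hits


def analyze(log_text):
    '''Distinct behaviours per host. Keyed by host rather than Image because the SCM
    (services.exe) performs the service writes on the wiper's behalf.'''
    per_host = defaultdict(set)
    for line in log_text.strip().splitlines():
        ev = parse_event(line)
        per_host[ev.get('Computer', '?')].update(match_rules(ev))
    return {host: sorted(rules) for host, rules in per_host.items() if rules}


def suspected_hosts(log_text, min_rules=3):
    '''Hosts showing at least min_rules distinct behaviours: one on its own (a stray
    xxdr.sys, a changed crash-dump setting) is weak, the combination is the wiper.'''
    return sorted(h for h, rules in analyze(log_text).items() if len(rules) >= min_rules)


if __name__ == '__main__':
    for host, rules in analyze(SAMPLE_EVENTS).items():
        print(host, rules)
    print('suspected:', suspected_hosts(SAMPLE_EVENTS))
```

The threshold matters: the wiper does all of these within seconds, whereas any single rule will fire on legitimate administration, so alert on the combination per host and treat a lone hit as a hunting lead.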
As a result, the boot loader will not be able to load the operating system, as shown in Figure 4.\r\nFigure 4. Result after Hermetic­Wiper erases the Master Boot Record and forces a system reboot\r\n2. Targeted Attacks\r\nTimeframe - Nov 2021 onwards\r\nDuring our analysis, we found a C2 infrastructure overlap between the two targeted attack chains shown below in Figures 4 and 5.\r\nFigure 4: Targeted attack chain #1\r\nFigure 5: Targeted attack chain #2\r\nTechnical analysis\r\nAttack chain #1\r\nThe attack chain #1 infection starts with an email that has a malicious RAR archive attachment. The victim downloads and extracts the RAR archive, which contains a malicious document file themed around the ongoing geopolitical conflict between Russia and Ukraine.\r\n[+] Stage 1: Document\r\nOn opening, the document simply downloads a macro-based template from the specified remote location (remote template injection: the document itself carries only a relationship pointing at the template URL). Figure 6 below shows the template reference present inside one of the documents.\r\nFigure 6: Relationship referring to the macro-based remote template\r\n[+] Stage 2: Macro template (714f8341bd1c4bc1fc38a5407c430a1a)\r\nThe macro code inside the template is obfuscated by adding a large amount of junk code. This not only inflates the size of the macro code but also hinders analysis. Its main operation is to drop and execute a VBScript.\r\nThe VBScript is Base64-encoded inside the VBA macro, as shown in Figure 7 below.\r\nFigure 7: Base64-encoded VBScript inside the VBA macro\r\n[+] Stage 3: VBScript\r\nAccording to OSINT, this stage-3 VBScript, which is dropped by the stage-2 macro, is called GammaLoad. 
The VBScript code is obfuscated in a similar way to the macro code. On execution it performs the following operations:\r\n1. Collects user and system information for exfiltration\r\n2. Obtains the IP address of the configured C2 domain using WMI; because the lookup is made by the WMI provider host rather than by the script host process, the DNS query does not appear to come from the script itself\r\nWMI query format:\r\nSELECT * FROM Win32_PingStatus WHERE Address={configured_c2_domain}\r\n3. Sends a network request to download the next-stage payload using the IP address obtained in step #2, and exfiltrates the information collected in step #1 in the User-Agent header\r\nUser-Agent format:\r\n{hardcoded_useragent_string}::%USERPROFILE%_%SYSTEMDRIVE%.SerialNumber::\\.{static_string}\\.\r\n4. Drops and executes the downloaded payload\r\nNote: At the time of analysis we did not obtain this next-stage payload, but based on past analysis the threat actor is known to drop a remote desktop application such as UltraVNC.\r\nAttack Chain #2\r\nWe identified another attack chain used by the same threat actor which, to the best of our knowledge, is not documented anywhere in the public domain. Based on our research, this campaign has been active since as early as November 2020, and only 7 unique samples related to it have been identified to date. The most recent instance was observed on 11 February 2022 and, based on the filename, we believe it was distributed to the targeted victim(s) on 8 February 2022.\r\nThis low-volume campaign involves RAR archive files distributed through spear-phishing emails. These RAR archives contain a malicious Windows shortcut file (LNK) which downloads the MSI payload from the attacker-controlled server and executes it on the endpoint using MSIEXEC. 
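The User-Agent format in step #3 of the GammaLoad analysis above is itself a network indicator: the victim's profile path and system-drive serial number ride along on the first request to the C2 IP. The following added example, not from the Zscaler post, assembles that beacon from its parts and then parses constructed proxy log lines to pull those fields back out. It assumes the .SerialNumber in the format is the FileSystemObject Drive.SerialNumber (a signed decimal integer; an 8-hex-digit volume serial is accepted too), that the backslash-dot sequences around the static string are literal, and a pipe-separated log layout of time, source, destination, method, URL and User-Agent. Hosts, user and serial are invented; the destination and URL of the first line are taken from the attack chain #1 IOCs. The WMI ping resolution of step #2 is not modelled.

```python
import re

BS = chr(92)  # a literal backslash, kept out of the string literals below

# Constructed proxy log lines: time|src|dst|method|url|user_agent. Invented hosts, user and
# serial; only the destination IP and URL on the first line come from the published IOCs.
SAMPLE_PROXY_LOG = '''
2022-01-27T09:14:03Z|10.20.30.40|94.158.244.27|GET|http://94.158.244.27/absolute.ace|Mozilla/5.0 (Windows NT 10.0; Win64; x64) Gecko/20100101 Firefox/96.0::C:\\Users\\o.koval_1812349207::\\.aefd\\.
2022-01-27T09:14:05Z|10.20.30.41|142.250.74.46|GET|http://www.google.com/|Mozilla/5.0 (Windows NT 10.0; Win64; x64) Gecko/20100101 Firefox/96.0
2022-01-27T09:16:12Z|10.20.30.42|203.0.113.9|GET|http://203.0.113.9/update.txt|curl/7.79.1
'''

# FSO Drive.SerialNumber is a signed decimal (assumption); also accept an 8-hex-digit volume serial.
SERIAL = re.compile('-?[0-9]+|[0-9A-Fa-f]{8}')
RAW_IP_URL = re.compile(r'https?://[0-9]{1,3}([.][0-9]{1,3}){3}(/|$)')


def build_beacon_ua(base_ua, user_profile, serial, static_tag):
    '''Assemble the beacon as described: base UA, then USERPROFILE_serial, then the
    backslash-dot wrapped static string, with double colons between the three parts.'''
    return base_ua + '::' + user_profile + '_' + str(serial) + '::' + BS + '.' + static_tag + BS + '.'


def parse_beacon_ua(ua):
    '''Return the exfiltrated fields if ua has the GammaLoad beacon shape, else None.'''
    parts = ua.split('::')
    if len(parts) != 3:
        return None
    base_ua, ident, tail = parts
    user_profile, sep, serial = ident.rpartition('_')  # the serial has no underscore, the profile may
    if not sep or not user_profile or not SERIAL.fullmatch(serial):
        return None
    if len(tail) <= 4 or not (tail.startswith(BS + '.') and tail.endswith(BS + '.')):
        return None
    return {'base_ua': base_ua, 'user_profile': user_profile, 'serial': serial, 'tag': tail[2:-2]}


def find_beacons(log_text):
    '''Scan proxy lines and report GammaLoad beacons together with the victim data they leak.'''
    found = []
    for line in log_text.strip().splitlines():
        ts, src, dst, method, url, ua = line.split('|', 5)
        fields = parse_beacon_ua(ua)
        if fields is None:
            continue
        # A download by raw IP (step #3) rather than by hostname is a second, independent tell.
        fields.update(time=ts, src=src, dst=dst, url=url, raw_ip_host=bool(RAW_IP_URL.match(url)))
        found.append(fields)
    return found


if __name__ == '__main__':
    for hit in find_beacons(SAMPLE_PROXY_LOG):
        print(hit)
```

The parsed user_profile and serial identify the victim machine without touching it, which is useful for scoping an incident from proxy logs alone; the base UA is whatever string the script hardcodes, so do not key detection on it.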
\r\nThis drops the packaged NSIS binary on the system, which starts the infection chain.\r\nComponents of the NSIS binary are unpacked into the directory %temp%\\.tmp\\ during its execution. All the extracted components are shown below.\r\nFigure 8: components of the NSIS binary\r\nIt loads the DLL from the above directory.\r\nMD5 hash of the DLL: 74ce360565fa23d9730fe0c5227c22e0\r\nFilename of the DLL: ypagjgfyy.dll\r\nThe NSIS script which controls the execution of the NSIS installer can be used to analyze the activity. The relevant code sections from the script are included in the Appendix.\r\nThe steps below summarize the activity:\r\n1. Call the export function oqiuqqaxaicm in the DLL file ypagjgfyy.dll and pass it two parameters. The first is the encrypted string and the second is the decryption key.\r\n2. The decrypted string is a URL: hxxp://kfctm[.]online/0102adqeczoL2.txt\r\n3. Call the download_quiet function in nsisdl (the downloader plug-in of the NSIS installer) to fetch the contents of the URL decrypted in step #2.\r\n4. The response is saved in the file $PLUGINSDIR\\readme.txt\r\n5. Call the export function cfyhayyyu in the DLL file ypagjgfyy.dll and pass it three parameters. The first parameter is the file created in step #4 and the other two parameters are used to decrypt the contents of the readme.txt file.\r\n6. At this point, the code can take two paths depending on whether the readme.txt file was successfully created in step #4. If step #4 was successful, the decrypted contents of readme.txt are used as a decryption key to decrypt other important strings and continue the malicious activity. Keeping that key on the server rather than in the sample means the later stages cannot be recovered from the installer alone once the server stops responding.\r\nAt the time of our analysis the URL in step #2 did not respond, so the readme.txt file was not created. 
As a result, the code execution continued to call the export function euuxijbaha in the DLL ypagjgfyy.dll to decrypt the contents of the DAT file gofygsg.dat packaged inside the NSIS installer. The resulting decrypted content is a DOCX decoy file which is displayed to the victim with the Microsoft Word application.\r\nInfrastructure overlap and re-use\r\nDuring our analysis of the targeted attacks, we found that one of the C2 domains, download.logins[.]online, which was used to host the MSI payload as part of attack chain #2, was previously attributed to the Gamaredon APT threat actor by Anomali Labs. At that time, it was used to host a macro-based template document, which overlaps with attack chain #1 as described in this blog.\r\nZscaler coverage\r\nWe have ensured coverage for the payloads seen in these attacks via advanced threat signatures as well as the advanced cloud sandbox.\r\nAdvanced Threat Protection\r\nWin32.Trojan.KillDisk\r\nWin32.Trojan.HermeticWiper\r\nAdvanced Cloud Sandbox\r\nWin32.Trojan.HermeticWiper\r\nAdvanced Cloud Sandbox Report\r\nFigure 9 below shows the sandbox detection report for the wiper malware.\r\nFigure 9: Zscaler Cloud Sandbox Report - HermeticWiper\r\nFigure 10 below shows the document template (from attack chain #1) detection in the Zscaler sandbox.\r\nFigure 10: Zscaler Cloud Sandbox Report - Targeted Attack document template\r\nIndicators of compromise\r\n# Attack Chain 1\r\n[+] Hashes\r\nMD5 | Description\r\n9fe8203b06c899d15cb20d2497103dbb | RAR archive\r\n178b0739ac2668910277cbf13f6386e8 | Document\r\nfd4de6bb19fac13487ea72d938999fbd | Document\r\n714f8341bd1c4bc1fc38a5407c430a1a | Template\r\n8293816be7f538ec6b37c641e9f9287f | Template\r\n[+] C2 
Domains\r\ncoagula[.]online\r\ndeer.dentist.coagula[.]online\r\ndeclaration.deed.coagula[.]online\r\nsurname192.temp.swtest[.]ru\r\n[+] Download URLs\r\nTemplate:\r\nhttp://surname192.temp.swtest[.]ru/prapor/su/ino.gif\r\nhttp://surname192.temp.swtest[.]ru/prapor/su/derg.gif\r\nhttp://surname192.temp.swtest[.]ru/prapor/su/flagua.gif\r\nhttp://surname192.temp.swtest[.]ru/prapor/su/flages.gif\r\nSecondary payload:\r\n94.158.244[.]27/absolute.ace\r\n94.158.244[.]27/distant.cdr\r\n[+] Associated IPs\r\n94.158.244[.]27\r\n# Attack Chain 2\r\n[+] Hashes\r\nMD5 | Description\r\n7c1626fcaf47cdfe8aaed008d4421d8c | RAR archive\r\n6d40826dc7a9c1f5fc15e9823f30966b | RAR archive\r\nc2ef9f814fc99670572ee76ba06d24da | RAR archive\r\n3751b3326f3963794d3835dbf65ac048 | RAR archive\r\n3cfc9972ad7cbd13cac51aade3f2b501 | RAR archive\r\nba1f2bfe95b219354ddad04b79579346 | RAR archive\r\n56be65fe4d9709c10cae511d53d92d1a | RAR archive\r\n5f568c80ab68a4132506f29ede076679 | LNK\r\n2b7b4ad2947516e633f5008ace02690d | LNK\r\nbdcb83cc6f54d571a2c102fbbd8083c7 | LNK\r\nb25865010562a3863ef892311644b3bb | LNK\r\nbc740d642893e0fe23c75264ca7c2bca | LNK\r\nd5628fe5de110e321110bbc76061702b | LNK\r\n53ee0babcf03b17e02e4317b6a410b93 | MSI\r\nc3564bde7b49322f2bacdc495146cfbc | MSI\r\n6fa9d3407b70e3928be3ee0a85ddb01c | MSI\r\ne6a9e19e1b019f95bfc5a4e161794a7f | MSI\r\n2cc96a41092e7adf726365bbc5726150 | MSI\r\n9f566a164a5c6ae046c24d0e911dc577 | MSI\r\n[+] C2 domains\r\nkfctm[.]online\r\nmy.cloud-file[.]online\r\nmy.mondeychamp[.]xyz\r\nfiles-download.infousa[.]xyz\r\ndownload.logins[.]online\r\n[+] Download URLs\r\nMSI:\r\nhttp://kfctm[.]online/0802adqeczoL7.msi\r\nhttp://my.cloud-file[.]online/Microsoft_VieweR_2012.msi\r\nhttp://my.mondeychamp[.]xyz/uUi1rV.msi\r\nhttp://my.mondeychamp[.]xyz/ReadMe.msi\r\nhttp://files-download.infousa[.]xyz/Windows_photo_viewers.msi\r\nhttp://files-download.infousa[.]xyz/Windows_photo_viewer.msi
\r\nhttp://download.logins[.]online/exe/LinK13112020.msi\r\nAppendix I\r\nNSI script\r\nSource: https://www.zscaler.com/blogs/security-research/hermeticwiper-resurgence-targeted-attacks-ukraine",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.zscaler.com/blogs/security-research/hermeticwiper-resurgence-targeted-attacks-ukraine"
	],
	"report_names": [
		"hermeticwiper-resurgence-targeted-attacks-ukraine"
	],
	"threat_actors": [
		{
			"id": "236a8303-bf12-4787-b6d0-549b44271a19",
			"created_at": "2024-06-04T02:03:07.966137Z",
			"updated_at": "2026-04-10T02:00:03.706923Z",
			"deleted_at": null,
			"main_name": "IRON TILDEN",
			"aliases": [
				"ACTINIUM ",
				"Aqua Blizzard ",
				"Armageddon",
				"Blue Otso ",
				"BlueAlpha ",
				"Dancing Salome ",
				"Gamaredon",
				"Gamaredon Group",
				"Hive0051 ",
				"Primitive Bear ",
				"Shuckworm ",
				"Trident Ursa ",
				"UAC-0010 ",
				"UNC530 ",
				"WinterFlounder "
			],
			"source_name": "Secureworks:IRON TILDEN",
			"tools": [
				"Pterodo"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434922,
	"ts_updated_at": 1775792224,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ba7868780e6dda0d1b3e950e6bbcf0253e7856a6.pdf",
		"text": "https://archive.orkl.eu/ba7868780e6dda0d1b3e950e6bbcf0253e7856a6.txt",
		"img": "https://archive.orkl.eu/ba7868780e6dda0d1b3e950e6bbcf0253e7856a6.jpg"
	}
}