{
	"id": "565567d2-7847-4007-8bc8-ba3652157858",
	"created_at": "2026-04-06T00:17:31.666583Z",
	"updated_at": "2026-04-10T03:20:38.533911Z",
	"deleted_at": null,
	"sha1_hash": "bccf64eef7b96388171f16b50994592d5a3eb4fc",
	"title": "CaddyWiper: New wiper malware discovered in Ukraine",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 216933,
	"plain_text": "CaddyWiper: New wiper malware discovered in Ukraine\r\nBy Editor\r\nArchived: 2026-04-05 23:06:22 UTC\r\nThis is the third time in as many weeks that ESET researchers have spotted previously unknown data wiping\r\nmalware taking aim at Ukrainian organizations\r\n15 Mar 2022 • 2 min. read\r\nESET researchers have uncovered yet another destructive data wiper that was used in attacks against organizations\r\nin Ukraine.\r\nDubbed CaddyWiper by ESET analysts, the malware was first detected at 11.38 a.m. local time (9.38 a.m. UTC)\r\non Monday. The wiper, which destroys user data and partition information from attached drives, was spotted on\r\nseveral dozen systems in a limited number of organizations. It is detected by ESET products as\r\nWin32/KillDisk.NCX.\r\nCaddyWiper bears no major code similarities to either HermeticWiper or IsaacWiper, the other two new data\r\nwipers that have struck organizations in Ukraine since February 23rd.\r\nhttps://www.welivesecurity.com/2022/03/15/caddywiper-new-wiper-malware-discovered-ukraine\r\nPage 1 of 3\n\nMuch like with HermeticWiper, however, there's evidence to suggest that the bad actors behind CaddyWiper\r\ninfiltrated the target's network before unleashing the wiper.\r\nA wiper a week\r\nThis is the third time in as many weeks that ESET researchers have spotted a previously unknown strain of data-wiping malware in Ukraine.\r\nOn the eve of Russia’s invasion of Ukraine, ESET’s telemetry picked up HermeticWiper on the networks of a\r\nnumber of high-profile Ukrainian organizations. 
The campaigns also leveraged HermeticWizard, a custom worm\r\nused for propagating HermeticWiper inside local networks, and HermeticRansom, which acted as decoy\r\nransomware.\r\nThe next day, a second destructive attack against a Ukrainian governmental network started, this time deploying\r\nIsaacWiper.\r\nUkraine in the crosshairs\r\nIn January of this year, another data wiper, called WhisperGate, swept through the networks of multiple\r\norganizations in Ukraine.\r\nAll these campaigns are only the latest in a long string of attacks to have hit high-profile targets in the country\r\nover the past eight years. As explored by ESET researchers in a recent webinar and podcast, Ukraine has been on\r\nthe receiving end of a number of highly disruptive cyberattacks since 2014, including the NotPetya attack that tore\r\nthrough the networks of a number of Ukrainian businesses in June 2017 before spreading beyond the country’s\r\nborders.\r\nFor any inquiries about our research published on WeLiveSecurity, please contact us at threatintel@eset.com.\r\nESET Research now also offers private APT intelligence reports and data feeds. For any inquiries about this\r\nservice, visit the ESET Threat Intelligence page.\r\nSource: https://www.welivesecurity.com/2022/03/15/caddywiper-new-wiper-malware-discovered-ukraine",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.welivesecurity.com/2022/03/15/caddywiper-new-wiper-malware-discovered-ukraine"
	],
	"report_names": [
		"caddywiper-new-wiper-malware-discovered-ukraine"
	],
	"threat_actors": [],
	"ts_created_at": 1775434651,
	"ts_updated_at": 1775791238,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/bccf64eef7b96388171f16b50994592d5a3eb4fc.pdf",
		"text": "https://archive.orkl.eu/bccf64eef7b96388171f16b50994592d5a3eb4fc.txt",
		"img": "https://archive.orkl.eu/bccf64eef7b96388171f16b50994592d5a3eb4fc.jpg"
	}
}