{ "id": "2c84d192-f6ce-4190-9601-ef1efd342b08", "created_at": "2026-04-06T00:18:43.208561Z", "updated_at": "2026-04-10T03:35:26.343282Z", "deleted_at": null, "sha1_hash": "e9c32a3584bd0ebd7af519f90a0f0b5fd902ab19", "title": "DoubleZero (Malware Family)", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 89219, "plain_text": "DoubleZero (Malware Family)\r\nBy Fraunhofer FKIE\r\nArchived: 2026-04-05 19:12:07 UTC\r\nDoubleZero\r\naka: FiberLake\r\nA wiper identified by CERT-UA on March 17th, written in C#.\r\nReferences\r\n2023-03-15 ⋅ Microsoft ⋅\r\nA year of Russian hybrid warfare in Ukraine\r\nCaddyWiper DesertBlade DoubleZero HermeticWiper INDUSTROYER2 IsaacWiper PartyTicket SwiftSlicer\r\nWhisperGate\r\n2022-11-18 ⋅ Palo Alto Networks Unit 42 ⋅ Akshata Rao, Wenjun Hu, Zong-Yu Wu\r\nAn AI Based Solution to Detecting the DoubleZero .NET Wiper\r\nDoubleZero\r\n2022-10-24 ⋅ Youtube (Virus Bulletin) ⋅ Alexander Adamov\r\nRussian wipers in the cyberwar against Ukraine\r\nAcidRain CaddyWiper DesertBlade DoubleZero EternalPetya HermeticWiper HermeticWizard\r\nINDUSTROYER2 IsaacWiper KillDisk PartyTicket WhisperGate\r\n2022-09-26 ⋅ CrowdStrike ⋅ Ioan Iacob, Iulian Madalin Ionita\r\nThe Anatomy of Wiper Malware, Part 3: Input/Output Controls\r\nCaddyWiper DEADWOOD DistTrack DoubleZero DUSTMAN HermeticWiper IsaacWiper Meteor Petya\r\nSierra(Alfa,Bravo, ...) StoneDrill WhisperGate ZeroCleare\r\n2022-08-18 ⋅ Trustwave ⋅ Pawel Knapczyk\r\nOverview of the Cyber Weapons Used in the Ukraine - Russia War\r\nAcidRain CaddyWiper Cobalt Strike CredoMap DCRat DoubleZero GraphSteel GrimPlant HermeticWiper\r\nINDUSTROYER2 InvisiMole IsaacWiper PartyTicket\r\n2022-08-18 ⋅ Trustwave ⋅ Pawel Knapczyk\r\nOverview of the Cyber Weapons Used in the Ukraine - Russia War\r\nAcidRain CaddyWiper Cobalt Strike CredoMap DCRat DoubleZero GraphSteel GrimPlant HermeticWiper\r\nINDUSTROYER2 InvisiMole IsaacWiper PartyTicket\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.doublezero\r\nPage 1 of 3\n\n2022-08-12 ⋅ CrowdStrike ⋅ Ioan Iacob, Iulian Madalin Ionita\r\nThe Anatomy of Wiper Malware, Part 1: Common Techniques\r\nApostle CaddyWiper DEADWOOD DistTrack DoubleZero DUSTMAN HermeticWiper IsaacWiper IsraBye\r\nKillDisk Meteor Olympic Destroyer Ordinypt Petya Sierra(Alfa,Bravo, ...) StoneDrill WhisperGate\r\nZeroCleare\r\n2022-05-11 ⋅ Kaspersky ⋅ GReAT\r\nNew ransomware trends in 2022\r\nBlackCat Conti DEADBOLT DoubleZero LockBit PartyTicket StealBit\r\n2022-05-02 ⋅ AT\u0026T ⋅ Fernando Martinez\r\nAnalysis on recent wiper attacks: examples and how wiper malware works\r\nAcidRain CaddyWiper DoubleZero HermeticWiper INDUSTROYER2 IsaacWiper\r\n2022-04-28 ⋅ Fortinet ⋅ Gergely Revay\r\nAn Overview of the Increasing Wiper Malware Threat\r\nAcidRain CaddyWiper DistTrack DoubleZero EternalPetya HermeticWiper IsaacWiper Olympic Destroyer\r\nOrdinypt WhisperGate ZeroCleare\r\n2022-04-27 ⋅ Microsoft ⋅ Microsoft Digital Security Unit (DSU)\r\nSpecial Report: Ukraine An overview of Russia’s cyberattack activity in Ukraine\r\nCaddyWiper DoubleZero HermeticWiper INDUSTROYER2 IsaacWiper PartyTicket WhisperGate\r\n2022-04-05 ⋅ eSentire ⋅ eSentire Threat Response Unit (TRU)\r\neSentire Threat Intelligence Malware Analysis: DoubleZero\r\nDoubleZero\r\n2022-03-28 ⋅ splunk ⋅ Splunk Threat Research Team\r\nThreat Update DoubleZero Destructor\r\nDoubleZero\r\n2022-03-25 ⋅ GOV.UA ⋅ State Service of Special Communication and Information Protection of Ukraine (CIP)\r\nWho is behind the Cyberattacks on Ukraine's Critical Information Infrastructure: Statistics for March 15-22\r\nXloader Agent Tesla CaddyWiper Cobalt Strike DoubleZero GraphSteel GrimPlant HeaderTip HermeticWiper\r\nIsaacWiper MicroBackdoor Pandora RAT\r\n2022-03-24 ⋅ NextGov ⋅ Brandi Vincent\r\nUkrainian Cyber Lead Says ‘At Least 4 Types of Malware’ in Use to Target Critical Infrastructure and\r\nHumanitarian Aid\r\nCaddyWiper DoubleZero HermeticWiper IsaacWiper\r\n2022-03-24 ⋅ Cisco Talos ⋅ Cisco Talos\r\nThreat Advisory: DoubleZero\r\nDoubleZero\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.doublezero\r\nPage 2 of 3\n\n2022-03-22 ⋅ ⋅ Cert-UA ⋅ Cert-UA\r\nCyberattack on Ukrainian enterprises using the DoubleZero destructor program (CERT-UA # 4243)\r\nDoubleZero\r\n2022-02-28 ⋅ Microsoft ⋅ MSRC Team\r\nCyber threat activity in Ukraine: analysis and resources\r\nCaddyWiper DesertBlade DoubleZero HermeticWiper INDUSTROYER2 IsaacWiper PartyTicket\r\nWhisperGate DEV-0586\r\nThere is no Yara-Signature yet.\r\nSource: https://malpedia.caad.fkie.fraunhofer.de/details/win.doublezero\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.doublezero\r\nPage 3 of 3", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.doublezero" ], "report_names": [ "win.doublezero" ], "threat_actors": [ { "id": "11f52079-26d3-4e06-8665-6a0b3efdc41c", "created_at": "2022-10-25T16:07:23.736987Z", "updated_at": "2026-04-10T02:00:04.732021Z", "deleted_at": null, "main_name": "InvisiMole", "aliases": [ "UAC-0035" ], "source_name": "ETDA:InvisiMole", "tools": [ "InvisiMole" ], "source_id": "ETDA", "reports": null }, { "id": "d90307b6-14a9-4d0b-9156-89e453d6eb13", "created_at": "2022-10-25T16:07:23.773944Z", "updated_at": "2026-04-10T02:00:04.746188Z", "deleted_at": null, "main_name": "Lead", "aliases": [ "Casper", "TG-3279" ], "source_name": "ETDA:Lead", "tools": [ "Agentemis", "BleDoor", "Cobalt Strike", "CobaltStrike", "RbDoor", "RibDoor", "Winnti", "cobeacon" ], "source_id": "ETDA", "reports": null }, { "id": "610a7295-3139-4f34-8cec-b3da40add480", "created_at": "2023-01-06T13:46:38.608142Z", "updated_at": "2026-04-10T02:00:03.03764Z", "deleted_at": null, "main_name": "Cobalt", "aliases": [ "Cobalt Group", "Cobalt Gang", "GOLD KINGSWOOD", "COBALT SPIDER", "G0080", "Mule Libra" ], "source_name": "MISPGALAXY:Cobalt", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "12b5d602-4017-4a6f-a2a3-387a6e07a27b", "created_at": "2023-01-06T13:46:39.095233Z", "updated_at": "2026-04-10T02:00:03.21157Z", "deleted_at": null, "main_name": "InvisiMole", "aliases": [], "source_name": "MISPGALAXY:InvisiMole", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "c28760b2-5ec6-42ad-852f-be00372a7ce4", "created_at": "2022-10-27T08:27:13.172734Z", "updated_at": "2026-04-10T02:00:05.279557Z", "deleted_at": null, "main_name": "Ember Bear", "aliases": [ "Ember Bear", "UNC2589", "Bleeding Bear", "DEV-0586", "Cadet Blizzard", "Frozenvista", "UAC-0056" ], "source_name": "MITRE:Ember Bear", "tools": [ "P.A.S. Webshell", "CrackMapExec", "ngrok", "reGeorg", "WhisperGate", "Saint Bot", "PsExec", "Rclone", "Impacket" ], "source_id": "MITRE", "reports": null }, { "id": "bdbf873a-048d-4c5d-9d92-922327cc83a8", "created_at": "2023-01-06T13:46:39.387696Z", "updated_at": "2026-04-10T02:00:03.310459Z", "deleted_at": null, "main_name": "DEV-0586", "aliases": [ "Ruinous Ursa", "Cadet Blizzard" ], "source_name": "MISPGALAXY:DEV-0586", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "025b7171-98f8-4391-adc2-66333629c715", "created_at": "2023-06-23T02:04:34.120175Z", "updated_at": "2026-04-10T02:00:04.599019Z", "deleted_at": null, "main_name": "Cadet Blizzard", "aliases": [ "DEV-0586", "Operation Bleeding Bear", "Ruinous Ursa" ], "source_name": "ETDA:Cadet Blizzard", "tools": [ "GO Simple Tunnel", "GOST", "Impacket", "LOLBAS", "LOLBins", "Living off the Land", "P0wnyshell", "PAYWIPE", "Ponyshell", "Pownyshell", "WhisperGate", "WhisperKill", "netcat", "reGeorg" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434723, "ts_updated_at": 1775792126, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/e9c32a3584bd0ebd7af519f90a0f0b5fd902ab19.pdf", "text": "https://archive.orkl.eu/e9c32a3584bd0ebd7af519f90a0f0b5fd902ab19.txt", "img": "https://archive.orkl.eu/e9c32a3584bd0ebd7af519f90a0f0b5fd902ab19.jpg" } }