{
	"id": "fefd06e6-82b3-4861-8110-1505f33d7217",
	"created_at": "2026-04-06T00:18:51.711358Z",
	"updated_at": "2026-04-10T03:30:49.754265Z",
	"deleted_at": null,
	"sha1_hash": "ee57b8d1d4998e1063bf5e387ac2ea237a6b4cdb",
	"title": "Wiper Malware Riding the 2021 Tokyo Olympic Games | FortiGuard Labs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 81825,
	"plain_text": "Wiper Malware Riding the 2021 Tokyo Olympic Games |\r\nFortiGuard Labs\r\nBy Shunichi Imano and Fred Gutierrez\r\nPublished: 2021-07-26 · Archived: 2026-04-05 21:10:27 UTC\r\nFortiGuard Labs Threat Research Report\r\nAs society becomes increasingly reliant on technology, and as the world is more connected than ever, attacks by\r\nthreat actors are not only more prevalent but also more disruptive. Because of the variety of agendas held by\r\ndifferent malicious entities, including cybercriminals, hacktivists, and nation states, high-profile events are easy\r\ntargets for sowing chaos, distributing malware, capturing or exfiltrating data, or even shutting down an event\r\naltogether. But regardless of the purpose, mass disruption and fear almost always follow, whether or not that was\r\nthe intended goal of the attackers.\r\nIn that context, FortiGuard Labs has observed new threat samples targeting the 2021 Tokyo Olympic Games. They\r\ninclude a wiper component, which, if successful, could cause a disruption to targeted machines.\r\nBackground\r\nThe most recent attack targeting the Olympics was documented during the 2018 Winter Games. The lure was a\r\nmalicious Word document titled \"Russian figure skater won the PyeongChang Winter Olympics in South\r\nKorea.doc.\" Once the user opened the document, the sample called out and dropped a backdoor component called\r\nIcefog. First discovered in 2013, the Icefog backdoor was used to attack sectors in the APAC region, with a focus\r\non Japan and South Korea.\r\nThe threat actor group responsible for Icefog is very methodical. Targets are carefully chosen, and the group\r\nseems to know what they are after beforehand. 
Icefog leveraged CVE-2012-0158—an older vulnerability in\r\nWindows common controls—relying on the fact that many system administrators, especially those in\r\norganizations with a large number of computers (governments, NGOs, companies, various organizations, etc.),\r\noften find patching cumbersome. Because of this, older exploits such as this one are often a successfully exploited\r\nvector, even though this particular vulnerability was over 6 years old at the time of the attack.\r\nFast forward to today, and in the wee hours of the Tokyo Olympic Games an interesting wiper malware surfaced\r\nthat reminded us of the destructive malware that targeted the Pyeongchang Winter Games, known as\r\n“Olympic Destroyer.” The new sample's file name is “【至急】東京オリンピック開催に伴うサイバー攻撃等発生に関する\r\n被害報告について.exe” (English translation: “(Urgent) Damage report in relation with cyber attacks targeting the\r\nTokyo Olympics Games.exe”).\r\nAlthough this particular malware is listed in some OSINT reports as potentially related to the Olympic Destroyer\r\nsample, we have not observed this to be the case. We also do not have any information on the delivery mechanism\r\nor methods used by the attacker, nor its intended targets. However, given its ties to the Olympics, and the relatively\r\nshort time frame for exploitation, we feel it is important that we share what we know so far about this new wiper\r\nmalware.\r\nhttps://www.fortinet.com/blog/threat-research/wiper-malware-riding-tokyo-olympic-games\r\nPage 1 of 5\n\nNote: This is an evolving situation, and we will update this blog with relevant information when available. \r\nFor a historical summary of attacks targeting the Olympic Games, please visit the Cyber Threat Alliance\r\nwhitepaper, for which FortiGuard Labs was a contributing author:\r\nUPDATING THE 2020 SUMMER OLYMPICS THREAT ASSESSMENT\r\nQ. When was this malware found?\r\nThe malware was uploaded to a publicly available file repository on July 20th, 2021. 
A related file was\r\nsubsequently found to have been uploaded to the same repository on July 17th, 2021. Both files have a PDF icon.\r\nQ. Are Fortinet customers protected?\r\nYes, FortiGuard Labs has the following AV coverage in place for the malware:\r\nW32/KillFiles.NKP!tr.ransom\r\nAll known IOCs are blocked by FortiEDR’s advanced real-time protection and have already been added to our\r\ncloud intelligence to prevent further execution on customer systems. \r\nAll network IOCs are blocked by the WebFiltering client.\r\nQ. How are the two files related?\r\nThose files do not work in tandem with each other. The malware uploaded on July 20th has file deletion capability.\r\nThe July 17th sample includes everything but the destruction feature.\r\nQ. What does the malware do?\r\nThe destroyer malware searches for and deletes files with the following file extensions on the compromised\r\nmachine.\r\n.doc\r\n.docm\r\n.docx\r\n.dot\r\n.dotm\r\n.dotx\r\n.pdf\r\n.csv\r\n.xls\r\n.xlsx\r\n.xlsm\r\n.ppt\r\n.pptx\r\n.pptm\r\n.jtdc\r\n.jttc\r\n.jtd\r\n.jtt\r\n.txt\r\n.exe\r\n.log\r\nThe malware also silently accesses a benign adult site. Lastly, the threat deletes itself when all actions are\r\ncompleted.\r\nQ. Does the malware have worm capability?\r\nNo, the malware does not have any propagation mechanism.\r\nQ. Which organization did the malware target?\r\nCurrently, there is no information available pertaining to the targets or victims.\r\nQ. Is there any similarity to Olympic Destroyer?\r\nNo, this malware and Olympic Destroyer do not have any similarity in code.\r\nQ. Is there any nation state involvement?\r\nAt this time, there is insufficient evidence to support the involvement of any nation state. Based on the relative\r\nlack of sophistication of the code, however, it seems unlikely that a nation state is behind the malware. 
\r\nQ. Is there anything noteworthy about the malware?\r\nThe malware has one interesting trick up its sleeve to deter researchers—it checks to see whether its own code has\r\nbeen modified. For example, the non-wiper (July 17th) sample includes the following code.\r\nEssentially, what this means is that for certain functions, such as Enum_Procs, Check_Debuggers, and\r\nCheck_VMX (seen in the above screenshot), the malware checks the first 5 bytes to see if they contain the “0xCC”\r\nopcode. This x86 instruction is INT3, a software breakpoint that tells a debugger to temporarily stop the running\r\nprogram. This method works as another anti-debug check because it detects whether this function has been\r\ndisabled.\r\nThe wiper (July 20th) version of this malware goes a step further. Aside from checking for “0xCC”, it also checks\r\nfor others such as “0xEB” (call), “0xE8” (jmp), and “0xE9” (jmp). These instructions divert program flow away\r\nfrom the intended flow created by the original programmer. One reason to divert program flow is to hook and\r\nmonitor Windows APIs. An API monitor can report what a program is doing while it is running, saving\r\nresearchers a lot of reverse engineering time and effort. However, if any of this code has been modified to enable\r\nmonitoring, the wiper exits without performing any malicious activities. This is yet another anti-analysis check to\r\navoid behavioral monitoring. 
More information about diverting program flow can be found on the Microsoft\r\nDetours website.\r\nAs this is an ongoing event, FortiGuard Labs is monitoring the situation and will provide relevant updates for\r\nsignificant findings as they are uncovered.\r\nMITRE Classifications\r\nDefense Evasion\r\nT1480: Execution Guardrails\r\nT1070.004: File Deletion\r\nT1027.002: Software Packing\r\nT1497: Virtualization/Sandbox Evasion\r\nT1497.001: System Checks\r\nT1497.003: Time Based Evasion\r\nDiscovery\r\nT1083: File and Directory Discovery\r\nT1057: Process Discovery\r\nT1518.001: Security Software Discovery\r\nT1497: Virtualization/Sandbox Evasion\r\nT1497.001: System Checks\r\nT1497.003: Time Based Evasion\r\nImpact\r\nT1485: Data Destruction\r\nIOCs\r\nSample SHA-256:\r\nfb80dab592c5b2a1dcaaf69981c6d4ee7dbf6c1f25247e2ab648d4d0dc115a97\r\nc58940e47f74769b425de431fd74357c8de0cf9f979d82d37cdcf42fcaaeac32\r\nLearn more about Fortinet’s FortiGuard Labs threat research and intelligence organization and the FortiGuard\r\nSecurity Subscriptions and Services portfolio.\r\nLearn more about Fortinet’s free cybersecurity training, an initiative of Fortinet’s Training Advancement Agenda\r\n(TAA), or about the Fortinet Network Security Expert program, Security Academy program, and Veterans\r\nprogram. Learn more about FortiGuard Labs global threat intelligence and research and the FortiGuard Security\r\nSubscriptions and Services portfolio.\r\nSource: https://www.fortinet.com/blog/threat-research/wiper-malware-riding-tokyo-olympic-games",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.fortinet.com/blog/threat-research/wiper-malware-riding-tokyo-olympic-games"
	],
	"report_names": [
		"wiper-malware-riding-tokyo-olympic-games"
	],
	"threat_actors": [
		{
			"id": "1aead86d-0c57-4e3b-b464-a69f6de20cde",
			"created_at": "2023-01-06T13:46:38.318176Z",
			"updated_at": "2026-04-10T02:00:02.925424Z",
			"deleted_at": null,
			"main_name": "DAGGER PANDA",
			"aliases": [
				"UAT-7290",
				"Red Foxtrot",
				"IceFog",
				"RedFoxtrot",
				"Red Wendigo",
				"PLA Unit 69010"
			],
			"source_name": "MISPGALAXY:DAGGER PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5d9dfc61-6138-497a-b9da-33885539f19c",
			"created_at": "2022-10-25T16:07:23.720008Z",
			"updated_at": "2026-04-10T02:00:04.726002Z",
			"deleted_at": null,
			"main_name": "Icefog",
			"aliases": [
				"ATK 23",
				"Dagger Panda",
				"Icefog",
				"Red Wendigo"
			],
			"source_name": "ETDA:Icefog",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"Dagger Three",
				"Fucobha",
				"Icefog",
				"Javafog",
				"POISONPLUG.SHADOW",
				"RoyalRoad",
				"ShadowPad Winnti",
				"XShellGhost"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434731,
	"ts_updated_at": 1775791849,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ee57b8d1d4998e1063bf5e387ac2ea237a6b4cdb.pdf",
		"text": "https://archive.orkl.eu/ee57b8d1d4998e1063bf5e387ac2ea237a6b4cdb.txt",
		"img": "https://archive.orkl.eu/ee57b8d1d4998e1063bf5e387ac2ea237a6b4cdb.jpg"
	}
}