{
	"id": "76c36bfd-f156-426f-b20a-3b8c2308c327",
	"created_at": "2026-04-06T00:07:17.44947Z",
	"updated_at": "2026-04-10T03:21:09.581862Z",
	"deleted_at": null,
	"sha1_hash": "eecf453811d205591914868879385a6263cfdb80",
	"title": "Threat Update DoubleZero Destructor | Splunk",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4820055,
	"plain_text": "Threat Update DoubleZero Destructor | Splunk\r\nBy Splunk Threat Research Team\r\nPublished: 2022-03-28 · Archived: 2026-04-05 22:36:39 UTC\r\nThe Splunk Threat Research Team is actively monitoring the emergence of new threats in the cyber domain of ongoing geopolitical events. As we have shown previously in several releases, including HermeticWiper and CaddyWiper, actors in this campaign are deploying, updating, and modifying stealthier malicious payloads. On March 17th, 2022, the Ukraine CERT discovered a new malicious payload named DoubleZero Destructor (CERT-UA #4243). This new malicious payload has the following features:\r\nEnumerates Domain Controllers and executes a killswitch if one is detected. An automated friend-or-foe-like targeting function that avoids destroying Domain Controllers so attackers can maintain access or perform further elevation tasks (i.e., GPOs) on compromised networks.\r\nThe above feature also aids footprinting and identification of potential targets and non-targets.\r\nOverwrites files with zero blocks of 4096 bytes. It may alternatively use API calls such as NtOpenFile and NtFsControlFile for the same purpose.\r\nLists system files and then proceeds to destroy them.\r\nDeletes registry hives: HKCU (currently logged-on user), HKLM (configuration of currently installed software), HKU (information of all active users in the system), HKLM\\BCD (boot configuration data needed for UEFI and Legacy BIOS systems). Then shuts down the computer.\r\nAn added layer of obfuscation via junk code that impairs forensic analysis.\r\nAnalysis\r\nPreparing Targeted File Path\r\nThis malware is a .NET compiled binary that has customized obfuscation and a large amount of junk code that makes analysis harder to accomplish. 
Before performing its destructive functions it will list several directory names and paths where it will look for files to wipe.\r\nhttps://www.splunk.com/en_us/blog/security/threat-update-doublezero-destructor.html\r\nPage 1 of 9\n\nDomain Controller Kill Switch\r\nIt also has a function that enumerates the list of domain controllers connected to the compromised host. This function is used as a kill switch: the destructive routine is skipped if the compromised host is itself a domain controller. Below is the code snippet showing how it enumerates all the domain controllers; the logic is spread across the code because of the inserted junk code.\r\nWiping Files\r\nAside from the directory names it lists, shown earlier in its code, this malware will enumerate all the drives mounted on the machine to look for more files to wipe. The code below shows how it gets the drive information within the compromised host machine.\r\nThen it will adjust the token privilege and the SecurityIdentifier of its process to have “full control” file system rights, to avoid errors or access-denied failures while wiping the normal or system files it found on the compromised host. Below is the code showing how it adjusts the privilege and how it sets the access control for files to full control with an allow access control type.\r\nThen it will open the target file using the NtOpenFile() native API and zero (wipe) it using the NtFsControlFile() native API, which sends the IOCTL control code FSCTL_SET_ZERO_DATA directly to the file system. The wiper can wipe system files, which makes the compromised host unbootable after a restart. 
Below is the code screenshot of how this API was used in this wiper to perform its destructive function.\r\nBelow is an example of the event that happened in the compromised test lab while it wiped a file. We can see how the “MimeWriter.py” file was wiped with zero bytes after calling the IOCTL code FSCTL_SET_ZERO_DATA.\r\nWe also identified another wiping function. This additional function works by writing a zeroed buffer to the target file using the FileStream.Write .NET function. Below is the screenshot of its code after removing some of its junk code.\r\nDeleting Registry Subkeys\r\nThis wiper will also wipe known registry hives as part of its destructive payload. First, it enumerates running processes looking for one named “lsass” and kills it. Below is the code screenshot of how it enumerates all processes and executes the process.Kill() function if the “lsass” process is found.\r\nThen it will change the ownership of the registry keys to the currently logged-on user and change the access control to full access in order to delete each of the subkeys in the HKLM, HKCU, and HKU registry hives. Below is the code snippet, spread out in one of its classes, that modifies the owner and access control of the registry to delete all of its subkeys.\r\nDetections:\r\nThe Splunk Threat Research Team (STRT) has developed the following detections specifically targeting this payload and has produced several Analytic Stories (WhisperGate, HermeticWiper, CaddyWiper) targeting destructive software. 
These previous Analytic Stories can also help in the detection of this payload.\r\nWindows Terminating Lsass Process\r\nThis analytic detects a suspicious process terminating the Lsass process. Lsass is known to be a critical process that is responsible for enforcing security policy. This technique was seen in the DoubleZero malware, which tries to wipe files and the registry on compromised hosts.\r\n`sysmon` EventCode=10 TargetImage=*lsass.exe GrantedAccess=0x1\r\n | stats count min(_time) as firstTime max(_time) as lastTime by SourceImage, TargetImage, TargetProcessId, SourceProcessId, GrantedAccess, CallTrace, Computer\r\n | rename Computer as dest\r\n | `security_content_ctime(firstTime)`\r\n | `security_content_ctime(lastTime)`\r\nWindows Deleted Registry by a Non-Critical Process File Path\r\nThis analytic detects the deletion of a registry key by a process with a suspicious process file path. 
This technique was seen in the DoubleZero wiper malware, where it deletes all the subkeys in the HKLM, HKCU, and HKU registry hives as part of its destructive payload on the targeted hosts.\r\n| tstats `security_content_summariesonly` count from datamodel=Endpoint.Registry where Registry.action=deleted by _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_value_name Registry.registry_key_name Registry.process_guid Registry.registry_value_data Registry.action\r\n | `drop_dm_object_name(Registry)`\r\n | rename process_guid as proc_guid\r\n | join proc_guid, _time [| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where NOT (Processes.process_path IN (\"*\\\\windows\\\\*\", \"*\\\\program files*\")) by _time span=1h Processes.process_id Processes.process_name Processes.process Processes.dest Processes.parent_process_name Processes.parent_process Processes.process_path Processes.process_guid\r\n | `drop_dm_object_name(Processes)`\r\n | rename process_guid as proc_guid\r\n | fields _time dest user parent_process_name parent_process process_name process_path process proc_guid registry_path registry_value_name registry_value_data registry_key_name action]\r\n | table _time parent_process_name parent_process process_name process_path process proc_guid registry_path registry_value_name registry_value_data registry_key_name action dest user\r\n | `windows_deleted_registry_by_a_non_critical_process_file_path_filter`\r\nLearn More\r\nYou can find the latest content about security analytic stories on research.splunk.com. 
For a full list of security content, check out the release notes on Splunk Docs.\r\nContributors\r\nWe would like to thank the following for their contributions to this post.\r\nTeoderick Contreras\r\nRod Soto\r\nJose Hernandez\r\nPatrick Barreiss\r\nLou Stella\r\nMauricio Velazco\r\nMichael Haag\r\nBhavin Patel\r\nEric McGinnis\r\nSource: https://www.splunk.com/en_us/blog/security/threat-update-doublezero-destructor.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.splunk.com/en_us/blog/security/threat-update-doublezero-destructor.html"
	],
	"report_names": [
		"threat-update-doublezero-destructor.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434037,
	"ts_updated_at": 1775791269,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/eecf453811d205591914868879385a6263cfdb80.pdf",
		"text": "https://archive.orkl.eu/eecf453811d205591914868879385a6263cfdb80.txt",
		"img": "https://archive.orkl.eu/eecf453811d205591914868879385a6263cfdb80.jpg"
	}
}