CaddyWiper

Malware Profile Updated 24 days ago
CaddyWiper is a destructive malware, a type of malicious software designed to exploit and damage computer systems. It was one of several malware strains deployed against Ukraine starting in January 2022 by the Russian Advanced Persistent Threat (APT) group, alongside WhisperGate, HermeticWiper, IsaacWiper, and Industroyer 2. These strains were used in coordinated attacks aimed at disrupting operations and causing extensive data loss. Notably, some of them, WhisperGate in particular, impersonated ransomware: victims received ransom notes but no decryption keys, and the resulting data corruption was irrecoverable.

CaddyWiper had a distinctive feature: it checked whether the device it had infiltrated was a domain controller and, if it was, did not wipe the data. Together with Industroyer 2, it was used extensively in the attacks on Ukraine's industrial control system network. On March 14th, 2022, an attack using CaddyWiper targeted a Ukrainian bank, one of the most significant instances of its deployment. CaddyWiper and Industroyer 2 were also used in conjunction with other malware, namely AWFULSHRED, SOLOSHRED, and ORCSHRED, in attacks on Ukraine's electrical substations.

Despite claims of independence from the GRU (Russian military intelligence), evidence suggests that supposed Russian hacktivist groups have close ties to the intelligence services. For instance, the self-proclaimed hacktivist group CyberArmyofRussia_Reborn boasted about CaddyWiper infecting systems before it had actually encrypted any systems. This premature announcement, combined with the fact that CaddyWiper was part of a larger suite of malware tools used by Russia-backed state groups, points to a coordinated effort rather than independent action by disparate hacktivist groups.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Industroyer (4 votes): Industroyer, also known as CrashOverride, is a potent form of malware designed to target Industrial Control Systems (ICS), particularly those used in electrical substations. Its functionality supports four critical industry protocols and has been notably deployed by the Russia-backed group Sandworm
Wiper Malware (3 votes): Wiper malware is a type of malicious software designed to exploit and damage computer systems. It can infiltrate systems through various means, including suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can cause significant disruption, steal personal in
NikoWiper (3 votes): NikoWiper is a malicious software (malware) identified as a new data wiper attributed to Sandworm, a state-backed hacker group linked with Russia's Main Directorate of the General Staff of the Armed Forces (GRU). This malware, unique in its design compared to other strains, was used in an attack on
UNC3810 (2 votes): UNC3810 is a malware identified and tracked by cybersecurity firm Mandiant, notorious for its deployment of CaddyWiper in October 2022. This malicious software is designed to exploit and damage computer systems, often infiltrating via suspicious downloads, emails, or websites. The threat actor, init
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Wiper
ICS
Ukraine
Ransomware
Russian
ESET
Russia
Mandiant
Windows
APT
Ukrainian
Telegram
Associated Malware
HermeticWiper (relationship: has used, 4 votes): HermeticWiper is a destructive malware that was first identified in cyber attacks against organizations in Ukraine on February 23, 2022. It was disclosed by several cybersecurity researchers including SentinelLabs, a leading cybersecurity firm. This malware is designed to infiltrate and destroy comp
Industroyer2 (relationship: unspecified, 4 votes): Industroyer2 is a sophisticated piece of malware designed to target Industrial Control Systems (ICS), developed and deployed by the Russian state-sponsored advanced persistent threat group, Sandworm. The group has been active since 2007 and used Industroyer2 in a significant attack against Ukraine's
WhisperGate (relationship: unspecified, 4 votes): WhisperGate is a type of malware, specifically a wiper, used by cyber threat actors to destroy computer systems and render them inoperable. In 2022, it was deployed as part of a series of destructive cyber-attacks against Ukraine, initiated by the Russian Advanced Persistent Threat (APT) group. Thes
IsaacWiper (relationship: unspecified, 4 votes): IsaacWiper is a malicious software (malware) that has been identified as part of a series of cyberattacks against Ukraine in 2022. The malware is known to exploit and damage computer systems, often infiltrating them through suspicious downloads, emails, or websites. Once inside, IsaacWiper can disru
Foxblade (relationship: unspecified, 2 votes): Foxblade, also known as HermeticWiper, is a form of malware designed to exploit and damage computer systems. It was first reported in attacks that took place on March 10th, 2022, as part of the Hermetic campaign. The campaign also saw the deployment of another malware called HermeticRansom (or Sonic
Prestige Ransomware (relationship: unspecified, 2 votes): The Prestige ransomware is a type of malware that had not been observed by Microsoft prior to its deployment. It is a malicious software designed to exploit and damage computer systems, often infiltrating through suspicious downloads, emails, or websites. Once inside a system, it can steal personal
Associated Threat Actors
Sandworm (relationship: has used, 8 votes): Sandworm is a threat actor, often linked to Russia, known for its high-profile cyber attacks. The group gained notoriety for compromising 11 Ukrainian telecommunications providers and infiltrating Ukraine's telecom giant Kyivstar for months. In addition, Sandworm was responsible for disrupting power
CyberArmyofRussia_Reborn (relationship: unspecified, 2 votes): CyberArmyofRussia_Reborn is a threat actor with suspected links to the GRU, Russia's main intelligence agency. This group has been associated with several high-profile cyberattacks, including those on US and Polish water utilities and a French dam. The group uses its Telegram channel to leak stolen
Associated Vulnerabilities
No associations to display
Source Document References
Information about the CaddyWiper malware was read from the document corpus below. This display is limited to 20 results.
ESET (a year ago): A year of wiper attacks in Ukraine | WeLiveSecurity
SecurityIntelligence.com (6 months ago): CaddyWiper: Third Wiper Malware Targeting Ukrainian Organizations
CERT-EU (a year ago): Russian hackers used malware written in Golang in attacks on Ukraine - FreeBuf Network Security Industry Portal
MITRE (a year ago): CaddyWiper: New wiper malware discovered in Ukraine | WeLiveSecurity
CERT-EU (a year ago): Cybersecurity threatscape: Q1 2022
Securityaffairs (a year ago): Microsoft sheds light on a year of Russian hybrid warfare in Ukraine
CERT-EU (a year ago): APT Profile: Sandworm - SOCRadar® Cyber Intelligence Inc.
Fortinet (a year ago): The Year of the Wiper | FortiGuard Labs
Securityaffairs (a year ago): Google TAG warns of Russia-linked APT groups targeting Ukraine
ESET (a year ago): 2022 in review: 10 of the year's biggest cyberattacks | WeLiveSecurity
CERT-EU (a year ago): Ukraine: a new wave of viruses threatens to consume all data
Securityaffairs (a year ago): Leaked documents from Russian firm NTC Vulkan show Sandworm cyberwarfare arsenal
InfoSecurity-magazine (a year ago): Google Report Reveals Russia's Elaborate Cyber Strategy in Ukraine
CERT-EU (a year ago): A year into the war: 1:0 to Ukraine in cyber against Russia -
Securityaffairs (a year ago): Sandworm APT uses WinRAR in destructive attacks on Ukraine
Securityaffairs (7 months ago): Russian Sandworm disrupts power in Ukraine with a new OT attack
BankInfoSecurity (6 months ago): Ukraine Tracks a Record Number of Cyber Incidents During War
Malwarebytes (a year ago): New data wipers deployed against Ukraine
MITRE (a year ago): Update: Destructive Malware Targeting Organizations in Ukraine | CISA
CSO Online (a year ago): APT groups use ransomware TTPs as cover for intelligence gathering and sabotage