CaddyWiper

Malware Profile Updated 3 months ago
CaddyWiper is a destructive wiper: malware built to damage computer systems rather than to profit from them. It was one of several malware families deployed against Ukraine starting in January 2022 by a Russian Advanced Persistent Threat (APT) group, alongside WhisperGate, HermeticWiper, IsaacWiper, and Industroyer 2. These families were used in coordinated attacks aimed at disrupting operations and causing extensive data loss. Some of them, WhisperGate in particular, posed as ransomware, leaving victims a ransom note but no decryption key, so the result was irrecoverable data corruption. CaddyWiper had a distinctive feature: it checked whether the host it ran on was a domain controller and, if so, did not wipe its data. Together with Industroyer 2, it was used extensively in the attacks on Ukraine's industrial control system network. On March 14th, 2022, an attack using CaddyWiper hit a Ukrainian bank, one of the notable instances of its deployment. CaddyWiper and Industroyer 2 were also used in conjunction with AWFULSHRED, SOLOSHRED, and ORCSHRED in attacks on Ukraine's electrical substations.

Despite claims of independence from the GRU (Russian military intelligence), evidence suggests that supposed Russian hacktivist groups have close ties to the intelligence services. For instance, a self-proclaimed hacktivist group called CyberArmyofRussia_Reborn boasted that CaddyWiper had infected systems before it had actually encrypted any systems. That premature announcement, combined with the fact that CaddyWiper was part of a larger suite of tools used by Russia-backed state groups, points to a coordinated effort rather than the independent actions of disparate hacktivist groups.
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possibly overlapping names and profiles you may also want to look at.
ID (votes): Profile description

Industroyer (4 votes): Industroyer, also known as CrashOverride, is a potent malware specifically designed to target Industrial Control Systems (ICS) used in electrical substations. It first gained notoriety for its role in the 2016 cyberattack on Ukraine's power grid, which resulted in a six-hour blackout in Kyiv. The ma

Nikowiper (3 votes): NikoWiper is a malicious software (malware) identified as a new data wiper attributed to Sandworm, a state-backed hacker group linked with Russia's Main Directorate of the General Staff of the Armed Forces (GRU). This malware, unique in its design compared to other strains, was used in an attack on

Unc3810 (2 votes): UNC3810 is a malware identified and tracked by cybersecurity firm Mandiant, notorious for its deployment of CaddyWiper in October 2022. This malicious software is designed to exploit and damage computer systems, often infiltrating via suspicious downloads, emails, or websites. The threat actor, init
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Wiper
Ukraine
ICS
ESET
Russia
Ransomware
Russian
Telegram
Ukrainian
Mandiant
APT
Windows
Loader
Ukraine’s
Ransom
Exploit
Linux
SentinelOne
Espionage
IBM
NATO
Associated Malware
ID (relationship type, votes): Profile description

Industroyer2 (Unspecified, 4 votes): Industroyer2 is a sophisticated piece of malware designed to target Industrial Control Systems (ICS), developed and deployed by the Russian state-sponsored advanced persistent threat group, Sandworm. The group has been active since 2007 and used Industroyer2 in a significant attack against Ukraine's

HermeticWiper (has used, 4 votes): HermeticWiper is a destructive malware that was first disclosed by cybersecurity researchers on February 23, 2022. This malicious software was deployed against organizations in Ukraine, with the intent of destroying computer systems and rendering them inoperable. The malware infiltrates systems thro

WhisperGate (Unspecified, 4 votes): WhisperGate is a type of malware, specifically a wiper, that was used extensively in cyberattacks against Ukrainian organizations throughout 2022. It was one of several malicious software tools deployed by Russian Advanced Persistent Threat (APT) actors, alongside others such as AwfulShred, CaddyWip

Isaacwiper (Unspecified, 4 votes): IsaacWiper is a malicious software (malware) that has been identified as part of a series of cyberattacks against Ukraine in 2022. The malware is known to exploit and damage computer systems, often infiltrating them through suspicious downloads, emails, or websites. Once inside, IsaacWiper can disru

Foxblade (Unspecified, 2 votes): Foxblade, also known as HermeticWiper, is a form of malware designed to exploit and damage computer systems. It was first reported in attacks that took place on March 10th, 2022, as part of the Hermetic campaign. The campaign also saw the deployment of another malware called HermeticRansom (or Sonic

Prestige Ransomware (Unspecified, 2 votes): The Prestige ransomware is a type of malware that had not been observed by Microsoft prior to its deployment. It is a malicious software designed to exploit and damage computer systems, often infiltrating through suspicious downloads, emails, or websites. Once inside a system, it can steal personal

Doublezero (Unspecified, 1 vote): DoubleZero is a form of malware, specifically classified as a "wiper," that was discovered by CERT-UA on March 17th, 2022. Like other malicious software, it can infiltrate systems through suspicious downloads, emails, or websites, often without the user's knowledge. Unlike most malware, however, Dou

Whisperkill (Unspecified, 1 vote): None

Acidrain (Unspecified, 1 vote): AcidRain is a malicious software, or malware, that was first described in March, following a cyberattack that disrupted approximately 10,000 satellite modems associated with communications provider Viasat's KA-SAT network. The malware was discovered by cybersecurity firm SentinelOne in February 2022

Prestige (Unspecified, 1 vote): Prestige is a type of malware attributed to the Russia-linked Advanced Persistent Threat (APT) group, Sandworm. This malicious software was used in ransomware attacks against Ukrainian and Polish logistics companies in October 2022. The deployment of Prestige coincided with reported instances of ran

Acidpour (Unspecified, 1 vote): AcidPour is a newly identified malware that has been specifically designed to target Linux x86 devices. As a wiper, AcidPour's primary function is to erase data from the infected device, leading to significant disruptions in operations and potential loss of valuable information. The malware infiltra

HermeticWizard (Unspecified, 1 vote): HermeticWizard is a malicious software (malware) that emerged as part of a series of cyber-attacks against Ukraine since January 2022. The malware operates alongside other destructive programs such as HermeticWiper, IsaacWiper, and CaddyWiper, with additional Indicators of Compromise (IOCs) for Whis
Associated Threat Actors
ID (relationship type, votes): Profile description

Sandworm (has used, 8 votes): Sandworm, a threat actor linked to Russia, has been implicated in numerous high-profile cyber attacks. This group's activities have primarily targeted Ukraine, compromising the country's critical infrastructure and telecommunications providers. The Sandworm group is known for its fileless attack met

Cyberarmyofrussia_reborn (Unspecified, 2 votes): CyberArmyofRussia_Reborn is a threat actor with suspected links to the GRU, Russia's main intelligence agency. This group has been associated with several high-profile cyberattacks, including those on US and Polish water utilities and a French dam. The group uses its Telegram channel to leak stolen
Associated Vulnerabilities
No associations to display
Source Document References
Information about the CaddyWiper malware was read from the document corpus below. This display is limited to 20 results.
Source (created): Title

Securityaffairs (3 months ago): Previously unknown Kapeka backdoor linked to Sandworm APT
DARKReading (4 months ago): Russian APT Releases More Deadly Variant of AcidRain Wiper Malware
CERT-EU (7 months ago): Analysis of OT cyberattacks and malwares
Securityaffairs (7 months ago): Russia-linked APT Sandworm was inside Ukraine telecoms giant Kyivstar for months
BankInfoSecurity (8 months ago): Ukraine Tracks a Record Number of Cyber Incidents During War
CERT-EU (8 months ago): Mandiant tackles destructive Sandworm cyber attack on Ukrainian infrastructure
SecurityIntelligence.com (8 months ago): CaddyWiper: Third Wiper Malware Targeting Ukrainian Organizations
CERT-EU (8 months ago): Sandworm, a Russian Threat Actor, Disrupted Power in Ukraine Via Cyberattack
CERT-EU (8 months ago): Russia’s Sandworm hackers behind power blackouts in Ukraine amid massive missile strikes
CERT-EU (9 months ago): How Living-off-the-land (LotL) technique is used to hack into power grids & cause power outages
CERT-EU (9 months ago): Ukraine's power grid targeted by Sandworm hackers last year
CERT-EU (9 months ago): Russian Hackers Sandworm Cause Power Outage in Ukraine Amidst Missile Strikes
Securityaffairs (9 months ago): Russian Sandworm disrupts power in Ukraine with a new OT attack
CERT-EU (9 months ago): Sandworm hackers incapacitated Ukrainian power grid amid missile strike - Help Net Security
CERT-EU (9 months ago): Russian hackers disrupted Ukrainian electrical grid last year
CERT-EU (9 months ago): Russia's Sandworm, not just missile strikes, behind blackout
CERT-EU (9 months ago): Russian hackers switch to LOTL technique to cause power outage
InfoSecurity-magazine (9 months ago): Russian APT Sandworm Disrupted Power in Ukraine Using OT Techniques
CERT-EU (9 months ago): New BiBi-Linux wiper malware targets Israeli orgs in destructive attacks
BankInfoSecurity (9 months ago): Ukrainian Telcos Targeted by Suspected Sandworm Hackers