CaddyWiper
CaddyWiper is a destructive Windows wiper first detected by ESET on 2022-03-14; ESET also assigned its public name. It was used against Ukrainian organizations during Russia’s invasion of Ukraine, including Ukrainian banks, a governmental entity, the news agency Ukrinform, and, in Sandworm operations, a Ukrainian energy provider during the 2022 Ukraine Electric Power Attack. Multiple sources associate CaddyWiper with Sandworm, the GRU-linked threat group also tracked as Unit 74455, and describe it as one of several wiper families used in destructive activity against Ukraine.
Its core behavior is destructive file and disk wiping. Reported capabilities include destroying user data, overwriting files and drives, wiping mapped drives, and destroying a physical drive's partition information (MBR, GPT, partition entries, and boot partitions), which can leave systems unbootable. In the 2022 Ukraine Electric Power Attack, Sandworm deployed CaddyWiper on IT-environment systems to wipe files related to OT capabilities, mapped drives, and physical drive partitions. Splunk’s analytic story further states that CaddyWiper checks whether it is running on a Domain Controller and triggers a killswitch if one is detected; otherwise it destroys user files, mapped drives, and drive partitions.
Deployment observed in the content includes execution via Scheduled Tasks pushed through Group Policy Objects, indicating use in domain-wide disruptive operations after compromise of Active Directory or related administrative infrastructure. ESET noted that some wipers in Ukraine, including CaddyWiper, were planted in this fashion. In the April 2022 energy-sector attack, CaddyWiper was scheduled to execute shortly after Industroyer2 to erase traces and hinder recovery. Additional reporting in the content states that a later Sandworm/UNC3810 operation used modified GPOs and scheduled tasks to deploy CADDYWIPER variants across a Windows domain, and that variants have included x64, x86, and shellcode forms.
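As an added hunting example, not code from the page's sources or from any vendor, the following Python scores constructed Windows Security 4698 ("A scheduled task was created") records against the deployment pattern described above: a one-shot, time-triggered task pushed domain-wide that runs an executable from an unusual path. The task name Windows_Security_Update_HxW is the one quoted in the reporting; the event field layout, the binary path, and the machine-account heuristic are this example's assumptions.

```python
"""Flag 4698 events matching the pattern: a one-shot TimeTrigger task, running as
SYSTEM from a non-standard path, created by the Group Policy client (machine
account) rather than an interactive admin. Sample records are constructed."""
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}  # task XML namespace
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\program files\\")

SAMPLE_EVENTS = [  # constructed, not real telemetry
    {"EventID": 4698, "SubjectUserName": "WS01$", "TaskName": "\\Windows_Security_Update_HxW",
     "TaskContent": """<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger><StartBoundary>2022-04-08T14:58:00</StartBoundary></TimeTrigger></Triggers>
  <Principals><Principal><UserId>S-1-5-18</UserId></Principal></Principals>
  <Actions><Exec><Command>C:\\Windows\\Temp\\wiper.exe</Command></Exec></Actions></Task>"""},
    {"EventID": 4698, "SubjectUserName": "alice", "TaskName": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
     "TaskContent": """<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><StartBoundary>2022-01-01T02:00:00</StartBoundary></CalendarTrigger></Triggers>
  <Actions><Exec><Command>C:\\Windows\\System32\\defrag.exe</Command></Exec></Actions></Task>"""},
]

def suspicious_task(event):
    """Return the reasons a 4698 event matches the deployment pattern; [] means benign."""
    reasons = []
    root = ET.fromstring(event["TaskContent"])
    cmd = root.findtext("t:Actions/t:Exec/t:Command", default="", namespaces=NS)
    if cmd and not cmd.lower().strip('"').startswith(TRUSTED_DIRS):
        reasons.append(f"executable outside trusted directories: {cmd}")
    if root.find("t:Triggers/t:TimeTrigger", NS) is not None:
        reasons.append("one-shot TimeTrigger: runs once at a predetermined time")
    if root.findtext("t:Principals/t:Principal/t:UserId", default="", namespaces=NS) == "S-1-5-18":
        reasons.append("runs as SYSTEM")
    if event["SubjectUserName"].endswith("$"):  # heuristic: Group Policy client applies tasks as the machine
        reasons.append("created by a machine account, consistent with a GPO-pushed task")
    name = event["TaskName"]
    if re.search("update", name, re.I) and not name.lower().startswith("\\microsoft\\"):
        reasons.append("update-themed name outside the \\Microsoft\\ task folder")
    return reasons

def hunt(events, min_reasons=3):
    """Map task name -> reasons for every 4698 event with at least min_reasons hits."""
    hits = {}
    for e in events:
        if e.get("EventID") != 4698:
            continue
        reasons = suspicious_task(e)
        if len(reasons) >= min_reasons:
            hits[e["TaskName"]] = reasons
    return hits
```

Pairing these hits with SYSVOL changes to ScheduledTasks.xml in Group Policy Preferences gives the GPO side of the same activity.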
Known identifiers directly mentioned in the content include ESET detection name Win32/KillDisk.NCX. High-confidence victimology and targeting in the content center on Ukrainian government, financial, media, and especially energy-sector environments as part of broader Russia-linked destructive campaigns.
Groups observed using it
4 distinct threat actors attributed by public researchers.
During the 2022 Ukraine Electric Power Attack, Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.
"...5 samples of malicious programs (scripts) were detected... namely: CaddyWiper (Windows) ..."; "...an unsuccessful attempt... using the destructive malware CaddyWiper..."
"CADDYWIPER is a wiper that Mandiant first identified and reported on in March 2022... The malware enumerates the file system's physical drives and overwrites both file content and partitions with null bytes."
Techniques & procedures
18 distinct techniques documented for this family, organized by ATT&CK tactic.
Execution (3 techniques)
"...a Group Policy Object (GPO) was created, which in turn ensured the creation of the corresponding scheduled tasks." and "Windows_Security_Update_HxW (Scheduled Task)"
Persistence (2 techniques)
Privilege Escalation (3 techniques)
"...a Group Policy Object (GPO) was created, which in turn ensured the creation of the corresponding scheduled tasks." and "Windows_Security_Update_HxW (Scheduled Task)"
Stealth (1 technique)
The content includes multiple anti-analysis and environment checks, such as "OopsIE checks for information on the CPU fan, temperature, mouse, hard disk, and motherboard as part of its anti-VM checks" and "Raspberry Robin performs several system checks as part of anti-analysis mechanisms."
Defense Impairment (2 techniques)
Discovery (5 techniques)
The content repeatedly describes malware and threat actors obtaining lists of running processes, using utilities such as tasklist, ps, WMI, Get-Process, CreateToolhelp32Snapshot, EnumProcesses, and similar APIs/commands to enumerate active processes on victim systems.
The content repeatedly describes malware and threat actors collecting host details such as OS version, hostname, architecture, CPU, memory, BIOS, domain, language, and other configuration data; e.g., "APT41 uses multiple built-in commands such as systeminfo and net config Workstation to enumerate victim system basic configuration information."
The content repeatedly describes malware and threat actors listing files and directories, enumerating drives, searching for files by extension/name/path, retrieving file metadata, and browsing file systems (for example: "APT28 has used Forfiles to locate PDF, Excel, and Word documents during collection" and "cmd can be used to find files and directories with native functionality such as dir commands").
"CaddyWiper can use DsRoleGetPrimaryDomainInformation to determine the role of the infected machine. CaddyWiper can also halt execution if the compromised host is identified as a domain controller."
The content includes multiple anti-analysis and environment checks, such as "OopsIE checks for information on the CPU fan, temperature, mouse, hard disk, and motherboard as part of its anti-VM checks" and "Raspberry Robin performs several system checks as part of anti-analysis mechanisms."
Lateral Movement (1 technique)
Command and Control (1 technique)
Impact (5 techniques)
The hackers also deployed multiple forms of 'wiper' malware designed to destroy data on computers within the utility.
"GRU operations... frequently end with the deployment of wipers... CADDYWIPER... overwrites both file content and partitions with null bytes."
"AcidPour can identify various system locations and mapped devices on Linux systems as a precursor to wiping activity."
APT37 has access to destructive malware that is capable of overwriting a machine's Master Boot Record (MBR). APT38 has used a custom MBR wiper named BOOTWRECK to render systems inoperable. CaddyWiper has the ability to destroy information about a physical drive's partitions including the MBR, GPT, and partition entries.
Recent activity
35 sources tracked across advisories, community write-ups, and news.
Wiper malware used against Ukrainian infrastructure as part of Sandworm-attributed campaigns.
Destructive wiper malware previously deployed against Ukrainian networks, including power-supply units.
Data-wiping malware variants used in Sandworm-linked operations impacting Ukraine’s power grid.
Destructive wiper used in attacks (noted in 2022 activity).