Skip to main content
Meet us at Black Hat USA 2026— Las Vegas, August 1–6Book a Meeting
Mallory
Back to malware
MalwareUsed by 5 actors

SDelete

SDelete is Microsoft Sysinternals’ legitimate command-line utility for secure file deletion. It overwrites files before deleting them so data is intended to be unrecoverable, and is associated in the provided content with MITRE ATT&CK T1485 and file deletion/anti-forensics behavior. The content describes it being used to delete evidence, securely wipe files, and remove forensic artifacts or activity logs.

The utility has been used by multiple threat actors for cleanup and defense evasion. The content specifically states that APT29 used SDelete to remove artifacts from victims, FIN5 used it to clean up the environment and attempt to prevent detection, and Sandworm used SDelete in destructive operations. CERT-UA reporting in the provided content states that during the January 2023 attack on Ukraine’s national news agency Ukrinform, attackers intended to execute sdelete.exe via a batch file named news.bat as part of a broader destructive operation that also involved CaddyWiper, ZeroWipe, AwfulShred, and BidSwipe; the attack was attributed to UAC-0082 (Sandworm), associated with Russia’s GRU. The content also notes ESET detected execution of the SDelete utility at a Ukrainian software reseller on 2023-01-01, and that NikoWiper is based on the SDelete Microsoft command-line utility.

Observed indicators directly mentioned in the content include the filename sdelete.exe and, in the Ukrinform incident, MD5 803df907d936e08fbbd06020c411be93 and SHA-256 e8eaa39e2adfd49ab69d7bb8504ccb82a902c8b48fbc256472f36f41775e594c for an SDelete binary, as well as the associated launcher news.bat with MD5 6aa899b47596323da573fb218f3a8266 and SHA-256 301b248a8291df6c7f3565a3dac17ee69609f36ef474b4f20eebe134746a9cac. The content also references a Splunk attack simulation dataset for SDelete execution dated 2021-10-06, with Sysmon telemetry collected in an attack_range environment for detection testing.

Share:
For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial
THREAT ACTORS

Groups observed using it

5 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

View more details
APT29

"They commonly use tools like Microsoft's SDelete utility to securely delete files and wipe activity logs..."

via picus security blogpicussecurity.com
FIN5

APT29 used SDelete to remove artifacts from victims.

via mitre attackattack.mitre.org
Sandworm

SDelete deletes data in a way that makes it unrecoverable.

via mitre attackattack.mitre.org
UAC-0133

...зокрема, з використанням SDELETE.

via cert uacert.gov.ua
UAC-0082

"...а також легітимної утиліти SDelete (запуск якої передбачалося здійснити за допомогою "news.bat")"

via cert uacert.gov.ua
MITRE ATT&CK

Techniques & procedures

9 distinct techniques documented for this family, organized by ATT&CK tactic.

Resource Development

1 technique
T1588.002ToolEvidence3

The content repeatedly states that threat actors 'obtained,' 'acquired,' or 'used' publicly available, open-source, legitimate, or modified tools such as Mimikatz, Cobalt Strike, PsExec, Empire, Impacket, and many others.

Execution

2 techniques
T1053Scheduled Task/JobEvidence1

"...створено об'єкт групової політики (GPO), що, у свою чергу, забезпечував створення відповідних запланованих завдань." and "Windows_Security_Update_HxW (Scheduled Task)"

T1059.003Windows Command ShellEvidence1

"...легітимної утиліти SDelete (запуск якої передбачалося здійснити за допомогою 'news.bat')."

Persistence

1 technique
T1053Scheduled Task/JobEvidence1

"...створено об'єкт групової політики (GPO), що, у свою чергу, забезпечував створення відповідних запланованих завдань." and "Windows_Security_Update_HxW (Scheduled Task)"

Privilege Escalation

2 techniques
T1053Scheduled Task/JobEvidence1

"...створено об'єкт групової політики (GPO), що, у свою чергу, забезпечував створення відповідних запланованих завдань." and "Windows_Security_Update_HxW (Scheduled Task)"

T1484.001Group Policy ModificationEvidence1

"...з метою централізованого розповсюдження шкідливих програм, створено об'єкт групової політики (GPO)..."

Stealth

3 techniques
T1036MasqueradingEvidence1

While Sdelete was designed as a utility to securely erase files on Windows systems, it’s just as useful to threat actors like ‘IRIDIUM’ who’ll rename it ‘cdel.exe’ and effectively use it as a wiper.

T1070Indicator RemovalEvidence5

Many examples describe post-intrusion cleanup, anti-forensics, and removal of artifacts such as logs, scripts, malware components, scheduled tasks, registry keys, and temporary files.

T1070.004File DeletionEvidence19

ASimProcess ... Update SdeletedeployedviaGPOandrunrecursively(ASIMVersion).yaml ... Mar 25, 2025

Defense Impairment

1 technique
T1484.001Group Policy ModificationEvidence1

"...з метою централізованого розповсюдження шкідливих програм, створено об'єкт групової політики (GPO)..."

Command and Control

1 technique
T1105Ingress Tool TransferEvidence2

It created two files: rar.exe and sdelete.exe.

Impact

1 technique
T1485Data DestructionEvidence6

MSTIC researchers also spotted abuse of Sdelete in data destruction operations. While Sdelete was designed as a utility to securely erase files on Windows systems, it’s just as useful to threat actors like ‘IRIDIUM’ who’ll rename it ‘cdel.exe’ and effectively use it as a wiper.

ACTIVITY FEED

Recent activity

8 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

8 SOURCESView more in app
coveware blogNews
Jul 21, 2023
Ransom Monetization Rates Fall to Record Low Despite Jump In Average Ransom Payments

Legitimate Sysinternals secure-deletion utility referenced as being abused by ransomware actors to destroy forensic artifacts (data destruction/anti-forensics).

Read more
splunk researchNews
Oct 6, 2021
Sdelete | Splunk Security Content

Sdelete is a secure deletion utility that can be used to irreversibly delete files and data. In this context it is associated with ATT&CK technique T1485, indicating destructive or data-wiping behavior.

Read more
eset welivesecurity blogNews
Jan 24, 2026
A year of wiper attacks in Ukraine

Legitimate Microsoft secure-deletion utility abused/used in destructive activity (basis for NikoWiper; also observed executed directly in Jan 2023).

Read more
mitre attackNews
Mar 18, 2026
Indicator Removal on Host: File Deletion, Sub-technique T1070.004 - Enterprise | MITRE ATT&CK®

Sysinternals secure deletion utility used for anti-forensics by securely deleting files to hinder recovery.

Read more
+4 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
Start free trial
IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution5

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping9

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.