CaddyWiper (Malware Family)

SYMBOL	COMMON_NAME	aka. SYNONYMS

win.caddywiper (Back to overview)

CaddyWiper

aka: KillDisk.NCX

Actor(s): APT28, Sandworm

VTCollection

CaddyWiper is another destructive malware believed to be deployed to target Ukraine.

CaddyWiper wipes all files under C:\Users and all also all files under available drives from D: to Z: by overwriting the data with NULL value. If the target file is greater than 0xA00000 bytes in size (10MB), it will only wipe the first 0xA00000 bytes.

It also wipes disk partitions from \\.\PHYSICALDRIVE9 to \\.\PHYSICALDRIVE0 by overwriting the first 0x780 bytes with NULL.

References

2024-04-16 ⋅ Mandiant ⋅ Alden Wahlstrom, Anton Prokopenkov, Dan Black, Dan Perez, Gabby Roncone, John Wolfram, Lexie Aytes, Nick Simonian, Ryan Hall, Tyler McLellan
APT44: Unearthing Sandworm
VPNFilter BlackEnergy CaddyWiper EternalPetya HermeticWiper Industroyer INDUSTROYER2 Olympic Destroyer PartyTicket RoarBAT Sandworm

2023-11-09 ⋅ Mandiant ⋅ Chris Sistrunk, Daniel Kapellmann Zafra, Jared Wilson, John Wolfram, Keith Lunden, Ken Proska, Nathan Brubaker, Tyler McLellan
Sandworm Disrupts Power in Ukraine Using a Novel Attack Against Operational Technology
CaddyWiper

2023-07-12 ⋅ Mandiant ⋅ Dan Black, Gabby Roncone
The GRU's Disruptive Playbook
CaddyWiper INDUSTROYER2 XakNet

2023-04-18 ⋅ Mandiant ⋅ Mandiant
M-Trends 2023
QUIETEXIT AppleJeus Black Basta BlackCat CaddyWiper Cobalt Strike Dharma HermeticWiper Hive INDUSTROYER2 Ladon LockBit Meterpreter PartyTicket PlugX QakBot REvil Royal Ransom SystemBC WhisperGate

2023-03-15 ⋅ Microsoft ⋅ Microsoft Threat Intelligence
A year of Russian hybrid warfare in Ukraine
CaddyWiper DesertBlade DoubleZero HermeticWiper INDUSTROYER2 IsaacWiper PartyTicket SwiftSlicer WhisperGate

2023-02-15 ⋅ Google ⋅ Google Threat Analysis Group, Mandiant
Fog of War: How the Ukraine Conflict Transformed the Cyber Threat Landscape
CaddyWiper Dharma HermeticWiper INDUSTROYER2 PartyTicket WhisperGate Callisto Curious Gorge MUSTANG PANDA Turla

2023-01-27 ⋅ ⋅ Cert-UA ⋅ Cert-UA
Cyber attack on the Ukrinform information and communication system
CaddyWiper

2023-01-24 ⋅ Fortinet ⋅ Geri Revay
The Year of the Wiper
Azov Wiper Bruh Wiper CaddyWiper Cobalt Strike Vidar

2022-12-03 ⋅ Microsoft ⋅ Cliff Watts
Preparing for a Russian cyber offensive against Ukraine this winter
CaddyWiper HermeticWiper Prestige

2022-10-24 ⋅ Youtube (Virus Bulletin) ⋅ Alexander Adamov
Russian wipers in the cyberwar against Ukraine
AcidRain CaddyWiper DesertBlade DoubleZero EternalPetya HermeticWiper HermeticWizard INDUSTROYER2 IsaacWiper KillDisk PartyTicket WhisperGate

2022-09-26 ⋅ CrowdStrike ⋅ Ioan Iacob, Iulian Madalin Ionita
The Anatomy of Wiper Malware, Part 3: Input/Output Controls
CaddyWiper DEADWOOD DistTrack DoubleZero DUSTMAN HermeticWiper IsaacWiper Meteor Petya Sierra(Alfa,Bravo, ...) StoneDrill WhisperGate ZeroCleare

2022-09-23 ⋅ Mandiant ⋅ Mandiant Intelligence
GRU: Rise of the (Telegram) MinIOns
ArguePatch CaddyWiper XakNet

2022-08-18 ⋅ Trustwave ⋅ Pawel Knapczyk
Overview of the Cyber Weapons Used in the Ukraine - Russia War
AcidRain CaddyWiper Cobalt Strike CredoMap DCRat DoubleZero GraphSteel GrimPlant HermeticWiper INDUSTROYER2 InvisiMole IsaacWiper PartyTicket

2022-08-12 ⋅ CrowdStrike ⋅ Ioan Iacob, Iulian Madalin Ionita
The Anatomy of Wiper Malware, Part 1: Common Techniques
Apostle CaddyWiper DEADWOOD DistTrack DoubleZero DUSTMAN HermeticWiper IsaacWiper IsraBye KillDisk Meteor Olympic Destroyer Ordinypt Petya Sierra(Alfa,Bravo, ...) StoneDrill WhisperGate ZeroCleare

2022-05-02 ⋅ AT&T ⋅ Fernando Martinez
Analysis on recent wiper attacks: examples and how wiper malware works
AcidRain CaddyWiper DoubleZero HermeticWiper INDUSTROYER2 IsaacWiper

2022-04-28 ⋅ Fortinet ⋅ Gergely Revay
An Overview of the Increasing Wiper Malware Threat
AcidRain CaddyWiper DistTrack DoubleZero EternalPetya HermeticWiper IsaacWiper Olympic Destroyer Ordinypt WhisperGate ZeroCleare

2022-04-27 ⋅ Microsoft ⋅ Microsoft Digital Security Unit (DSU)
Special Report: Ukraine An overview of Russia’s cyberattack activity in Ukraine
CaddyWiper DoubleZero HermeticWiper INDUSTROYER2 IsaacWiper PartyTicket WhisperGate

2022-04-12 ⋅ ESET Research ⋅ ESET Research
Industroyer2: Industroyer reloaded
ArguePatch CaddyWiper Industroyer INDUSTROYER2

2022-04-12 ⋅ ⋅ Cert-UA ⋅ Cert-UA
Cyberattack of Sandworm Group (UAC-0082) on energy facilities of Ukraine using malicious programs INDUSTROYER2 and CADDYWIPER (CERT-UA # 4435)
CaddyWiper Industroyer INDUSTROYER2

2022-04-12 ⋅ Twitter (@silascutler) ⋅ Silas Cutler
Tweet on analysis of CADDYWIPER used alongside with INDUSTROYER2
CaddyWiper INDUSTROYER2

2022-04-12 ⋅ ESET Research ⋅ ESET Ireland
Industroyer2: Industroyer reloaded
CaddyWiper INDUSTROYER2

2022-04-12 ⋅ Max Kersten's Blog ⋅ Max Kersten
Ghidra script to handle stack strings
CaddyWiper PlugX

2022-04-05 ⋅ Morphisec ⋅ Michael Dereviashkin
New Analysis: The CaddyWiper Malware Attacking Ukraine
CaddyWiper

2022-04-01 ⋅ splunk ⋅ Splunk Threat Research Team
Threat Update: CaddyWiper
CaddyWiper

2022-03-31 ⋅ eSentire ⋅ eSentire Threat Response Unit (TRU)
eSentire Threat Intelligence Malware Analysis: CaddyWiper
CaddyWiper

2022-03-26 ⋅ n0p Blog ⋅ Ali Mosajjal
Analysis of a Caddy Wiper Sample Targeting Ukraine
CaddyWiper

2022-03-25 ⋅ GOV.UA ⋅ State Service of Special Communication and Information Protection of Ukraine (CIP)
Who is behind the Cyberattacks on Ukraine's Critical Information Infrastructure: Statistics for March 15-22
Xloader Agent Tesla CaddyWiper Cobalt Strike DoubleZero GraphSteel GrimPlant HeaderTip HermeticWiper IsaacWiper MicroBackdoor Pandora RAT

2022-03-24 ⋅ NextGov ⋅ Brandi Vincent
Ukrainian Cyber Lead Says ‘At Least 4 Types of Malware’ in Use to Target Critical Infrastructure and Humanitarian Aid
CaddyWiper DoubleZero HermeticWiper IsaacWiper

2022-03-18 ⋅ Malwarebytes ⋅ Threat Intelligence Team
Double header: IsaacWiper and CaddyWiper
CaddyWiper IsaacWiper

2022-03-17 ⋅ NioGuard ⋅ NioGuard Security Lab
Analysis of CaddyWiper
CaddyWiper

2022-03-16 ⋅ Cyber Security News ⋅ Gurubaran
Destructive Data Wiper Malware Targeting high-profile Ukrainian Organizations
CaddyWiper

2022-03-15 ⋅ Twitter (@HackNPatch) ⋅ HackNPatch
Tweet on Exploring CaddyWiper API resolution
CaddyWiper

2022-03-15 ⋅ SecurityIntelligence ⋅ Christopher Del Fierro, John Dwyer
CaddyWiper: Third Wiper Malware Targeting Ukrainian Organizations
CaddyWiper

2022-03-15 ⋅ TRUESEC ⋅ Nicklas Keijser
Analysis of CaddyWiper, wiper targeting Ukraine
CaddyWiper

2022-03-15 ⋅ SecurityAffairs ⋅ Pierluigi Paganini
CaddyWiper, a new data wiper hits Ukraine
CaddyWiper

2022-03-15 ⋅ ESET Research ⋅ ESET Research
CaddyWiper: New wiper malware discovered in Ukraine
CaddyWiper

2022-03-15 ⋅ The Hacker News ⋅ Ravie Lakshmanan
CaddyWiper: Yet Another Data Wiping Malware Targeting Ukrainian Networks
CaddyWiper

2022-03-15 ⋅ Cisco ⋅ Cisco Talos
Threat Advisory: CaddyWiper
CaddyWiper

2022-03-14 ⋅ Bleeping Computer ⋅ Sergiu Gatlan
New CaddyWiper data wiping malware hits Ukrainian networks
CaddyWiper

2022-03-14 ⋅ Twitter (@ESETresearch) ⋅ ESET Research
Tweet on CaddyWiper as 3rd destructive wiper found deployed against Ukraine
CaddyWiper Sunglow Blizzard

2022-03-14 ⋅ Cybernews ⋅ Jurgita Lapienytė
New destructive wiper malware deployed in Ukraine
CaddyWiper

2022-02-28 ⋅ Microsoft ⋅ MSRC Team
Cyber threat activity in Ukraine: analysis and resources
CaddyWiper DesertBlade DoubleZero HermeticWiper INDUSTROYER2 IsaacWiper PartyTicket WhisperGate DEV-0586

Yara Rules

[TLP:WHITE] win_caddywiper_auto (20251219 | Detects win.caddywiper.)

rule win_caddywiper_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-01-05"
        version = "1"
        description = "Detects win.caddywiper."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.caddywiper"
        malpedia_rule_date = "20260105"
        malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79"
        malpedia_version = "20251219"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { c645af55 c645b073 c645b165 c645b272 c645b373 c645b400 }
            // n = 6, score = 100
            //   c645af55             | mov                 byte ptr [ebp - 0x51], 0x55
            //   c645b073             | mov                 byte ptr [ebp - 0x50], 0x73
            //   c645b165             | mov                 byte ptr [ebp - 0x4f], 0x65
            //   c645b272             | mov                 byte ptr [ebp - 0x4e], 0x72
            //   c645b373             | mov                 byte ptr [ebp - 0x4d], 0x73
            //   c645b400             | mov                 byte ptr [ebp - 0x4c], 0

        $sequence_1 = { 33c0 eb69 c78564ffffff01000000 8b55a8 899568ffffff }
            // n = 5, score = 100
            //   33c0                 | xor                 eax, eax
            //   eb69                 | jmp                 0x6b
            //   c78564ffffff01000000     | mov    dword ptr [ebp - 0x9c], 1
            //   8b55a8               | mov                 edx, dword ptr [ebp - 0x58]
            //   899568ffffff         | mov                 dword ptr [ebp - 0x98], edx

        $sequence_2 = { c685b6fbffff65 c685b7fbffff00 c685b8fbffff72 c685b9fbffff00 c685bafbffff6e c685bbfbffff00 }
            // n = 6, score = 100
            //   c685b6fbffff65       | mov                 byte ptr [ebp - 0x44a], 0x65
            //   c685b7fbffff00       | mov                 byte ptr [ebp - 0x449], 0
            //   c685b8fbffff72       | mov                 byte ptr [ebp - 0x448], 0x72
            //   c685b9fbffff00       | mov                 byte ptr [ebp - 0x447], 0
            //   c685bafbffff6e       | mov                 byte ptr [ebp - 0x446], 0x6e
            //   c685bbfbffff00       | mov                 byte ptr [ebp - 0x445], 0

        $sequence_3 = { 33c0 eb13 ff55b4 3d14050000 7504 }
            // n = 5, score = 100
            //   33c0                 | xor                 eax, eax
            //   eb13                 | jmp                 0x15
            //   ff55b4               | call                dword ptr [ebp - 0x4c]
            //   3d14050000           | cmp                 eax, 0x514
            //   7504                 | jne                 6

        $sequence_4 = { c68597feffff00 c68598feffff70 c68599feffff00 c6859afeffff69 c6859bfeffff00 c6859cfeffff33 }
            // n = 6, score = 100
            //   c68597feffff00       | mov                 byte ptr [ebp - 0x169], 0
            //   c68598feffff70       | mov                 byte ptr [ebp - 0x168], 0x70
            //   c68599feffff00       | mov                 byte ptr [ebp - 0x167], 0
            //   c6859afeffff69       | mov                 byte ptr [ebp - 0x166], 0x69
            //   c6859bfeffff00       | mov                 byte ptr [ebp - 0x165], 0
            //   c6859cfeffff33       | mov                 byte ptr [ebp - 0x164], 0x33

        $sequence_5 = { 0f85fe000000 8b55f4 8b4210 8945f0 }
            // n = 4, score = 100
            //   0f85fe000000         | jne                 0x104
            //   8b55f4               | mov                 edx, dword ptr [ebp - 0xc]
            //   8b4210               | mov                 eax, dword ptr [edx + 0x10]
            //   8945f0               | mov                 dword ptr [ebp - 0x10], eax

        $sequence_6 = { c685b8feffff72 c685b9feffff69 c685bafeffff74 c685bbfeffff79 c685bcfeffff49 }
            // n = 5, score = 100
            //   c685b8feffff72       | mov                 byte ptr [ebp - 0x148], 0x72
            //   c685b9feffff69       | mov                 byte ptr [ebp - 0x147], 0x69
            //   c685bafeffff74       | mov                 byte ptr [ebp - 0x146], 0x74
            //   c685bbfeffff79       | mov                 byte ptr [ebp - 0x145], 0x79
            //   c685bcfeffff49       | mov                 byte ptr [ebp - 0x144], 0x49

        $sequence_7 = { 85d2 7421 8b4508 0345f4 8a4dfb }
            // n = 5, score = 100
            //   85d2                 | test                edx, edx
            //   7421                 | je                  0x23
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   0345f4               | add                 eax, dword ptr [ebp - 0xc]
            //   8a4dfb               | mov                 cl, byte ptr [ebp - 5]

        $sequence_8 = { c745fc00000000 c68538ffffff43 c68539ffffff6c c6853affffff6f c6853bffffff73 }
            // n = 5, score = 100
            //   c745fc00000000       | mov                 dword ptr [ebp - 4], 0
            //   c68538ffffff43       | mov                 byte ptr [ebp - 0xc8], 0x43
            //   c68539ffffff6c       | mov                 byte ptr [ebp - 0xc7], 0x6c
            //   c6853affffff6f       | mov                 byte ptr [ebp - 0xc6], 0x6f
            //   c6853bffffff73       | mov                 byte ptr [ebp - 0xc5], 0x73

        $sequence_9 = { 83ec70 c745f800000000 c745ec00000000 64a130000000 }
            // n = 4, score = 100
            //   83ec70               | sub                 esp, 0x70
            //   c745f800000000       | mov                 dword ptr [ebp - 8], 0
            //   c745ec00000000       | mov                 dword ptr [ebp - 0x14], 0
            //   64a130000000         | mov                 eax, dword ptr fs:[0x30]

    condition:
        7 of them and filesize < 33792
}

[TLP:WHITE] win_caddywiper_w0 (20220316 | Detects CaddyWiper)

rule win_caddywiper_w0 {
	meta:
		author = "IBM Security X-Force"
		description = "Detects CaddyWiper"
		threat_type = "Malware"
		rule_category = "Malware Family"
		usage = "Hunting and Identification"
		hash = "a294620543334a721a2ae8eaaf9680a0786f4b9a216d75b55cfd28f39e9430ea"
		yara_version = "4.0.2"
		date_created = "15 March 22"
        malpedia_rule_date = "20220315"
        malpedia_hash = ""
		malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.caddywiper"
		malpedia_version = "20220316"
		malpedia_license = "CC BY-NC-SA 4.0"
		malpedia_sharing = "TLP:WHITE"
	strings:
		$s1 = "DsRoleGetPrimaryDomainInformation" ascii fullword
		$hex1 = {
			C645??43 //'C'
			C645??3A //':'
			C645??5C //'\'
			C645??55 //'U'
			C645??73 //'s'
			C645??65 //'e'
			C645??72 //'r'
			C645??73 //'s'
		}
		$hex2 = {
			C645??44 // 'D'
			C645??65 // 'e'
			C645??76 // 'v'
			C645??69 // 'i'
			C645??63 // 'c'
			C645??65 // 'e'
			C645??49 // 'I'
			C645??6F // 'o'
			C645??43 // 'C'
			C645??6F // 'o'
			C645??6E // 'n'
			C645??74 // 't'
			C645??72 // 'r'
			C645??6F // 'o'
			C645??6C // 'l'
		}
	condition:
		uint16(0) == 0x5A4D and 
		all of them
}

Download all Yara Rules

CaddyWiper Propose Change

References

Yara Rules

CaddyWiper