CaddyWiper (Malware Family)

SYMBOL	COMMON_NAME	aka. SYNONYMS

win.caddywiper (Back to overview)

CaddyWiper

aka: KillDisk.NCX

Actor(s): APT28, Sandworm

VTCollection

CaddyWiper is another destructive malware believed to be deployed to target Ukraine.

CaddyWiper wipes all files under C:\Users and all also all files under available drives from D: to Z: by overwriting the data with NULL value. If the target file is greater than 0xA00000 bytes in size (10MB), it will only wipe the first 0xA00000 bytes.

It also wipes disk partitions from \\.\PHYSICALDRIVE9 to \\.\PHYSICALDRIVE0 by overwriting the first 0x780 bytes with NULL.

References

2024-04-16 ⋅ Mandiant ⋅ Alden Wahlstrom, Anton Prokopenkov, Dan Black, Dan Perez, Gabby Roncone, John Wolfram, Lexie Aytes, Nick Simonian, Ryan Hall, Tyler McLellan
APT44: Unearthing Sandworm
VPNFilter BlackEnergy CaddyWiper EternalPetya HermeticWiper Industroyer INDUSTROYER2 Olympic Destroyer PartyTicket RoarBAT Sandworm

2023-11-09 ⋅ Mandiant ⋅ Chris Sistrunk, Daniel Kapellmann Zafra, Jared Wilson, John Wolfram, Keith Lunden, Ken Proska, Nathan Brubaker, Tyler McLellan
Sandworm Disrupts Power in Ukraine Using a Novel Attack Against Operational Technology
CaddyWiper

2023-07-12 ⋅ Mandiant ⋅ Dan Black, Gabby Roncone
The GRU's Disruptive Playbook
CaddyWiper INDUSTROYER2 XakNet

2023-04-18 ⋅ Mandiant ⋅ Mandiant
M-Trends 2023
QUIETEXIT AppleJeus Black Basta BlackCat CaddyWiper Cobalt Strike Dharma HermeticWiper Hive INDUSTROYER2 Ladon LockBit Meterpreter PartyTicket PlugX QakBot REvil Royal Ransom SystemBC WhisperGate

2023-03-15 ⋅ Microsoft ⋅ Microsoft Threat Intelligence
A year of Russian hybrid warfare in Ukraine
CaddyWiper DesertBlade DoubleZero HermeticWiper INDUSTROYER2 IsaacWiper PartyTicket SwiftSlicer WhisperGate

2023-02-15 ⋅ Google ⋅ Google Threat Analysis Group, Mandiant
Fog of War: How the Ukraine Conflict Transformed the Cyber Threat Landscape
CaddyWiper Dharma HermeticWiper INDUSTROYER2 PartyTicket WhisperGate Callisto Curious Gorge MUSTANG PANDA Turla

2023-01-27 ⋅ ⋅ Cert-UA ⋅ Cert-UA
Cyber attack on the Ukrinform information and communication system
CaddyWiper

2023-01-24 ⋅ Fortinet ⋅ Geri Revay
The Year of the Wiper
Azov Wiper Bruh Wiper CaddyWiper Cobalt Strike Vidar

2022-12-03 ⋅ Microsoft ⋅ Cliff Watts
Preparing for a Russian cyber offensive against Ukraine this winter
CaddyWiper HermeticWiper Prestige

2022-10-24 ⋅ Youtube (Virus Bulletin) ⋅ Alexander Adamov
Russian wipers in the cyberwar against Ukraine
AcidRain CaddyWiper DesertBlade DoubleZero EternalPetya HermeticWiper HermeticWizard INDUSTROYER2 IsaacWiper KillDisk PartyTicket WhisperGate

2022-09-26 ⋅ CrowdStrike ⋅ Ioan Iacob, Iulian Madalin Ionita
The Anatomy of Wiper Malware, Part 3: Input/Output Controls
CaddyWiper DEADWOOD DistTrack DoubleZero DUSTMAN HermeticWiper IsaacWiper Meteor Petya Sierra(Alfa,Bravo, ...) StoneDrill WhisperGate ZeroCleare

2022-09-23 ⋅ Mandiant ⋅ Mandiant Intelligence
GRU: Rise of the (Telegram) MinIOns
ArguePatch CaddyWiper XakNet

2022-08-18 ⋅ Trustwave ⋅ Pawel Knapczyk
Overview of the Cyber Weapons Used in the Ukraine - Russia War
AcidRain CaddyWiper Cobalt Strike CredoMap DCRat DoubleZero GraphSteel GrimPlant HermeticWiper INDUSTROYER2 InvisiMole IsaacWiper PartyTicket

2022-08-12 ⋅ CrowdStrike ⋅ Ioan Iacob, Iulian Madalin Ionita
The Anatomy of Wiper Malware, Part 1: Common Techniques
Apostle CaddyWiper DEADWOOD DistTrack DoubleZero DUSTMAN HermeticWiper IsaacWiper IsraBye KillDisk Meteor Olympic Destroyer Ordinypt Petya Sierra(Alfa,Bravo, ...) StoneDrill WhisperGate ZeroCleare

2022-05-02 ⋅ AT&T ⋅ Fernando Martinez
Analysis on recent wiper attacks: examples and how wiper malware works
AcidRain CaddyWiper DoubleZero HermeticWiper INDUSTROYER2 IsaacWiper

2022-04-28 ⋅ Fortinet ⋅ Gergely Revay
An Overview of the Increasing Wiper Malware Threat
AcidRain CaddyWiper DistTrack DoubleZero EternalPetya HermeticWiper IsaacWiper Olympic Destroyer Ordinypt WhisperGate ZeroCleare

2022-04-27 ⋅ Microsoft ⋅ Microsoft Digital Security Unit (DSU)
Special Report: Ukraine An overview of Russia’s cyberattack activity in Ukraine
CaddyWiper DoubleZero HermeticWiper INDUSTROYER2 IsaacWiper PartyTicket WhisperGate

2022-04-12 ⋅ ESET Research ⋅ ESET Research
Industroyer2: Industroyer reloaded
ArguePatch CaddyWiper Industroyer INDUSTROYER2

2022-04-12 ⋅ ⋅ Cert-UA ⋅ Cert-UA
Cyberattack of Sandworm Group (UAC-0082) on energy facilities of Ukraine using malicious programs INDUSTROYER2 and CADDYWIPER (CERT-UA # 4435)
CaddyWiper Industroyer INDUSTROYER2

2022-04-12 ⋅ Twitter (@silascutler) ⋅ Silas Cutler
Tweet on analysis of CADDYWIPER used alongside with INDUSTROYER2
CaddyWiper INDUSTROYER2

2022-04-12 ⋅ ESET Research ⋅ ESET Ireland
Industroyer2: Industroyer reloaded
CaddyWiper INDUSTROYER2

2022-04-12 ⋅ Max Kersten's Blog ⋅ Max Kersten
Ghidra script to handle stack strings
CaddyWiper PlugX

2022-04-05 ⋅ Morphisec ⋅ Michael Dereviashkin
New Analysis: The CaddyWiper Malware Attacking Ukraine
CaddyWiper

2022-04-01 ⋅ splunk ⋅ Splunk Threat Research Team
Threat Update: CaddyWiper
CaddyWiper

2022-03-31 ⋅ eSentire ⋅ eSentire Threat Response Unit (TRU)
eSentire Threat Intelligence Malware Analysis: CaddyWiper
CaddyWiper

2022-03-26 ⋅ n0p Blog ⋅ Ali Mosajjal
Analysis of a Caddy Wiper Sample Targeting Ukraine
CaddyWiper

2022-03-25 ⋅ GOV.UA ⋅ State Service of Special Communication and Information Protection of Ukraine (CIP)
Who is behind the Cyberattacks on Ukraine's Critical Information Infrastructure: Statistics for March 15-22
Xloader Agent Tesla CaddyWiper Cobalt Strike DoubleZero GraphSteel GrimPlant HeaderTip HermeticWiper IsaacWiper MicroBackdoor Pandora RAT

2022-03-24 ⋅ NextGov ⋅ Brandi Vincent
Ukrainian Cyber Lead Says ‘At Least 4 Types of Malware’ in Use to Target Critical Infrastructure and Humanitarian Aid
CaddyWiper DoubleZero HermeticWiper IsaacWiper

2022-03-18 ⋅ Malwarebytes ⋅ Threat Intelligence Team
Double header: IsaacWiper and CaddyWiper
CaddyWiper IsaacWiper

2022-03-17 ⋅ NioGuard ⋅ NioGuard Security Lab
Analysis of CaddyWiper
CaddyWiper

2022-03-16 ⋅ Cyber Security News ⋅ Gurubaran
Destructive Data Wiper Malware Targeting high-profile Ukrainian Organizations
CaddyWiper

2022-03-15 ⋅ Twitter (@HackNPatch) ⋅ HackNPatch
Tweet on Exploring CaddyWiper API resolution
CaddyWiper

2022-03-15 ⋅ SecurityIntelligence ⋅ Christopher Del Fierro, John Dwyer
CaddyWiper: Third Wiper Malware Targeting Ukrainian Organizations
CaddyWiper

2022-03-15 ⋅ TRUESEC ⋅ Nicklas Keijser
Analysis of CaddyWiper, wiper targeting Ukraine
CaddyWiper

2022-03-15 ⋅ SecurityAffairs ⋅ Pierluigi Paganini
CaddyWiper, a new data wiper hits Ukraine
CaddyWiper

2022-03-15 ⋅ ESET Research ⋅ ESET Research
CaddyWiper: New wiper malware discovered in Ukraine
CaddyWiper

2022-03-15 ⋅ The Hacker News ⋅ Ravie Lakshmanan
CaddyWiper: Yet Another Data Wiping Malware Targeting Ukrainian Networks
CaddyWiper

2022-03-15 ⋅ Cisco ⋅ Cisco Talos
Threat Advisory: CaddyWiper
CaddyWiper

2022-03-14 ⋅ Bleeping Computer ⋅ Sergiu Gatlan
New CaddyWiper data wiping malware hits Ukrainian networks
CaddyWiper

2022-03-14 ⋅ Twitter (@ESETresearch) ⋅ ESET Research
Tweet on CaddyWiper as 3rd destructive wiper found deployed against Ukraine
CaddyWiper Sunglow Blizzard

2022-03-14 ⋅ Cybernews ⋅ Jurgita Lapienytė
New destructive wiper malware deployed in Ukraine
CaddyWiper

2022-02-28 ⋅ Microsoft ⋅ MSRC Team
Cyber threat activity in Ukraine: analysis and resources
CaddyWiper DesertBlade DoubleZero HermeticWiper INDUSTROYER2 IsaacWiper PartyTicket WhisperGate DEV-0586

Yara Rules

[TLP:WHITE] win_caddywiper_auto (20260504 | Detects win.caddywiper.)

rule win_caddywiper_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.caddywiper."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.caddywiper"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { c685befbffff6c c685bffbffff00 c685c0fbffff33 c685c1fbffff00 c685c2fbffff32 }
            // n = 5, score = 100
            //   c685befbffff6c       | mov                 byte ptr [ebp - 0x442], 0x6c
            //   c685bffbffff00       | mov                 byte ptr [ebp - 0x441], 0
            //   c685c0fbffff33       | mov                 byte ptr [ebp - 0x440], 0x33
            //   c685c1fbffff00       | mov                 byte ptr [ebp - 0x43f], 0
            //   c685c2fbffff32       | mov                 byte ptr [ebp - 0x43e], 0x32

        $sequence_1 = { 6a00 6a03 68000000c0 8b95f4f7ffff 52 ff95fcf7ffff 8945fc }
            // n = 7, score = 100
            //   6a00                 | push                0
            //   6a03                 | push                3
            //   68000000c0           | push                0xc0000000
            //   8b95f4f7ffff         | mov                 edx, dword ptr [ebp - 0x80c]
            //   52                   | push                edx
            //   ff95fcf7ffff         | call                dword ptr [ebp - 0x804]
            //   8945fc               | mov                 dword ptr [ebp - 4], eax

        $sequence_2 = { 8d8d00f8ffff 51 8d55dc 52 e8???????? 83c408 }
            // n = 6, score = 100
            //   8d8d00f8ffff         | lea                 ecx, [ebp - 0x800]
            //   51                   | push                ecx
            //   8d55dc               | lea                 edx, [ebp - 0x24]
            //   52                   | push                edx
            //   e8????????           |                     
            //   83c408               | add                 esp, 8

        $sequence_3 = { c645df54 c645e06f c645e16b c645e265 c645e36e }
            // n = 5, score = 100
            //   c645df54             | mov                 byte ptr [ebp - 0x21], 0x54
            //   c645e06f             | mov                 byte ptr [ebp - 0x20], 0x6f
            //   c645e16b             | mov                 byte ptr [ebp - 0x1f], 0x6b
            //   c645e265             | mov                 byte ptr [ebp - 0x1e], 0x65
            //   c645e36e             | mov                 byte ptr [ebp - 0x1d], 0x6e

        $sequence_4 = { 898568ffffff c78548ffffff00000000 c685acfeffff53 c685adfeffff65 }
            // n = 4, score = 100
            //   898568ffffff         | mov                 dword ptr [ebp - 0x98], eax
            //   c78548ffffff00000000     | mov    dword ptr [ebp - 0xb8], 0
            //   c685acfeffff53       | mov                 byte ptr [ebp - 0x154], 0x53
            //   c685adfeffff65       | mov                 byte ptr [ebp - 0x153], 0x65

        $sequence_5 = { 52 ff55b0 85c0 7504 }
            // n = 4, score = 100
            //   52                   | push                edx
            //   ff55b0               | call                dword ptr [ebp - 0x50]
            //   85c0                 | test                eax, eax
            //   7504                 | jne                 6

        $sequence_6 = { c6459e5c c6459f00 c645a050 c645a100 c645a248 }
            // n = 5, score = 100
            //   c6459e5c             | mov                 byte ptr [ebp - 0x62], 0x5c
            //   c6459f00             | mov                 byte ptr [ebp - 0x61], 0
            //   c645a050             | mov                 byte ptr [ebp - 0x60], 0x50
            //   c645a100             | mov                 byte ptr [ebp - 0x5f], 0
            //   c645a248             | mov                 byte ptr [ebp - 0x5e], 0x48

        $sequence_7 = { 6a00 6a00 6880070000 8d8d10f8ffff }
            // n = 4, score = 100
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   6880070000           | push                0x780
            //   8d8d10f8ffff         | lea                 ecx, [ebp - 0x7f0]

        $sequence_8 = { c68543ffffff00 8d8d38ffffff 51 8d55b8 52 e8???????? 83c408 }
            // n = 7, score = 100
            //   c68543ffffff00       | mov                 byte ptr [ebp - 0xbd], 0
            //   8d8d38ffffff         | lea                 ecx, [ebp - 0xc8]
            //   51                   | push                ecx
            //   8d55b8               | lea                 edx, [ebp - 0x48]
            //   52                   | push                edx
            //   e8????????           |                     
            //   83c408               | add                 esp, 8

        $sequence_9 = { 83c40c 8d8524f2ffff 50 8d8d38f3ffff 51 8d95d0fbffff }
            // n = 6, score = 100
            //   83c40c               | add                 esp, 0xc
            //   8d8524f2ffff         | lea                 eax, [ebp - 0xddc]
            //   50                   | push                eax
            //   8d8d38f3ffff         | lea                 ecx, [ebp - 0xcc8]
            //   51                   | push                ecx
            //   8d95d0fbffff         | lea                 edx, [ebp - 0x430]

    condition:
        7 of them and filesize < 33792
}

[TLP:WHITE] win_caddywiper_w0 (20220316 | Detects CaddyWiper)

rule win_caddywiper_w0 {
	meta:
		author = "IBM Security X-Force"
		description = "Detects CaddyWiper"
		threat_type = "Malware"
		rule_category = "Malware Family"
		usage = "Hunting and Identification"
		hash = "a294620543334a721a2ae8eaaf9680a0786f4b9a216d75b55cfd28f39e9430ea"
		yara_version = "4.0.2"
		date_created = "15 March 22"
        malpedia_rule_date = "20220315"
        malpedia_hash = ""
		malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.caddywiper"
		malpedia_version = "20220316"
		malpedia_license = "CC BY-NC-SA 4.0"
		malpedia_sharing = "TLP:WHITE"
	strings:
		$s1 = "DsRoleGetPrimaryDomainInformation" ascii fullword
		$hex1 = {
			C645??43 //'C'
			C645??3A //':'
			C645??5C //'\'
			C645??55 //'U'
			C645??73 //'s'
			C645??65 //'e'
			C645??72 //'r'
			C645??73 //'s'
		}
		$hex2 = {
			C645??44 // 'D'
			C645??65 // 'e'
			C645??76 // 'v'
			C645??69 // 'i'
			C645??63 // 'c'
			C645??65 // 'e'
			C645??49 // 'I'
			C645??6F // 'o'
			C645??43 // 'C'
			C645??6F // 'o'
			C645??6E // 'n'
			C645??74 // 't'
			C645??72 // 'r'
			C645??6F // 'o'
			C645??6C // 'l'
		}
	condition:
		uint16(0) == 0x5A4D and 
		all of them
}

Download all Yara Rules

CaddyWiper Propose Change

References

Yara Rules

CaddyWiper