INDUSTROYER2 (Malware Family)

SYMBOL	COMMON_NAME	aka. SYNONYMS

win.industroyer2 (Back to overview)

INDUSTROYER2

Actor(s): Sandworm

VTCollection

There is no description at this point.

References

2024-04-16 ⋅ Mandiant ⋅ Alden Wahlstrom, Anton Prokopenkov, Dan Black, Dan Perez, Gabby Roncone, John Wolfram, Lexie Aytes, Nick Simonian, Ryan Hall, Tyler McLellan
APT44: Unearthing Sandworm
VPNFilter BlackEnergy CaddyWiper EternalPetya HermeticWiper Industroyer INDUSTROYER2 Olympic Destroyer PartyTicket RoarBAT Sandworm

2024-04-15 ⋅ UC Santa Cruz ⋅ Alonso Rojas, Alvaro A. Cardenas, Bing Huang, Emmanuele Zambon, Juan Lozano, Keerthi Koneru, Luis Salazar, Marina Krotofil, Ross Baldick, Sebastian R. Castro
A Tale of Two Industroyers: It was the Season of Darkness
Industroyer INDUSTROYER2

2023-07-12 ⋅ Mandiant ⋅ Dan Black, Gabby Roncone
The GRU's Disruptive Playbook
CaddyWiper INDUSTROYER2 XakNet

2023-04-18 ⋅ Mandiant ⋅ Mandiant
M-Trends 2023
QUIETEXIT AppleJeus Black Basta BlackCat CaddyWiper Cobalt Strike Dharma HermeticWiper Hive INDUSTROYER2 Ladon LockBit Meterpreter PartyTicket PlugX QakBot REvil Royal Ransom SystemBC WhisperGate

2023-04-14 ⋅ Dragos ⋅ Dragos
2022 ICS/OT Threat Landscape Recap & What to Watch for This Year
INDUSTROYER2 Wassonite

2023-03-15 ⋅ Microsoft ⋅ Microsoft Threat Intelligence
A year of Russian hybrid warfare in Ukraine
CaddyWiper DesertBlade DoubleZero HermeticWiper INDUSTROYER2 IsaacWiper PartyTicket SwiftSlicer WhisperGate

2023-02-15 ⋅ Google ⋅ Google Threat Analysis Group, Mandiant
Fog of War: How the Ukraine Conflict Transformed the Cyber Threat Landscape
CaddyWiper Dharma HermeticWiper INDUSTROYER2 PartyTicket WhisperGate Callisto Curious Gorge MUSTANG PANDA Turla

2022-10-24 ⋅ Youtube (Virus Bulletin) ⋅ Alexander Adamov
Russian wipers in the cyberwar against Ukraine
AcidRain CaddyWiper DesertBlade DoubleZero EternalPetya HermeticWiper HermeticWizard INDUSTROYER2 IsaacWiper KillDisk PartyTicket WhisperGate

2022-08-18 ⋅ Trustwave ⋅ Pawel Knapczyk
Overview of the Cyber Weapons Used in the Ukraine - Russia War
AcidRain CaddyWiper Cobalt Strike CredoMap DCRat DoubleZero GraphSteel GrimPlant HermeticWiper INDUSTROYER2 InvisiMole IsaacWiper PartyTicket

2022-06-23 ⋅ splunk ⋅ Splunk Threat Research Team
Threat Update: Industroyer2
INDUSTROYER2

2022-05-31 ⋅ NOZOMI Network Labs ⋅ Giannis Tsaraias, Ivan Speziale
Industroyer vs. Industroyer2: Evolution of the IEC 104 Component
INDUSTROYER2

2022-05-18 ⋅ ntop ⋅ ntop
How ntopng monitors IEC 60870-5-104 traffic
INDUSTROYER2

2022-05-12 ⋅ Blackberry ⋅ The BlackBerry Research & Intelligence Team
Threat Thursday: Malware Rebooted - How Industroyer2 Takes Aim at Ukraine Infrastructure
INDUSTROYER2

2022-05-02 ⋅ AT&T ⋅ Fernando Martinez
Analysis on recent wiper attacks: examples and how wiper malware works
AcidRain CaddyWiper DoubleZero HermeticWiper INDUSTROYER2 IsaacWiper

2022-04-27 ⋅ Nozomi Networks ⋅ Nozomi Networks Labs
Industroyer2: Nozomi Networks Labs Analyzes the IEC 104 Payload
INDUSTROYER2

2022-04-27 ⋅ Microsoft ⋅ Microsoft Digital Security Unit (DSU)
Special Report: Ukraine An overview of Russia’s cyberattack activity in Ukraine
CaddyWiper DoubleZero HermeticWiper INDUSTROYER2 IsaacWiper PartyTicket WhisperGate

2022-04-25 ⋅ Netresec ⋅ Erik Hjelmvik
Industroyer2 IEC-104 Analysis
INDUSTROYER2

2022-04-25 ⋅ Mandiant ⋅ Chris Sistrunk, Corey Hildebrandt, Daniel Kapellmann Zafra, Keith Lunden, Ken Proska, Nathan Brubaker, Raymond Leong
INDUSTROYER.V2: Old Malware Learns New Tricks
INDUSTROYER2

2022-04-23 ⋅ Stranded on Pylos Blog ⋅ Joe Slowik
Industroyer2 in Perspective
INDUSTROYER2

2022-04-14 ⋅ SCADAfence ⋅ Maayan Fishelov
Industroyer2: ICS Networks need to heighten vigilance - SCADAfence
INDUSTROYER2

2022-04-12 ⋅ ⋅ Cert-UA ⋅ Cert-UA
Cyberattack of Sandworm Group (UAC-0082) on energy facilities of Ukraine using malicious programs INDUSTROYER2 and CADDYWIPER (CERT-UA # 4435)
CaddyWiper Industroyer INDUSTROYER2

2022-04-12 ⋅ Twitter (@silascutler) ⋅ Silas Cutler
Tweet on analysis of CADDYWIPER used alongside with INDUSTROYER2
CaddyWiper INDUSTROYER2

2022-04-12 ⋅ ESET Research ⋅ ESET Ireland
Industroyer2: Industroyer reloaded
CaddyWiper INDUSTROYER2

2022-04-12 ⋅ ESET Research ⋅ ESET Research
Industroyer2: Industroyer reloaded
ArguePatch CaddyWiper Industroyer INDUSTROYER2

2022-02-28 ⋅ Microsoft ⋅ MSRC Team
Cyber threat activity in Ukraine: analysis and resources
CaddyWiper DesertBlade DoubleZero HermeticWiper INDUSTROYER2 IsaacWiper PartyTicket WhisperGate DEV-0586

Yara Rules

[TLP:WHITE] win_industroyer2_auto (20251219 | Detects win.industroyer2.)

rule win_industroyer2_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-01-05"
        version = "1"
        description = "Detects win.industroyer2."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.industroyer2"
        malpedia_rule_date = "20260105"
        malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79"
        malpedia_version = "20251219"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8b4dfc 8b11 c6420603 8b45fc 8b08 c6410783 8b55fc }
            // n = 7, score = 100
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]
            //   8b11                 | mov                 edx, dword ptr [ecx]
            //   c6420603             | mov                 byte ptr [edx + 6], 3
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   8b08                 | mov                 ecx, dword ptr [eax]
            //   c6410783             | mov                 byte ptr [ecx + 7], 0x83
            //   8b55fc               | mov                 edx, dword ptr [ebp - 4]

        $sequence_1 = { ebcc 8b4508 8b8848010100 8b55f4 }
            // n = 4, score = 100
            //   ebcc                 | jmp                 0xffffffce
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   8b8848010100         | mov                 ecx, dword ptr [eax + 0x10148]
            //   8b55f4               | mov                 edx, dword ptr [ebp - 0xc]

        $sequence_2 = { 894a0c 8b55f8 8b02 8b4d20 8b5108 895008 8b45f8 }
            // n = 7, score = 100
            //   894a0c               | mov                 dword ptr [edx + 0xc], ecx
            //   8b55f8               | mov                 edx, dword ptr [ebp - 8]
            //   8b02                 | mov                 eax, dword ptr [edx]
            //   8b4d20               | mov                 ecx, dword ptr [ebp + 0x20]
            //   8b5108               | mov                 edx, dword ptr [ecx + 8]
            //   895008               | mov                 dword ptr [eax + 8], edx
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]

        $sequence_3 = { 8b4508 8945fc 8b4d0c 894df8 837d0800 7414 }
            // n = 6, score = 100
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   8b4d0c               | mov                 ecx, dword ptr [ebp + 0xc]
            //   894df8               | mov                 dword ptr [ebp - 8], ecx
            //   837d0800             | cmp                 dword ptr [ebp + 8], 0
            //   7414                 | je                  0x16

        $sequence_4 = { e8???????? 83c404 85c0 7636 68???????? 8b4508 }
            // n = 6, score = 100
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   85c0                 | test                eax, eax
            //   7636                 | jbe                 0x38
            //   68????????           |                     
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]

        $sequence_5 = { 52 e8???????? 8b4508 83780800 }
            // n = 4, score = 100
            //   52                   | push                edx
            //   e8????????           |                     
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   83780800             | cmp                 dword ptr [eax + 8], 0

        $sequence_6 = { 694d18a0860100 034d1c 8b55fc 894a14 8b45fc 8be5 }
            // n = 6, score = 100
            //   694d18a0860100       | imul                ecx, dword ptr [ebp + 0x18], 0x186a0
            //   034d1c               | add                 ecx, dword ptr [ebp + 0x1c]
            //   8b55fc               | mov                 edx, dword ptr [ebp - 4]
            //   894a14               | mov                 dword ptr [edx + 0x14], ecx
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   8be5                 | mov                 esp, ebp

        $sequence_7 = { 50 e8???????? 8b4dec 894110 8b55fc 83c201 8955fc }
            // n = 7, score = 100
            //   50                   | push                eax
            //   e8????????           |                     
            //   8b4dec               | mov                 ecx, dword ptr [ebp - 0x14]
            //   894110               | mov                 dword ptr [ecx + 0x10], eax
            //   8b55fc               | mov                 edx, dword ptr [ebp - 4]
            //   83c201               | add                 edx, 1
            //   8955fc               | mov                 dword ptr [ebp - 4], edx

        $sequence_8 = { a1???????? 8945e0 8b0d???????? 894de4 8a15???????? 8855e8 8d45d8 }
            // n = 7, score = 100
            //   a1????????           |                     
            //   8945e0               | mov                 dword ptr [ebp - 0x20], eax
            //   8b0d????????         |                     
            //   894de4               | mov                 dword ptr [ebp - 0x1c], ecx
            //   8a15????????         |                     
            //   8855e8               | mov                 byte ptr [ebp - 0x18], dl
            //   8d45d8               | lea                 eax, [ebp - 0x28]

        $sequence_9 = { e9???????? 68???????? e8???????? 50 e8???????? 83c408 6a08 }
            // n = 7, score = 100
            //   e9????????           |                     
            //   68????????           |                     
            //   e8????????           |                     
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c408               | add                 esp, 8
            //   6a08                 | push                8

    condition:
        7 of them and filesize < 100352
}

[TLP:WHITE] win_industroyer2_w0 (20220905 | Industroyer2 malware targeting power grid components.)

// Created by Nozomi Networks Labs

rule win_industroyer2_w0 {
    meta:
        author = "Nozomi Networks Labs"
        name = "Industroyer2"
        description = "Industroyer2 malware targeting power grid components."
        actor = "Sandworm"
        source="https://www.nozominetworks.com/downloads/US/Nozomi-Networks-WP-Industroyer2.pdf"
        hash = "D69665F56DDEF7AD4E71971F06432E59F1510A7194386E5F0E8926AEA7B88E00"

        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.industroyer2"
        malpedia_rule_date = "20220905"
        malpedia_hash = "6ec06c64bcfdbeda64eff021c766b4ce34542b71"
        malpedia_version = "20220905"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        $s1 = "%02d:%lS" wide ascii
        $s2 = "PService_PPD.exe" wide ascii
        $s3 = "D:\\OIK\\DevCounter" wide ascii
        $s4 = "MSTR ->> SLV" fullword wide ascii
        $s5 = "MSTR <<- SLV" fullword wide ascii
        $s6 = "Current operation : %s"
        $s7 = "Switch value: %s"
        $s8 = "Unknown APDU format !!!"
        $s9 = "Length:%u bytes |"
        $s10 = "Sent=x%X | Received=x%X"
        $s11 = "ASDU:%u | OA:%u | IOA:%u |"
        $s12 = "Cause: %s (x%X) | Telegram type: %s (x%X)"

    condition:
        5 of them
}

Download all Yara Rules

INDUSTROYER2 Propose Change

References

Yara Rules

INDUSTROYER2