SYMBOLCOMMON_NAMEaka. SYNONYMS
win.industroyer2 (Back to overview)

INDUSTROYER2

Actor(s): Sandworm

VTCollection    

There is no description at this point.

References
2024-04-16MandiantAlden Wahlstrom, Anton Prokopenkov, Dan Black, Dan Perez, Gabby Roncone, John Wolfram, Lexie Aytes, Nick Simonian, Ryan Hall, Tyler McLellan
APT44: Unearthing Sandworm
VPNFilter BlackEnergy CaddyWiper EternalPetya HermeticWiper Industroyer INDUSTROYER2 Olympic Destroyer PartyTicket RoarBAT Sandworm
2024-04-15UC Santa CruzAlonso Rojas, Alvaro A. Cardenas, Bing Huang, Emmanuele Zambon, Juan Lozano, Keerthi Koneru, Luis Salazar, Marina Krotofil, Ross Baldick, Sebastian R. Castro
A Tale of Two Industroyers: It was the Season of Darkness
Industroyer INDUSTROYER2
2023-07-12MandiantDan Black, Gabby Roncone
The GRU's Disruptive Playbook
CaddyWiper INDUSTROYER2 XakNet
2023-04-18MandiantMandiant
M-Trends 2023
QUIETEXIT AppleJeus Black Basta BlackCat CaddyWiper Cobalt Strike Dharma HermeticWiper Hive INDUSTROYER2 Ladon LockBit Meterpreter PartyTicket PlugX QakBot REvil Royal Ransom SystemBC WhisperGate
2023-04-14DragosDragos
2022 ICS/OT Threat Landscape Recap & What to Watch for This Year
INDUSTROYER2 Wassonite
2023-03-15MicrosoftMicrosoft Threat Intelligence
A year of Russian hybrid warfare in Ukraine
CaddyWiper DesertBlade DoubleZero HermeticWiper INDUSTROYER2 IsaacWiper PartyTicket SwiftSlicer WhisperGate
2023-02-15GoogleGoogle Threat Analysis Group, Mandiant
Fog of War: How the Ukraine Conflict Transformed the Cyber Threat Landscape
CaddyWiper Dharma HermeticWiper INDUSTROYER2 PartyTicket WhisperGate Callisto Curious Gorge MUSTANG PANDA Turla
2022-10-24Youtube (Virus Bulletin)Alexander Adamov
Russian wipers in the cyberwar against Ukraine
AcidRain CaddyWiper DesertBlade DoubleZero EternalPetya HermeticWiper HermeticWizard INDUSTROYER2 IsaacWiper KillDisk PartyTicket WhisperGate
2022-08-18TrustwavePawel Knapczyk
Overview of the Cyber Weapons Used in the Ukraine - Russia War
AcidRain CaddyWiper Cobalt Strike CredoMap DCRat DoubleZero GraphSteel GrimPlant HermeticWiper INDUSTROYER2 InvisiMole IsaacWiper PartyTicket
2022-08-18TrustwavePawel Knapczyk
Overview of the Cyber Weapons Used in the Ukraine - Russia War
AcidRain CaddyWiper Cobalt Strike CredoMap DCRat DoubleZero GraphSteel GrimPlant HermeticWiper INDUSTROYER2 InvisiMole IsaacWiper PartyTicket
2022-06-23splunkSplunk Threat Research Team
Threat Update: Industroyer2
INDUSTROYER2
2022-05-31NOZOMI Network LabsGiannis Tsaraias, Ivan Speziale
Industroyer vs. Industroyer2: Evolution of the IEC 104 Component
INDUSTROYER2
2022-05-18ntopntop
How ntopng monitors IEC 60870-5-104 traffic
INDUSTROYER2
2022-05-12BlackberryThe BlackBerry Research & Intelligence Team
Threat Thursday: Malware Rebooted - How Industroyer2 Takes Aim at Ukraine Infrastructure
INDUSTROYER2
2022-05-02AT&TFernando Martinez
Analysis on recent wiper attacks: examples and how wiper malware works
AcidRain CaddyWiper DoubleZero HermeticWiper INDUSTROYER2 IsaacWiper
2022-04-27Nozomi NetworksNozomi Networks Labs
Industroyer2: Nozomi Networks Labs Analyzes the IEC 104 Payload
INDUSTROYER2
2022-04-27MicrosoftMicrosoft Digital Security Unit (DSU)
Special Report: Ukraine An overview of Russia’s cyberattack activity in Ukraine
CaddyWiper DoubleZero HermeticWiper INDUSTROYER2 IsaacWiper PartyTicket WhisperGate
2022-04-25NetresecErik Hjelmvik
Industroyer2 IEC-104 Analysis
INDUSTROYER2
2022-04-25MandiantChris Sistrunk, Corey Hildebrandt, Daniel Kapellmann Zafra, Keith Lunden, Ken Proska, Nathan Brubaker, Raymond Leong
INDUSTROYER.V2: Old Malware Learns New Tricks
INDUSTROYER2
2022-04-23Stranded on Pylos BlogJoe Slowik
Industroyer2 in Perspective
INDUSTROYER2
2022-04-14SCADAfenceMaayan Fishelov
Industroyer2: ICS Networks need to heighten vigilance - SCADAfence
INDUSTROYER2
2022-04-12Cert-UACert-UA
Cyberattack of Sandworm Group (UAC-0082) on energy facilities of Ukraine using malicious programs INDUSTROYER2 and CADDYWIPER (CERT-UA # 4435)
CaddyWiper Industroyer INDUSTROYER2
2022-04-12Twitter (@silascutler)Silas Cutler
Tweet on analysis of CADDYWIPER used alongside with INDUSTROYER2
CaddyWiper INDUSTROYER2
2022-04-12ESET ResearchESET Ireland
Industroyer2: Industroyer reloaded
CaddyWiper INDUSTROYER2
2022-04-12ESET ResearchESET Research
Industroyer2: Industroyer reloaded
ArguePatch CaddyWiper Industroyer INDUSTROYER2
2022-02-28MicrosoftMSRC Team
Cyber threat activity in Ukraine: analysis and resources
CaddyWiper DesertBlade DoubleZero HermeticWiper INDUSTROYER2 IsaacWiper PartyTicket WhisperGate DEV-0586
Yara Rules
[TLP:WHITE] win_industroyer2_auto (20260504 | Detects win.industroyer2.)
rule win_industroyer2_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.industroyer2."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.industroyer2"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8b55f0 52 8d4db8 e8???????? 8bc8 e8???????? }
            // n = 6, score = 100
            //   8b55f0               | mov                 edx, dword ptr [ebp - 0x10]
            //   52                   | push                edx
            //   8d4db8               | lea                 ecx, [ebp - 0x48]
            //   e8????????           |                     
            //   8bc8                 | mov                 ecx, eax
            //   e8????????           |                     

        $sequence_1 = { e8???????? eb20 6a00 8d55ec }
            // n = 4, score = 100
            //   e8????????           |                     
            //   eb20                 | jmp                 0x22
            //   6a00                 | push                0
            //   8d55ec               | lea                 edx, [ebp - 0x14]

        $sequence_2 = { e8???????? 50 e8???????? 83c40c e9???????? 68???????? e8???????? }
            // n = 7, score = 100
            //   e8????????           |                     
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   e9????????           |                     
            //   68????????           |                     
            //   e8????????           |                     

        $sequence_3 = { 6a00 8b450c 50 68???????? 8b4df0 51 }
            // n = 6, score = 100
            //   6a00                 | push                0
            //   8b450c               | mov                 eax, dword ptr [ebp + 0xc]
            //   50                   | push                eax
            //   68????????           |                     
            //   8b4df0               | mov                 ecx, dword ptr [ebp - 0x10]
            //   51                   | push                ecx

        $sequence_4 = { 8b08 51 6a00 6a06 8b55fc 52 }
            // n = 6, score = 100
            //   8b08                 | mov                 ecx, dword ptr [eax]
            //   51                   | push                ecx
            //   6a00                 | push                0
            //   6a06                 | push                6
            //   8b55fc               | mov                 edx, dword ptr [ebp - 4]
            //   52                   | push                edx

        $sequence_5 = { 8b4508 50 6a01 8b4d08 8b9148010100 8b45f4 }
            // n = 6, score = 100
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   50                   | push                eax
            //   6a01                 | push                1
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   8b9148010100         | mov                 edx, dword ptr [ecx + 0x10148]
            //   8b45f4               | mov                 eax, dword ptr [ebp - 0xc]

        $sequence_6 = { 8b4dcc 894dc0 eb07 c745f800000000 8b55fc 3b55f0 7364 }
            // n = 7, score = 100
            //   8b4dcc               | mov                 ecx, dword ptr [ebp - 0x34]
            //   894dc0               | mov                 dword ptr [ebp - 0x40], ecx
            //   eb07                 | jmp                 9
            //   c745f800000000       | mov                 dword ptr [ebp - 8], 0
            //   8b55fc               | mov                 edx, dword ptr [ebp - 4]
            //   3b55f0               | cmp                 edx, dword ptr [ebp - 0x10]
            //   7364                 | jae                 0x66

        $sequence_7 = { 8a55d8 889146000100 eb11 8b450c c6801800010001 }
            // n = 5, score = 100
            //   8a55d8               | mov                 dl, byte ptr [ebp - 0x28]
            //   889146000100         | mov                 byte ptr [ecx + 0x10046], dl
            //   eb11                 | jmp                 0x13
            //   8b450c               | mov                 eax, dword ptr [ebp + 0xc]
            //   c6801800010001       | mov                 byte ptr [eax + 0x10018], 1

        $sequence_8 = { eb0e c745e801680000 c745f800000000 8b4dfc 3b4df0 732c 837df800 }
            // n = 7, score = 100
            //   eb0e                 | jmp                 0x10
            //   c745e801680000       | mov                 dword ptr [ebp - 0x18], 0x6801
            //   c745f800000000       | mov                 dword ptr [ebp - 8], 0
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]
            //   3b4df0               | cmp                 ecx, dword ptr [ebp - 0x10]
            //   732c                 | jae                 0x2e
            //   837df800             | cmp                 dword ptr [ebp - 8], 0

        $sequence_9 = { 740e e8???????? 8b45ec 50 }
            // n = 4, score = 100
            //   740e                 | je                  0x10
            //   e8????????           |                     
            //   8b45ec               | mov                 eax, dword ptr [ebp - 0x14]
            //   50                   | push                eax

    condition:
        7 of them and filesize < 100352
}
[TLP:WHITE] win_industroyer2_w0   (20220905 | Industroyer2 malware targeting power grid components.)
// Created by Nozomi Networks Labs

rule win_industroyer2_w0 {
    meta:
        author = "Nozomi Networks Labs"
        name = "Industroyer2"
        description = "Industroyer2 malware targeting power grid components."
        actor = "Sandworm"
        source="https://www.nozominetworks.com/downloads/US/Nozomi-Networks-WP-Industroyer2.pdf"
        hash = "D69665F56DDEF7AD4E71971F06432E59F1510A7194386E5F0E8926AEA7B88E00"

        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.industroyer2"
        malpedia_rule_date = "20220905"
        malpedia_hash = "6ec06c64bcfdbeda64eff021c766b4ce34542b71"
        malpedia_version = "20220905"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        $s1 = "%02d:%lS" wide ascii
        $s2 = "PService_PPD.exe" wide ascii
        $s3 = "D:\\OIK\\DevCounter" wide ascii
        $s4 = "MSTR ->> SLV" fullword wide ascii
        $s5 = "MSTR <<- SLV" fullword wide ascii
        $s6 = "Current operation : %s"
        $s7 = "Switch value: %s"
        $s8 = "Unknown APDU format !!!"
        $s9 = "Length:%u bytes |"
        $s10 = "Sent=x%X | Received=x%X"
        $s11 = "ASDU:%u | OA:%u | IOA:%u |"
        $s12 = "Cause: %s (x%X) | Telegram type: %s (x%X)"

    condition:
        5 of them
}
Download all Yara Rules