Threat Actor

CaddyWiper

caddywiper · russia_apt_sandworm · active since 2022-03

CaddyWiper (ESET's canonical name; first detected by ESET at 9:38am UK time on March 14, 2022, deployed in the network of a Ukrainian bank; ESET detection name Win32/KillDisk.NCX) is a destructive disk wiper attributed to Sandworm (Russian GRU Unit 74455; also Mandiant APT44, Microsoft Seashell Blizzard, Dragos ELECTRUM; curated separately as the sandworm_team parent operator cluster). It is the third, and the most variant-iterated, wiper of the 2022 Ukraine wartime wiper cluster.

Its loader companion ARGUEPATCH (named by CERT-UA; ESET detection Win32/Agent.AEGY) is a modified copy of the Hex-Rays IDA Pro remote debugger server win32_remote.exe, sometimes renamed peremoga.exe.

Russian state-sponsored attribution to Sandworm rests on ESET's canonical April 12, 2022 disclosure "Industroyer2: Industroyer reloaded" (Anton Cherepanov) and on ESET's February 24, 2023 compilation "A year of wiper attacks in Ukraine", with high confidence based on the Industroyer2 co-deployment and operational TTP analysis.

Standalone malware platform cluster paralleling whispergate and hermeticwiper in the Ukraine 2022 wartime wiper cell. Two cluster-defining traits: a small-binary architecture (a 32-bit PE of roughly 9KB, versus 114KB for HermeticWiper) which, from the April 1, 2022 ArguePatch combination onward, was delivered as an encrypted blob so that static analysis and string extraction yield nothing until the ARGUEPATCH loader has decrypted it; and the ARGUEPATCH loader itself, a patched Hex-Rays IDA Pro debugger server that decrypts shellcode from a file with a single-byte XOR key derived from its input key. The host binary is a defender-trolling choice, IDA Pro being the reverse-engineering tool malware analysts themselves use. Per ESET: "We don't know why attackers chose to trojanize this piece of software, it might be a troll towards defenders."

Cluster-defining Industroyer2 co-deployment and evidence-erasure tradecraft, per ESET's April 8, 2022 attack timeline: at 15:02:22 UTC a Sandworm operator creates the scheduled task; at 16:10 UTC Industroyer2 executes on schedule to cut power in a Ukrainian region; at 16:20 UTC CaddyWiper executes on schedule on the same machine to erase Industroyer2's traces and slow ICS console recovery. Per ESET, the wiper was "intended to slow down the recovery process and prevent operators of the energy company from regaining control of the ICS consoles".

Per the TechTarget Black Hat 2022 retrospective with Anton Cherepanov and Robert Lipovsky, CaddyWiper "caused more disruption than Industroyer2"; mistakes by the attack's authors allowed defenders to mitigate before a blackout was triggered (the attack was foiled by the Ukrainian energy provider working with CERT-UA, ESET and Microsoft, per Victor Zhora of Ukraine's SSSCIP). Multi-variant evolution through 2022: March 14, first variant at a Ukrainian bank; April 1, first ArguePatch + CaddyWiper combination; April 8, Industroyer2-companion variant; May 16, ArguePatch rebuilt as a modified ESET binary with the digital signature removed and code overwritten; June 20 and 23, deployments against Ukrainian institutions reported by ESET and CERT-UA; October 3, x64 Windows variant.

Part of a cross-platform wiper family in the Industroyer2 attack: CaddyWiper for Windows, plus the ORCSHRED, SOLOSHRED and AWFULSHRED data-wiping scripts for Linux and Solaris ICS systems.

No major coding similarities to its predecessors HermeticWiper or WhisperGate per ESET; a distinct codebase suggesting a separate developer team or development branch within Sandworm.

The sample carried no digital signature (unlike HermeticWiper's signed-driver approach).

The PE header compilation timestamp matched the deployment date, a just-in-time compilation pattern. ESET's May 20, 2022 disclosure "Sandworm uses a new version of ArguePatch to attack targets in Ukraine" described an updated ArguePatch that can execute the next stage at a specified time by itself, removing the need for a Windows scheduled task (stay-under-the-radar tradecraft). The cluster fills the most-variant-iterated wiper position in the 2022 Ukraine wartime wiper chronology: WhisperGate (January 2022), HermeticWiper (February 23, 2022), IsaacWiper (February 24, 2022), CaddyWiper (March 14, 2022), Industroyer2 (April 8, 2022).

Canonical illustration of the small encrypted-binary architecture, the signature ARGUEPATCH IDA Pro loader tradecraft, the evidence-erasure mission alongside Industroyer2 and Sandworm's continued destructive cyberweapon platform capability; cited in essentially all Ukraine wiper and Sandworm-platform industry analyses from 2022 onward.

russia_apt_sandworm · confidence: high · 17 aliases
Sigma rules: 200 · YARA rules: 1 · Live IOCs: 0 · CVEs exploited: 0

Profile

CaddyWiper (ESET's canonical name; first detected by ESET at 9:38am UK time on March 14, 2022, deployed in the network of a Ukrainian bank; ESET detection name Win32/KillDisk.NCX; loader companion ARGUEPATCH, named by CERT-UA, a modified Hex-Rays IDA Pro win32_remote.exe debugger server) is a destructive disk wiper attributed to Sandworm, the third and most variant-iterated wiper of the 2022 Ukraine wartime wiper cluster. Russian state-sponsored attribution to Sandworm (Russian GRU Unit 74455; also Mandiant APT44, Microsoft Seashell Blizzard, Dragos ELECTRUM; curated separately as the sandworm_team parent operator cluster) rests on ESET's canonical April 12, 2022 Industroyer2 disclosure and the February 24, 2023 compilation "A year of wiper attacks in Ukraine". Standalone malware platform cluster paralleling whispergate and hermeticwiper in the Ukraine 2022 wartime wiper cell.

Operational attack architecture
  • (1) Small-binary architecture (cluster-defining): a 32-bit PE Windows binary of only about 9KB (vs. 114KB for HermeticWiper). In the ArguePatch combinations the payload is stored encrypted, so static analysis and string extraction produce nothing useful until the ARGUEPATCH loader has decrypted it.
  • (2) ARGUEPATCH loader (cluster-defining): a patched version of the Hex-Rays IDA Pro debugger server win32_remote.exe (sometimes renamed peremoga.exe). A single-byte XOR key derived from the input key decrypts shellcode read from a file. The choice of host binary is a signature operator troll, IDA Pro being the reverse-engineering tool malware analysts use. Per ESET: "We don't know why attackers chose to trojanize this piece of software, it might be a troll towards defenders."
  • (3) Multi-variant evolution through 2022 (cluster-defining): March 14, 2022, initial CaddyWiper at a Ukrainian bank; April 1, 2022, first ArguePatch + CaddyWiper combination; April 8, 2022, Industroyer2-companion variant; May 16, 2022, ArguePatch rebuilt from a modified ESET binary with the digital signature removed; June 20 and 23, 2022, ArguePatch + CaddyWiper against Ukrainian institutions; October 3, 2022, x64 Windows variant.
  • (4) Industroyer2 co-deployment evidence-erasure tradecraft (signature): April 8, 2022 timeline: 15:02:22 UTC, Sandworm operator creates the scheduled task; 16:10 UTC, Industroyer2 executes; 16:20 UTC, CaddyWiper executes on the same machine to erase Industroyer2 traces and slow ICS console recovery. Per ESET, CaddyWiper "caused more disruption than Industroyer2", and mistakes by the wiper's authors let defenders mitigate before a blackout was triggered (TechTarget Black Hat 2022 retrospective).
  • (5) Cross-platform wiper family for the ICS attack (signature): CaddyWiper for Windows ICS systems; ORCSHRED, SOLOSHRED and AWFULSHRED data-wiping scripts for Linux and Solaris ICS systems.
  • (6) No major coding similarities to predecessors (signature): per ESET, CaddyWiper "appears to bear no major coding similarities to either of its predecessors" (HermeticWiper, WhisperGate). The distinct codebase suggests a separate developer team or development branch within Sandworm.

Operational target profile
  • March 14, 2022: Ukrainian bank.
  • April 8, 2022: Ukrainian energy provider, high-voltage electrical substations (Industroyer2 co-deployment, attack foiled).
  • June 2022: Ukrainian institutions.
  • Throughout 2022: continued deployments.

Signature operational tradecraft
  • Small encrypted-binary architecture (cluster-defining): anti-static-analysis tradecraft.
  • ARGUEPATCH IDA Pro loader (cluster-defining): defender-trolling choice of host software.
  • Multi-variant evolution through 2022: 6+ distinct variants.
  • Industroyer2 co-deployment evidence-erasure tradecraft: cluster-defining mission profile alongside ICS-specific malware.
  • Cross-platform wiper family (ORCSHRED, SOLOSHRED, AWFULSHRED): signature non-Windows ICS coverage.
  • Distinct codebase from the HermeticWiper and WhisperGate predecessors: signature separate development branch.
  • Scheduled-task execution timing: signature UTC-time-precise coordination.

The cluster fills the most-variant-iterated wiper position in the 2022 Ukraine wartime wiper chronology:
  • WhisperGate, January 2022.
  • HermeticWiper, February 23, 2022.
  • IsaacWiper, February 24, 2022.
  • CaddyWiper, March 14, 2022.
  • Industroyer2, April 8, 2022.

Operationally significant for its cluster-defining small encrypted binary, the IDA Pro loader operator-trolling tradecraft and the Industroyer2-companion evidence-erasure mission.

Aliases

17 aliases: caddywiper · caddy wiper · caddywiper_malware · win32 killdisk ncx · win32_killdisk_ncx · arguepatch · argue patch · argue_patch_loader · win32 agent aegy · orcshred · soloshred · awfulshred · caddywiper march 14 2022 ukrainian bank · caddywiper industroyer2 companion april 2022 · caddywiper arguepatch loader · caddywiper 9kb encrypted binary · caddywiper x64 october 2022

Notable Campaigns

9 campaigns
  • 2023 · ESET "A year of wiper attacks in Ukraine" Sandworm attribution (February 24, 2023)
  • 2022-2026 · Continued industry reference status
  • 2022 · CaddyWiper discovery, Ukrainian bank (March 14, 2022)
  • 2022 · CaddyWiper + ArguePatch combination first observed (April 1, 2022)
  • 2022 · Industroyer2 + CaddyWiper coordinated co-deployment (April 8, 2022)
  • 2022 · ESET Industroyer2 + CaddyWiper canonical disclosure (April 12, 2022)
  • 2022 · ArguePatch ESET-binary-masked variant (May 16, 2022)
  • 2022 · ArguePatch + CaddyWiper, Ukrainian institutions (June 20 and 23, 2022)
  • 2022 · CaddyWiper x64 Windows variant (October 3, 2022)

Attribution & Reporting

Attributed by
  • ESET WeLiveSecurity (canonical March 14, 2022 first disclosure; April 12, 2022 Industroyer2 + CaddyWiper co-deployment disclosure; May 20, 2022 ArguePatch updated variant; February 24, 2023 "A year of wiper attacks" Sandworm attribution compilation)
  • CERT-UA, Ukrainian Computer Emergency Response Team (ARGUEPATCH loader naming; incident response coordination)
  • ESET researchers Anton Cherepanov and Robert Lipovsky (canonical analysis)
  • Mandiant / Google Cloud Threat Intelligence Group (APT44 Sandworm tracking)
  • Microsoft Threat Intelligence Center (Seashell Blizzard Sandworm tracking)
  • CrowdStrike (Voodoo Bear Sandworm tracking)
  • Securonix Threat Labs (April 20, 2022 Industroyer2 + CaddyWiper detailed analysis)
  • SOC Prime (Sandworm Industroyer2 + CaddyWiper detection content)
  • Victor Zhora (Deputy chairman, Ukraine SSSCIP; Black Hat 2022 and industry presentations)
  • Computer Weekly (industry reporting: CaddyWiper is fourth new malware linked to Ukraine war)
  • SearchSecurity TechTarget (Industroyer2 and Black Hat 2022 retrospective)
  • Infosecurity Magazine (Industroyer2 + CaddyWiper reporting)
  • US Department of Justice (October 15, 2020 indictment of six GRU Unit 74455 officers, US Attorney Scott W. Brady; Sandworm attribution baseline)
  • MITRE ATT&CK Software S1132 (CaddyWiper)
Key reporting
  • ESET WeLiveSecurity (Anton Cherepanov): Industroyer2, Industroyer reloaded (April 12, 2022), canonical Industroyer2 + CaddyWiper co-deployment disclosure
  • ESET WeLiveSecurity: Sandworm uses a new version of ArguePatch to attack targets in Ukraine (May 20, 2022), canonical ArguePatch updated variant
  • ESET WeLiveSecurity (Anton Cherepanov and Robert Lipovsky): A year of wiper attacks in Ukraine (February 24, 2023), canonical 2022 Ukraine wiper compilation and Sandworm attribution
  • ESET Ireland blog mirror: Industroyer2 + CaddyWiper canonical disclosure
  • ESET WeLiveSecurity: DynoWiper update, Technical analysis and attribution (January 2026), retrospective CaddyWiper context
  • Computer Weekly: CaddyWiper is fourth new malware linked to Ukraine war (March 2022), canonical March 14 first-day reporting
  • Computer Weekly: Sandworm rolls out Industroyer2 malware against Ukraine (April 12, 2022)
  • TechTarget SearchSecurity: Industroyer2, How Ukraine avoided another blackout attack (Black Hat 2022 retrospective)
  • SOC Prime: Detect Industroyer2 and CaddyWiper Malware, Sandworm APT Hits Ukrainian Power Facilities (April 13, 2022), canonical detection content
  • Securonix Threat Labs: Industroyer2/CaddyWiper Targeting Ukrainian Power Grid, Detailed Analysis (April 20, 2022)
  • Infosecurity Magazine: Ukrainian Energy Supplier Targeted by New Industroyer Malware
  • CERT-UA, Ukrainian Computer Emergency Response Team: canonical ARGUEPATCH loader naming and incident response coordination
  • Victor Zhora (Deputy chairman, Ukraine SSSCIP): Black Hat 2022 and industry presentations on the Industroyer2 + CaddyWiper response
  • Mandiant / Google Cloud Threat Intelligence Group: APT44 Sandworm tracking
  • Microsoft Threat Intelligence Center: Seashell Blizzard Sandworm tracking
  • CrowdStrike: Voodoo Bear Sandworm tracking
  • US Department of Justice (US Attorney Scott W. Brady): October 15, 2020 indictment of six GRU Unit 74455 officers
  • MITRE ATT&CK Software S1132: CaddyWiper
  • Malpedia Software Profile: CaddyWiper

Operational

State sponsor

Russian state-sponsored APT, Sandworm (Russian GRU Unit 74455; also Mandiant APT44, Microsoft Seashell Blizzard, Dragos ELECTRUM; curated separately as the sandworm_team parent operator cluster). Per ESET's canonical "A year of wiper attacks in Ukraine" (Anton Cherepanov and Robert Lipovsky), CaddyWiper is attributed to Sandworm on the basis of multiple incident response engagements and its coherence with the Industroyer2 attack of April 8, 2022.

Attribution chain: (1) ESET's canonical March 14, 2022 first disclosure: ESET researchers detected CaddyWiper at 9:38am UK time on March 14, 2022, deployed in the network of a Ukrainian bank; ESET products detect it as Win32/KillDisk.NCX. Per Computer Weekly, ESET "first detected CaddyWiper at 9.38am UK time on Monday 14 March 2022. It destroys user data and partition from attached drives, and so far has been seen on several dozen systems at a limited number of organisations." (2) ESET's April 12, 2022 co-deployment disclosure: ESET (Anton Cherepanov) with CERT-UA published the canonical "Industroyer2: Industroyer reloaded", establishing CaddyWiper as the Industroyer2 companion in the attempted Ukrainian power grid attack of April 8, 2022.

Per ESET's timeline:
  • 2022-04-08 14:58 UTC: scheduled execution of CaddyWiper on a first machine.
  • 2022-04-08 15:02:22 UTC: Sandworm operator creates the scheduled task that launches Industroyer2.
  • 2022-04-08 16:10 UTC: scheduled execution of Industroyer2 to cut power in a Ukrainian region.
  • 2022-04-08 16:20 UTC: scheduled execution of CaddyWiper on the same machine to erase Industroyer2 traces.

Per ESET: "the attackers deployed a new version of CaddyWiper destructive malware. We believe it was intended to slow down the recovery process and prevent operators of the energy company from regaining control of the ICS consoles. It was also deployed on the machine where Industroyer2 was executed, likely to cover their traces."

(3) ESET's May 20, 2022 ArguePatch disclosure, "Sandworm uses a new version of ArguePatch to attack targets in Ukraine", establishing the signature ArguePatch loader for CaddyWiper. (4) ESET's February 24, 2023 compilation "A year of wiper attacks in Ukraine", attributing the majority of 2022 Ukraine wipers, including CaddyWiper, to Sandworm with varying degrees of confidence. (5) CERT-UA collaboration: CERT-UA's naming of the ArguePatch loader and incident response across multiple CaddyWiper deployments through 2022.

Operational attack architecture per ESET, CERT-UA, Securonix and SOC Prime: (1) Compromise and lateral movement to the target system: the attackers compromise the Ukrainian organization weeks to months beforehand; for the Industroyer2 attack, the initial compromise of the targeted energy company occurred on or before February 17, 2022 per Victor Zhora (Ukraine SSSCIP). (2) ARGUEPATCH loader deployment: ARGUEPATCH (named by CERT-UA) is a patched version of the Hex-Rays IDA Pro debugger server win32_remote.exe (sometimes renamed peremoga.exe); the choice of a reverse-engineering tool used by malware analysts is a signature operator troll. Per ESET: "We don't know why attackers chose to trojanize this piece of software, it might be a troll towards defenders." A single-byte XOR key derived from the input key decrypts the shellcode read from a file. (3) CaddyWiper destructive payload execution: the roughly 9KB 32-bit PE is stored encrypted, which defeats static analysis until the ARGUEPATCH loader has decrypted it; once running it destroys user data and partitions on attached drives. (4) Scheduled-task execution: ARGUEPATCH is launched by a scheduled task at a specific UTC time; in the Industroyer2 attack at 14:58 UTC on the first machine and at 16:20 UTC on the machine where Industroyer2 ran. (5) Cross-platform wiper companions in the Industroyer2 attack: the ORCSHRED, SOLOSHRED and AWFULSHRED data-wiping scripts for Linux and Solaris ICS systems, deployed alongside CaddyWiper.
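Recovering the encrypted next stage that an ArguePatch-style loader reads from disk, as an added example (this is not ESET, CERT-UA or Sandworm code, and it is not ArguePatch). ArguePatch derives its single-byte XOR key from a command-line key argument, and that derivation is not documented here, so the script assumes nothing about it: it does what an analyst does when the operator's argument is unavailable, trying all 256 keys and keeping the one whose plaintext looks most like a PE image or x86 shellcode, cross-checked against a byte-frequency guess. SAMPLE_BLOB, SAMPLE_KEY and build_sample_pe are constructed for the example and are not real samples or real keys.

```python
"""Single-byte XOR recovery of an ArguePatch-style encrypted next stage.

Added example, not ArguePatch and not vendor code. The loader's key derivation
is unknown here, so recovery brute-forces the key space (256 candidates) and
scores plaintext for PE / x86 shellcode structure. SAMPLE_* data is constructed.
"""
from collections import Counter


def xor_single(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte; encryption and decryption are the same op."""
    return bytes(b ^ key for b in data)


def score_plaintext(pt: bytes) -> float:
    """Heuristic score: higher means 'looks like a PE image or x86 shellcode'."""
    score = 0.0
    if pt[:2] == b"MZ":
        score += 50
    if b"This program cannot be run in DOS mode" in pt:
        score += 50
    if len(pt) >= 0x40:
        e_lfanew = int.from_bytes(pt[0x3C:0x40], "little")
        if 0x40 <= e_lfanew <= len(pt) - 4 and pt[e_lfanew:e_lfanew + 4] == b"PE\0\0":
            score += 100
    # Common x86 entry idioms near offset 0: push ebp/mov ebp,esp; call $+5; cld/call
    for sig in (b"\x55\x8b\xec", b"\xe8\x00\x00\x00\x00", b"\xfc\xe8"):
        if sig in pt[:64]:
            score += 30
    printable = sum(1 for b in pt if 0x20 <= b < 0x7F or b in (9, 10, 13))
    score += 20 * printable / max(len(pt), 1)
    return score


def guess_key_by_frequency(blob: bytes) -> int:
    """PE images and shellcode are zero-heavy, and a single-byte XOR preserves the
    byte-frequency ranking, so the most common ciphertext byte is likely 0x00 ^ key."""
    return Counter(blob).most_common(1)[0][0]


def recover(blob: bytes, top_n: int = 3):
    """Return (best_key, plaintext, ranked [(score, key), ...]) over all 256 keys."""
    ranked = sorted(((score_plaintext(xor_single(blob, k)), k) for k in range(256)),
                    reverse=True)
    best_key = ranked[0][1]
    return best_key, xor_single(blob, best_key), ranked[:top_n]


def build_sample_pe() -> bytes:
    """Constructed minimal PE-shaped plaintext: DOS header, stub string, PE signature,
    IMAGE_FILE_MACHINE_I386, a section name and a push ebp/mov ebp,esp prologue."""
    hdr = bytearray(0x100)
    hdr[0:2] = b"MZ"
    hdr[0x3C:0x40] = (0x80).to_bytes(4, "little")   # e_lfanew -> PE header at 0x80
    stub = b"This program cannot be run in DOS mode.\r\n$"
    hdr[0x40:0x40 + len(stub)] = stub
    hdr[0x80:0x84] = b"PE\0\0"
    hdr[0x84:0x86] = (0x14C).to_bytes(2, "little")  # 32-bit, like the 9KB CaddyWiper PE
    return bytes(hdr) + b".text\0\0\0" + b"\x55\x8b\xec\x83\xec\x10" + bytes(64)


SAMPLE_KEY = 0x5A                                        # constructed key, not ArguePatch's
SAMPLE_BLOB = xor_single(build_sample_pe(), SAMPLE_KEY)  # what a loader would read from disk


if __name__ == "__main__":
    key, plain, top = recover(SAMPLE_BLOB)
    print(f"frequency guess: 0x{guess_key_by_frequency(SAMPLE_BLOB):02x}")
    print(f"best key: 0x{key:02x}  candidates: {[(round(s, 1), hex(k)) for s, k in top]}")
    machine = int.from_bytes(plain[0x84:0x86], "little")
    print(f"plaintext starts with {plain[:2]!r}, machine 0x{machine:x}")
```

On a real file, read the blob from disk and pass it to recover(); if the operator's key argument is captured, xor_single(blob, key) with the derived byte is the direct check, and score_plaintext tells you whether the result is worth loading into a disassembler.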
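Turning the April 8 timeline above into a detection, as an added example (not ESET, CERT-UA, SOC Prime or Securonix content): the pattern is a task created by an operator, a one-shot TimeTrigger that fires a binary from a user-writable path shortly afterwards, and a second such task on the same host firing minutes later. The script parses Windows Security 4698 (scheduled task created) records, flags short-fuse one-shot tasks, then correlates flagged tasks per host. The records, host names, task names and paths are constructed for the example. It assumes every timestamp, including the task XML StartBoundary, is naive UTC; a real 4698 StartBoundary without an offset is host-local time and must be normalised first.

```python
"""Short-fuse one-shot scheduled task detection over Windows 4698 records.

Added example; not vendor detection content. SAMPLE_EVENTS are constructed
4698-like records, not real telemetry. Assumption: all timestamps are naive UTC.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


@dataclass
class TaskFinding:
    host: str
    task_name: str
    created: datetime
    runs_at: datetime
    command: str
    arguments: str
    reasons: list = field(default_factory=list)


def parse_task_content(xml_text: str):
    """Pull the one-shot start time and the Exec action out of 4698 TaskContent XML."""
    root = ET.fromstring(xml_text)
    start = root.findtext("t:Triggers/t:TimeTrigger/t:StartBoundary", namespaces=TASK_NS)
    command = root.findtext("t:Actions/t:Exec/t:Command", default="", namespaces=TASK_NS)
    arguments = root.findtext("t:Actions/t:Exec/t:Arguments", default="", namespaces=TASK_NS)
    return start, command.strip(), arguments.strip()


def find_short_fuse_tasks(events, fuse_minutes: int = 180):
    """Flag 4698 events whose task has a TimeTrigger firing within fuse_minutes of creation."""
    fuse = timedelta(minutes=fuse_minutes)
    findings = []
    for ev in events:
        if ev.get("EventID") != 4698:
            continue
        created = datetime.fromisoformat(ev["TimeCreated"])
        start, command, arguments = parse_task_content(ev["TaskContent"])
        if start is None:                 # calendar/logon/boot triggers are out of scope here
            continue
        runs_at = datetime.fromisoformat(start)
        if not (timedelta(0) <= runs_at - created <= fuse):
            continue
        reasons = [f"one-shot TimeTrigger fires {runs_at - created} after creation"]
        if command and not command.lower().startswith(TRUSTED_PREFIXES):
            reasons.append("command outside Windows/Program Files")
        findings.append(TaskFinding(ev["Computer"], ev["TaskName"], created, runs_at,
                                    command, arguments, reasons))
    return findings


def pair_chained_tasks(findings, window_minutes: int = 30):
    """Correlate flagged tasks on one host whose run times fall within window_minutes."""
    window = timedelta(minutes=window_minutes)
    by_host = defaultdict(list)
    for f in findings:
        by_host[f.host].append(f)
    pairs = []
    for host_findings in by_host.values():
        host_findings.sort(key=lambda f: f.runs_at)
        for first, second in zip(host_findings, host_findings[1:]):
            if second.runs_at - first.runs_at <= window:
                pairs.append((first, second))
    return pairs


def task_xml(start, command, arguments="", daily=False):
    """Build constructed TaskContent XML in the Task Scheduler schema."""
    trigger = (f"<CalendarTrigger><StartBoundary>{start}</StartBoundary>"
               f"<ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger>"
               if daily else
               f"<TimeTrigger><StartBoundary>{start}</StartBoundary><Enabled>true</Enabled></TimeTrigger>")
    return (f'<Task version="1.2" xmlns="{TASK_NS["t"]}"><Triggers>{trigger}</Triggers>'
            f'<Actions Context="Author"><Exec><Command>{command}</Command>'
            f"<Arguments>{arguments}</Arguments></Exec></Actions></Task>")


# Constructed 4698 records; hosts, task names and paths are invented for the example.
SAMPLE_EVENTS = [
    {"EventID": 4698, "TimeCreated": "2022-04-08T15:02:22", "Computer": "ICS-HMI-01",
     "TaskName": "\\svc-a",
     "TaskContent": task_xml("2022-04-08T16:10:00", "C:\\ProgramData\\svc\\stage1.exe")},
    {"EventID": 4698, "TimeCreated": "2022-04-08T15:05:10", "Computer": "ICS-HMI-01",
     "TaskName": "\\svc-b",
     "TaskContent": task_xml("2022-04-08T16:20:00", "C:\\ProgramData\\svc\\peremoga.exe",
                             "C:\\ProgramData\\svc\\stage2.bin 7f")},
    {"EventID": 4698, "TimeCreated": "2022-04-08T09:00:00", "Computer": "ICS-HMI-01",
     "TaskName": "\\Vendor\\Updater",
     "TaskContent": task_xml("2022-04-08T09:30:00", "C:\\Program Files\\Vendor\\updater.exe",
                             daily=True)},
    {"EventID": 4698, "TimeCreated": "2022-04-08T14:30:00", "Computer": "ENG-WS-07",
     "TaskName": "\\svc-c",
     "TaskContent": task_xml("2022-04-08T14:58:00", "C:\\ProgramData\\svc\\peremoga.exe",
                             "C:\\ProgramData\\svc\\stage2.bin 7f")},
]


if __name__ == "__main__":
    hits = find_short_fuse_tasks(SAMPLE_EVENTS)
    for h in hits:
        print(f"{h.host} {h.task_name}: created {h.created:%H:%M:%S}Z, runs {h.runs_at:%H:%M}Z; "
              + "; ".join(h.reasons))
    for a, b in pair_chained_tasks(hits):
        print(f"chained on {a.host}: {a.task_name} at {a.runs_at:%H:%M}Z then "
              f"{b.task_name} at {b.runs_at:%H:%M}Z")
```

The recurring vendor task is ignored because it carries a CalendarTrigger rather than a TimeTrigger, which keeps the rule from paging on ordinary maintenance; the pairing step is what distinguishes the ICS-host sequence (two one-shots ten minutes apart) from the lone short-fuse task on the engineering workstation, which still surfaces as a single finding. Note that the May 20, 2022 ArguePatch variant schedules its own next stage internally, so 4698 telemetry alone does not cover it; process-creation telemetry for the loader is needed there.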
Operational target profile
  • March 14, 2022: Ukrainian bank (initial CaddyWiper discovery; several dozen systems at a limited number of organizations).
  • April 1, 2022: ArguePatch + CaddyWiper combination first observed.
  • April 8, 2022: Ukrainian energy provider (high-voltage electrical substations targeted by the Industroyer2 + CaddyWiper combination; attack foiled through CERT-UA, ESET and Microsoft collaboration).
  • May 16, 2022: ArguePatch deployed as a modified ESET binary (digital signature removed, code overwritten).
  • June 20 and 23, 2022: ArguePatch + CaddyWiper deployments against Ukrainian institutions.
  • October 3, 2022: x64 Windows variant deployed.

The cluster fills the most-variant-iterated wiper position in the 2022 Ukraine wartime wiper chronology:
  • WhisperGate, January 2022.
  • HermeticWiper, February 23, 2022.
  • IsaacWiper, February 24, 2022.
  • CaddyWiper, March 14, 2022.
  • Industroyer2, April 8, 2022.
Motivations
ukrainian_critical_infrastructure_disruption_during_invasion_first_months, third_wiper_of_2022_ukraine_wartime_wiper_cluster_capability_demonstration, industroyer2_companion_evidence_erasure_tradecraft_capability, sandworm_destructive_disk_wiper_continued_capability_demonstration, small_binary_encrypted_payload_evading_static_analysis_signature, operator_trolling_defenders_via_ida_pro_loader_software_choice, multi_variant_iterative_development_throughout_2022_capability, cross_platform_wiper_family_for_ics_disruption_orcshred_soloshred_awfulshred
Sectors
Regions

Detection Blind Spots

60 techniques
Across this actor’s 60 mapped techniques, the share covered by each detection layer. Low bars are where you’d be blind if this actor targeted you.
  • Behavioral / log (Sigma): 48/60 · 80%
  • Analytics (MITRE CAR): 28/60 · 46%
  • Runtime / container (Falco): 6/60 · 10%
  • File / malware (YARA): 0/60 · 0%
  • Network (Suricata/Snort): 15/60 · 25%
  • Vuln scan (Nuclei): 0/60 · 0%

Atomic Test Plan

30 techniques
Runnable Atomic Red Team tests covering this actor's mapped techniques: validate your detections against this specific adversary and cross-reference the blind spots above. For authorized lab / purple-team use.

Tools Used

0 mapped
Other tooling / TTPs (curation, not ATT&CK-mapped): Sandworm signature wiper platform · scheduled task launching ArguePatch at a specific UTC time · single-byte XOR key derived from input for shellcode decryption · SOLOSHRED
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin