Researchers discover a fourth distinct wiper malware used in Ukraine

A member of the Ukrainian military stands amid debris from a damaged residential apartment block caused after a Russian rocket was shot down by Ukrainian air defenses on March 14, 2022, in Kyiv, Ukraine. (Photo by Chris McGrath/Getty Images)

ESET discovered yet another distinct wiper malware deployed against Ukraine. This is the third discovered by ESET and the fourth overall since Jan. 15.

The latest wiper, dubbed CaddyWiper, was discovered just before noon Monday, Ukrainian time. It shares no known overlap with any of the previous wipers, or any other malware. ESET announced its discovery in a Twitter thread.

ESET had previously discovered HermeticWiper and IsaacWiper around the date of Russia's invasion of Ukraine. About a month earlier, Microsoft announced the discovery of WhisperGate.

Early indications from ESET's telemetry show CaddyWiper infected only "a few dozen systems in a limited number of organizations." That would make CaddyWiper appear to be a substantially more limited attack than HermeticWiper, which ESET immediately said it saw in hundreds of systems in Ukraine (and Symantec found in two machines in Latvia and Lithuania).

Attackers installed the malware using group policy objects, a tactic also seen in HermeticWiper. The malware is designed to avoid infecting domain controllers, which ESET speculated in its Twitter thread "is probably a way for the attackers to keep their access inside the organization while still disturbing operations."

CaddyWiper appears to have been compiled the same day it was deployed. HermeticWiper, on the other hand, was compiled and installed on systems months before it was deployed.

Though Russia's aggression in Ukraine is ongoing, and the U.S. has said it continues to be "vigilant" about new cyberattacks in the region, neither ESET nor any other organization has formally attributed the malware to Russia.

Joe Uchill

Joe is a senior reporter at SC Weekly, focused on policy issues. He previously covered cybersecurity for Axios, The Hill and the Christian Science Monitor’s short-lived Passcode website.
