Russian state-backed hacker group Sandworm has deployed multiple data-wiping malware families in attacks targeting Ukraine’s education, government, and the grain sector, the country’s main revenue source.
The attacks occurred in June and September, cybersecurity company ESET says in a report today, and continue Sandworm’s (a.k.a. APT44) string of destructive operations in Ukraine.
As the name indicates, a data wiper’s purpose is to destroy a target’s digital information by corrupting or deleting files, disk partitions, and master boot records in a way that does not allow recovery. The impact on the target can be devastating, creating disruptions that are difficult to recover from.
Unlike ransomware, where the data is typically stolen and then encrypted, wiper malware is used purely in sabotage operations.
After the Russian invasion, Ukraine has been the target of numerous data wiper campaigns, most of them attributed to Russian state-sponsored actors, including PathWiper, HermeticWiper, CaddyWiper, Whispergate, and IsaacWiper.
Destructive attacks continue
ESET’s new report covers advanced persistent threat (APT) activity between April and September 2025 and presents several cases of wipers deployed in Ukraine, some of them targeting the country’s grain production.
This is a new development, showing that attackers are now focusing on Ukraine’s vital economic sector, as grain exports are the main source of income, especially during the war.
“In June and September, Sandworm deployed multiple data-wiping malware variants against Ukrainian entities active in the governmental, energy, logistics, and grain sectors,” explains ESET.
“Although all four have previously been documented as targets of wiper attacks at some point since 2022, the grain sector stands out as a not-so-frequent target.”
“Considering that grain export remains one of Ukraine’s main sources of revenue, such targeting likely reflects an attempt to weaken the country’s war economy.”
APT44 also deployed ‘ZeroLot’ and ‘Sting’ wipers in April 2025, targeting a university in Ukraine. Sting was executed through a Windows scheduled task named after the traditional Hungarian dish goulash.
It is noted that initial access for some of these incidents was achieved by UAC-0099, who then transferred the access to APT44 for wiper deployment.
UAC-0099 is a threat actor that has been operating since at least 2023 and appears to focus its attacks on Ukrainian organizations.
The researchers note that while Sandworm has recently shown a greater focus on espionage operations, data wiper attacks against Ukrainian entities remain a continuous activity for the threat group.
ESET also identified Iran-aligned activity that could not be attributed to a specific threat group, but it is consistent with tactics, techniques, and procedures (TTPs) associated with Iranian hackers.
In June 2025, these activity clusters deployed Go-based tools based on publicly available open-source wipers, targeting Israel’s energy and engineering sectors.
Much of the guidance for preventing ransomware also helps defend against data wipers. A key step is keeping critical data backups on offline media, out of reach of hackers.
Implementing strong endpoint detection and intrusion prevention systems and keeping all software updated can also prevent a wide range of attacks, including data wiping incidents.


