Razing Ursa
Razing Ursa is a Russian threat actor also referred to as Sandworm and Voodoo Bear, and associated with GRU Unit 74455. Reporting links the actor to destructive operations and malware, including the UK FCDO's attribution of the Olympic Destroyer wiper incident at the 2018 Pyeongchang Winter Olympics. That operation disabled Wi-Fi at the opening ceremony as well as the Olympics website, ticketing, and broadcast drones, with more than 300 systems reportedly compromised and restoration taking 12 hours. Razing Ursa is also linked to the destructive Linux wiper families AcidRain and AcidPour. AcidRain is described as targeting MIPS-based modems and routers, while AcidPour targets x86-based storage arrays and industrial control systems. Cloud-focused reporting likewise identifies AcidRain and AcidPour as destructive Linux wipers associated with this actor.
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Who they target
Sectors the actor has been observed targeting.
- Media & Entertainment
- Government & Administration
Where they target
Geographies tied to known operations.
- 🇰🇷 South Korea
- 🇯🇵 Japan
Where they're from
Attributed origin per open-source reporting.
- RU
Tradecraft
1 distinct technique observed across reporting, grouped by tactic.
Associated malware families
1 malware family attributed to this actor across reporting.
Recent activity
2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Russian state-linked actor to which destructive Olympic-related operations are attributed, including Olympic Destroyer and later reconnaissance/disruption activity around Tokyo 2020/21.
Razing Ursa is a Russian threat actor known for deploying destructive wiper malware (AcidRain, AcidPour) against infrastructure, including modems, routers, storage arrays, and industrial control systems.