IsaacWiper
IsaacWiper is a destructive Windows wiper deployed against Ukraine in February 2022. According to ESET's reporting of March 1, 2022, a second destructive attack against a Ukrainian governmental network began on February 24, 2022, this time using IsaacWiper, and the wiper was placed only on specific machines that had previously been compromised with the RemCom remote administration tool, which the attackers used for lateral movement. IsaacWiper is consistently listed alongside the other Ukraine-focused wipers of that period (WhisperGate, HermeticWiper, CaddyWiper and DoubleZero), and multiple sources place it within the wave of destructive operations that accompanied Russia's invasion of Ukraine. ESET attributes the majority of these disruptive attacks to Sandworm with varying degrees of confidence, and later reporting names IsaacWiper among the wipers used against Ukraine by Russian actors. ESET also notes that CaddyWiper shares no major code with IsaacWiper, so IsaacWiper is tracked as a distinct malware family. A Splunk SnapAttack dataset simulates IsaacWiper DLL RawDiskRead activity on Windows and maps it to MITRE ATT&CK technique T1006 (Direct Volume Access). No file hashes or other indicators of compromise for IsaacWiper itself are available from the sources collected here.
Groups observed using it
One distinct threat actor has been attributed by public researchers.
In 2022, the Russian APT used multiple wipers in attacks aimed at Ukraine, including AwfulShred, CaddyWiper, HermeticWiper, Industroyer2, IsaacWiper, WhisperGate, Prestige, RansomBoggs, and ZeroWipe.
Techniques & procedures
Two distinct techniques are documented for this family, organized by ATT&CK tactic:
- Stealth: 1 technique (T1006, Direct Volume Access, from the RawDiskRead dataset mapping above)
- Impact: 1 technique
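The T1006 mapping above refers to a process reading a volume or physical disk through a raw device path, which on Windows surfaces as Sysmon Event ID 9 (RawAccessRead). The following is an added example, not code from this page, from the Splunk SnapAttack dataset or from any IsaacWiper sample: it parses constructed Sysmon Event ID 9 records, drops images that legitimately touch raw volumes (the allow-list and the host paths are assumptions to be tuned per environment), and then raises the confidence for any single process that reads several distinct raw devices, since a wiper that walks every disk produces exactly that pattern. The unknown.exe binary and every log line are constructed for the example.

```python
"""Detection logic for ATT&CK T1006 (Direct Volume Access) over Sysmon Event ID 9
(RawAccessRead) records, written as an added example. All events below are constructed;
they are not telemetry from any real incident."""
import re

# Images that legitimately open raw volumes on a typical host (assumption: tune per environment).
ALLOWED_IMAGES = {
    r"c:\windows\system32\vssvc.exe",
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\system32\wbem\wmiprvse.exe",
}

# Constructed Sysmon records in key=value form, as a log shipper might flatten them.
# Event ID 9 fires when a process reads a volume or disk via a \\.\ device path;
# the EventID=1 line is a process-creation event included to show it is ignored.
SAMPLE_EVENTS = [
    'EventID=9 UtcTime=2022-02-24T08:01:12Z Image=C:\\Windows\\System32\\vssvc.exe ProcessId=1204 Device=\\Device\\HarddiskVolume3',
    'EventID=9 UtcTime=2022-02-24T08:02:05Z Image=C:\\Users\\Public\\unknown.exe ProcessId=4412 Device=\\Device\\HarddiskVolume1',
    'EventID=9 UtcTime=2022-02-24T08:02:06Z Image=C:\\Users\\Public\\unknown.exe ProcessId=4412 Device=\\Device\\Harddisk0\\DR0',
    'EventID=1 UtcTime=2022-02-24T08:02:07Z Image=C:\\Users\\Public\\unknown.exe ProcessId=4412 CommandLine=unknown.exe',
    'EventID=9 UtcTime=2022-02-24T08:03:00Z Image=C:\\Windows\\System32\\svchost.exe ProcessId=900 Device=\\Device\\HarddiskVolume3',
]

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line: str) -> dict:
    """Split a flattened key=value record into a dict (values here contain no spaces)."""
    return dict(FIELD_RE.findall(line))


def is_raw_disk_read(event: dict) -> bool:
    """True for Sysmon Event ID 9 records whose target is a raw \\Device\\... object."""
    return event.get("EventID") == "9" and event.get("Device", "").lower().startswith("\\device\\")


def flag_raw_disk_reads(lines):
    """Return one hit per raw read performed by an image outside the allow-list."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if not is_raw_disk_read(ev):
            continue
        if ev.get("Image", "").lower() in ALLOWED_IMAGES:
            continue
        hits.append({
            "time": ev.get("UtcTime"),
            "image": ev["Image"],
            "pid": ev["ProcessId"],
            "device": ev["Device"],
            "technique": "T1006",
        })
    return hits


def multi_device_processes(hits, min_devices: int = 2) -> dict:
    """Map pid -> number of distinct raw devices read, for processes at or above the threshold.
    A wiper that enumerates every volume and physical disk shows up here; a one-off
    raw read by an admin tool usually does not."""
    per_pid = {}
    for h in hits:
        per_pid.setdefault(h["pid"], set()).add(h["device"].lower())
    return {pid: len(devs) for pid, devs in per_pid.items() if len(devs) >= min_devices}


if __name__ == "__main__":
    found = flag_raw_disk_reads(SAMPLE_EVENTS)
    for h in found:
        print(f"{h['time']} {h['technique']} raw read of {h['device']} by {h['image']} (pid {h['pid']})")
    for pid, n in multi_device_processes(found).items():
        print(f"pid {pid} read {n} distinct raw devices: escalate")
```

Over the constructed input, the two reads by unknown.exe are flagged and its pid is escalated for touching two distinct devices, while the vssvc.exe and svchost.exe reads are suppressed by the allow-list. In production the allow-list should be keyed on signer or hash rather than path alone, since a wiper can be dropped under any name.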
Following Russia’s invasion of Ukraine on 24 February 2022, likely Russian threat actors conducted several disruptive and destructive computer network attacks against Ukrainian targets... To date, there are eight tracked malware families that Russia-linked cyber threat actors have used for destructive activity against Ukraine: WhisperGate/Whisperkill, FoxBlade (HermeticWiper), SonicVote (HermeticRansom), CaddyWiper, DesertBlade, Industroyer2, Lasainraw (IsaacWiper) and FiberLake (DoubleZero).
Recent activity
11 sources tracked across advisories, community write-ups, and news.
- Windows wiper referenced in the Splunk SnapAttack dataset-generation context, associated with DLL RawDiskRead activity.
- Destructive wiper used in attacks (noted in 2022 activity).
- Wiper malware referenced as used in 2022 attacks aimed at Ukraine.
- Wiper malware referenced as used in 2022 attacks targeting Ukraine.