HermeticWiper
HermeticWiper is a destructive Windows wiper first observed in Ukrainian organizations on February 23, 2022 and used against Ukrainian targets during the opening phase of Russia's invasion of Ukraine. It is also tracked as DriveSlayer and Trojan.KillDisk, and third-party reporting cited here also uses the names FoxBlade and NEARMISS. The malware was detected on hundreds of machines in Ukraine; reported victims include Ukrainian government contractors in Latvia and Lithuania and a financial institution in Ukraine. Multiple sources cited here tie HermeticWiper to the 2022 attacks on Ukraine, and third-party reporting attributes it to Russia's Sandworm group with medium to high confidence.
HermeticWiper is designed to render systems inoperable by corrupting low-level disk structures so that the machine cannot boot again. It abuses the legitimate, signed EaseUS partition-management driver empntdrv.sys to obtain raw access to physical drives; writes issued through the driver bypass the file-system layer and its access controls, which is why file-level protections do not stop it. The executable carries compressed copies of the driver as resources and selects a variant based on OS version, architecture, and SysWow64 redirection. It then enumerates physical drives in the range 0 through 100, corrupts the first 512 bytes of each drive (the Master Boot Record), enumerates partitions, distinguishes FAT from NTFS volumes, and applies a destructive routine to each. For NTFS volumes it parses the Master File Table and targets structures including $Bitmap, $LogFile, $DATA, $I30, and $INDEX_ALLOCATION. Additional reporting states that HermeticWiper corrupts disk partitions, damages the MBR, and overwrites the MFT of available physical drives.
The malware also performs host-level actions that support execution and hinder recovery and analysis. It temporarily writes the abused driver to disk and loads it by creating a new Windows service with the CreateServiceW API. It disables the Volume Shadow Copy (VSS) service through the service control manager, sets HKLM\SYSTEM\CurrentControlSet\Control\CrashControl\CrashDumpEnabled to 0 so that no crash dump is written when the system goes down, turns off pop-up information for folders and desktop items, and deletes Registry keys to hide its services. HermeticWiper has also been reported to use scheduled tasks for execution. During execution it enumerates common folders such as My Documents, Desktop, and AppData, references the ntuser registry hive and the Windows Event Logs under C:\Windows\System32\winevt\Logs, waits on sleeping threads, and finally initiates a system shutdown to complete the attack.
A notable operational characteristic is that the HermeticWiper executable was signed with a legitimate certificate issued to Hermetica Digital Ltd. SentinelLabs named the malware after this certificate and stated it had not observed legitimate files signed with it, assessing that the attackers may have used a shell company or appropriated a defunct company to obtain the certificate.
HermeticWiper is one of several wipers used against Ukraine in 2022, alongside WhisperGate, IsaacWiper, CaddyWiper, and DoubleZero, and later reporting compares it with PathWiper because of the similar corruption of the MBR and NTFS-related artifacts. A sample was also noted in June 2026 telemetry during the pre-kickoff period of the 2026 FIFA World Cup, indicating continued circulation.
Groups observed using it
One threat actor has been attributed by public researchers.
PathWiper’s mechanisms are somewhat semantically similar to another wiper family, HermeticWiper, previously seen targeting Ukrainian entities in 2022. HermeticWiper, also known as FoxBlade or NEARMISS, is attributed to Russia’s Sandworm group in third-party reporting.
Techniques & procedures
27 distinct techniques documented for this family, organized by ATT&CK tactic.
Execution (3 techniques)
During the 2022 Ukraine Electric Power Attack, Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.
During the 2016 Ukraine Electric Power Attack, Sandworm Team used the xp_cmdshell command in MS-SQL. During the 2025 Poland Wiper Attacks, the adversaries leveraged PsExec to run cmd.exe commands on multiple victim machines. Numerous malware families and groups are described as using cmd.exe, cmd /c, Windows command shell, or command-line interfaces to execute commands, payloads, reconnaissance, persistence, cleanup, and ransomware actions.
Persistence (2 techniques)
Privilege Escalation (2 techniques)
Stealth (11 techniques)
"Action RAT's commands, strings, and domains can be Base64 encoded within the payload." / "ADVSTORESHELL... strings... encrypted with an XOR-based algorithm; some strings are also encrypted with 3DES and reversed." / "APT29 has used encoded PowerShell commands." / "APT41 used VMProtected binaries..."
During the 2016 Ukraine Electric Power Attack, DLLs and EXEs with filenames associated with common electric power sector protocols were used to masquerade files.
Akira has used legitimate names and locations for files to evade defenses.
Many examples describe post-intrusion cleanup, anti-forensics, and removal of artifacts such as logs, scripts, malware components, scheduled tasks, registry keys, and temporary files.
“APT28 has cleared event logs, including by using the commands wevtutil cl System and wevtutil cl Security …” / “APT38 clears Window Event logs and Sysmon logs …” / “BlackCat can clear Windows event logs using wevtutil.exe …” / “NotPetya uses wevtutil to clear the Windows event logs …”
The content repeatedly describes adversaries and malware deleting files, directories, droppers, scripts, logs, archives, staged data, and other artifacts from compromised systems, e.g., 'APT29 has used SDelete to remove artifacts from victim networks' and 'Lazarus Group malware has deleted files in various ways, including "suicide scripts" to delete malware binaries from the victim.'
The content also includes secure deletion and overwrite behavior, e.g., 'APT29 has used SDelete to remove artifacts,' 'GreyEnergy can securely delete a file,' 'LiteDuke can securely delete files by first writing random data to the file,' and 'PowerDuke has a command to write random data across a file and delete it.'
CSPY Downloader has the ability to remove values it writes to the Registry.
"...used 7-Zip to decode their Raindrop malware." / "...self-extracting RAR file to deliver modules..." / "...decompress a CAB file into executable content." | "...macro uses the command certutil -decode to decode contents of a .txt file storing the base64 encoded payload." / "...involved the use of Base64 obfuscated scripts and commands." / "...deobfuscated Base64-encoded commands..."
Our analysis shows a signed driver is being used to deploy a wiper that targets Windows devices... The developers are using a tried and tested technique of wiper malware, abusing a benign partition management driver... HermeticWiper uses a similar technique by abusing a different driver, empntdrv.sys.
The content includes multiple anti-analysis and environment checks, such as "OopsIE checks for information on the CPU fan, temperature, mouse, hard disk, and motherboard as part of its anti-VM checks" and "Raspberry Robin performs several system checks as part of anti-analysis mechanisms."
Defense Impairment (3 techniques)
It also modifies several registry keys, including setting the SYSTEM\CurrentControlSet\Control\CrashControl CrashDumpEnabled key to 0, effectively disabling crash dumps before the abused driver’s execution starts.
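The staging steps described in the summary above and in this entry (a kernel driver registered as a new service through CreateServiceW, CrashDumpEnabled forced to 0, and the VSS service disabled through the service control manager) each leave a distinct host event. The correlation below is an added detection example, not vendor code and not taken from any published rule set: it maps System event 7045 (service installed), Sysmon event 13 (registry value set), and System event 7040 (service start type changed) to named signals and raises a finding when two or more land on one host inside a short window. The field names assume a SIEM parser has already normalised the events into the keys used here, and all sample events are constructed.

```python
"""Correlate host telemetry for the pre-wipe staging steps this page lists:
a kernel driver registered as a new service (CreateServiceW -> System 7045),
CrashDumpEnabled set to 0 (Sysmon 13), and the VSS service disabled via the
SCM (System 7040). Added detection example, not vendor or project code.
Field names assume SIEM-normalised records; sample events are constructed."""
from collections import defaultdict
from typing import Dict, List, Optional

CRASHDUMP_VALUE = r"\control\crashcontrol\crashdumpenabled"
WINDOW_SECONDS = 15 * 60


def classify(ev: Dict) -> Optional[str]:
    """Map one event to a named staging signal, or None if it is not one."""
    src, eid = ev.get("source"), ev.get("id")
    if src == "System" and eid == 7045 and "kernel" in ev.get("ServiceType", "").lower():
        return "driver_service_installed"      # noisy alone: legitimate installers do this too
    if (src == "Sysmon" and eid == 13
            and ev.get("TargetObject", "").lower().endswith(CRASHDUMP_VALUE)
            and ev.get("Details", "").endswith("(0x00000000)")):   # Sysmon renders DWORD 0 this way
        return "crash_dumps_disabled"
    if (src == "System" and eid == 7040
            and "shadow copy" in ev.get("ServiceName", "").lower()
            and ev.get("NewStartType", "").lower() == "disabled"):
        return "vss_disabled"
    return None


def correlate(events: List[Dict], window: int = WINDOW_SECONDS) -> List[Dict]:
    """One finding per host where >= 2 distinct signals occur within `window`
    seconds of each other. Three distinct signals -> high, two -> medium."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        sig = classify(ev)
        if sig:
            by_host[ev["host"]].append((ev["ts"], sig))
    findings = []
    for host, hits in by_host.items():
        for i, (t0, _) in enumerate(hits):
            kinds = {s for t, s in hits[i:] if t - t0 <= window}
            if len(kinds) >= 2:
                findings.append({"host": host, "first_seen": t0,
                                 "signals": sorted(kinds),
                                 "severity": "high" if len(kinds) == 3 else "medium"})
                break
    return findings


# Constructed sample telemetry (not real captures).
SAMPLE_EVENTS = [
    # ws01: all three staging steps inside five minutes
    {"host": "ws01", "ts": 1645600000, "source": "System", "id": 7045,
     "ServiceName": "exmpdrv", "ServiceType": "kernel mode driver",
     "ImagePath": r"C:\Windows\System32\Drivers\exmpdrv.sys"},   # hypothetical path
    {"host": "ws01", "ts": 1645600040, "source": "Sysmon", "id": 13,
     "Image": r"C:\Users\Public\staged.exe",                     # hypothetical path
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\CrashControl\CrashDumpEnabled",
     "Details": "DWORD (0x00000000)"},
    {"host": "ws01", "ts": 1645600120, "source": "System", "id": 7040,
     "ServiceName": "Volume Shadow Copy", "OldStartType": "demand start",
     "NewStartType": "disabled"},
    # ws02: a lone driver install by a vendor package -> no finding
    {"host": "ws02", "ts": 1645000000, "source": "System", "id": 7045,
     "ServiceName": "vendornic", "ServiceType": "kernel mode driver",
     "ImagePath": r"C:\Windows\System32\Drivers\vendornic.sys"},
    # ws03: admin disables crash dumps, VSS disabled two days later -> outside window
    {"host": "ws03", "ts": 1645100000, "source": "Sysmon", "id": 13,
     "Image": r"C:\Windows\regedit.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\CrashControl\CrashDumpEnabled",
     "Details": "DWORD (0x00000000)"},
    {"host": "ws03", "ts": 1645272800, "source": "System", "id": 7040,
     "ServiceName": "Volume Shadow Copy", "OldStartType": "demand start",
     "NewStartType": "disabled"},
]

if __name__ == "__main__":
    for finding in correlate(SAMPLE_EVENTS):
        print(finding)
```

The driver-install signal is deliberately not alerted on its own: kernel-mode service creation is routine for driver installers, and the value of the rule comes from seeing it beside the crash-dump and VSS changes within minutes. On a real estate, the window and the weight of each signal should be tuned against a baseline of how often administrators legitimately disable VSS or crash dumps.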
It was deployed through Group Policy, which suggests that the attackers had taken control of the victim’s Active Directory environment.
The content repeatedly describes threat actors and malware using valid, stolen, forged, self-signed, or abused code-signing certificates to sign malware and appear legitimate, including examples such as AppleJeus using a valid digital signature from Sectigo, APT41 leveraging code-signing certificates, FIN7 signing Carbanak payloads, and SUNBURST being digitally signed by SolarWinds.
Discovery (3 techniques)
The content repeatedly describes malware and threat actors collecting host details such as OS version, hostname, architecture, CPU, memory, BIOS, domain, language, and other configuration data; e.g., "APT41 uses multiple built-in commands such as systeminfo and net config Workstation to enumerate victim system basic configuration information."
The content repeatedly describes malware and threat actors listing files and directories, enumerating drives, searching for files by extension/name/path, retrieving file metadata, and browsing file systems (for example: "APT28 has used Forfiles to locate PDF, Excel, and Word documents during collection" and "cmd can be used to find files and directories with native functionality such as dir commands").
Virtualization and sandbox evasion checks of the kind quoted under Stealth above (OopsIE's CPU-fan, temperature, mouse, hard-disk, and motherboard checks; Raspberry Robin's system checks) also count as a Discovery technique.
Collection (1 technique)
Examples in the content include malware extracting or unpacking ZIP, RAR, CAB, tar.gz, and other archived content, such as 'Emotet has used a self-extracting RAR file to deliver modules to victims' and 'Rocke has extracted tar.gz files after downloading them from a C2 server.'
Impact (5 techniques)
Sandworm directly deployed the OLYMPICDESTROYER wiper at the 2018 Pyeongchang Winter Olympics, disabling Wi-Fi at the opening ceremony, taking down the official ticketing system, disrupting broadcast drone operations, and compromising over 300 systems, requiring 12 hours to restore.
Akira will delete system volume shadow copies via PowerShell commands. Avaddon deletes backups and shadow copies using native system tools. Babuk has the ability to delete shadow volumes using vssadmin.exe delete shadows /all /quiet. BlackCat can delete shadow copies using vssadmin.exe delete shadows /all /quiet and wmic.exe Shadowcopy Delete; it can also modify the boot loader using bcdedit /set {default} recoveryenabled No.
Finally, the malware waits on sleeping threads before initiating a system shutdown, finalizing the malware’s devastating effect.
The malware then focuses on corrupting the first 512 bytes, the Master Boot Record (MBR) for every Physical Drive.
While that should be enough for the device not to boot again, HermeticWiper proceeds to enumerate the partitions for all possible drives. They then differentiate between FAT and NTFS partitions... For NTFS, the HermeticWiper parses the Master File Table before calling this same bit fiddling function again.
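The disk-level sequence described in the summary and in the SentinelLabs excerpts above (corrupt sector 0, walk the partition table, tell FAT from NTFS, then attack each volume) is also the sequence a responder reverses when triaging an affected drive. The script below is an added forensic example, not SentinelLabs' analysis code and not the malware's logic: it parses a 512-byte MBR, classifies each volume boot record by OEM ID, and, when the partition table is gone, carves for surviving NTFS/FAT boot records sector by sector. The sample disk image and the fixed byte pattern used to simulate the overwrite are constructed; the malware's real overwrite pattern is not reproduced.

```python
"""Triage a raw disk image for the damage pattern this page describes:
sector 0 (the MBR) corrupted and the NTFS/FAT volume boot records behind it
unreachable. Standard library only. Added example, not SentinelLabs' or the
malware's code; the sample image and the 'wipe' pattern are constructed."""
import struct
from dataclasses import dataclass
from typing import List, Tuple

SECTOR = 512
BOOT_SIGNATURE = b"\x55\xaa"       # last two bytes of a valid MBR or VBR
PART_TABLE = 446                   # four 16-byte entries precede the signature


@dataclass
class PartitionEntry:
    bootable: bool
    type_id: int                   # 0x07 NTFS, 0x0B/0x0C FAT32, 0x06 FAT16, 0x00 empty
    lba_start: int
    sectors: int


def parse_mbr(sector0: bytes) -> Tuple[bool, List[PartitionEntry]]:
    """Return (signature_present, partition_entries) for a 512-byte sector 0."""
    if len(sector0) != SECTOR:
        raise ValueError("sector 0 must be exactly 512 bytes")
    entries = []
    for i in range(4):
        off = PART_TABLE + 16 * i
        status, _chs0, ptype, _chs1, lba, count = struct.unpack(
            "<B3sB3sII", sector0[off:off + 16])
        entries.append(PartitionEntry(status == 0x80, ptype, lba, count))
    return sector0[510:] == BOOT_SIGNATURE, entries


def identify_volume(vbr: bytes) -> str:
    """Classify a volume boot record by its OEM ID / BPB label: the same
    NTFS-vs-FAT decision the wiper makes before choosing a corruption routine."""
    if vbr[3:11] == b"NTFS    ":
        return "NTFS"
    if vbr[0x52:0x57] == b"FAT32":
        return "FAT32"
    if vbr[0x36:0x3B] in (b"FAT12", b"FAT16"):
        return vbr[0x36:0x3B].decode()
    return "unknown"


def carve_volume_boot_records(image: bytes) -> List[Tuple[int, str]]:
    """With the partition table gone, locate VBRs by label and signature one
    sector at a time (fine for an image; restrict the range on a large live disk)."""
    found = []
    for lba in range(len(image) // SECTOR):
        vbr = image[lba * SECTOR:(lba + 1) * SECTOR]
        fs = identify_volume(vbr)
        if fs != "unknown" and vbr[510:] == BOOT_SIGNATURE:
            found.append((lba, fs))
    return found


def triage_image(image: bytes) -> dict:
    """Report the MBR state, the volumes reachable through the table, and,
    when the table cannot be trusted, whatever volumes can still be carved."""
    sector0 = image[:SECTOR]
    signature_ok, entries = parse_mbr(sector0)
    if all(b == 0 for b in sector0):
        state = "zeroed"
    elif not signature_ok:
        state = "corrupted"        # without 55 AA the firmware will not boot from it
    else:
        state = "intact"
    volumes = []
    if state == "intact":          # partition entries are only meaningful with the signature present
        for e in entries:
            if e.type_id == 0:
                continue
            vbr = image[e.lba_start * SECTOR:(e.lba_start + 1) * SECTOR]
            volumes.append((e.lba_start, identify_volume(vbr) if len(vbr) == SECTOR else "unreadable"))
    carved = carve_volume_boot_records(image) if state != "intact" else []
    return {"mbr": state, "volumes": volumes, "carved": carved}


def build_sample_image() -> bytearray:
    """Constructed 4200-sector disk: MBR, NTFS volume at LBA 2048, FAT32 at LBA 4096."""
    image = bytearray(4200 * SECTOR)
    image[PART_TABLE:PART_TABLE + 16] = struct.pack("<B3sB3sII", 0x80, b"\0\0\0", 0x07, b"\0\0\0", 2048, 2048)
    image[PART_TABLE + 16:PART_TABLE + 32] = struct.pack("<B3sB3sII", 0x00, b"\0\0\0", 0x0C, b"\0\0\0", 4096, 100)
    image[510:512] = BOOT_SIGNATURE
    ntfs = bytearray(SECTOR); ntfs[0:11] = b"\xeb\x52\x90NTFS    "; ntfs[510:512] = BOOT_SIGNATURE
    fat = bytearray(SECTOR); fat[0:3] = b"\xeb\x58\x90"; fat[0x52:0x5A] = b"FAT32   "; fat[510:512] = BOOT_SIGNATURE
    image[2048 * SECTOR:2049 * SECTOR] = ntfs
    image[4096 * SECTOR:4097 * SECTOR] = fat
    return image


def simulate_mbr_wipe(image: bytes) -> bytes:
    """Overwrite sector 0 with a fixed non-zero pattern: a stand-in for the
    malware's overwrite, not its actual byte pattern."""
    return bytes(range(256)) * 2 + image[SECTOR:]


if __name__ == "__main__":
    disk = bytes(build_sample_image())
    print("before:", triage_image(disk))
    print("after: ", triage_image(simulate_mbr_wipe(disk)))
```

Two points the example makes that the excerpts only imply: once the boot signature is gone, the partition entries in sector 0 are garbage and must not be followed, so recovery starts from carving; and a surviving VBR only tells you where a volume began, not whether its MFT, $Bitmap or $LogFile survived, which is the second stage of the damage this family inflicts on NTFS and needs MFT-level inspection.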
Other (2 techniques)
Examples include BlackByte performing Registry modifications to escalate privileges and disable security tools; LockBit 3.0 changing Registry values to disable SmartScreen and Windows Defender; TA505 using malware to disable Windows Defender through Registry modification.
BlackByte performed Registry modifications to escalate privileges and disable security tools. Embargo has modified and deleted Registry keys to add services, and to disable Security Solutions such as Windows Defender. TA505 has used malware to disable Windows Defender through modification of the Registry. During SharePoint ToolShell Exploitation, threat actors, including Storm-2603, disabled security services via Registry modifications.
IOCs tracked for this family
13 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
60 sources tracked across advisories, community write-ups, and news.
Destructive wiper malware observed in telemetry shortly before the tournament kickoff window.
Referenced as a previous wiper attack with significant impact on corporate and critical infrastructure networks.
Destructive wiper used in attacks (noted in 2022 activity).
Wiper malware referenced as used in 2022 attacks aimed at Ukraine.