Skip to main content
Live Webinar with SANS (June 25)— Agentic CTI Automation for Fun & ProfitRegister Free
Mallory
Back to malware
MalwareUsed by 1 actor

Sting

Sting is a data-wiping malware family used by the Russia-linked Sandworm threat group in 2025. Reporting in the provided content consistently describes Sting as a wiper deployed in destructive operations against Ukrainian targets. ESET and other cited reporting state that Sting was first observed alongside ZEROLOT against a Ukrainian university in April 2025, including execution via a Windows scheduled task named DavaniGulyashaSdeshka. Subsequent Sandworm activity between June and September 2025 used Sting and ZEROLOT against Ukrainian governmental entities and organizations in the energy, logistics, and grain sectors, with the grain-sector targeting described as likely intended to weaken the Ukrainian economy. The content places Sting within Sandworm’s broader destructive malware arsenal alongside families such as PathWiper and HermeticWiper. High-confidence behavior directly stated in the content is that Sting is wiper malware designed to permanently erase data and disrupt operations. The malware is associated with Sandworm, a GRU-linked Russian state threat actor, and with attacks focused on Ukraine’s critical and economically important sectors. No standalone technical indicators such as hashes or domains are provided for Sting in the supplied content.

Share:
For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial
THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

View more details
Sandworm

Indicators of Compromise (IoCs):- ... Malware Sting Malware deployed by Sandworm in 2025

via cyber security newscybersecuritynews.com
MITRE ATT&CK

Techniques & procedures

1 distinct technique documented for this family, organized by ATT&CK tactic.

Impact

1 technique
T1485Data DestructionEvidence3

Several intrusions led to the deployment of destructive wiper malware... Malware ZEROLOT Wiper malware linked to Sandworm Malware PathWiper Wiper malware targeting Ukrainian organizations

ACTIVITY FEED

Recent activity

12 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

12 SOURCESView more in app
cyber security newsNews
May 22, 2026
Russian Threat Groups Use RDP, VPN, Supply Chain Attacks, and Social Engineering for Initial Access

Malware deployed by Sandworm in 2025.

Read more
rescana blogNews
Jan 25, 2026
Sandworm’s DynoWiper Attack Targeting Polish Combined Heat and Power and Renewable Energy Management Systems: Incident Analysis and Lessons Learned

Destructive malware family referenced as used in wiper attacks.

Read more
the hacker newsNews
Jan 24, 2026
New DynoWiper Malware Used in Attempted Sandworm Attack on Polish Power Sector

Data-wiping malware used by Sandworm in a Ukrainian university network.

Read more
risky biz rssNews
Nov 7, 2025
Risky Bulletin: Europol arrests payment service executives for role in credit card fraud ring

Sting is a destructive data wiper malware used by the Sandworm group in attacks against Ukrainian organizations to destroy data and disrupt operations.

Read more
+8 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
Start free trial
IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution1

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping1

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.