AWFULSHRED
AwfulShred is a destructive Linux wiper, described as an obfuscated malicious Linux shell script designed to corrupt or wipe targeted Linux systems. It uses the shred command to overwrite files and increase data destruction, and reported behaviors include disabling or corrupting Apache, HTTP, and SSH services, deactivating swap files, clearing bash history, killing processes, stopping services, enabling SysRq functions, and rebooting the system. The malware is associated with data-destruction activity on Linux, and reporting also places it alongside non-Windows destructive malware affecting Solaris systems in broader Sandworm operations. High-confidence reporting links AwfulShred to Sandworm/UAC-0082, a Russia-linked GRU-associated threat actor, including its use in the April 2022 attack against a Ukrainian energy company alongside Industroyer2, CaddyWiper, Orcshred, and Soloshred, where the wipers were intended to hinder recovery, and in the January 2023 attack against Ukraine’s national news agency Ukrinform, where CERT-UA identified a Linux AwfulShred script named r.sh. The content explicitly states that in 2022 Sandworm used AwfulShred in attacks aimed at Ukraine. Mentioned artifact details for the Ukrinform case include r.sh (AwfulShred) with MD5 3a1070b882d6843fcfa9490c24700bd1 and SHA-256 246607235d560e90590dcf1b0507ab18de74afcc4429d8d5f3ba97eacc92d73f.
Groups observed using it
2 distinct threat actors attributed by public researchers.
Among the tools that Sandworm deployed on the energy company's network was a Windows disk wiper called CaddyWiper and similar disk-wiping tools dubbed Orcshred, Soloshred, and Awfulshred for Linux and Solaris systems.
Techniques & procedures
5 distinct techniques documented for this family, organized by ATT&CK tactic.
Execution
1 technique: "/root/r.sh (AwfulShred)" and "/sbin/audit.sh (BidSwipe)"
Stealth
1 technique: deactivate swap files, clear bash history and finally reboot the system
Impact
3 techniques: Among the tools that Sandworm deployed on the energy company's network was a Windows disk wiper called CaddyWiper and similar disk-wiping tools dubbed Orcshred, Soloshred, and Awfulshred for Linux and Solaris systems.
This obfuscated malicious script can also disable and corrupt Apache, HTTP and SSH services.
Recent activity
16 sources tracked across advisories, community write-ups, and news.
AwfulShred is referenced in the associated analytic story list in the context of compromised Linux hosts and data destruction.
Linux malware associated with enabling all SysRq functions to manipulate kernel system requests, potentially allowing reboot or other critical system actions that can lead to instability or compromise.
Linux malware associated here with data destruction activity; the content only references it as an analytic story and does not provide technical behavior details.
AwfulShred is referenced in the analytic story context related to Linux service restarts and data destruction, indicating relevance to destructive Linux malware activity.
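The behaviors summarized above (shred-based overwrites, swap deactivation, bash history clearing, SysRq enablement, stopping SSH/Apache services, and a final reboot) are individually ordinary administrative actions; what makes them worth a page is their co-occurrence on one host. The following detector is an added example written for this page, not Mallory's code or any vendor rule. It assumes a constructed per-host command log format (`<timestamp> host=<name> uid=<n> cmd="<command line>"`), which stands in for whatever process-execution telemetry (auditd EXECVE, EDR command-line events) a real deployment would feed it, and it raises a per-host verdict only when several stages of the reported chain appear together.

```python
"""Flag AwfulShred-style destructive command chains in per-host command logs.

Hypothetical detector (not Mallory's or any vendor's code). It matches the
behaviours reported for AwfulShred on this page and scores them per host so
that a lone, legitimate `shred` or `swapoff` is reviewed rather than alerted.
"""
import re
from collections import defaultdict

# Constructed log format assumed for this example: one process execution per
# line as '<timestamp> host=<name> uid=<n> cmd="<command line>"'.
LINE_RE = re.compile(
    r'^\S+\s+host=(?P<host>\S+)\s+uid=(?P<uid>\d+)\s+cmd="(?P<cmd>.*)"$'
)

# Stages of the reported AwfulShred chain, expressed as command-line patterns.
SERVICES = r"(ssh|sshd|apache2|httpd)"
INDICATORS = {
    "shred_overwrite": re.compile(r"\bshred\b"),
    "swap_disabled": re.compile(r"\bswapoff\b"),
    "history_cleared": re.compile(
        r"history\s+-c|rm\s.*\.bash_history|>\s*\S*\.bash_history"
    ),
    "sysrq_enabled": re.compile(r"/proc/sys/kernel/sysrq|kernel\.sysrq"),
    "service_stopped": re.compile(
        r"systemctl\s+stop\s+" + SERVICES + r"\b|service\s+" + SERVICES + r"\s+stop\b"
    ),
    "reboot": re.compile(r"\breboot\b|\bshutdown\s+-r\b|/proc/sysrq-trigger"),
}


def parse_line(line: str):
    """Return (host, uid, cmd) for a well-formed line, or None if it is malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group("host"), int(m.group("uid")), m.group("cmd")


def classify_command(cmd: str) -> set:
    """Return the names of every indicator the command line matches."""
    return {name for name, pattern in INDICATORS.items() if pattern.search(cmd)}


def assess(indicators: set) -> str:
    """Verdict for one host from the set of indicators seen on it.

    Three or more distinct stages, including either the overwrite or the SysRq
    step, is the chain this page describes; anything less is left for review.
    """
    if len(indicators) >= 3 and indicators & {"shred_overwrite", "sysrq_enabled"}:
        return "wiper-chain"
    return "review" if indicators else "clean"


def analyse(lines):
    """Map each host to (verdict, sorted list of indicators observed)."""
    per_host = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines instead of failing the whole run
        host, _uid, cmd = parsed
        per_host[host] |= classify_command(cmd)
    return {host: (assess(hits), sorted(hits)) for host, hits in per_host.items()}


# Constructed sample telemetry: web01 shows the full reported chain, db02 and
# build01 each show a single command that is normal in isolation.
SAMPLE_LOG = [
    '2023-01-17T10:00:01Z host=web01 uid=0 cmd="shred -z -u /var/log/syslog"',
    '2023-01-17T10:00:02Z host=web01 uid=0 cmd="swapoff -a"',
    '2023-01-17T10:00:03Z host=web01 uid=0 cmd="echo 1 > /proc/sys/kernel/sysrq"',
    '2023-01-17T10:00:04Z host=web01 uid=0 cmd="systemctl stop sshd"',
    '2023-01-17T10:00:05Z host=web01 uid=0 cmd="history -c"',
    '2023-01-17T10:00:06Z host=web01 uid=0 cmd="reboot"',
    '2023-01-17T11:30:00Z host=db02 uid=0 cmd="swapoff -a"',
    '2023-01-17T11:30:05Z host=db02 uid=1001 cmd="ls -la /var/log"',
    '2023-01-17T12:00:00Z host=build01 uid=1002 cmd="shred -u build/tmp.key"',
    'not a well-formed line',
]

if __name__ == "__main__":
    for host, (verdict, hits) in analyse(SAMPLE_LOG).items():
        print(f"{host}: {verdict} {hits}")
```

The threshold in `assess` is the design choice that matters: `shred` on a build server or `swapoff` during maintenance is routine, so a single hit is routed to review, while the combination of an overwrite or SysRq step with two further stages on the same host is treated as the destructive chain. In production the per-host set would be bounded by a time window rather than the whole log.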