ZeroWipe
ZeroWipe is a destructive Windows wiper malware associated with attacks attributed to the Russia-linked Sandworm APT, also tracked as UAC-0082. It was listed by ESET among the multiple wipers Sandworm used in 2022 attacks aimed at Ukraine. CERT-UA reported ZeroWipe as one of five destructive malware or script samples identified in the January 2023 attack against Ukraine’s national news agency Ukrinform. In that incident, the malware was intended to disrupt integrity and availability by overwriting files or disks with zero bytes or arbitrary data and then deleting them. CERT-UA stated attackers attempted, unsuccessfully, to disrupt user computers using CaddyWiper and ZeroWipe, while also using SDelete, AwfulShred, and BidSwipe across Windows, Linux, and FreeBSD environments. The attack involved attempted centralized deployment via a Group Policy Object that created scheduled tasks, and CERT-UA assessed the operation as attributable to UAC-0082 (Sandworm), associated with Russia’s GRU. A reported ZeroWipe sample was named upd.exe with MD5 54e5773071b193e109cbacc82565c6a9 and SHA-256 e3bc3689f01fd431cd2ed368ae91eceaa7c465c2781fa7b7dc2ec9143a404f79. The available content does not provide further technical details on ZeroWipe’s internal implementation beyond its destructive wiping behavior and Windows targeting.
Groups observed using it
2 distinct threat actors attributed by public researchers.
In 2022, the Russian APT used multiple wipers in attacks aimed at Ukraine, including AwfulShred, CaddyWiper, HermeticWiper, Industroyer2, IsaacWiper, WhisperGate, Prestige, RansomBoggs, and ZeroWipe.
"...CaddyWiper (Windows) ZeroWipe (Windows)..."; "...an unsuccessful attempt... using... ZeroWipe..."
Techniques & procedures
4 distinct techniques documented for this family, organized by ATT&CK tactic.
Execution
1 technique
Persistence
1 technique
Privilege Escalation
2 techniques
"...a Group Policy Object (GPO) was created, which, in turn, ensured the creation of the corresponding scheduled tasks." and "Windows_Security_Update_HxW (Scheduled Task)"
Defense Impairment
1 technique
Command and Control
1 technique
"...in order to centrally distribute the malware, a Group Policy Object (GPO) was created..." and paths under "\\%DOMAIN%\\SYSVOL...\\news.bat" / "upd.exe"
Impact
1 technique
"...5 samples of malicious programs (scripts) were identified whose functionality is aimed at disrupting the integrity and availability of information (writing zero bytes/arbitrary data to files/disks and their subsequent deletion), namely: CaddyWiper... ZeroWipe... AwfulShred... BidSwipe..."
Recent activity
5 sources tracked across advisories, community write-ups, and news.
Destructive wiper used in attacks (noted in 2022 activity).
Wiper malware referenced as used in 2022 attacks aimed at Ukraine.
Wiper malware referenced as used in 2022 attacks targeting Ukraine.
Wiper used in the Jan 2023 multi-wiper attack against a Ukrainian news agency (per CERT-UA).