MalwareUsed by 2 actors

BidSwipe

BidSwipe is a destructive wiper targeting FreeBSD systems. It was identified by CERT-UA during investigation of the January 17, 2023 cyberattack against Ukraine’s national news agency Ukrinform, where attackers used multiple destructive tools across platforms, including CaddyWiper and ZeroWipe for Windows, AwfulShred for Linux, and BidSwipe for FreeBSD. The malware/script was intended to damage integrity and availability by overwriting files or disks with zero bytes or arbitrary data and then deleting them. In that incident, attackers attempted centralized deployment via a Group Policy Object that created scheduled tasks, and CERT-UA attributed the operation to UAC-0082 (Sandworm), associated with Russia’s GRU. A referenced BidSwipe artifact was the FreeBSD script "audit.sh" with MD5 4a5863d34fc99e91af11dd7976c36c27 and SHA-256 66548ba6ca6d34b7d17e42ab2e1405db1c581a516e0b1a4942d373d6d5396ba4. ESET also explicitly described BidSwipe as a FreeBSD OS wiper and included it among Sandworm’s destructive malware families.

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial

THREAT ACTORS

Groups observed using it

2 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

View more details

Sandworm

"...BidSwipe (FreeBSD)"; file reference: "audit.sh (BidSwipe)"

via cert uacert.gov.ua

UAC-0082

"...BidSwipe (FreeBSD)"; file reference: "audit.sh (BidSwipe)"

via cert uacert.gov.ua

MITRE ATT&CK

Techniques & procedures

2 distinct techniques documented for this family, organized by ATT&CK tactic.

Execution

1 technique

T1059.004Unix ShellEvidence1

TacticExecution

"/root/r.sh (AwfulShred)" and "/sbin/audit.sh (BidSwipe)"

Impact

1 technique

T1485Data DestructionEvidence1

TacticImpact

"...виявлено 5 зразків шкідливих програм (скриптів), функціонал яких спрямовано на порушення цілісності та доступності інформації (запис файлів/дисків нульовими байтами/довільними даними та їх подальше видалення), а саме: CaddyWiper... ZeroWipe... AwfulShred... BidSwipe..."

ACTIVITY FEED

Recent activity

3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

3 SOURCESView more in app

eset welivesecurity blogNews

Jan 24, 2026

A year of wiper attacks in Ukraine

FreeBSD-targeting wiper used in the Jan 2023 multi-wiper attack against a Ukrainian news agency (per CERT-UA).

eset welivesecurity blogNews

Jan 31, 2026

DynoWiper update: Technical analysis and attribution

Destructive malware family referenced as part of Sandworm-attributed destructive operations.

cert uaNews

Mar 18, 2026

CERT-UA

FreeBSD destructive script/tool used to wipe data to disrupt integrity and availability (overwriting and deleting).

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.

Start free trial

IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution2

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping2

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.