Wiper malware
Wiper malware is data-destroying malware that appears in several of the destructive cyber operations tracked here. In the Bank Sepah case it is assessed to have been used against the financial data on victim systems, with branch, ATM, online and in-branch banking services disrupted. In attacks on OT/ICS environments, attackers gained initial access through vulnerable or misconfigured internet-facing edge devices, then deployed wiper malware while compromising remote terminal units (RTUs). Reported OT impacts included reduced visibility between facilities and distribution system operators, corrupted human-machine interface (HMI) data, corrupted OT device firmware, and damage to RTUs.

Reporting also describes a recurring Iranian playbook in which Microsoft-assessed MOIS-linked Storm-861 gains access and Storm-842 later deploys wiper malware; this pattern was observed in Albania in 2022 and again in Israel in late October 2023. Separately, Mandiant reported that Russia's GRU used edge-device compromises to enable rapid follow-on wiper attacks in Ukraine, including repeated destructive attacks against the same organizations, sometimes retaining access through compromised firewalls, routers, email servers, or Zimbra infrastructure.

Sectors and environments explicitly reported as affected by wiper malware include finance, government, media, telecom, energy, and distributed energy/critical infrastructure OT. Actors associated with wiper malware in this reporting include Predatory Sparrow (Bank Sepah), the Microsoft-tracked MOIS-linked groups Storm-842 and Storm-861, and Russian state actors: GRU activity, and the Poland energy-sector intrusion attributed to Static Tundra/Berserk Bear/Dragonfly/Ghost Blizzard, with other reporting also citing Sandworm/Electrum assessments.
Infection vectors explicitly mentioned include exploitation or abuse of vulnerable internet-facing edge devices, compromised firewalls, routers, email servers, ProxyShell exploitation of Microsoft Exchange, and use of stolen credentials for Zimbra access.
Groups observed using it
2 distinct threat actors attributed by public researchers.
It appears that in both cases, the operations targeted the financial data resident on the targeted systems and not the functionality of the systems themselves (although ATM and on-line and in-branch services were disrupted), likely with the use of wiper malware in the Bank Sepah case...
"...enabled attackers to launch wiper malware and compromise remote terminal units..."
Techniques & procedures
11 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access (4 techniques)
“Threat actors leveraged default credentials… to pivot onto the HMI and RTUs.”
“A malicious cyber actor(s) gained initial access in this incident through vulnerable internet-facing edge devices…”
After a few hours, the hackers accessed another server that delivered software updates to the modems – which allowed them to deliver the wiper malware
Dr. Al Kuwaiti noted that phishing emails, once easily identifiable by poor grammar, are now flawlessly written using AI. These emails often exploit current events to trick users into clicking malicious links, which then deploy ransomware or “wiper” malware.
Execution (1 technique)
These emails often exploit current events to trick users into clicking malicious links, which then deploy ransomware or “wiper” malware.
Persistence (1 technique)
Privilege Escalation (1 technique)
Stealth (1 technique)
Impact (6 techniques)
CERT Polska detailed coordinated destructive cyberattacks on more than 30 wind, solar, and combined heat and power (CHP) facilities in Poland... where attackers used wiper malware... to disrupt communications and OT systems.
Predatory Sparrow targeted Bank Sepah, Iran’s oldest and largest bank, causing branch closures and widespread service outages with customers unable to access accounts, withdraw cash, or use bank cards for some undetermined amount of time.
“…causing damage to remote terminal units (RTUs)… and corrupted system firmware on OT devices.”
After a few hours, the hackers accessed another server that delivered software updates to the modems – which allowed them to deliver the wiper malware that researchers publicly identified last year. The attack took 40,000 to 45,000 modems offline, thousands of which never resumed operation.
Russian hackers targeted Ukrainian government websites in January, ahead of the invasion, installing “wiper” malware that permanently clears data from computer networks.
It doesn’t just steal data; it erases it completely. We have seen instances where private institutions were targeted by such complex, AI-driven wiper attacks that managed to reach even their backup servers.
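The Impact evidence above boils down to two observable behaviours: a process overwriting or deleting large numbers of files across many directories (including backup shares) in a short window, and direct writes to raw disk devices. The following is an added example, not code from Mallory or from any of the cited reports, showing a simple hunting heuristic over constructed Sysmon-style file events. Event fields, thresholds, process names and paths are all hypothetical and would need tuning against your own telemetry.

```python
"""Heuristic hunt for wiper-style mass destruction in endpoint file telemetry.

Added example (not from Mallory or any cited vendor). Two signals:
  1. any destructive write to a raw device such as \\.\PhysicalDrive0
  2. one process deleting/overwriting >= min_ops files across >= min_dirs
     directories inside a sliding time window.
"""
from collections import defaultdict
from datetime import datetime, timedelta

DESTRUCTIVE_ACTIONS = {"delete", "overwrite"}
# Raw device paths that legitimate user software almost never writes to.
RAW_DEVICE_PREFIXES = ("\\\\.\\physicaldrive", "\\\\.\\c:")


def build_sample_events():
    """Constructed, hypothetical telemetry in a Sysmon EID 23/26-like shape."""
    base = datetime(2024, 1, 1, 10, 0, 0)
    events = []
    # Benign: a backup agent deleting a few stale files over several minutes.
    for i in range(4):
        events.append({"ts": base + timedelta(minutes=i), "pid": 100,
                       "image": "C:\\Program Files\\Backup\\agent.exe",
                       "action": "delete", "path": f"D:\\backup\\old\\{i}.bak"})
    # Suspicious: unknown binary overwriting 60 files in 10 share directories
    # (including a backup share) within 30 seconds.
    for i in range(60):
        events.append({"ts": base + timedelta(seconds=i // 2), "pid": 4312,
                       "image": "C:\\Windows\\Temp\\upd.exe",
                       "action": "overwrite",
                       "path": f"\\\\fileserver\\share{i % 10}\\doc{i}.docx"})
    # Raw disk write: a single event is enough to alert on.
    events.append({"ts": base + timedelta(seconds=40), "pid": 777,
                   "image": "C:\\Windows\\Temp\\dsk.exe", "action": "overwrite",
                   "path": "\\\\.\\PhysicalDrive0"})
    return events


def detect_wiper_activity(events, window=timedelta(seconds=60),
                          min_ops=50, min_dirs=5):
    """Return a list of alert dicts for raw-device writes and destructive bursts."""
    alerts = []
    by_process = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["action"] not in DESTRUCTIVE_ACTIONS:
            continue
        if e["path"].lower().startswith(RAW_DEVICE_PREFIXES):
            alerts.append({"rule": "raw_device_write", "pid": e["pid"],
                           "image": e["image"], "path": e["path"]})
            continue
        by_process[(e["pid"], e["image"])].append(e)

    for (pid, image), evs in by_process.items():
        # Sliding window over this process's time-ordered destructive events.
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            chunk = evs[start:end + 1]
            if len(chunk) < min_ops:
                continue
            dirs = {ev["path"].rsplit("\\", 1)[0] for ev in chunk}
            if len(dirs) >= min_dirs:
                alerts.append({"rule": "mass_destructive_burst", "pid": pid,
                               "image": image, "ops": len(chunk),
                               "dirs": len(dirs)})
                break  # one alert per process is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in detect_wiper_activity(build_sample_events()):
        print(alert)
```

The burst thresholds are deliberately crude; baseline them against backup agents, build servers and patch tooling before deploying, and keep backup hosts and shares inside the scope of the rule rather than excluding them, since the reporting above notes wipers reaching backup servers.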
Recent activity
6 sources tracked across advisories, community write-ups, and news.
Destructive malware used to wipe or corrupt systems/data to degrade operational capability and visibility in OT/ICS environments.
Destructive malware used to wipe/destroy data and impair operational technology (OT) environments, contributing to loss of view/control, destruction of HMI data, and corruption of OT device firmware in the described incident.
A destructive malware type likely used in the Bank Sepah operation to wipe financial data rather than primarily damage system functionality.
Destructive malware used to wipe/disable systems as part of Iranian destructive cyber operations (notably MOIS-linked activity described as a repeatable playbook involving initial access by one group and destructive wiping by another).