Thursday, November 6, 2025

Sandworm hackers use data wipers to disrupt Ukraine’s grain sector


Russian state-backed hacker group Sandworm has deployed multiple data-wiping malware families in attacks targeting Ukraine’s education, government, and the grain sector, the country’s main revenue source.

The attacks occurred in June and September, cybersecurity company ESET says in a report today, and continue Sandworm’s (a.k.a. APT44) string of destructive operations in Ukraine.

As the name indicates, a data wiper’s purpose is to destroy a target’s digital information by corrupting or deleting files, disk partitions, and master boot records in a way that doesn’t allow recovery. The impact on the target can be devastating, creating disruptions that are difficult to recover from.

Unlike ransomware, where the data is typically stolen and then encrypted, wiper malware is used purely in sabotage operations.

Since the Russian invasion, Ukraine has been the target of numerous data wiper campaigns, most of them attributed to Russian state-sponsored actors, including PathWiper, HermeticWiper, CaddyWiper, Whispergate, and IsaacWiper.

Destructive attacks continue

ESET’s new report covers advanced persistent threat (APT) activity between April and September 2025 and presents several cases of wipers deployed in Ukraine, some of them targeting the country’s grain production.

This is a new development, as it shows that attackers are now focusing on Ukraine’s vital economic sector: grain exports are the main source of income, especially during the war.

“In June and September, Sandworm deployed multiple data-wiping malware variants against Ukrainian entities active in the governmental, energy, logistics, and grain sectors,” explains ESET.

“Although all four have previously been documented as targets of wiper attacks at some point since 2022, the grain sector stands out as a not-so-frequent target.”

“Considering that grain export remains one of Ukraine’s main sources of revenue, such targeting likely reflects an attempt to weaken the country’s war economy.”

APT44 also deployed ‘ZeroLot’ and ‘Sting’ wipers in April 2025, targeting a university in Ukraine. Sting was executed through a Windows scheduled task named after the traditional Hungarian dish goulash.

It is noted that initial access for some of these incidents was achieved by UAC-0099, who then transferred the access to APT44 for wiper deployment.

UAC-0099 is a threat actor that has been operating since at least 2023 and appears to focus its attacks on Ukrainian organizations.

The researchers note that while Sandworm has recently shown a greater focus on espionage operations, data wiper attacks against Ukrainian entities remain a continuous activity for the threat group.

ESET also identified Iran-aligned activity that could not be attributed to a specific threat group, but it is consistent with tactics, techniques, and procedures (TTPs) associated with Iranian hackers.

In June 2025, these activity clusters deployed Go-based tools based on publicly available open-source wipers, targeting Israel’s energy and engineering sectors.

Much of the guidance for preventing ransomware also helps defend against data wipers. A key step is keeping critical data backups on offline media, out of reach of hackers.

Implementing strong endpoint detection and intrusion prevention systems and keeping all software updated may prevent a wide range of attacks, including data wiping incidents.
