The PolySwarm Blog



Mar 21, 2022 1:45:31 PM / by PolySwarm Tech Team



Since January, Ukraine has been targeted by several wiper malware families. In early February, we reported on the WhisperGate wiper. Earlier this month we spotlighted HermeticWiper and IsaacWiper. Ukraine was recently under attack by yet another wiper malware. ESET announced the discovery of CaddyWiper on March 14th in a tweet. Cisco Talos followed up a day later with more information on this malware.

What is CaddyWiper?

CaddyWiper, which targets Windows systems, is a compact MBR wiper malware with a compiled size of only 9KB. CaddyWiper was compiled on March 14th, the same day it was deployed. It appears the malware was deployed via GPO (Group Policy Object), an Active Directory component used to define rules for users, endpoints, groups, and organizations. GPOs can be used to establish security settings, install applications, run scripts, and configure the registry.

Before destroying files, CaddyWiper checks whether the machine is a domain controller. If it is, CaddyWiper does not execute. Otherwise, CaddyWiper destroys files in the Users directory and wipes files on drives C:\ through Z:\, including any mapped network drive attached to the system. The file destruction algorithm has two stages. The first stage overwrites files, and the second destroys the physical disk layout, including the MBR and partition tables.
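As an added example, not code from the PolySwarm bulletin, the following Python parser reads the first sector of a disk image and reports whether the MBR boot signature and partition table are still present, which is the forensic check a responder would run to confirm the second-stage wipe described above. The sample MBR bytes and the image path are constructed for illustration.

```python
import struct

MBR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"
PARTITION_TABLE_OFFSET = 446


def parse_mbr(sector: bytes) -> dict:
    """Parse a 512-byte MBR and classify it as intact, damaged or wiped.

    Each of the four 16-byte partition entries holds: boot flag, CHS start
    (3 bytes), type, CHS end (3 bytes), start LBA, sector count.
    A fully zeroed sector is reported as 'wiped'; a sector with data but
    no 0x55AA signature is reported as 'damaged'.
    """
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    signature_ok = sector[510:512] == BOOT_SIGNATURE
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        boot_flag, ptype, start_lba, sectors = struct.unpack(
            "<B3xB3xII", sector[off:off + 16])
        if ptype != 0:  # type 0 means an unused entry
            partitions.append({"index": i, "bootable": boot_flag == 0x80,
                               "type": ptype, "start_lba": start_lba,
                               "sectors": sectors})
    if not any(sector):
        status = "wiped"
    elif not signature_ok:
        status = "damaged"
    else:
        status = "intact"
    return {"signature_ok": signature_ok, "partitions": partitions,
            "status": status}


def read_first_sector(image_path: str) -> bytes:
    """Read the MBR from a raw disk image (hypothetical path supplied by caller)."""
    with open(image_path, "rb") as fh:
        return fh.read(MBR_SIZE)


def build_sample_mbr() -> bytes:
    """Constructed sample: one bootable NTFS (0x07) partition at LBA 2048."""
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 204800)
    return b"\x00" * PARTITION_TABLE_OFFSET + entry + b"\x00" * 48 + BOOT_SIGNATURE


if __name__ == "__main__":
    print(parse_mbr(build_sample_mbr())["status"])   # intact
    print(parse_mbr(b"\x00" * MBR_SIZE)["status"])   # wiped
```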


PolySwarm has multiple samples of CaddyWiper.

You can use the following CLI command to search for all CaddyWiper samples in our portal:

$ polyswarm link list -f CaddyWiper

You can use the following CLI command to search for all Ukraine related samples in our portal:

$ polyswarm link list -t Ukraine

Don’t have a PolySwarm account? Go here to sign up for a free Community plan or to subscribe.


Topics: Ukraine, Threat Bulletin, Wiper, CaddyWiper
