The PolySwarm Blog


HermeticWiper & IsaacWiper Target Ukraine

Mar 9, 2022 1:34:55 PM / by PolySwarm Tech Team



Ukraine was recently targeted by several wiper malware families. In January, WhisperGate, which was attributed to a Belarusian threat actor group known as Ghostwriter/UNC1151, targeted Ukraine’s government, non-profit, and technology verticals. On February 23, another wiper malware dubbed HermeticWiper or FoxBlade was used to target Ukraine. On February 24, a third wiper malware was observed targeting Ukrainian entities. This new malware was dubbed IsaacWiper. ESET recently published research on HermeticWiper and IsaacWiper.

What is HermeticWiper?

HermeticWiper, also known as FoxBlade, is an approximately 115 KB executable. The earliest known compile date was December 28, 2021, and one of the wiper executables was compiled on the same day the malware was deployed.

HermeticWiper has three components:

  • HermeticWiper - an MBR wiper component
  • HermeticWizard - a worm-like feature used to propagate the malware on the local network via WMI and SMB
  • HermeticRansom - a decoy ransomware program written in Go and used to mask the true intent of the malware

HermeticWiper and HermeticWizard were signed using a code signing certificate issued to Hermetica Digital Ltd. Originally, industry analysts presumed the certificate to be stolen. ESET later assessed that the threat actors likely impersonated the Hermetica Digital Ltd. company to obtain this certificate.

While the initial infection vector is unknown, ESET observed one sample being deployed via GPO, suggesting the threat actors already had access to the victim’s Active Directory. They note Impacket may have also been used to deploy HermeticWiper. HermeticWiper wipes the master boot record (MBR), effectively destroying the disk structure. It also erases itself from the disk by overwriting its own file with random bytes in an attempt to thwart forensic analysis.

What is IsaacWiper?

According to ESET, IsaacWiper is found in a Windows DLL or EXE with no Authenticode signature and was compiled on October 19, 2021, about two months before HermeticWiper. IsaacWiper was used in attacks on Ukrainian entities one day after HermeticWiper was used. The initial infection vector for IsaacWiper is currently unknown. Threat actors likely used tools such as Impacket for lateral movement. ESET observed RemCom, a remote access tool, deployed on some of the machines affected by IsaacWiper. IsaacWiper attacks were first observed on February 24, with a second round of attacks on February 25. The second version of IsaacWiper included debug logs.

At present, HermeticWiper and IsaacWiper have not been attributed to a particular threat actor group or country. They were not used on the same targets, nor do they seem to share code. IsaacWiper is reportedly less sophisticated than HermeticWiper.

PolySwarm has multiple samples associated with HermeticWiper and IsaacWiper activity.
4dc13bb83a16d4ff9865a51b3e4d24112327c526c1392e14d56f20d6f4eaf382 (HermeticRansom)
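A first-pass triage helper built only from the signals this bulletin gives (the listed SHA-256 and the reported compile dates), added here as an example; it is not PolySwarm's or ESET's code. It reads the PE compile timestamp with the standard library alone, and the stub PE builder and its timestamps are constructed test input, not real samples.

```python
import hashlib
import struct
from datetime import datetime, timezone

# The one SHA-256 the bulletin lists (HermeticRansom); every other value here is constructed.
KNOWN_HASHES = {
    "4dc13bb83a16d4ff9865a51b3e4d24112327c526c1392e14d56f20d6f4eaf382": "HermeticRansom",
}
# Compile dates the bulletin reports (UTC day only, no time of day).
REPORTED_COMPILE_DATES = {"HermeticWiper (earliest)": "2021-12-28", "IsaacWiper": "2021-10-19"}


def pe_compile_time(data: bytes) -> datetime:
    """COFF TimeDateStamp of a PE image as UTC. Layout: 'MZ' header, e_lfanew at
    0x3C, 'PE\\0\\0' signature, then the 20-byte COFF header (timestamp at +4)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    ts = struct.unpack_from("<I", data, e_lfanew + 8)[0]
    return datetime.fromtimestamp(ts, tz=timezone.utc)


def triage(data: bytes) -> dict:
    """First-pass signals for a suspected wiper sample: hash match and compile date.
    Caveat: the timestamp is attacker-controlled and trivially forged; treat it as a
    pivot for hunting, never as proof of a family match on its own."""
    digest = hashlib.sha256(data).hexdigest()
    day = pe_compile_time(data).strftime("%Y-%m-%d")
    return {
        "sha256": digest,
        "known_as": KNOWN_HASHES.get(digest),
        "compiled_utc_day": day,
        "compile_date_matches": [n for n, d in REPORTED_COMPILE_DATES.items() if d == day],
    }


def build_stub_pe(timestamp: int) -> bytes:
    """Constructed minimal PE header (not a real sample) carrying the given TimeDateStamp."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header follows the DOS header
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable, NumberOfSymbols,
    # SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x8664, 0, timestamp, 0, 0, 0, 0)
    return bytes(dos) + b"PE\0\0" + coff


if __name__ == "__main__":
    # 2021-12-28 00:00:00 UTC, the earliest HermeticWiper compile date in the bulletin.
    print(triage(build_stub_pe(1640649600)))
```

Point `triage()` at the bytes of a quarantined file to get the hash lookup and compile-date pivot in one pass; a date match only says the sample is worth a closer look.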

Topics: Ukraine, Threat Bulletin, IsaacWiper, HermeticWiper, WhisperGate, HermeticWizard, HermeticRansom, FoxBlade
