🔴 HIGH · apt

Sandworm Wiper Malware - Ukraine Targets in 2025 Campaigns

Sandworm wiper malware operations in Ukraine, detailed in ESET’s APT activity reporting and recent Infosecurity coverage, confirm that Russia-aligned APT44 remains committed to destructive campaigns rather than pure espionage. Sandworm wiper malware families including ZEROLOT and Sting were deployed against Ukrainian government, energy, logistics, and grain sector organizations throughout mid-2025, often using Group Policy mechanisms for rapid propagation across Windows domains. The attacks run in parallel with broader Russia-aligned activity, where related groups such as Gamaredon, RomCom, and InedibleOchotense handle initial access and credential theft before handing off high-value targets to Sandworm for follow-on wiping operations. ESET’s reporting highlights that grain exporters — rarely targeted in earlier waves — are now explicitly in scope, signaling intent to disrupt Ukraine’s war economy as much as its government and critical infrastructure. For NATO members and other states supporting Ukraine, this pattern shows that destructive tooling and playbooks can be reused against logistics, energy, or policy institutions that indirectly underpin Ukrainian resilience. Sandworm’s historic use of wipers in NotPetya and subsequent campaigns suggests these operations are not isolated incidents but part of an evolving doctrine of geopolitical coercion through cyber-induced disruption.

🎯CORTEX Protocol Intelligence Assessment

Business Impact: Sandworm wiper malware campaigns demonstrate that state-aligned actors are willing to inflict irreversible data loss and service outages against civilian and economic targets, not just military systems. Organizations tied to Ukrainian grain exports, energy flows, or logistics — including foreign insurers, shippers, and financial intermediaries — should treat destructive attacks as a realistic business continuity risk, not a theoretical edge case.

Technical Context: Sandworm wiper malware variants such as ZEROLOT and Sting typically rely on stolen domain credentials, Group Policy abuse, and scheduled tasks for fan-out, mirroring previous campaigns against Ukrainian targets. ESET’s APT report links these operations to a broader Russia-aligned ecosystem that includes RomCom exploiting WinRAR zero-days and InedibleOchotense using trojanized ESET installers with the Kalambur backdoor. The shared tooling emphasizes rapid domain-wide execution, destructive overwrites of key system files, and limited exfiltration, prioritizing disruption over long-term stealth.

Strategic Intelligence Guidance

  • Segment and harden Active Directory for organizations with exposure to Ukrainian or Eastern European operations, enforcing tiered admin models and constrained delegation.
  • Deploy application allowlisting and protected service configurations on domain controllers and key servers to prevent unauthorized execution of wipers and scripting engines.
  • Continuously test offline, immutable backup strategies for critical data sets, including rapid restore exercises that assume simultaneous compromise of primary and DR environments.
  • Integrate Sandworm, Gamaredon, RomCom, and InedibleOchotense indicators into threat hunting and SOC playbooks, with a focus on Group Policy modifications, suspicious scheduled tasks, and lateral movement from VPN and email infrastructure.
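The last point above, Group Policy modifications followed by scheduled-task fan-out, is the pattern a SOC would want to correlate. The following is an added detection example, not code from ESET or the CORTEX Protocol page: it runs over a constructed batch of Windows Security events (real event IDs 5136, directory service object modified, and 4698, scheduled task created; the flattened JSON-like event shape is an assumption about how a SIEM export might look) and flags task names that appear on several hosts within a short window shortly after a GPO edit.

```python
"""Correlate GPO edits (5136 on groupPolicyContainer) with scheduled-task fan-out (4698)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real Sandworm telemetry): one GPO edit on the DC,
# the same task appearing on three hosts a minute later, and one routine task.
SAMPLE_EVENTS = [
    {"ts": "2025-06-10T02:00:05", "host": "DC01", "id": 5136,
     "object_class": "groupPolicyContainer", "attr": "gPCFileSysPath"},
    {"ts": "2025-06-10T02:01:10", "host": "FS01", "id": 4698, "task": "\\Update"},
    {"ts": "2025-06-10T02:01:12", "host": "WS17", "id": 4698, "task": "\\Update"},
    {"ts": "2025-06-10T02:01:15", "host": "WS22", "id": 4698, "task": "\\Update"},
    {"ts": "2025-06-10T09:30:00", "host": "WS05", "id": 4698, "task": "\\Adobe Updater"},
]

def parse_ts(s):
    return datetime.fromisoformat(s)

def gpo_modifications(events):
    """Every 5136 on a groupPolicyContainer object is a GPO edit worth reviewing."""
    return [e for e in events
            if e["id"] == 5136 and e.get("object_class") == "groupPolicyContainer"]

def task_fanout(events, window=timedelta(minutes=5), min_hosts=3):
    """Flag task names created on >= min_hosts distinct hosts inside `window`:
    the domain-wide burst a GPO-pushed payload produces, unlike a single host's
    routine task. Returns {task_name: sorted host list}."""
    by_task = defaultdict(list)
    for e in events:
        if e["id"] == 4698:
            by_task[e["task"]].append((parse_ts(e["ts"]), e["host"]))
    hits = {}
    for task, entries in by_task.items():
        entries.sort()
        for i, (t0, _) in enumerate(entries):  # slide the window from each start
            hosts = {h for t, h in entries[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                hits[task] = sorted(hosts)
                break
    return hits

def correlate(events, lag=timedelta(minutes=30)):
    """Tie each fan-out burst to a GPO modification that preceded it within `lag`."""
    gpo_times = [parse_ts(e["ts"]) for e in gpo_modifications(events)]
    findings = []
    for task, hosts in task_fanout(events).items():
        first = min(parse_ts(e["ts"]) for e in events
                    if e["id"] == 4698 and e["task"] == task)
        preceded = any(timedelta(0) <= first - g <= lag for g in gpo_times)
        findings.append({"task": task, "hosts": hosts, "after_gpo_change": preceded})
    return findings

if __name__ == "__main__":
    for finding in correlate(SAMPLE_EVENTS):
        print(finding)
```

The thresholds (window, host count, lag) are assumptions to tune per environment; a burst that follows a GPO change should be treated as a priority alert rather than a routine task audit entry.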

Vendors

ESET

Threats

Sandworm, APT44, Zerolot wiper, Sting wiper

Targets

Ukrainian government, Energy sector, Logistics sector, Grain exporters