MITRE ATT&CK® Malware

S0041: Wiper

Wiper is a family of destructive malware used in March 2013 during breaches of South Korean banks and media companies. [1]

Domain: Enterprise | ID: S0041 | Type: Malware | Object version: 1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

Wiper matters because it represents destructive malware associated by ATT&CK with breaches of South Korean banks and media companies, where the business issue is not data theft alone but loss of operational availability. The key defensive lesson from the supplied ATT&CK relationship is that trusted software deployment tooling can become the path for execution and lateral movement, turning routine administration infrastructure into a high-impact distribution mechanism for destructive activity.

Executive priority

Treat this as an operational resilience and privileged administration risk. Leaders should ask whether centralized deployment and configuration tools are governed as tier-zero or high-impact systems: who can push software or commands, how changes are approved, how quickly suspicious deployments can be stopped, and whether audit evidence exists for emergency response, compliance, and post-incident review. Budget priority should favor hardening and monitoring administrative distribution paths before a destructive incident forces recovery decisions under outage conditions.

Technical view

ATT&CK does not provide a detection analytic for Wiper and does not specify platforms for the malware object. The strongest supplied technical context is the relationship to T1072 Software Deployment Tools, which is an execution and lateral-movement technique. SOC and IR teams should validate visibility into centralized software deployment, configuration management, cloud management, and CI/CD-integrated administration tools where present, focusing on unauthorized or unusual command execution, package deployment, scope expansion, and administrative account use. Detection should be built around environment-specific baselines for legitimate deployment behavior rather than malware-family signatures alone.

Likely telemetry

  • Software deployment tool audit logs, including job creation, command execution, package assignment, deployment scope, and operator identity
  • Configuration management and endpoint management administrative activity logs
  • Identity and access logs for privileged users and service accounts that can deploy software or run commands
  • Endpoint process, file creation, and service execution telemetry on systems receiving deployments
  • Network or management-plane logs showing command distribution from centralized administration systems

Detection direction

  • Inventory all centralized software deployment and configuration tools, including those integrated into cloud management or CI/CD workflows, and confirm their logs are retained and searchable.
  • Baseline normal deployment windows, operator accounts, target groups, package names, command patterns, and rollout sizes; alert on deviations such as broad or urgent pushes outside approved change windows.
  • Correlate deployment-tool activity with endpoint execution telemetry to distinguish legitimate administration from suspicious mass execution or lateral movement.
  • Tune detections to account for expected IT operations, because these tools are dual-use and high false positives are likely without change-management and identity context.
  • Prioritize monitoring for privileged account misuse and service-account activity tied to deployment tools, since the relationship context centers on trusted administrative infrastructure.
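The baselining and deviation checks listed above can be turned into a small rule set. The following is an added example written for this page, not code from Glexia or from ATT&CK: it evaluates constructed deployment-tool audit events (a hypothetical JSON-lines schema with ts, operator, action, package, targets and change_request fields) against a hypothetical baseline of approved operators, change windows, approved packages and a rollout-size threshold, and returns the reasons each job deviates. Real deployment tools emit their own schemas, so the field names and baseline values are assumptions to be replaced with local data.

```python
"""Baseline-deviation checks for software-deployment-tool audit logs.

Added illustration only; the log schema, field names and baseline values
are constructed and must be replaced with the local tool's real fields.
"""
from __future__ import annotations

import json
from datetime import datetime, time

# Constructed baseline describing "normal" deployment behaviour in a
# hypothetical environment (the items the page says should be baselined).
BASELINE = {
    "approved_operators": {"svc-deploy", "alice.admin"},
    # Approved change windows in local time: 22:00-23:59:59 and 00:00-02:00.
    "change_windows": [(time(22, 0), time(23, 59, 59)), (time(0, 0), time(2, 0))],
    # Rollouts touching more targets than this need a change request.
    "max_targets_without_cr": 25,
    "approved_packages": {"av-signature-update", "office-patch-2024"},
}

# Constructed sample audit events, one JSON object per deployment job.
# Job 1 is routine; jobs 2 and 3 model a broad, unscheduled push followed by
# mass command execution from an unknown operator account.
SAMPLE_LOG = """\
{"ts": "2024-03-20T22:15:00", "operator": "svc-deploy", "action": "deploy_package", "package": "av-signature-update", "targets": 12, "change_request": "CR-1001"}
{"ts": "2024-03-20T14:05:00", "operator": "svc-deploy", "action": "deploy_package", "package": "patch-mgmt-update", "targets": 480, "change_request": null}
{"ts": "2024-03-20T14:07:00", "operator": "tmp-admin", "action": "run_command", "command": "custom-script", "targets": 480, "change_request": null}
"""


def in_change_window(ts: datetime, windows) -> bool:
    """True when the event's local time falls inside an approved window."""
    t = ts.time()
    return any(start <= t <= end for start, end in windows)


def evaluate_event(event: dict, baseline: dict = BASELINE) -> list[str]:
    """Return the list of baseline deviations for one deployment job."""
    reasons: list[str] = []
    ts = datetime.fromisoformat(event["ts"])

    if event["operator"] not in baseline["approved_operators"]:
        reasons.append("unknown_operator")
    if not in_change_window(ts, baseline["change_windows"]):
        reasons.append("outside_change_window")

    broad = event.get("targets", 0) > baseline["max_targets_without_cr"]
    if broad and not event.get("change_request"):
        reasons.append("broad_rollout_without_change_request")

    if event["action"] == "deploy_package" and event.get("package") not in baseline["approved_packages"]:
        reasons.append("unapproved_package")
    # Command-execution features pushed to many hosts are the highest-impact case.
    if event["action"] == "run_command" and broad:
        reasons.append("command_execution_at_scale")
    return reasons


def evaluate_log(log_text: str, baseline: dict = BASELINE) -> dict[str, list[str]]:
    """Map each deviating job's timestamp to its list of reasons."""
    findings: dict[str, list[str]] = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        reasons = evaluate_event(event, baseline)
        if reasons:
            findings[event["ts"]] = reasons
    return findings


if __name__ == "__main__":
    for ts, reasons in evaluate_log(SAMPLE_LOG).items():
        print(ts, "->", ", ".join(reasons))
```

Each rule maps to one bullet above (operator identity, change window, rollout size with change-request context, package name, command-execution feature). In practice the findings would be joined with endpoint execution telemetry from the targeted hosts before alerting, since a large push inside a window from an approved account is the normal case these tools exist for.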

Mitigation priorities

  • Classify centralized deployment and configuration platforms as high-impact administrative systems and restrict who can create jobs, push packages, or execute commands.
  • Require strong authentication, least privilege, and separation of duties for deployment-tool administrators and service accounts.
  • Enforce change approval and logging for broad deployments, emergency pushes, and command-execution features.
  • Segment and monitor management infrastructure so compromise of a deployment tool does not automatically provide uncontrolled reach across the environment.
  • Maintain recoverability for critical systems, including tested backups and incident procedures for stopping malicious deployments and rebuilding affected assets.

Analyst notes and limits

The supplied ATT&CK object is sparse: Wiper is identified as a destructive malware family used in March 2013 breaches of South Korean banks and media companies, with one cited external reference and one relationship showing use of T1072 Software Deployment Tools. The practical value is therefore in validating governance, monitoring, and response readiness around trusted deployment infrastructure rather than inferring detailed malware behavior not present in the provided fields.

No official ATT&CK detection guidance, tactics, platforms, aliases, or labels are provided for the Wiper malware object. Platform references come only from the related T1072 technique and should not be interpreted as confirmed Wiper platform support. Local architecture, tool inventory, logging configuration, and change-management data are required to turn this into deployable detection logic.

Official MITRE ATT&CK definition

Wiper

Wiper is a family of destructive malware used in March 2013 during breaches of South Korean banks and media companies. [1]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 row

Domain: Enterprise
ID: T1072
Name: Software Deployment Tools
Relationship / procedure: It is believed that a patch management system for an anti-virus product commonly installed among targeted companies was used to distribute the Wiper malware. [1] (Dell Wiper)

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 97746c697b77eaab...

Imported snapshots across ATT&CK releases (1)
Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | 97746c697b77…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] Dell Wiper: Dell SecureWorks. (2013, March 21). Wiper Malware Analysis Attacking Korean Financial Sector. Retrieved May 13, 2015.
  2. [2] mitre-attack S0041: MITRE ATT&CK software entry S0041 (Wiper).

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.