S0693: CaddyWiper
CaddyWiper is a destructive data wiper that has been used in attacks against organizations in Ukraine since at least March 2022.[1][2]
Analyst context for executives and security teams
CaddyWiper matters because it is described by ATT&CK as destructive Windows wiper malware, with documented use against organizations in Ukraine since March 2022. For leaders, the key issue is not just malware removal; it is whether the business can detect destructive preparation, preserve recovery options, and make fast continuity decisions before data or boot structures are damaged.
Executive priority
Prioritize CaddyWiper as an availability and resilience scenario. ATT&CK links it to data destruction and disk structure wiping, and also to the 2022 Ukraine Electric Power Attack campaign involving an electric utility and SCADA-related consequences. Executives should ask whether critical Windows systems have recoverable backups, whether SOC and IR teams can recognize destructive behavior quickly, and whether cyber-physical or operational technology dependencies are included in incident playbooks and audit evidence.
Technical view
For SOC, detection engineering, and IR teams, validate coverage around the ATT&CK relationships rather than relying on a provided malware-specific analytic, because official detection text is not supplied. On Windows endpoints, focus on discovery activity before impact, including process, system, and file/directory discovery; unusual use of native APIs; permission or ACL changes; and destructive file, volume, or disk-structure activity. Treat alerts around mass file modification, permission changes, or boot/partition-related writes as high-context events when they occur on business-critical hosts.
Likely telemetry
- Windows endpoint detection and response events for process execution, process enumeration, and suspicious process behavior
- Host telemetry for system information discovery and file/directory enumeration
- File system auditing for mass file modification, deletion, overwrite, or abnormal access patterns
- Windows security and object access logs related to permission or ACL changes
- Low-level disk, volume, boot record, or partition-structure modification telemetry where available
Detection direction
- Build detections around the relationship-driven behaviors: Process Discovery, System Information Discovery, File and Directory Discovery, Native API usage, Windows permission changes, Data Destruction, and Disk Structure Wipe.
- Tune destructive-behavior detections to prioritize critical servers, operator workstations, domain-connected Windows assets, and systems supporting operational continuity.
- Review false positives from legitimate administration, backup, imaging, disk management, and software deployment tools; require context such as unusual timing, unexpected parent process, broad file scope, or execution on sensitive systems.
- Validate whether current telemetry can see permission changes and low-level disk or boot-structure modification; these are common blind spots compared with ordinary process logging.
- Use the 2022 Ukraine Electric Power Attack relationship as a scenario-planning input for environments where Windows systems support operational technology or SCADA workflows, without assuming local exposure.
Mitigation priorities
- Confirm resilient, tested, and access-controlled backups for critical Windows systems, including restoration procedures for destructive malware scenarios.
- Limit administrative privileges and monitor accounts capable of changing permissions or modifying sensitive system areas.
- Harden and monitor Windows endpoints that support critical operations, especially systems where data loss would interrupt business or operational processes.
- Ensure incident response playbooks include rapid isolation, preservation of recovery evidence, and executive decision points for destructive malware events.
- Use tabletop exercises to test SOC-to-IR escalation, backup restoration, and continuity communications for wiper-style impact.
Analyst notes and limits
ATT&CK provides no official detection guidance for CaddyWiper in the supplied object, so this take derives defensive direction from the object platform and its listed technique relationships. The campaign relationship adds cyber-physical relevance because ATT&CK associates use of CaddyWiper with the 2022 Ukraine Electric Power Attack, but local applicability depends on the organization’s own Windows, OT, and recovery architecture.
This summary uses only the supplied ATT&CK fields, external references, and relationships. It does not assert current activity, customer exposure, full malware functionality, indicators of compromise, or guaranteed detection. The object lists Windows as the platform, while several related techniques have broader ATT&CK platform coverage; defensive validation should be scoped to local environments and confirmed telemetry.
CaddyWiper
CaddyWiper is a destructive data wiper that has been used in attacks against organizations in Ukraine since at least March 2022.[1][2]
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1082 | System Information Discovery | CaddyWiper can use `DsRoleGetPrimaryDomainInformation` to determine the role of the infected machine. CaddyWiper can also halt execution if the compromised host is identified as a domain controller.CitationCisco CaddyWiper March 2022CitationMalwarebytes IssacWiper CaddyWiper March 2022 |
| Enterprise | T1222.001 | Windows Permissions Sub-technique | CaddyWiper can modify ACL entries to take ownership of files.CitationCisco CaddyWiper March 2022 |
| Enterprise | T1083 | File and Directory Discovery | CaddyWiper can enumerate all files and directories on a compromised host.CitationMalwarebytes IssacWiper CaddyWiper March 2022 |
| Enterprise | T1485 | Data Destruction | CaddyWiper can work alphabetically through drives on a compromised system to take ownership of and overwrite all files.CitationESET CaddyWiper March 2022CitationCisco CaddyWiper March 2022 |
| Enterprise | T1106 | Native API | CaddyWiper has the ability to dynamically resolve and use APIs, including `SeTakeOwnershipPrivilege`.CitationCisco CaddyWiper March 2022 |
| Enterprise | T1057 | Process Discovery | CaddyWiper can obtain a list of current processes.CitationMalwarebytes IssacWiper CaddyWiper March 2022 |
| Enterprise | T1561.002 | Disk Structure Wipe Sub-technique | CaddyWiper has the ability to destroy information about a physical drive's partitions including the MBR, GPT, and partition entries.CitationESET CaddyWiper March 2022CitationCisco CaddyWiper March 2022 |
Groups, software, and campaigns
C0034: 2022 Ukraine Electric Power Attack
The 2022 Ukraine Electric Power Attack was a Sandworm Team campaign that used a combination of GOGETTER, Neo-REGEORG, CaddyWiper, and living of the land (LotL) techniques to gain access to a Ukrainian electric utility to send unauthorized commands from their SCADA system.[1][2]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.1 | Current bundle | 6f6c666bba8c… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
ESET CaddyWiper March 2022
ESET. (2022, March 15). CaddyWiper: New wiper malware discovered in Ukraine. Retrieved March 23, 2022.
Open source URL -
[2]
Cisco CaddyWiper March 2022
Malhotra, A. (2022, March 15). Threat Advisory: CaddyWiper. Retrieved March 23, 2022.
Open source URL -
[3]
mitre-attack S0693Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.