
S1135: MultiLayer Wiper

MultiLayer Wiper is wiper malware written in .NET associated with Agrius operations. Observed samples of MultiLayer Wiper have an anomalous, future compilation date suggesting possible metadata manipulation.[1]

Enterprise | S1135 | Malware | Object v1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

MultiLayer Wiper matters because the ATT&CK record ties it to Windows wiper behavior, not just malware execution. For leaders, the practical issue is resilience: whether critical Windows systems, backups, recovery paths, and logging can withstand destructive activity that may include data destruction, disk structure wiping, recovery inhibition, reboot/shutdown activity, and evidence removal.

Executive priority

Treat this as a business-continuity and incident-readiness scenario. The decision value is validating that destructive malware on Windows would be detected early enough, contained quickly enough, and recovered from with evidence intact. Priority questions include: are critical systems backed up in a way the endpoint cannot easily destroy, are recovery procedures tested, do SOC teams see scheduled task and command-shell abuse, and can incident responders still investigate if event logs or files are deleted?

Technical view

ATT&CK does not provide a detection section for MultiLayer Wiper, so defenders should build coverage from the supplied relationships. Validate Windows telemetry for scheduled task creation or execution, command-shell activity, embedded or dropped payload behavior, file and directory discovery, file deletion, timestamp manipulation, Windows Event Log clearing, security tool impairment, recovery inhibition, shutdown/reboot activity, data destruction, stored data manipulation, and disk structure wipe indicators. The .NET implementation and anomalous future compilation date noted by ATT&CK are useful triage clues, but should not be treated as sufficient detection logic by themselves.

Likely telemetry

  • Windows process creation and command-line telemetry, especially cmd.exe and task scheduling utilities or APIs
  • Windows Scheduled Task registration, modification, and execution records
  • Endpoint file creation, deletion, overwrite, and high-volume file modification events
  • File metadata and timestamp evidence, including anomalies consistent with timestomping
  • Windows Event Log clear events and gaps in Security, System, or Application logs

Detection direction

  • Because official detection guidance is not provided, map detections to the related ATT&CK techniques rather than relying on the malware name alone.
  • Correlate scheduled task activity, command-shell execution, and rapid file system changes; each signal can be benign alone but is more meaningful when chained with discovery, deletion, recovery tampering, or reboot activity.
  • Tune for administrative false positives: system maintenance, software deployment, backup operations, and legitimate log management can resemble parts of this behavior.
  • Look for visibility loss as a detection signal, including event log clearing, security tool modification, and unexplained telemetry gaps.
  • Do not overfit on the anomalous future compilation date; it can support triage but may reflect metadata manipulation and is not a complete behavioral detector.
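The chaining idea above, as an added example that is not part of the Glexia page, the ATT&CK record or the Unit42 report: it classifies constructed Windows telemetry into the stages the relationship table describes (scheduled task launching a batch file, cmd.exe running it, files re-stamped to the 1601-01-01 or 1980-01-01 epochs, event log cleared) and only alerts when several stages land on one host within a short window. Event IDs 4698 (task created) and 1102 (audit log cleared) are Security log IDs, 1 and 2 are Sysmon process-create and file-time-change; the flat field names (`host`, `ts`, `id`, `action`, `image`, `cmdline`, `new_time`) are a simplified assumption, not any product's schema.

```python
from datetime import datetime, timedelta

# Timestamps the T1070.006 row says MultiLayer Wiper writes to overwritten files
# (FILETIME zero on NTFS, FAT epoch elsewhere). Legitimate files almost never carry them.
TIMESTOMP_EPOCHS = {"1601-01-01", "1980-01-01"}

def classify(ev):
    """Map one normalized event record to a chain stage, or None if it is not of interest."""
    if ev["id"] == 4698 and ev.get("action", "").lower().endswith(".bat"):
        return "scheduled_task_bat"   # T1053.005: task whose action is a batch file
    if ev["id"] == 1 and "cmd.exe" in ev.get("image", "").lower() \
            and ".bat" in ev.get("cmdline", "").lower():
        return "cmd_shell_bat"        # T1059.003: command shell executing a batch file
    if ev["id"] == 1102:
        return "eventlog_cleared"     # Security log cleared
    if ev["id"] == 2 and ev.get("new_time", "")[:10] in TIMESTOMP_EPOCHS:
        return "timestomp_epoch"      # T1070.006: file time set to a suspicious epoch
    return None

def find_wiper_chains(events, window=timedelta(minutes=10), min_stages=3):
    """Return [(host, {stages})] for hosts where >= min_stages distinct stages fall in one window."""
    by_host = {}
    for ev in events:
        stage = classify(ev)
        if stage:
            by_host.setdefault(ev["host"], []).append((datetime.fromisoformat(ev["ts"]), stage))
    hits = []
    for host, staged in by_host.items():
        staged.sort()
        for i, (t0, _) in enumerate(staged):          # slide the window from each stage event
            stages = {s for t, s in staged[i:] if t - t0 <= window}
            if len(stages) >= min_stages:
                hits.append((host, stages))
                break
    return hits

# Constructed sample telemetry (not real logs). ws01 shows the full chain; ws02 is a
# benign admin pattern (a scheduled maintenance batch file) that must not alert.
SAMPLE_EVENTS = [
    {"host": "ws01", "ts": "2024-01-10T09:00:05", "id": 4698, "action": "C:\\Users\\Public\\remover.bat"},
    {"host": "ws01", "ts": "2024-01-10T09:00:09", "id": 1, "image": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "cmd.exe /c C:\\Users\\Public\\remover.bat"},
    {"host": "ws01", "ts": "2024-01-10T09:00:40", "id": 2, "new_time": "1601-01-01T00:00:00"},
    {"host": "ws01", "ts": "2024-01-10T09:01:02", "id": 1102},
    {"host": "ws02", "ts": "2024-01-10T09:00:05", "id": 4698, "action": "C:\\Scripts\\inventory.bat"},
    {"host": "ws02", "ts": "2024-01-10T09:00:06", "id": 1, "image": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "cmd.exe /c C:\\Scripts\\inventory.bat"},
]

if __name__ == "__main__":
    print(find_wiper_chains(SAMPLE_EVENTS))   # only ws01 is reported
```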

Mitigation priorities

  • Prioritize recoverability first: maintain tested, offline or otherwise protected backups for critical Windows systems and confirm restoration procedures.
  • Limit and monitor administrative capabilities that can create scheduled tasks, clear logs, disable tools, alter recovery settings, or perform destructive file operations.
  • Harden and monitor endpoint security tooling and logging pipelines so tampering or sudden loss of telemetry is alerted and investigated.
  • Validate incident response playbooks for destructive malware, including isolation, evidence preservation, backup decision points, and business restoration priorities.
  • Use ATT&CK relationship coverage to assess control gaps across execution, persistence, stealth, defense impairment, discovery, and impact behaviors.

Analyst notes and limits

The strongest ATT&CK-supported concern is destructive impact and recovery interference on Windows, derived from the malware description and its relationships to impact and stealth techniques. The record also notes association with Agrius operations and a Unit42 report, but this summary does not infer current activity, targeting, or exposure beyond the supplied fields.

ATT&CK provides no official detection text, no aliases, and no explicit tactic list for the malware object itself. Several related techniques have broader platform lists, but the malware platform supplied here is Windows. Local telemetry quality, privilege model, backup architecture, and IR procedures are required to determine actual defensive coverage.

Official MITRE ATT&CK definition

MultiLayer Wiper

MultiLayer Wiper is wiper malware written in .NET associated with Agrius operations. Observed samples of MultiLayer Wiper have an anomalous, future compilation date suggesting possible metadata manipulation.[1]

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

14 rows

Domain | ID | Name (relationship / procedure on the following line)

Enterprise | T1529 | System Shutdown/Reboot
MultiLayer Wiper reboots the infected system following wiping and related tasks to prevent system recovery. (Citation: Unit42 Agrius 2023)

Enterprise | T1070 | Indicator Removal
MultiLayer Wiper uses a batch script to clear file system cache memory via the ProcessIdleTasks export in advapi32.dll as an anti-analysis and anti-forensics technique. (Citation: Unit42 Agrius 2023)

Enterprise | T1685.005 | Clear Windows Event Logs (sub-technique)
MultiLayer Wiper removes Windows event logs during execution. (Citation: Unit42 Agrius 2023)

Enterprise | T1565.001 | Stored Data Manipulation (sub-technique)
MultiLayer Wiper changes the original path information of deleted files to make recovery efforts more difficult. (Citation: Unit42 Agrius 2023)

Enterprise | T1070.004 | File Deletion (sub-technique)
MultiLayer Wiper uses a batch file, remover.bat, to delete malware artifacts and the batch file itself during execution. (Citation: Unit42 Agrius 2023)

Enterprise | T1485 | Data Destruction
MultiLayer Wiper deletes files on network drives, but corrupts files stored locally by overwriting them with random data. (Citation: Unit42 Agrius 2023)

Enterprise | T1027.009 | Embedded Payloads (sub-technique)
MultiLayer Wiper contains two binaries in its resources section, MultiList and MultiWip. MultiLayer Wiper drops and executes each of these items when run, then deletes them after execution. (Citation: Unit42 Agrius 2023)

Enterprise | T1059.003 | Windows Command Shell (sub-technique)
MultiLayer Wiper uses a batch script launched via a scheduled task to delete Windows Event Logs. (Citation: Unit42 Agrius 2023)

Enterprise | T1490 | Inhibit System Recovery
MultiLayer Wiper wipes the boot sector of infected systems to inhibit system recovery. (Citation: Unit42 Agrius 2023)

Enterprise | T1053.005 | Scheduled Task (sub-technique)
MultiLayer Wiper creates a malicious scheduled task that launches a batch file to remove Windows Event Logs. (Citation: Unit42 Agrius 2023)

Enterprise | T1070.006 | Timestomp (sub-technique)
MultiLayer Wiper changes timestamps of overwritten files to either 1601.1.1 for NTFS filesystems, or 1980.1.1 for all other filesystems. (Citation: Unit42 Agrius 2023)

Enterprise | T1561.002 | Disk Structure Wipe (sub-technique)
MultiLayer Wiper opens a handle to \\.\PhysicalDrive0 and wipes the first 512 bytes of data from this location, removing the boot sector. (Citation: Unit42 Agrius 2023)

Enterprise | T1083 | File and Directory Discovery
MultiLayer Wiper generates a list of all files and paths on the fixed drives of an infected system, enumerating all files on the system except specific folders defined in a hardcoded list. (Citation: Unit42 Agrius 2023)

Enterprise | T1685 | Disable or Modify Tools
MultiLayer Wiper removes the Volume Shadow Copy (VSS) service from infected devices along with all present shadow copies. (Citation: Unit42 Agrius 2023)

Associated objects

Groups, software, and campaigns

Group (Enterprise)

G1030: Agrius

Agrius is an Iranian threat actor active since 2020 notable for a series of ransomware and wiper operations in the Middle East, with an emphasis on Israeli targets.[1][2] Public reporting has linked Agrius to Iran's Ministry of Intelligence and Security (MOIS).[3]


Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.

ATT&CK release: 19.1
Object version: 1.0
Raw hash: 9b5341e76626ed00...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | 9b5341e76626…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] Unit42 Agrius 2023
     Or Chechik, Tom Fakterman, Daniel Frank & Assaf Dahan. (2023, November 6). Agonizing Serpens (Aka Agrius) Targeting the Israeli Higher Education and Tech Sectors. Retrieved May 22, 2024.
  2. [2] mitre-attack S1135

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.