S1151: ZeroCleare
Analyst context for executives and security teams
ZeroCleare matters because it is described by ATT&CK as Windows wiper malware associated with destructive operations, including activity involving RawDisk and reporting tied to energy, industrial, government, and political targets. For leaders, the practical issue is not malware cleanup alone; it is whether the organization can detect destructive preparation, preserve evidence, and restore critical Windows systems before disk wiping creates a business continuity event.
Executive priority
Treat ZeroCleare as a resilience and incident-readiness planning case for destructive malware. Executives should ask whether critical Windows assets have recoverable backups, whether privileged execution and code-signing trust are governed, whether SOC teams can see PowerShell and command execution on high-value systems, and whether incident response plans distinguish data theft/ransomware-like disruption from true wiper activity. The relationship to HomeLand Justice and OilRig in ATT&CK supports using this object for threat-informed tabletop exercises, especially for government, energy, industrial, chemical, telecommunications, financial, and supply-chain-exposed environments, without assuming local exposure.
Technical view
ATT&CK does not provide a specific detection section for ZeroCleare, so defenders should validate coverage through the techniques linked to the malware: Command and Scripting Interpreter, PowerShell, Exploitation for Privilege Escalation, File Deletion, Native API use, Code Signing abuse, Disk Structure Wipe, and Local Storage Discovery. On Windows, prioritize visibility into script execution, process lineage, privileged process creation, driver or low-level disk access indicators where available, suspicious signed binaries, deletion of staging artifacts, and attempts to enumerate or modify disks, volumes, MBR, or partition structures. IR teams should confirm they can rapidly collect volatile and host evidence before destructive actions remove artifacts.
Likely telemetry
- Windows process creation and command-line telemetry, especially PowerShell and other scripting activity
- PowerShell logs, script block logging, module logging, and related execution policy context where enabled
- Windows security events for privilege use, service creation, administrative execution, and account context
- Endpoint detection telemetry for native API-heavy behavior, low-level disk access, and suspicious driver or tool execution
- File system telemetry showing creation and deletion of dropped tools, scripts, or staging files
Detection direction
- Because ATT&CK provides no official ZeroCleare detection text, avoid relying on malware-name matching alone; map detections to the related ATT&CK techniques and validate them in the local environment.
- Tune PowerShell and command-interpreter analytics for suspicious execution patterns on servers and administrative workstations while accounting for legitimate administration and automation.
- Correlate local storage discovery, privilege escalation indicators, signed binary or driver execution, and low-level disk modification attempts as a higher-risk sequence than any single event.
- Review blind spots around Windows systems without EDR, hosts with limited PowerShell logging, offline or segmented industrial support systems, and systems where disk or driver telemetry is not collected.
- Use campaign and group relationships as context for prioritization and threat hunting, not as proof of attribution in a local incident.
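To make the correlation step in the bullets above concrete, here is an added example that is not part of the ATT&CK object or the Glexia page. It scores each host by how many of the ZeroCleare-linked behaviour stages (scripting-host execution, load of a watched signed driver, raw disk access, deletion of the driver artifact) appear within one time window, so that a single event stays low-risk and the sequence stays high-risk. The record shape assumes Sysmon event IDs 1 (ProcessCreate), 6 (DriverLoad), 9 (RawAccessRead) and 23 (FileDelete); the driver names VBoxDrv and rwdsk come from the technique table on this page; every log record below is constructed.

```python
"""Correlate Sysmon-style endpoint events into a wiper-preparation risk score.

Added example. Event fields follow the Sysmon schema (EventID 1, 6, 9, 23) and
all sample records are constructed; the watchlists are an assumption seeded from
the driver and artifact names listed in this page's technique table.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Each stage maps to an ATT&CK technique linked to ZeroCleare on this page.
STAGES = {
    "script_exec": "T1059.001 PowerShell / T1059 Command and Scripting Interpreter",
    "driver_load": "T1068 / T1553.002 vulnerable signed driver loaded",
    "raw_disk": "T1561.002 Disk Structure Wipe (raw disk access)",
    "cleanup": "T1070.004 File Deletion of staging artifacts",
}

# Assumed watchlists: scripting hosts, drivers named on this page, and the
# driver artifact base name. Extend from local threat intelligence.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
WATCHED_DRIVERS = {"vboxdrv.sys", "rwdsk.sys"}
WATCHED_ARTIFACTS = {"rwdsk"}


def _basename(path):
    """Return the final path component, lower-cased, from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(evt):
    """Map one Sysmon-style event to a stage name, or None if it is not of interest."""
    eid = evt["EventID"]
    if eid == 1 and _basename(evt.get("Image", "")) in SCRIPT_HOSTS:
        return "script_exec"
    if eid == 6 and _basename(evt.get("ImageLoaded", "")) in WATCHED_DRIVERS:
        return "driver_load"
    if eid == 9:
        # RawAccessRead reports the device object, e.g. \Device\HarddiskVolume2.
        device = evt.get("Device", "").lower()
        if device.startswith(("\\device\\harddisk", "\\\\.\\physicaldrive")):
            return "raw_disk"
    if eid == 23 and _basename(evt.get("TargetFilename", "")).split(".")[0] in WATCHED_ARTIFACTS:
        return "cleanup"
    return None


def correlate(events, window=timedelta(hours=1)):
    """Return {host: (risk, stages)}.

    `stages` is the largest set of distinct stages seen on that host inside any
    `window`-long span; risk is "high" for 3+ stages, "medium" for 2, else "low".
    """
    by_host = defaultdict(list)
    for evt in sorted(events, key=lambda e: e["UtcTime"]):
        stage = classify(evt)
        if stage:
            by_host[evt["Computer"]].append((datetime.fromisoformat(evt["UtcTime"]), stage))

    result = {}
    for host, hits in by_host.items():
        best = set()
        for i, (t0, _) in enumerate(hits):
            # Stages observed from this hit forward while still inside the window.
            seen = {s for t, s in hits[i:] if t - t0 <= window}
            if len(seen) > len(best):
                best = seen
        risk = "high" if len(best) >= 3 else "medium" if len(best) == 2 else "low"
        result[host] = (risk, best)
    return result


# Constructed sample telemetry: one host showing the full sequence, one admin
# workstation with only a PowerShell launch, one backup server with only raw
# volume reads. Hostnames, paths and timestamps are invented.
SAMPLE_EVENTS = [
    {"Computer": "SRV-FILE01", "EventID": 1, "UtcTime": "2024-01-01T02:00:00",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"},
    {"Computer": "SRV-FILE01", "EventID": 6, "UtcTime": "2024-01-01T02:05:00",
     "ImageLoaded": "C:\\Windows\\System32\\drivers\\VBoxDrv.sys"},
    {"Computer": "SRV-FILE01", "EventID": 6, "UtcTime": "2024-01-01T02:06:00",
     "ImageLoaded": "C:\\Windows\\System32\\rwdsk.sys"},
    {"Computer": "SRV-FILE01", "EventID": 9, "UtcTime": "2024-01-01T02:07:00",
     "Device": "\\Device\\HarddiskVolume2"},
    {"Computer": "SRV-FILE01", "EventID": 23, "UtcTime": "2024-01-01T02:30:00",
     "TargetFilename": "C:\\Windows\\System32\\rwdsk.sys"},
    {"Computer": "WKS-ADMIN07", "EventID": 1, "UtcTime": "2024-01-01T09:00:00",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"},
    {"Computer": "BKP01", "EventID": 9, "UtcTime": "2024-01-01T03:00:00",
     "Device": "\\Device\\HarddiskVolume3"},
]


if __name__ == "__main__":
    for host, (risk, stages) in sorted(correlate(SAMPLE_EVENTS).items()):
        print(f"{host}: {risk} -> {', '.join(STAGES[s] for s in sorted(stages))}")
```

The backup server and the admin workstation each trigger one stage and stay "low", which is the point of correlating rather than alerting per event; tune `window` and the watchlists to local administration patterns before using the score for paging.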
Mitigation priorities
- Prioritize tested, isolated, and recoverable backups for critical Windows systems and business services, including restoration exercises that assume disk structures may be damaged.
- Limit administrative privileges and harden privileged access paths that could enable execution, privilege escalation, or deployment across multiple systems.
- Strengthen application control, driver control, and code-signing trust policies where feasible, with attention to abuse of signed components rather than trust-by-signature alone.
- Harden and monitor PowerShell and command interpreter use on critical assets; restrict unnecessary scripting capability without breaking required administration.
- Maintain vulnerability and patch management for Windows and supporting software to reduce privilege-escalation opportunities referenced by the related techniques.
Analyst notes and limits
This take is based on the official ATT&CK S1151 ZeroCleare object, its external references, and supplied relationships. ATT&CK describes ZeroCleare as wiper malware used with RawDisk since at least 2019 and cites suspected Iran-nexus activity, including energy and industrial sector targeting in the Middle East and political targets in Albania. The related campaign HomeLand Justice and group OilRig provide useful context for threat-informed defense planning, but local attribution or exposure requires independent evidence.
The supplied ATT&CK object lists Windows as the platform but does not specify malware-level tactics and provides no official detection guidance. Telemetry and control recommendations are therefore derived from the supplied technique relationships and should be validated against the organization’s architecture, logging configuration, asset criticality, and recovery capabilities. No active exploitation or guaranteed detection coverage is implied.
ZeroCleare
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1680 | Local Storage Discovery | ZeroCleare can use the `IOCTL_DISK_GET_DRIVE_GEOMETRY_EX`, `IOCTL_DISK_GET_DRIVE_GEOMETRY`, and `IOCTL_DISK_GET_LENGTH_INFO` system calls to compute disk size. [3] |
| Enterprise | T1068 | Exploitation for Privilege Escalation | ZeroCleare has used a vulnerable signed VBoxDrv driver to bypass Microsoft Driver Signature Enforcement (DSE) protections and subsequently load the unsigned RawDisk driver. [4] |
| Enterprise | T1553.002 | Code Signing (sub-technique) | ZeroCleare can deploy a vulnerable, signed driver on a compromised host to bypass operating system safeguards. [4] |
| Enterprise | T1059 | Command and Scripting Interpreter | ZeroCleare can receive command line arguments from an operator to corrupt the file system using the RawDisk driver. [3] |
| Enterprise | T1106 | Native API | ZeroCleare can call the `GetSystemDirectoryW` API to locate the system directory. [3] |
| Enterprise | T1070.004 | File Deletion (sub-technique) | ZeroCleare has the ability to uninstall the RawDisk driver and delete the `rwdsk` file on disk. [3][2] |
| Enterprise | T1059.001 | PowerShell (sub-technique) | ZeroCleare can use a malicious PowerShell script to bypass Windows controls. [4] |
| Enterprise | T1561.002 | Disk Structure Wipe (sub-technique) | ZeroCleare can corrupt the file system and wipe the system drive on targeted hosts. [3][2][4] |
Groups, software, and campaigns
G0049: OilRig
OilRig is a suspected Iranian threat group that has targeted Middle Eastern and international victims since at least 2014. The group has targeted a variety of sectors, including financial, government, energy, chemical, and telecommunications. It appears the group carries out supply chain attacks, leveraging the trust relationship between organizations to attack their primary targets. The group works on behalf of the Iranian government based on infrastructure details that contain references to Iran, use of Iranian infrastructure, and targeting that aligns with nation-state interests.[1][2][3][4][5][6][7]
C0038: HomeLand Justice
HomeLand Justice was a disruptive cyber campaign conducted by Iranian state-affiliated actors against Albanian government networks in July and September 2022. The activity combined ransomware, wiper malware, and data leak operations. Initial access for HomeLand Justice was established as early as May 2021, and threat actors moved laterally, exfiltrated sensitive information, and maintained persistence for approximately 14 months prior to the destructive phase of the operation. Responsibility was claimed by the "HomeLand Justice" front, which framed the campaign as retaliation against the Mujahedeen-e Khalq (MEK), an Iranian opposition group with a presence in Albania. Multiple Iran-nexus groups are assessed to have participated in the campaign, including HEXANE who probed victim infrastructure.[1][2][3] A second wave of attacks was launched in September 2022 using similar tactics following public attribution of the previous activity to Iran and the severing of diplomatic ties between Iran and Albania.[3]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | d3658fbbfbf3… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Microsoft Albanian Government Attacks September 2022: MSTIC. (2022, September 8). Microsoft investigates Iranian attacks against the Albanian government. Retrieved August 6, 2024.
- [2] CISA Iran Albanian Attacks September 2022: CISA. (2022, September 23). AA22-264A Iranian State Actors Conduct Cyber Operations Against the Government of Albania. Retrieved August 6, 2024.
- [3] Mandiant ROADSWEEP August 2022: Jenkins, L. et al. (2022, August 4). ROADSWEEP Ransomware - Likely Iranian Threat Actor Conducts Politically Motivated Disruptive Activity Against Albanian Government Organizations. Retrieved August 6, 2024.
- [4] IBM ZeroCleare Wiper December 2019: Kessem, L. (2019, December 4). New Destructive Wiper ZeroCleare Targets Energy Sector in the Middle East. Retrieved September 4, 2024.
- [5] ZEROCLEAR (alias; citation: Mandiant ROADSWEEP August 2022)
- [6] mitre-attack S1151
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.