S1167: AcidPour
AcidPour is a variant of AcidRain designed to impact a wider range of x86 architecture Linux devices. AcidPour is an x86 ELF binary that expands on the targeted devices and locations in AcidRain by including items such as Unsorted Block Image (UBI), Device Mapper (DM), and various flash memory references. Based on this expanded targeting, AcidPour can impact a variety of device types including IoT, networking, and ICS embedded device types.[1] AcidPour is a wiping payload associated with the Sandworm Team threat actor, and potentially linked to attacks against Ukrainian internet service providers (ISPs) in 2023.[2]
Analyst context for executives and security teams
AcidPour matters because it is described by ATT&CK as a Linux x86 ELF wiping payload designed for a wider range of embedded Linux targets, including IoT, networking, and ICS device types. For leaders, the practical risk is not data theft but loss of availability: devices that route traffic, support industrial operations, or provide embedded services may be rendered unusable if destructive activity reaches them.
Executive priority
Prioritize AcidPour as an operational resilience and recovery-readiness issue for Linux-based embedded, network, IoT, and ICS-adjacent environments. Executives should ask whether critical device inventories include Linux architecture and storage details, whether destructive-malware scenarios are covered in incident response and business continuity plans, and whether recovery evidence exists for firmware, configurations, and backups. The Sandworm Team relationship and potential linkage to attacks against Ukrainian ISPs should be treated as threat-intelligence context, not proof of exposure in any local environment.
Technical view
ATT&CK does not provide a detection analytic for AcidPour, so SOC and IR teams should validate coverage through the related behaviors: system information discovery, file and directory discovery, peripheral/device discovery, file deletion, data destruction, disk content wipe, and shutdown/reboot. The Linux platform and embedded-device focus make host visibility a likely blind spot, especially where EDR is absent on appliances, network devices, IoT, or ICS embedded systems. Detection engineering should focus on evidence of unusual enumeration of device, storage, flash, UBI, and device-mapper related paths followed by destructive writes, deletion activity, or reboot/shutdown events.
Likely telemetry
- Linux process execution and command-line telemetry where available
- File and directory enumeration events
- Access to block devices, flash memory, UBI, and device-mapper related locations
- File deletion and destructive write activity
- System shutdown or reboot logs
Detection direction
- Confirm which Linux embedded, network, IoT, and ICS devices produce usable security logs; many may not support standard endpoint telemetry.
- Tune for suspicious sequences rather than single events: discovery of system/storage/device details followed by deletion, disk wiping, or reboot behavior.
- Review false positives from legitimate maintenance, firmware updates, storage management, and device reimaging workflows.
- Correlate suspected destructive activity with the related ATT&CK techniques T1082, T1083, T1120, T1070.004, T1485, T1561.001, and T1529.
- Use the Sandworm Team relationship as enrichment for threat-intelligence triage, while avoiding attribution unless supported by local evidence.
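As an added example (not code from ATT&CK, SentinelOne, CERT-UA or Glexia), the sequence-based detection described above applied to a few constructed, simplified audit-style records: a process that enumerates several storage/device paths (MMC/SD, UBI, device-mapper, flash) and then writes to a block device, deletes a file, or reboots within a short window is flagged, while a single device open followed by an ordinary log write is not. The path patterns, stage names and thresholds are assumptions chosen for illustration, not indicators from the page.

```python
import re
from collections import defaultdict

# Constructed, simplified audit-style records: (timestamp_s, pid, syscall, path).
# These are illustrative, not real AcidPour telemetry.
SAMPLE_EVENTS = [
    (100, 4242, "openat", "/dev/mmcblk0"),        # MMC/SD enumeration
    (101, 4242, "openat", "/dev/ubi0"),           # UBI enumeration
    (102, 4242, "openat", "/dev/dm-0"),           # device-mapper enumeration
    (103, 4242, "write", "/dev/dm-0"),            # destructive write to a block device
    (104, 4242, "unlink", "/tmp/payload"),        # file deletion (e.g. self-delete)
    (105, 4242, "reboot", ""),                    # shutdown/reboot
    (200, 5150, "openat", "/dev/mmcblk0"),        # benign: one device open ...
    (201, 5150, "write", "/var/log/fwupd.log"),   # ... followed by a normal log write
]

# Assumed storage/device path patterns whose enumeration is the discovery precursor.
DEVICE_PATH = re.compile(r"^/dev/(mmcblk\d|sd[a-z]|mtd\d|ubi\d|dm-\d|block/)")


def correlate(events, window=60, min_discovery=2):
    """Return one alert per process that enumerates at least `min_discovery`
    distinct device paths and then, within `window` seconds of the first
    enumeration, performs destructive activity (device write, deletion, reboot)."""
    by_pid = defaultdict(list)
    for ts, pid, syscall, path in sorted(events):
        by_pid[pid].append((ts, syscall, path))
    alerts = []
    for pid, evs in by_pid.items():
        first_disc, discovered, stages = None, set(), set()
        for ts, syscall, path in evs:
            if syscall == "openat" and DEVICE_PATH.match(path):
                discovered.add(path)
                first_disc = ts if first_disc is None else first_disc
                continue
            if first_disc is None or ts - first_disc > window:
                continue  # destructive activity only counts after discovery, inside the window
            if syscall == "write" and DEVICE_PATH.match(path):
                stages.add("device_write")
            elif syscall == "unlink":
                stages.add("file_deletion")
            elif syscall == "reboot":
                stages.add("shutdown_reboot")
        if len(discovered) >= min_discovery and stages:
            alerts.append({"pid": pid, "devices": sorted(discovered), "stages": sorted(stages)})
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Tune `window`, `min_discovery` and the path regex against the maintenance, firmware-update and reimaging workflows in your own environment before using this sequence as an alerting rule.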
Mitigation priorities
- Start with asset inventory: identify Linux x86 embedded, networking, IoT, and ICS devices that support critical services.
- Validate recovery: maintain offline or protected backups of device configurations, firmware images, and rebuild procedures.
- Restrict administrative access to embedded and network devices using least privilege and strong change-control processes.
- Segment management interfaces and critical device networks to reduce the chance that destructive payloads can reach high-impact systems.
- Include destructive Linux-device scenarios in incident response, disaster recovery, and business continuity exercises.
Analyst notes and limits
The ATT&CK object identifies AcidPour as a variant of AcidRain and a wiping payload associated with Sandworm Team, with potential linkage to attacks against Ukrainian ISPs in 2023. Its relationship set emphasizes discovery, deletion, wiping, and reboot/shutdown behaviors. The most important local validation question is whether the organization has visibility and recovery capability for Linux-based embedded devices, not only traditional servers.
ATT&CK provides no official detection text, aliases, or explicit tactics on the malware object itself. Detection and mitigation guidance here is inferred only from the supplied description, Linux platform, external references, and stated ATT&CK relationships. Local device models, logging capability, exposure, and recovery readiness must be verified before assessing actual risk or coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1529 | System Shutdown/Reboot | |
| Enterprise | T1120 | Peripheral Device Discovery | AcidPour includes functionality to identify MMC and SD cards connected to the victim device.[1] |
| Enterprise | T1082 | System Information Discovery | AcidPour can identify various system locations and mapped devices on Linux systems as a precursor to wiping activity.[1] |
| Enterprise | T1561.001 | Disk Content Wipe (sub-technique) | AcidPour includes functionality to overwrite victim devices with the content of a buffer to wipe disk content.[1] |
| Enterprise | T1083 | File and Directory Discovery | |
| Enterprise | T1070.004 | File Deletion (sub-technique) | AcidPour includes a self-delete function where the malware deletes itself from disk after execution and program load into memory.[1] |
| Enterprise | T1485 | Data Destruction | |
Groups, software, and campaigns
G0034: Sandworm Team
Sandworm Team is a destructive threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) Main Center for Special Technologies (GTsST) military unit 74455.[1][2] This group has been active since at least 2009.[3][4][5][6]
In October 2020, the US indicted six GRU Unit 74455 officers associated with Sandworm Team for the following cyber operations: the 2015 and 2016 attacks against Ukrainian electrical companies and government organizations, the 2017 worldwide NotPetya attack, targeting of the 2017 French presidential campaign, the 2018 Olympic Destroyer attack against the Winter Olympic Games, the 2018 operation against the Organisation for the Prohibition of Chemical Weapons, and attacks against the country of Georgia in 2018 and 2019.[1][2] Some of these were conducted with the assistance of GRU Unit 26165, which is also referred to as APT28.[7]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 264c1b0983a3… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] SentinelOne AcidPour 2024: Juan Andrés Guerrero-Saade & Tom Hegel. (2024, March 21). AcidPour | New Embedded Wiper Variant of AcidRain Appears in Ukraine. Retrieved November 25, 2024.
- [2] CERT-UA TelecomAttack 2023: CERT-UA. (2023, October 15). Peculiarities of destructive Sandworm cyber attacks against Ukrainian providers (CERT-UA#7627). Retrieved November 25, 2024.
- [3] mitre-attack S1167
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.