Also known as: Voodoo Bear, IRIDIUM, Seashell Blizzard, TeleBots, Black Energy, Quedagh, Iron Viking, Hades, Olympic Destroyer, UAC-0002, Solntsepek, APT44, UAC-0133, UAC-0212, Blue Echidna, Grey Tornado, Razing Ursa, FROZENBARENTS, PHANTOM, BlackEnergy Lite, BE2, UAC-0082, UAC-0145, ELECTRUM
Exploit Public-Facing Application
Exploit vulnerabilities in internet-facing applications to gain access.
Spearphishing Attachment
Send targeted emails with malicious file attachments to gain initial access.
Valid Accounts
Use legitimate credentials to authenticate and gain access.
External Remote Services
Abuse remote services like VPNs or RDP to gain access to the network.
ATT&CK technique IDs: T1195.002, T1561.002, T1071.001, T1562.001, T1070.004, T1210, T1569.002, T1204.002, T1550, T1588.002, T1584.004, T1071.004, T1583.006, T1587.001, T1583.001, T1091, T1498, T1499, T1016, T1057, T1033, T1049, T1007, T1124, T1135, T1201, T1113, T1119, T1008, T1102, T1562.004, T1565.001, T1498.001, T1499.001, T1592.002, T1595.002, T1592.001, T1594, T1598, T1590, T1222, T1574
PowerShell
Use PowerShell commands and scripts for execution and automation.
Windows Command Shell
Use cmd.exe to execute commands and batch scripts.
Windows Management Instrumentation
Use WMI to execute commands and manage systems remotely.
Scheduled Task/Job
Abuse task scheduling to execute malicious code at defined times or intervals.
Data Encrypted for Impact
Encrypt victim data to disrupt availability, typically for ransom.
Data Destruction
Destroy data and files on victim systems to disrupt operations.
Service Stop
Stop critical services to disrupt operations or aid in data destruction.
Inhibit System Recovery
Delete backups, shadow copies, or recovery partitions to prevent restoration.
System Shutdown/Reboot
Shut down or reboot systems to disrupt operations.
Defacement
Modify visual content on websites or systems to deliver messaging.
Ingress Tool Transfer
Download additional tools or payloads from an external system.
Proxy
Route C2 traffic through intermediary proxies to obscure the source.
Remote Access Software
Use legitimate remote access tools like TeamViewer or AnyDesk for C2.
Protocol Tunneling
Tunnel network traffic through an existing protocol to avoid detection.
Destructive wiper disguised as ransomware. Spread via M.E.Doc accounting software supply chain attack in Ukraine, causing $10+ billion in global damages in June 2017.
ICS-targeting malware that directly manipulates electrical grid protocols (IEC 101/104, OPC DA, IEC 61850). Caused the December 2016 Kyiv power outage.
Streamlined version of Industroyer targeting IEC 104 protocol. Deployed against Ukrainian high-voltage substations in April 2022, coordinated with kinetic strikes.
Destructive wiper deployed against Ukrainian organizations in 2022. Overwrites files and partition tables, rendering systems unrecoverable.
Deployed hours before Russia's 2022 invasion of Ukraine. Uses legitimate EaseUS Partition Master drivers to corrupt disk structures at the MBR and partition level.
Multi-stage destructive malware targeting Ukrainian government systems in January 2022. Masquerades as ransomware but irreversibly corrupts the MBR and targeted file types.
Wiper malware targeting MIPS-based modems. Destroyed Viasat KA-SAT satellite modems across Europe on the first day of Russia's 2022 invasion, disrupting Ukrainian military communications.
Destructive malware deployed during the 2018 Pyeongchang Winter Olympics opening ceremony. Designed to disrupt IT systems with multiple false flag attributions embedded in the code.
Modular trojan used in the December 2015 Ukraine power grid attack. Its HMI module manipulated SCADA systems to open circuit breakers, causing the first blackout attributed to a cyberattack.
Modular botnet malware replacing VPNFilter, targeting WatchGuard Firebox and ASUS routers. Provides persistent access and C2 relay capabilities.
Successor to BlackEnergy targeting energy sector organizations. More stealthy with modular architecture, used for espionage preceding potential destructive attacks.
Backdoor for Windows and Linux, evolved from the Industroyer framework. Used for persistent access in critical infrastructure environments with encrypted C2 communication.
Disk-wiping component deployed alongside BlackEnergy and Industroyer. Overwrites files with random data and corrupts the MBR to prevent system recovery.
Used as a post-exploitation tool for lateral movement and command execution before deploying destructive payloads in target networks.
Used for credential harvesting to enable lateral movement across enterprise networks before deploying wiper malware to as many endpoints as possible.
Used for reconnaissance, disabling security tools, and deploying secondary payloads. Often used to distribute wiper malware via Group Policy.
Sysinternals tool used for mass deployment of wiper malware across compromised networks, maximizing destructive impact simultaneously.
Wiper deployed against Ukrainian government organizations in February 2022. Uses IOCTL calls to overwrite physical disks and corrupt all accessible volumes.
ICS-focused malware framework designed to attack electrical substations and industrial control systems.
Web shell used for persistent access to compromised web servers.
Modular botnet malware targeting network devices including WatchGuard and ASUS routers for command and control infrastructure.
Ransomware deployed against Ukrainian and Polish logistics and transportation organizations in October 2022.
Wiper malware targeting Ukrainian infrastructure in 2023.
Multi-stage malware targeting routers and network-attached storage devices, capable of destructive operations.
Wiper component used to destroy data on systems during Sandworm operations.
Data destruction tool used in conjunction with other Sandworm malware.
File wiping component deployed in Sandworm destructive operations.
Backdoor malware used for persistence and command execution in Ukrainian networks.
Golang-based backdoor used in operations against Ukrainian targets.
Modular backdoor used by Sandworm for espionage operations, capable of executing commands and exfiltrating data.
Malware used for command execution and persistence in targeted networks.
Custom tool exploiting the CVE-2022-38028 Windows Print Spooler vulnerability for privilege escalation, in use since at least June 2020.
Modular backdoor with DNS tunneling capabilities used in espionage operations against Eastern European targets.
Android RAT used in espionage campaigns targeting Eastern European entities.
Custom backdoor deployed against Ukrainian targets with modular capabilities.
Legitimate remote desktop software used for maintaining persistent access.
Lightweight backdoor used for maintaining access to compromised systems.
Custom backdoor malware used for persistent access and lateral movement.
| Domain / Host | Description | Status |
|---|---|---|
| vpnfilter[.]net | C2 domain linked to VPNFilter botnet campaign | active |
| 176[.]119[.]147[.]225 | Cyclops Blink C2 infrastructure | active |
| 91[.]245[.]255[.]243 | Infrastructure used in Ukraine targeting operations | offline |
Infrastructure data reflects monitoring status only — no raw fingerprint data is exposed.
MITRE ATT&CK - Sandworm Team
https://attack.mitre.org/groups/G0034/
U.S. DOJ - Six Russian GRU Officers Charged
https://www.justice.gov/opa/pr/six-russian-gru-officers-charged-connection-worldwide-deployment-destructive-malware
Mandiant - Sandworm Disrupts Power in Ukraine
https://www.mandiant.com/resources/sandworm-disrupts-power-ukraine-operational-technology
Sandworm (Mandiant Report)
https://www.mandiant.com/resources/blog/apt-attack-ukrainian-critical-infrastructure
Industroyer: Biggest threat to industrial control systems since Stuxnet
https://www.welivesecurity.com/2017/06/12/industroyer-biggest-threat-industrial-control-systems-since-stuxnet/
Industroyer2: Sandworm conducts attacks against Ukrainian energy sector
https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/
CaddyWiper: New wiper malware targeting Ukrainian organizations
https://www.welivesecurity.com/2022/03/15/caddywiper-new-wiper-malware-discovered-ukraine/
AcidRain: A wiper rains down on Europe (Viasat attack analysis)
https://www.sentinelone.com/labs/acidrain-a-modem-wiper-rains-down-on-europe/
U.S. Charges Russian GRU Officers with International Hacking and Related Influence and Disinformation Operations
https://www.justice.gov/opa/pr/us-charges-russian-gru-officers-international-hacking-and-related-influence-and
Sandworm: A new era of cyberwar and the hunt for the Kremlin's most dangerous hackers
https://www.wired.com/story/sandworm-kremlin-most-dangerous-hackers/
CERT-UA: UAC-0002 targeting Ukrainian energy infrastructure with Industroyer2
https://cert.gov.ua/article/39518
CISA Alert: Russian State-Sponsored Cyber Actors Gain Network Access by Exploiting Default Multifactor Authentication Protocols and PrintNightmare Vulnerability
https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-074a
Mandiant: GRU's Disruptive Playbook: From NotPetya to Ukraine
https://www.mandiant.com/resources/blog/gru-disruptive-playbook
CISA Alert: Sandworm Actors Exploiting Exim Mail Transfer Agent Vulnerability
https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-249a
CyclopsBlink: Sandworm's New Malware Framework for Network Devices
https://www.ncsc.gov.uk/news/joint-advisory-shows-new-sandworm-malware-cyclops-blink
VPNFilter: Destructive Malware Targeting Network Devices
https://blog.talosintelligence.com/vpnfilter/
Microsoft: Seashell Blizzard Continues Destructive Cyber Operations Against Ukraine
https://www.microsoft.com/en-us/security/blog/2023/03/07/threat-intelligence-accelerating-the-understanding-and-response-to-cyber-threats/
Sandworm APT44: Unearthing Sandworm - MITRE & Google TAG Joint Report
https://cloud.google.com/blog/topics/threat-intelligence/apt44-unearthing-sandworm
Microsoft Analysis of Prestige Ransomware
https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/
Microsoft: Cadet Blizzard emerges as a novel and distinct Russian threat actor
https://www.microsoft.com/en-us/security/blog/2023/06/14/cadet-blizzard-emerges-as-a-novel-and-distinct-russian-threat-actor/
Mandiant: APT44: Unearthing Sandworm
https://www.mandiant.com/resources/blog/apt44-unearthing-sandworm
CISA: Russian State-Sponsored Cyber Actors Gain Network Access by Exploiting Default MFA Protocols
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-285a
Microsoft: GooseEgg malware used by Sandworm to exploit CVE-2022-38028
https://www.microsoft.com/en-us/security/blog/2024/04/22/analyzing-forest-blizzards-custom-post-compromise-tool-for-exploiting-cve-2022-38028-to-obtain-credentials/
Amazon Threat Intelligence identifies Russian cyber threat group targeting Western critical infrastructure
https://aws.amazon.com/blogs/security/amazon-threat-intelligence-identifies-russian-cyber-threat-group-targeting-western-critical-infrastructure/
The BadPilot campaign: Seashell Blizzard subgroup conducts multiyear global access operation - Microsoft
https://www.microsoft.com/en-us/security/blog/2025/02/12/the-badpilot-campaign-seashell-blizzard-subgroup-conducts-multiyear-global-access-operation/
ESET Research: Sandworm behind cyberattack on Poland's power grid with DynoWiper
https://www.eset.com/us/about/newsroom/research/eset-research-russian-sandwormapt-attacks-energy-company-poland-with-dynowiper/
Sandworm: Russia's global infrastructure wrecking crew - Barracuda Networks
https://blog.barracuda.com/2026/03/16/sandworm--russia-s-global-infrastructure-wrecking-crew
New DynoWiper Malware Used in Attempted Sandworm Attack on Polish Power Sector - The Hacker News
https://thehackernews.com/2026/01/new-dynowiper-malware-used-in-attempted.html
Microsoft Uncovers Sandworm Subgroup's Global Cyber Attacks Spanning 15+ Countries - The Hacker News
https://thehackernews.com/2025/02/microsoft-uncovers-sandworm-subgroups.html
ESET APT Activity Report Q2 2025–Q3 2025
https://www.infosecurity-magazine.com/news/russian-sandworm-new-wiper-ukraine/
Sandworm APT: A destructive, aggressive nation-state threat actor
https://www.microsoft.com/en-us/security/blog/threat-intelligence/sandworm/
CISA Advisory: Russian State-Sponsored Cyber Actors Gain Network Access by Exploiting Default MFA Protocols and Print Spooler Vulnerability
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-129a
Google Threat Analysis Group: Sandworm actors exploiting CVE-2022-30216
https://blog.google/threat-analysis-group/tracking-cyber-activity-eastern-europe/
WithSecure: Kapeka - A New Sandworm Backdoor
https://labs.withsecure.com/publications/kapeka
CERT-UA: UAC-0133 Sandworm Activity Report
https://cert.gov.ua/article/6276652
Google TAG: APT44 Sandworm Unearthing
https://services.google.com/fh/files/blogs/apt44-unearthing-sandworm.pdf
Sandworm's BadPilot: A Deep Dive Into Multi-Stage Attacks
https://www.mandiant.com/resources/blog/sandworm-badpilot-multi-stage-attacks
CERT-UA Report on Sandworm Activity Against Ukrainian Infrastructure
https://cert.gov.ua/article/3761104