Russian state-sponsored hacker group Sandworm has deployed various data-wiping malware families in targeted attacks against Ukraine’s education, government, and grain sectors, integral to the nation’s economy.
According to a recent report by ESET, these attacks occurred in June and September 2025, furthering Sandworm’s (also known as APT44) series of destructive operations in Ukraine.
Data wipers aim to irreversibly destroy a target’s digital information by corrupting or deleting files, disk partitions, and master boot records, thereby rendering recovery virtually impossible. The ramifications for affected entities can be catastrophic, leading to longstanding disruptions.
In stark contrast to ransomware—which typically involves data theft followed by encryption—wiper malware is deployed solely for destructive purposes.
Since the onset of the Russian invasion, Ukraine has faced a series of data wiper campaigns predominantly attributed to Russian state-sponsored actors. Notable malware variants include PathWiper, HermeticWiper, CaddyWiper, Whispergate, and IsaacWiper.
Ongoing Destructive Attacks
ESET’s report details advanced persistent threat (APT) activities from April to September 2025, showcasing several instances of wipers targeting Ukrainian entities, with a notable focus on the grain production sector.
This marks a significant shift, as attackers are increasingly targeting Ukraine’s key economic sectors, particularly grain exports, which serve as essential revenue sources amid ongoing conflict.
“In June and September, Sandworm executed multiple malicious data-wiping variants against Ukrainian entities in the governmental, energy, logistics, and grain sectors,” ESET explains.
“While all four sectors have previously been identified as targets of wiper attacks since 2022, the grain sector emerges as a less frequently targeted focus.”
“Given that grain exports are one of Ukraine’s primary income sources, this targeting likely reflects an attempt to undermine the country’s wartime economy.”
Additionally, APT44 deployed ‘ZeroLot’ and ‘Sting’ wipers in April 2025, with Sting being executed via a Windows scheduled task named after the traditional Hungarian dish goulash.
Initial access for these incidents was reportedly achieved by UAC-0099, a threat actor operating since at least 2023, who subsequently transferred access to APT44 for wiper deployment.
Although Sandworm has recently intensified its focus on espionage operations, data wiper attacks against Ukrainian entities remain a persistent activity for this threat group.
Furthermore, ESET identified Iran-aligned activities that, while not attributed to a specific group, exhibit tactics, techniques, and procedures (TTPs) characteristic of Iranian hackers. In June 2025, these clusters used Go-based tools, inspired by publicly available open-source wipers, against Israel’s energy and engineering sectors.
Many preventative measures against ransomware also extend to defending against data wipers. A critical step is to maintain data backups on offline media, ensuring they are inaccessible to cyber adversaries.
Moreover, implementing robust endpoint detection and intrusion prevention systems, along with routine software updates, can thwart a broad range of attacks, including those involving data-wiping malware.
