Russian APT Releases More Deadly Variant of AcidRain Wiper Malware

Published: 23/11/2024   Category: security

New AcidPour variant can attack a significantly broader range of targets including IoT devices, storage area networks, and handhelds.



Researchers have uncovered a more dangerous and prolific version of the wiper malware used by Russian military intelligence to disrupt satellite broadband service in Ukraine just prior to Russia's invasion of the country in February 2022.
The new variant, AcidPour, bears multiple similarities with its predecessor but is compiled for the x86 architecture, unlike AcidRain, which targeted MIPS-based systems. The new wiper also includes features for use against a significantly broader range of targets than AcidRain, according to researchers at SentinelOne who discovered the threat.
"AcidPour's expanded destructive capabilities include Linux Unsorted Block Image (UBI) and Device Mapper (DM) logic, which impacts handhelds, IoT, networking, or, in some cases, ICS devices," says Tom Hegel, senior threat researcher at SentinelOne. Devices like storage area networks (SANs), network attached storage (NAS), and dedicated RAID arrays are also now in scope for AcidPour's effects.
Another new capability of AcidPour is a self-delete function that erases all traces of the malware from systems it infects, Hegel says. AcidPour is a relatively more sophisticated wiper overall than AcidRain, he says, pointing to the latter's excessive use of process forking and unwarranted repetition of certain operations as examples of its overall sloppiness.
SentinelOne discovered AcidRain in February 2022 following a cyberattack that knocked offline some 10,000 satellite modems associated with communications provider Viasat's KA-SAT network. The attack disrupted consumer broadband service for thousands of customers in Ukraine and for tens of thousands of people in Europe. SentinelOne concluded that the malware was likely the work of a group associated with Sandworm (aka APT 28, Fancy Bear, and Sofacy), a Russian operation responsible for numerous disruptive cyberattacks in Ukraine.
SentinelOne researchers first spotted the new variant, AcidPour, on March 16 but have not observed anyone using it in an actual attack yet.
Their initial analysis of the wiper revealed multiple similarities with AcidRain, which a subsequent deeper dive then confirmed. The notable overlaps that SentinelOne discovered included AcidPour's use of the same reboot mechanism as AcidRain, and identical logic for recursive directory wiping.
SentinelOne also found AcidPour's IOCTL-based wiping mechanism to be the same as the wiping mechanism in AcidRain and in VPNFilter, a modular attack platform that the US Department of Justice has linked to Sandworm. IOCTL (I/O control) is a generic interface for sending device-specific commands to a driver; the wipers use it to issue the commands that erase data from a storage device.
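As an added defensive illustration (not part of the article, nor SentinelOne's or Ukraine CERT's analysis), the following Python script shows one way a detection engineer can surface the precursor to an IOCTL-based wipe in Linux audit logs. An `ioctl()` call resolves no pathname, so auditd emits no PATH record for it; the check therefore watches the step a wiper of this class must take first: opening a raw block, MTD/UBI, or Device Mapper node for writing from a binary that is not expected to do so. The device-prefix list, the allowlist, and the audit records are constructed for this example and are assumptions, not values from the article.

```python
import re

# Device-node prefixes covering what the article names as in scope for AcidPour:
# raw block devices, MTD/UBI flash, and Device Mapper / RAID volumes.
# The prefix list itself is an assumption chosen for this example.
SENSITIVE_DEVICE_PREFIXES = (
    "/dev/sd", "/dev/nvme", "/dev/mmcblk",    # raw block devices
    "/dev/mtd", "/dev/ubi",                   # MTD / UBI flash
    "/dev/dm-", "/dev/mapper/", "/dev/md",    # Device Mapper / RAID
)

# Binaries expected to open raw devices for writing on this host (constructed
# allowlist; a real deployment would derive it from the host's own baseline).
ALLOWLIST_EXE = {"/usr/sbin/lvm", "/usr/sbin/mkfs.ext4", "/usr/sbin/fdisk", "/usr/sbin/mdadm"}

# x86_64 syscall numbers -> auditd argument field holding the open flags:
# open(path, flags) logs flags in a1, openat(dirfd, path, flags) in a2.
OPEN_SYSCALLS_X86_64 = {"2": "a1", "257": "a2"}

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
EVENT_ID_RE = re.compile(r'msg=audit\(([^)]+)\)')


def parse_record(line):
    """Split one auditd-style record into a dict of key -> value (quotes removed)."""
    return {key: (quoted or bare) for key, quoted, bare in KV_RE.findall(line)}


def is_write_open(hex_flags):
    """True if open(2) flags (hex, as auditd logs them) request write access."""
    access_mode = int(hex_flags, 16) & 0o3        # O_RDONLY=0, O_WRONLY=1, O_RDWR=2
    return access_mode != 0


def group_events(lines):
    """Group the SYSCALL record and PATH records that share one audit(...) event id."""
    events = {}
    for line in lines:
        m = EVENT_ID_RE.search(line)
        if not m:
            continue
        ev = events.setdefault(m.group(1), {"syscall": None, "paths": []})
        rec = parse_record(line)
        if rec.get("type") == "SYSCALL":
            ev["syscall"] = rec
        elif rec.get("type") == "PATH":
            ev["paths"].append(rec.get("name", ""))
    return events


def find_suspicious_device_opens(lines):
    """Return events where a non-allowlisted binary opened a sensitive device node for writing."""
    findings = []
    for event_id, ev in group_events(lines).items():
        sc = ev["syscall"]
        if sc is None or sc.get("syscall") not in OPEN_SYSCALLS_X86_64:
            continue
        flags_field = OPEN_SYSCALLS_X86_64[sc["syscall"]]
        if not is_write_open(sc.get(flags_field, "0")):
            continue            # read-only opens of devices are routine (smartctl, blkid, ...)
        exe = sc.get("exe", "")
        for path in ev["paths"]:
            if path.startswith(SENSITIVE_DEVICE_PREFIXES) and exe not in ALLOWLIST_EXE:
                findings.append({"event": event_id, "exe": exe, "comm": sc.get("comm", ""),
                                 "uid": sc.get("uid", ""), "device": path})
    return findings


# Constructed audit records (x86_64, openat = syscall 257): an allowlisted LVM write,
# an unknown binary opening a UBI device read-write, a read-only device open, and an
# ordinary file write. Only the second should be flagged.
SAMPLE_AUDIT_LINES = [
    'type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffd1c0 a2=2 a3=0 pid=4321 uid=0 comm="lvm" exe="/usr/sbin/lvm"',
    'type=PATH msg=audit(1700000000.101:201): item=0 name="/dev/dm-0" mode=060660',
    'type=SYSCALL msg=audit(1700000000.102:202): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffd2f0 a2=2 a3=0 pid=5555 uid=0 comm="ubi" exe="/tmp/.x/ubi"',
    'type=PATH msg=audit(1700000000.102:202): item=0 name="/dev/ubi0" mode=020660',
    'type=SYSCALL msg=audit(1700000000.103:203): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffd3a0 a2=0 a3=0 pid=6001 uid=0 comm="smartctl" exe="/usr/sbin/smartctl"',
    'type=PATH msg=audit(1700000000.103:203): item=0 name="/dev/sda" mode=060660',
    'type=SYSCALL msg=audit(1700000000.104:204): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffd4b0 a2=241 a3=1b6 pid=6002 uid=1000 comm="vim" exe="/usr/bin/vim"',
    'type=PATH msg=audit(1700000000.104:204): item=0 name="/home/user/notes.txt" mode=0100644',
]

if __name__ == "__main__":
    for f in find_suspicious_device_opens(SAMPLE_AUDIT_LINES):
        print(f"event {f['event']}: {f['exe']} (uid {f['uid']}) opened {f['device']} for writing")
```

Feeding the script real data requires an audit rule that records `open`/`openat` on the device nodes of interest; the allowlist keeps routine storage management from generating noise, and read-only opens are deliberately ignored because monitoring and inventory tools open devices that way constantly. Since AcidPour is compiled for x86, the syscall numbers above are the x86_64 ones; a MIPS or ARM host would need its own table.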
One of the most interesting aspects of AcidPour is its coding style, reminiscent of the pragmatic CaddyWiper broadly utilized against Ukrainian targets alongside notable malware like Industroyer 2, SentinelOne said. Both CaddyWiper and Industroyer 2 are malware used by Russia-backed state groups in destructive attacks on organizations in Ukraine, even before Russia's February 2022 invasion of the country.
Ukraine's CERT has analyzed AcidPour and attributed it to UAC-0165, a threat actor that is part of the Sandworm group, SentinelOne said.
AcidPour and AcidRain are among numerous wipers that Russian actors have deployed against Ukrainian targets in recent years, and particularly after the onset of the current war between the two countries. Even though the threat actor managed to knock thousands of modems offline in the Viasat attack, the company was able to recover and redeploy them after removing the malware.
In many other instances, though, organizations have been forced to discard systems following a wiper attack. One of the most notable examples is the 2012 Shamoon wiper attack on Saudi Aramco that crippled some 30,000 systems at the company.
As was the case with Shamoon and AcidRain, threat actors typically have not needed to make wipers sophisticated to be effective. That's because the only function of the malware is to overwrite or delete data from systems and render them useless, so the evasive tactics and obfuscation techniques associated with data theft and cyber espionage attacks aren't necessary.
The best defense against wipers, or the best way to limit the damage they cause, is to implement the same kind of defenses as for ransomware: backups of critical data, and robust incident response plans and capabilities.
Network segmentation is also key. Wipers are more effective when they can spread to other systems, so a segmented posture helps thwart lateral movement.
