S0693 CaddyWiper

CaddyWiper is a destructive data wiper that has been used in attacks against organizations in Ukraine since at least March 2022.[1][2]

| Item | Value |
| --- | --- |
| ID | S0693 |
| Associated Names | |
| Version | 1.0 |
| Created | 23 March 2022 |
| Last Modified | 11 April 2022 |
Techniques Used

| Domain | ID | Name | Use |
| --- | --- | --- | --- |
| enterprise | T1485 | Data Destruction | CaddyWiper can work alphabetically through drives on a compromised system to take ownership of and overwrite all files.[1][2] |
| enterprise | T1561 | Disk Wipe | - |
| enterprise | T1561.002 | Disk Structure Wipe | CaddyWiper has the ability to destroy information about a physical drive’s partitions, including the MBR, GPT, and partition entries.[1][2] |
| enterprise | T1083 | File and Directory Discovery | CaddyWiper can enumerate all files and directories on a compromised host.[3] |
| enterprise | T1222 | File and Directory Permissions Modification | - |
| enterprise | T1222.001 | Windows File and Directory Permissions Modification | CaddyWiper can modify ACL entries to take ownership of files.[2] |
| enterprise | T1106 | Native API | CaddyWiper has the ability to dynamically resolve and use APIs, including SeTakeOwnershipPrivilege.[2] |
| enterprise | T1057 | Process Discovery | CaddyWiper can obtain a list of current processes.[3] |
| enterprise | T1082 | System Information Discovery | CaddyWiper can use DsRoleGetPrimaryDomainInformation to determine the role of the infected machine. CaddyWiper can also halt execution if the compromised host is identified as a domain controller.[2][3] |