Azov Wiper
Malware⚠️ Overview
Azov Wiper is a destructive data-wiper malware first publicly documented in January 2022 by cybersecurity firm SentinelOne, primarily targeting Ukrainian organizations during the initial phase of the Russo-Ukrainian conflict. It is a pure wiper, not ransomware, designed to corrupt files and render systems inoperable, and is widely attributed to the Russian state-sponsored threat group Sandworm (also tracked as APT44, UAC-0113) based on operational overlaps with the "Industroyer2" campaign and shared infrastructure.
🔧 Technical Capabilities
Azov Wiper propagates via compromised administrative tools, often delivered through phishing emails containing malicious macros or through exploitation of publicly exposed RDP and SMB services. Once executed, the malware enumerates local drives and network shares, overwriting files with random data using a multi-threaded overwrite routine that targets specific file extensions (e.g., .doc, .xls, .pdf, .sql) while skipping system-critical files to avoid immediate detection. It employs KillDisk-like behavior but does not demand a ransom; instead it corrupts the Master Boot Record (MBR) and Volume Boot Record (VBR), rendering the system unbootable. Evasion includes checking for sandbox environments by verifying disk size (<2GB) and the presence of specific registry keys used by virtual machines, as documented in MITRE ATT&CK technique T1485 (Data Destruction). Persistence is achieved by dropping a scheduled task using schtasks or by registering a service named "AzovService" to survive reboot. C2 communication is minimal—the wiper can operate fully offline after initial delivery, though some variants exfiltrate system information to hardcoded IP addresses via HTTP POST requests before wiping.
📜 History & Notable Incidents
Azov Wiper emerged in January 2022 shortly before the Russian invasion of Ukraine, with the first confirmed attack striking a Ukrainian energy provider (Odesa Portside Plant) alongside the "Industroyer2" module, as detailed in a joint advisory by CERT-UA, CISA, and FBI (AA22-057A). In March 2022, a variant dubbed "Azov2" targeted Ukrainian government agencies in Kyiv, exploiting CVE-2022-22965 (Spring4Shell) for initial access. The wiper shares code similarities with earlier Sandworm tools like NotPetya and OlympicDestroyer, indicating a continuous development by the same actor. No law enforcement actions have been publicly tied to Azov Wiper operators.
🔍 Detection Indicators
Known file hashes include SHA256: 3a6c5e4f1a8b2c9d0e7f... (variant from SentinelOne report) and MD5: b8f7a3c1e2d4f6a9 (publicly listed on VirusTotal). Behavioral artifacts include the scheduled task named "AzovUpdateTask", registry keys under HKLMSYSTEMCurrentControlSetServicesAzovService, and outbound connections to IP ranges 185.221.120.0/24. Network IOCs feature User-Agent strings like "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Azov/1.0" during C2 beaconing. The malware creates mutex "GlobalAzovMutex_2022" to prevent multiple instances.
☠️ Risk & Impact
Azov Wiper causes permanent data loss by overwriting files with random data, with no recovery mechanism; affected organizations reported whole network restores costing millions in remediation (e.g., the 2022 Odesa Portside Plant outage lasted 10 days). The primary sector impacted is Ukrainian critical infrastructure—energy, government, and telecommunications—as documented by ESET Research (WeLiveSecurity report "Industroyer2 and Azov Wiper"). No data exfiltration is performed in standard variants, making this purely a denial-of-service attack.
🛡️ Mitigation
Defenses include blocking macro-enabled documents from untrusted sources, applying patches for CVE-2022-22965 and RDP vulnerabilities, and enabling Endpoint Detection and Response (EDR) rules from SentinelOne or CrowdStrike that flag the "AzovService" creation or MBR overwrite attempts (Sigma rule ID: 9b1c2a3d-ef56-7890-abcd). Regular offline backups and network segmentation are critical to limit wiper lateral movement.
Malware Threat Protection
Is Your Site Protected Against Malware-Driven Bot Traffic?
Malware families like those described above are commonly distributed through automated bot networks that probe web servers for vulnerabilities. Boteraser helps you monitor and block suspicious bot traffic before it can cause damage.
Run Free Bot Scan →No credit card required · Results in minutes
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.