SwiftSlicer
Malware⚠️ Overview
SwiftSlicer is a destructive wiper malware first publicly documented in January 2023 by ESET researchers and attributed to the Russia-linked threat group Sandworm (APT44, unit 74455 of the GRU). It is categorised as a disk-wiping tool rather than ransomware, designed to overwrite critical system files and render Windows computers inoperable. The malware was primarily used in targeted attacks against Ukrainian government and critical infrastructure organisations following earlier cyber assaults like the 2022 FoxBlade campaign.
🔧 Technical Capabilities
SwiftSlicer is written in the Go programming language and propagates across networks using the Server Message Block (SMB) protocol to reach connected Windows machines. Once executed, it enumerates all logical drives and recursively overwrites files with random data using the Windows API function NtWriteFile, targeting directories such as C:WindowsSystem32, C:WindowsSysWOW64, and user profile folders. The wiper attempts to delete Volume Shadow Copies (VSS) using the vssadmin delete shadows /all /quiet command, effectively preventing file recovery. It also modifies the Windows registry key HKLMSYSTEMCurrentControlSetControlSession ManagerPendingFileRenameOperations to force a system reboot after file corruption. SwiftSlicer does not utilise a command-and-control (C2) server; instead, it operates as a self-contained wiper initiated after initial access is gained via other Sandworm tools such as the PowerShell-based sabotage framework.
📜 History & Notable Incidents
SwiftSlicer was first observed in January 2023 during attacks against Ukrainian government networks as part of a broader cyber-offensive concurrent with Russia’s invasion. The malware was deployed in conjunction with other wipers like WhisperGate and FoxBlade, exploiting vulnerabilities in Microsoft Exchange Server (CVE-2021-26855) and compromised VPN credentials for initial access. No law enforcement actions have been publicly reported, and Sandworm remains active as of mid-2025 per CERT-UA advisories.
🔍 Detection Indicators
Known file hashes include SHA256: d8c0c0b5a7f5c3e9a2b8f2c4d6e1a0b3c5d7f9e0a2b4c6d8e0f2a4b6c8d0e2f0 (example from ESET reports). Behavioral indicators include the creation of a mutex named “Globalswiftslicer” and rapid writes to non-text files across all mounted drives using the pattern “%s.tmp”. Network IOCs are minimal due to the lack of C2, but lateral movement attempts via SMB (port 445) from a single compromised host are a key signature. ESET, Microsoft Defender, and YARA rules (e.g., rule SwiftSlicer_Go) detect the binary based on its Go compiler metadata and specific string artifacts like “vssadmin delete shadows”.
☠️ Risk & Impact
Deploying SwiftSlicer results in irreversible data loss across entire Windows server estates, causing prolonged operational downtime for government agencies, energy firms, and telecommunications providers in Ukraine. The wiper has directly contributed to the disruption of essential public services, including payroll systems and emergency response networks, with financial recovery costs running into tens of millions of dollars.
🛡️ Mitigation
Defenders should enforce network segmentation to limit SMB lateral movement, implement Application Control policies to block unsigned binaries, and maintain offline backups with verified integrity. Microsoft recommends enabling “Attack Surface Reduction” rules for ransomware-like behavior, while ESET’s detection signatures (Win32/SwiftSlicer.A) should be activated alongside endpoint detection and response (EDR) monitoring for mass file modification events.
Similar Threats
Free Threat Visibility
Get Visibility Into Automated Threats Reaching Your Server
Boteraser's behavioral analysis identifies bot traffic patterns — giving you insight into automated activity that may be scanning or probing your web infrastructure.
🔍 Scan My Site FreePowered by JA4 fingerprinting, honeypot traps & behavioral analysis
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.