A surge of Russian wiper attacks has hit Ukrainian networks in recent months, as Sandworm — one of the Kremlin’s most aggressive state-backed hacking teams — continues deploying data-destroying malware across government, energy and logistics sectors. According to new research, the group is expanding the scope of its destructive campaigns, including rare strikes on Ukraine’s grain industry.
The activity is part of a long-running pattern: Russia-linked actors have repeatedly used wipers throughout the ongoing war, leveraging them to disrupt operations, destroy data, and pressure critical sectors that support Ukraine’s economy.
Sandworm’s latest destructive operations
Researchers at ESET report that Sandworm carried out multiple wiper operations throughout 2025, beginning with an April attack on a Ukrainian university. Two separate wipers were deployed:
- Sting, which wiped Windows systems through a scheduled task named DavaniGulyashaSdeshka — a slang phrase roughly translating to “eat some goulash.”
- Zerlot, another destructive payload used in tandem.
These dual strikes indicate that Russian operators were attempting layered disruption, a tactic Sandworm has used in past campaigns.
A broader target list — including Ukraine’s grain sector
In June and September, the attackers widened their operations to hit organizations tied to Ukrainian government functions, the energy grid and logistics infrastructure — all historically common targets for Russian cyber operations. But researchers noted a fourth, less typical target: companies in the grain sector.
ESET highlights that while the grain industry has been targeted before, it remains a relatively infrequent victim. Because grain exports are a critical revenue source for Ukraine, these attacks appear intended to undermine the economic base supporting the country’s war effort.
Wipers: a long-standing weapon of Russian cyber units
Wipers have been a signature tool of Russian state-backed attackers for over a decade. The infamous NotPetya attack in 2017 — initially aimed at Ukraine — spread globally within hours, causing billions in damage and becoming one of the most destructive cyber incidents in history.
Sandworm’s track record includes:
- 2016 & 2017 malware attacks that shut down parts of Ukraine’s power grid
- Wipers that disabled 10,000 satellite modems in 2022
- Destructive attacks on Ukrainian media networks
- WhisperGate and other 2022 campaigns targeting government and IT sectors
ESET reports more than a dozen wipers used by Russia-affiliated operators since the invasion began, with multiple variants still active across Ukraine.
Not just Sandworm: multiple Russian groups involved
Although Sandworm remains the most aggressive actor, other Russian-linked groups have contributed.
Examples include:
- RomCom, which exploited a WinRAR zero-day to deploy malware on Ukrainian systems
- Gamaredon, responsible for waves of destructive operations throughout the past year
- UAC-0099, which in some cases provided initial access for Sandworm by spear-phishing targeted employees
Notably, ESET observed cross-group cooperation — something historically rare due to deep rivalries between Russian cyber units.
Wipers remain a primary weapon going into 2025
Despite reports suggesting a recent shift toward espionage, ESET’s data shows that Russian wiper attacks have continued steadily into 2025.
“These destructive attacks by Sandworm are a reminder that wipers remain a frequent tool of Russia-aligned threat actors in Ukraine,” researchers stated. “We have observed Sandworm conducting wiper attacks on a regular basis since the start of 2025.”
The findings suggest that data-destruction operations — not just intelligence gathering — will remain central to Russia’s cyber strategy in the ongoing conflict.