Sandworm is a long-running, highly capable cyber-espionage and cyber-sabotage unit widely linked to Russia’s GRU, known for executing some of the most disruptive cyber operations ever recorded. Over the past decade, the group has repeatedly targeted Ukraine and a range of NATO-aligned nations, demonstrating a consistent focus on strategic disruption, political destabilization, and wide-scale operational impact. Their campaigns span from classic espionage and credential theft to large-scale, destructive attacks that affect critical infrastructure worldwide. Sandworm’s operations are marked by technical sophistication, multi-stage intrusion workflows, and a willingness to deploy destructive malware in geopolitical conflicts.
Since 2014, the group has steadily escalated its activity. Its early operations involved exploiting Microsoft Office zero-days in targeted spear-phishing campaigns against Ukrainian and NATO-related entities. By 2015, Sandworm had moved decisively into cyber-physical disruption, conducting the first known blackout caused by malicious software when it used BlackEnergy3 to interrupt electricity distribution for hundreds of thousands of Ukrainian customers. The group further demonstrated its destructive reach in 2017 with the NotPetya attack, a malware released through a compromised software supply chain that ultimately caused billions of dollars in global damage. Sandworm has also extended its campaigns beyond Ukraine, including the 2018 Olympic Destroyer attack on the PyeongChang Winter Olympics and a 2019 mass defacement operation against Georgian government and media websites.
In recent years, Sandworm has continued evolving its malware ecosystem and operational infrastructure. The Cyclops Blink botnet, revealed in 2022, replaced the earlier VPNFilter platform and showcased the group’s ability to hijack device firmware to maintain long-term, stealthy persistence on network equipment across the world. Their destructive operations have persisted as well, with new wipers, SwiftSlicer in 2023 and ZEROLOT from 2024 to 2025, deployed against Ukrainian targets. The group has also expanded its targeting to mobile platforms, as seen in the Infamous Chisel malware used against Android devices belonging to the Ukrainian military. These activities underscore Sandworm’s continued commitment to strategic sabotage campaigns aligned with Russian geopolitical interests.
In this post, we will provide a consolidated view of Sandworm’s major historical operations, examine their evolving malware families and destructive toolsets, and analyze their tactics, techniques, and procedures (TTPs) within the MITRE ATT&CK framework to better understand the group’s operational behavior and impact.
The 2017 NotPetya attack was initiated by compromising the update servers of M.E.Doc, a widely used accounting software in Ukraine. By hijacking the legitimate update process, Sandworm pushed the NotPetya wiper to all M.E.Doc users simultaneously [11].
Sandworm conducted an email campaign impersonating a Ukrainian drone warfare training school. The emails invited recipients to join the school and linked to files hosted on fex[.]net, delivering a benign-looking PDF outlining a drone operator curriculum alongside a malicious ZIP archive titled "Навчальна-програма-Оператори.zip" that exploited CVE-2023-38831. The payload, "Навчальна-програма-Оператори.pdf /Навчальна-програма-Оператори.pdf_.bat", deployed a packed version of the Rhadamanthys infostealer [12].
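The lure above relies on the archive layout that CVE-2023-38831 abuses: a decoy document whose name ends in a space, sitting next to a folder with that same space-terminated name that holds a script. The following is an added example, not code from the post or from Google TAG, that checks a ZIP for this shape. The file names and contents inside the constructed archives are made up; only the layout mirrors the campaign.

```python
import io
import sys
import zipfile
from typing import List, Tuple

# File types Windows would execute if the archive handler opened the paired entry.
SCRIPT_EXTS = (".cmd", ".bat", ".exe", ".scr", ".com", ".vbs", ".js", ".ps1")


def find_bait_pairs(zip_bytes: bytes) -> List[Tuple[str, str]]:
    """Return (decoy, script) pairs laid out in the CVE-2023-38831 shape:
    a file whose name ends in a space, plus a folder carrying that same
    space-terminated name that contains a script."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        entries = [n for n in zf.namelist() if not n.endswith("/")]
    findings = []
    for decoy in entries:
        if not decoy.endswith(" "):
            continue
        folder = decoy + "/"
        for child in entries:
            if child.startswith(folder) and child.lower().endswith(SCRIPT_EXTS):
                findings.append((decoy, child))
    return findings


def trailing_space_names(zip_bytes: bytes) -> List[str]:
    """Weaker signal: a path component ending in a space is abnormal in
    legitimately authored archives and is worth a look on its own."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()
    return [n for n in names
            if any(part.endswith(" ") for part in n.rstrip("/").split("/"))]


def build_constructed_lure() -> bytes:
    # Constructed sample that copies only the layout; contents are harmless text.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("curriculum.pdf ", b"%PDF-1.4 constructed decoy")
        zf.writestr("curriculum.pdf /curriculum.pdf .cmd", b"echo constructed sample\r\n")
    return buf.getvalue()


def build_benign_archive() -> bytes:
    # Constructed control case with ordinary names.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("curriculum.pdf", b"%PDF-1.4 constructed document")
        zf.writestr("notes/readme.txt", b"constructed text")
    return buf.getvalue()


if __name__ == "__main__":
    # Usage: python check_zip.py archive1.zip archive2.zip ...
    for p in sys.argv[1:] or []:
        with open(p, "rb") as f:
            data = f.read()
        print(p, find_bait_pairs(data), trailing_space_names(data))
    if len(sys.argv) == 1:
        print(find_bait_pairs(build_constructed_lure()))
```

The pair check is the high-confidence rule; `trailing_space_names` is the looser one that a mail gateway can use to quarantine for review, since no authoring tool produces such names on purpose.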
During the 2016 Ukraine power grid attack, after gaining access to a Microsoft SQL server, Sandworm utilized the xp_cmdshell extended stored procedure [13]. This is a classic database exploitation technique that allows a user with sufficient permissions within the SQL server to execute arbitrary operating system commands via cmd.exe. Example usage of xp_cmdshell:
```sql
-- First, an attacker may need to re-enable the xp_cmdshell procedure if it is disabled.
```
Sandworm deployed additional backdoors to maintain persistence and regain access if the primary Python/TeleBot backdoor was discovered and removed. The fallback backdoor was written in VBScript, with some samples packaged using the script2exe program. This layered approach increased the likelihood of reentry and evasion by diversifying tooling and delivery methods. Below is the source code of an additional backdoor written in VBS [14]:
script.vbs
Cyclops Blink maintains persistence by hijacking the legitimate firmware update workflow through a child process of module ID 0x51.
When the file /pending/WGUpgrade-dl is found, the module copies the authentic installer /bin/install_upgrade to /pending/bin/install_upgraded. At the same time, it copies the Cyclops Blink binary /usr/bin/cpd to /pending/bin/cpd and the RC startup script /etc/runlevel/4/S51armled to /pending/bin/S51armled.
Next, the legitimate /bin/install_upgrade is overwritten with an embedded ELF. This ELF unpacks the firmware image, injects the Cyclops Blink executable and S51armled, and adjusts their timestamps to match /pending/sysa_code_dir/bin/busybox-rel using utime.
The firmware’s HMAC is then recalculated, which is feasible due to a hard-coded key on the device, allowing the altered image to pass verification. After this, the modified image is repacked, and installation proceeds via the preserved legitimate installer at /pending/bin/install_upgraded.
Following reboot, S51armled ensures that Cyclops Blink launches automatically at startup [15].
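The step that makes this persistence possible is the HMAC recalculation: an integrity tag computed with a key that is stored on the device protects against accidental corruption, not against anyone who has the device in hand. The following added example (not NCSC's code and not the malware's) models that check with constructed data and contrasts it with a digest pinned out of band, which a device-resident key cannot forge.

```python
import hashlib
import hmac

TAG_LEN = 32
# Constructed stand-in for a key baked into every unit's firmware.
DEVICE_KEY = b"constructed-device-wide-key"


def seal_image(image: bytes, key: bytes) -> bytes:
    """Append an HMAC-SHA256 tag, as a device-side 'signing' step would."""
    return image + hmac.new(key, image, hashlib.sha256).digest()


def device_check(sealed: bytes, key: bytes) -> bool:
    """The on-device verification: recompute the tag with the embedded key."""
    image, tag = sealed[:-TAG_LEN], sealed[-TAG_LEN:]
    expected = hmac.new(key, image, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


def repack_with_device_key(sealed: bytes, extra: bytes, key: bytes) -> bytes:
    """Models the repack step described above: add a component to the
    unpacked image and recompute the tag. Nothing in this step needs a
    secret that the device does not already hold."""
    return seal_image(sealed[:-TAG_LEN] + extra, key)


def pinned_check(sealed: bytes, pinned_sha256: str) -> bool:
    """Out-of-band check: compare the image against a digest published by
    the vendor and kept off the device (e.g. in a management console)."""
    return hashlib.sha256(sealed[:-TAG_LEN]).hexdigest() == pinned_sha256


def demo() -> dict:
    original = seal_image(b"vendor firmware v1 (constructed)", DEVICE_KEY)
    pinned = hashlib.sha256(original[:-TAG_LEN]).hexdigest()
    tampered = repack_with_device_key(original, b"+extra startup script", DEVICE_KEY)
    return {
        "device_accepts_original": device_check(original, DEVICE_KEY),
        "device_accepts_tampered": device_check(tampered, DEVICE_KEY),
        "pinned_accepts_original": pinned_check(original, pinned),
        "pinned_accepts_tampered": pinned_check(tampered, pinned),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The practical takeaway for defenders is that the firmware image itself cannot be trusted to report its own integrity on a device of this kind; image digests need to be compared against a vendor-published value from outside the device, and a public-key signature scheme (private key held only by the vendor) is what removes the attack entirely.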
Sandworm maintained persistence by configuring a systemd service unit to launch GOGETTER at startup. GOGETTER is a Golang-based tunneler that proxies communications. The service was set to trigger at the multi-user.target, meaning it would run once the system reached a state suitable for user logins, such as after a successful boot. The ExecStart directive pointed to the GOGETTER executable, ensuring it was invoked on each reboot. This configuration allowed GOGETTER to persist across system restarts and remain active under normal operating conditions. The GOGETTER systemd unit is shown below:
```ini
[Unit]
```
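A unit enabled at multi-user.target whose ExecStart points outside the package-managed directories is the pattern to hunt for. The following added example (not Sandworm's unit file, whose full contents are not reproduced here, and not Mandiant's or anyone else's tooling) parses systemd unit text and reports such units. The unit contents and binary path are constructed; the real GOGETTER path is not given in this post.

```python
import glob
import re
from typing import Dict, List

# Directories populated by the package manager; ExecStart elsewhere deserves review.
TRUSTED_DIRS = ("/usr/bin/", "/usr/sbin/", "/bin/", "/sbin/", "/usr/lib/", "/usr/libexec/")

# Constructed unit modelled on the behaviour described above (path is made up).
SUSPECT_UNIT = """\
[Unit]
Description=constructed sample
After=network.target

[Service]
ExecStart=/var/tmp/.cache/tunnel -c /var/tmp/.cache/cfg
Restart=always

[Install]
WantedBy=multi-user.target
"""

BENIGN_UNIT = """\
[Unit]
Description=constructed control case

[Service]
ExecStart=/usr/sbin/sshd -D

[Install]
WantedBy=multi-user.target
"""


def parse_unit(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Minimal unit-file parser; keys may repeat, so values are lists."""
    sections: Dict[str, Dict[str, List[str]]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        m = re.match(r"^\[(\w+)\]$", line)
        if m:
            current = sections.setdefault(m.group(1), {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        current.setdefault(key.strip(), []).append(value.strip())
    return sections


def exec_binary(exec_line: str) -> str:
    """First token of ExecStart with systemd's prefix characters removed."""
    tokens = exec_line.split()
    return tokens[0].lstrip("-@!+:") if tokens else ""


def audit_unit(text: str) -> List[str]:
    unit = parse_unit(text)
    reasons = []
    for line in unit.get("Service", {}).get("ExecStart", []):
        binary = exec_binary(line)
        if not binary.startswith(TRUSTED_DIRS):
            reasons.append(f"ExecStart binary outside packaged paths: {binary}")
    if reasons and "multi-user.target" in unit.get("Install", {}).get("WantedBy", []):
        reasons.append("enabled at multi-user.target: runs on every boot")
    return reasons


def audit_system_units(pattern: str = "/etc/systemd/system/*.service") -> Dict[str, List[str]]:
    """Audit admin-installed units on a live host; packaged units live under /usr/lib."""
    results = {}
    for path in glob.glob(pattern):
        with open(path, encoding="utf-8", errors="replace") as f:
            reasons = audit_unit(f.read())
        if reasons:
            results[path] = reasons
    return results


if __name__ == "__main__":
    for path, reasons in audit_system_units().items():
        print(path, reasons)
```

On a live host, pairing this with a check that the ExecStart binary belongs to an installed package (`dpkg -S` or `rpm -qf`) removes most of the remaining noise from locally built services.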
The Industroyer malware used by Sandworm establishes persistence by modifying an existing, non-critical Windows service. It replaces the ImagePath registry value for that service, which specifies the path to the service's executable, with the path to its own backdoor binary [13].
The Python-based TeleBot malware associated with Sandworm is packaged as a standalone executable using PyInstaller and employs multiple layers of obfuscation. Its backdoor code is ROT13 transformed, AES encrypted, compressed with the zlib library, and then Base64 encoded, creating a dense chain of protections that hinder analysis [14].
The core component of Cyclops Blink malware first checks whether it is running under the process name [kworker:0/1]. If not, it relaunches itself by spawning a child process via the Linux execl call with "/proc/self/exe" and the argument "[kworker:0/1]", then terminates the original process [15]:
```c
/* Relaunch under a kernel-thread-like name; execl() takes argv[0] and a NULL terminator. */
execl("/proc/self/exe", "[kworker:0/1]", (char *)NULL);
```
By adopting the name [kworker:0/1], which matches a legitimate Linux kernel worker thread, the malware blends into normal process listings and reduces the likelihood of detection.
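The disguise only holds at the level of `ps` output. A genuine kernel thread has an empty `/proc/<pid>/cmdline` (the brackets in `ps` are added precisely because of that), a parent of kthreadd (PID 2), and no resolvable `/proc/<pid>/exe` link; a user-space process that has renamed itself fails each of those tests. The following added example (not the NCSC report's code) encodes those checks and runs them over `/proc`; the sample records are constructed.

```python
import os
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class ProcRecord:
    pid: int
    comm: str            # /proc/<pid>/comm
    state: str           # state letter from /proc/<pid>/stat
    ppid: int            # parent PID from /proc/<pid>/stat
    exe: Optional[str]   # target of /proc/<pid>/exe, None when it does not resolve
    cmdline: bytes       # raw /proc/<pid>/cmdline, empty for kernel threads


def display_name(rec: ProcRecord) -> str:
    """What `ps` prints: argv[0] when a cmdline exists, else the bracketed comm."""
    if rec.cmdline:
        return rec.cmdline.split(b"\x00", 1)[0].decode("utf-8", "replace")
    return f"[{rec.comm}]"


def is_masquerading(rec: ProcRecord) -> bool:
    name = display_name(rec)
    looks_kernel = (name.startswith("[") and name.endswith("]")) or "kworker" in name
    if not looks_kernel or rec.state == "Z":   # zombies also show bracketed names
        return False
    if rec.cmdline:
        return True                             # kernel threads never have a cmdline
    genuine_parent = rec.pid == 2 or rec.ppid == 2
    return (not genuine_parent) or rec.exe is not None or rec.comm.startswith("[")


def read_live_record(pid: int) -> Optional[ProcRecord]:
    base = f"/proc/{pid}"
    try:
        with open(f"{base}/comm") as f:
            comm = f.read().rstrip("\n")
        with open(f"{base}/stat") as f:
            stat = f.read()
        with open(f"{base}/cmdline", "rb") as f:
            cmdline = f.read()
    except OSError:
        return None
    # Fields after the parenthesised comm are: state ppid pgrp ...
    after = stat.rsplit(")", 1)[1].split()
    state, ppid = after[0], int(after[1])
    try:
        exe = os.readlink(f"{base}/exe")
    except OSError:
        exe = None   # ENOENT for kernel threads; EACCES for other users' processes unless root
    return ProcRecord(pid, comm, state, ppid, exe, cmdline)


def scan_proc() -> List[ProcRecord]:
    hits = []
    for entry in os.listdir("/proc"):
        if entry.isdigit():
            rec = read_live_record(int(entry))
            if rec and is_masquerading(rec):
                hits.append(rec)
    return hits


if __name__ == "__main__":
    for rec in scan_proc():
        print(f"pid={rec.pid} name={display_name(rec)!r} ppid={rec.ppid} exe={rec.exe}")
```

Run the scan as root so that `exe` links of other users' processes resolve; as an unprivileged user the cmdline test alone still catches the case in this post, because a process reached via `execl` always carries the argv it was given. Note also that genuine kworker names take the form `kworker/N:M`, so the `kworker:0/1` spelling quoted above is itself distinguishable by a careful eye.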
Cyclops Blink alters the Linux iptables firewall to permit C2 traffic by leveraging a predefined list of port numbers [15]. Example commands Cyclops Blink might execute would be:
```bash
# The -I INPUT 1 inserts the rule at the top of the INPUT chain to ensure it is processed first.
```
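A rule inserted at position 1 of INPUT lands ahead of the usual RELATED,ESTABLISHED rule, and that ordering is visible in `iptables -S INPUT`. The following added example (not part of the post or the NCSC report) parses such a listing and reports ACCEPT rules for destination ports outside an expected allowlist, together with their position. The listing and the port numbers are constructed; the malware's actual port list is not reproduced in this post.

```python
import re
import subprocess
from typing import Dict, List, Set

# Constructed `iptables -S INPUT` listing; the 8080 rule sits at position 1,
# which is the position that `-I INPUT 1` produces.
SAMPLE_RULES = """\
-P INPUT DROP
-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
"""

DPORT = re.compile(r"--dport (\d+)")


def unexpected_input_accepts(listing: str, allowed_ports: Set[int]) -> List[Dict[str, object]]:
    """Flag ACCEPT rules on INPUT whose --dport is not in allowed_ports."""
    rules = [l.strip() for l in listing.splitlines() if l.strip().startswith("-A INPUT")]
    state_idx = next((i for i, r in enumerate(rules) if "ESTABLISHED" in r), len(rules))
    findings = []
    for idx, rule in enumerate(rules):
        if "-j ACCEPT" not in rule:
            continue
        m = DPORT.search(rule)
        if not m:
            continue
        port = int(m.group(1))
        if port in allowed_ports:
            continue
        findings.append({
            "position": idx + 1,             # 1-based, as iptables numbers rules
            "port": port,
            "before_state_rule": idx < state_idx,
            "rule": rule,
        })
    return findings


def live_listing() -> str:
    """Read the current INPUT chain on a Linux host (requires root)."""
    return subprocess.run(["iptables", "-S", "INPUT"], check=True,
                          capture_output=True, text=True).stdout


if __name__ == "__main__":
    # Replace the allowlist with the ports this host is meant to serve.
    for f in unexpected_input_accepts(SAMPLE_RULES, {22}):
        print(f)
```

On network appliances that expose no shell, the equivalent check is an external port scan from an adjacent host compared against the device's documented listening ports; a newly reachable port that the configuration does not explain is the signal.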
Sandworm’s toolkit includes a keylogger alongside other credential access features. The keylogger captures keystrokes using a common method that relies on the SetWindowsHookEx function [14].
A PDB path string, given below, within the malware indicates a tool dubbed CredRaptor. This utility is designed to harvest stored passwords from multiple web browsers, including Google Chrome, Internet Explorer, Mozilla Firefox, and Opera [14].
```text
D:\Projects\GetPAI Release\Credraptor\Out\CredRaptor_Win32_Release.pdb
```
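PDB paths like this one survive in the binary's CodeView debug record, which has a fixed layout: the ASCII signature `RSDS`, a 16-byte GUID, a 4-byte age and a NUL-terminated path. The following added example (not code from ESET's report) extracts such records from a file by scanning for that layout, which also works on packed or truncated samples where a full PE parser fails. The sample blob is constructed around the path quoted above; the GUID and age in it are made up.

```python
import struct
import sys
import uuid
from typing import Dict, List

# The PDB path quoted in the post, embedded in a constructed CodeView record
# surrounded by filler bytes standing in for the rest of a PE file.
SAMPLE_PATH = r"D:\Projects\GetPAI Release\Credraptor\Out\CredRaptor_Win32_Release.pdb"
SAMPLE_GUID = uuid.UUID("0f1e2d3c-4b5a-6978-8796-a5b4c3d2e1f0")   # constructed
SAMPLE_BLOB = (
    b"MZ" + b"\x00" * 62
    + b"RSDS" + SAMPLE_GUID.bytes_le + struct.pack("<I", 3)
    + SAMPLE_PATH.encode("utf-8") + b"\x00"
    + b"\x00" * 16
)


def extract_rsds(data: bytes) -> List[Dict[str, object]]:
    """Find CodeView RSDS records: 'RSDS' + GUID (little-endian layout) + age + path + NUL."""
    records = []
    pos = 0
    while True:
        i = data.find(b"RSDS", pos)
        if i < 0 or i + 24 > len(data):
            break
        end = data.find(b"\x00", i + 24)
        if end < 0:
            break
        path = data[i + 24:end].decode("utf-8", errors="replace")
        if path.lower().endswith(".pdb"):      # skip chance 'RSDS' byte sequences
            records.append({
                "guid": str(uuid.UUID(bytes_le=data[i + 4:i + 20])),
                "age": struct.unpack_from("<I", data, i + 20)[0],
                "path": path,
            })
        pos = i + 4
    return records


def project_terms(path: str) -> List[str]:
    """Directory names from the path, useful as pivot keywords across samples."""
    parts = path.replace("/", "\\").split("\\")
    return [p for p in parts[1:-1] if p]


if __name__ == "__main__":
    data = SAMPLE_BLOB
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            data = f.read()
    for rec in extract_rsds(data):
        print(rec, project_terms(rec["path"]))
```

The GUID and age pair is what a symbol server keys on, so two samples that share them were built from the same object files; the path components (here `GetPAI Release` and `Credraptor`) are the kind of terms used to pivot across a malware corpus.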
The Cyclops Blink malware has a dedicated module (Module ID 0x8) for system reconnaissance. This module regularly gathers a wide range of information about the compromised device. It does this by running Linux commands and reading various system files [15]. These commands and files are given below [15]:
Gathered files include: /etc/issue, /etc/passwd, /etc/group, /proc/mounts, /proc/partitions, /proc/net/arp
The gathered system information is then sent to a C2 server.
NotPetya integrated the powerful EternalBlue (CVE-2017-0144) and EternalRomance (CVE-2017-0145) exploits, which targeted vulnerabilities in Microsoft's SMBv1 implementation. After infecting a host, NotPetya would scan the local network for other machines with a vulnerable SMB service [16]. If one was found, it would use the exploit to execute its code on the remote machine and infect it, without needing any valid credentials.
The Python/TeleBot is a backdoor used by Sandworm that communicates with its operators by abusing the Telegram Bot API, using HTTP(S) requests to api.telegram.org that resemble legitimate traffic to network observers. Each sample embeds a unique token tied to a distinct Telegram account and leverages private chats to receive commands, enabling control of infected machines from any device running Telegram, including smartphones. In at least one variant, the malware also uses an outlook.com mailbox as an alternative command-and-control channel. Below is the code part that communicates with the Telegram API [14]:
```python
class mGYPGqombvNcHB :
```
The most remarkable supported functions of the backdoor are given below [14]:
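Because the Bot API lives on api.telegram.org, the traffic is indistinguishable from ordinary Telegram use at the domain level; the distinguishing features are the bot token in the URL path (`/bot<numeric id>:<secret>/<method>`) and the polling rhythm of `getUpdates` calls from a host that then uses `sendDocument` or `sendMessage`. The following added example (not ESET's code and not the backdoor's) applies those features to proxy log lines. The log lines, hosts and token are constructed.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional

# Bot API URLs carry the token in the path. Secret length is not fixed by
# Telegram documentation, so a lower bound is used here.
BOT_CALL = re.compile(
    r"https?://api\.telegram\.org/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]{30,})/(?P<method>\w+)"
)
RECEIVE_METHODS = {"getUpdates"}                 # how a bot polls for operator messages
SEND_METHODS = {"sendMessage", "sendDocument"}   # how results leave the host

# Constructed proxy log: timestamp, client, verb, URL, status.
SAMPLE_LOG = """\
2016-12-01T10:00:01Z 10.0.0.5 GET https://api.telegram.org/bot123456789:AAHconstructedTokenValue00000000000000/getUpdates 200
2016-12-01T10:00:31Z 10.0.0.5 GET https://api.telegram.org/bot123456789:AAHconstructedTokenValue00000000000000/getUpdates 200
2016-12-01T10:01:01Z 10.0.0.5 GET https://api.telegram.org/bot123456789:AAHconstructedTokenValue00000000000000/getUpdates 200
2016-12-01T10:01:05Z 10.0.0.5 POST https://api.telegram.org/bot123456789:AAHconstructedTokenValue00000000000000/sendDocument 200
2016-12-01T10:02:00Z 10.0.0.9 GET https://web.telegram.org/ 200
2016-12-01T10:02:10Z 10.0.0.9 GET https://example.test/index.html 200
"""


def parse_line(line: str) -> Optional[Dict[str, object]]:
    ts, host, _verb, url, _status = line.split()
    m = BOT_CALL.search(url)
    if not m:
        return None
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "host": host,
            "bot_id": m.group("bot_id"), "method": m.group("method")}


def bot_api_findings(log_text: str) -> List[Dict[str, object]]:
    """One finding per (host, bot id) that polls getUpdates; the secret is never reported."""
    per_key: Dict[tuple, list] = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_line(line)
            if rec:
                per_key[(rec["host"], rec["bot_id"])].append(rec)
    findings = []
    for (host, bot_id), recs in sorted(per_key.items()):
        polls = sorted(r["ts"] for r in recs if r["method"] in RECEIVE_METHODS)
        if not polls:
            continue          # send-only use (alerting bots) is out of scope here
        methods = sorted({r["method"] for r in recs})
        gaps = [(b - a).total_seconds() for a, b in zip(polls, polls[1:])]
        findings.append({
            "host": host,
            "bot_id": bot_id,
            "calls": len(recs),
            "methods": methods,
            "median_poll_interval_s": statistics.median(gaps) if gaps else None,
            "sends_data": bool(set(methods) & SEND_METHODS),
        })
    return findings


if __name__ == "__main__":
    for f in bot_api_findings(SAMPLE_LOG):
        print(f)
```

A workstation that both polls and sends under one bot id is the combination worth alerting on; a bot id seen from many hosts is a useful cross-host pivot, and blocking `api.telegram.org` outright at the egress proxy is the blunt control where the business has no need for it.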
Prestige ransomware, used by Sandworm, encrypts files by using the CryptoPP C++ library to apply AES encryption to each targeted file. During this process, it employs a hardcoded RSA X.509 public key. Prestige scans the file system and encrypts files that match a predefined list of extensions, while deliberately skipping critical system paths. Specifically, it avoids encrypting any files located under C:\Windows\ and C:\ProgramData\Microsoft\. The predefined list is shown below [17]:
.1cd, .7z, .abk, .accdb, .accdc, .accde, .accdr, .alz, .apk, .apng, .arc, .asd,
The ransomware appends .enc to existing file extensions after encrypting them. It also registers a custom file extension handler for .enc files, ensuring that when a user attempts to open any .enc file, the handler launches Notepad to open C:\Users\Public\README, which contains the ransom note left by the ransomware:
```text
YOU PERSONAL FILES HAVE BEEN ENCRYPTED.
```
Prestige employs two commands to set up a custom handler for files that use the .enc extension [17]:
```cmd
C:\Windows\System32\reg.exe add HKCR\.enc /ve /t REG_SZ /d enc /f
```
Prestige also disrupts recovery mechanisms on targeted systems: it issues commands to remove the Windows backup catalog and to erase all Volume Shadow Copies, as follows [18]:
```cmd
C:\Windows\System32\wbadmin.exe delete catalog -quiet
```
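The `.enc` handler registration and the backup-destruction commands are all plain command lines, so process-creation telemetry (Sysmon event 1 or equivalent) is where they show up. The following added example (not part of the post, not Microsoft's or MITRE's detection content) matches the `reg.exe` and `wbadmin.exe` command lines quoted above plus `vssadmin delete shadows`, the standard shadow-copy deletion command that the text refers to, over constructed event lines and groups the hits per host.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Each rule: a name and a pattern tolerant of full paths and case differences.
RULES = [
    ("enc-handler-registration", re.compile(r"\breg(\.exe)?\s+add\s+HKCR\\\.enc\b", re.I)),
    ("backup-catalog-deletion", re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog\b", re.I)),
    ("shadow-copy-deletion", re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
]
CMDLINE = re.compile(r'CommandLine="([^"]*)"')
HOST = re.compile(r"\bhost=(\S+)")

# Constructed process-creation events in a simplified key=value form.
SAMPLE_EVENTS = r"""
2022-10-11T19:12:03Z host=WS17 Image=C:\Windows\System32\reg.exe CommandLine="C:\Windows\System32\reg.exe add HKCR\.enc /ve /t REG_SZ /d enc /f"
2022-10-11T19:12:04Z host=WS17 Image=C:\Windows\System32\wbadmin.exe CommandLine="C:\Windows\System32\wbadmin.exe delete catalog -quiet"
2022-10-11T19:12:05Z host=WS17 Image=C:\Windows\System32\vssadmin.exe CommandLine="C:\Windows\System32\vssadmin.exe delete shadows /all /quiet"
2022-10-11T19:20:00Z host=WS03 Image=C:\Windows\System32\reg.exe CommandLine="reg.exe query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"""


def detect(events: str) -> List[Dict[str, str]]:
    """Return one finding per matching event: host, rule name and the command line."""
    findings = []
    for line in events.splitlines():
        cmd = CMDLINE.search(line)
        host = HOST.search(line)
        if not cmd or not host:
            continue
        for name, pattern in RULES:
            if pattern.search(cmd.group(1)):
                findings.append({"host": host.group(1), "rule": name, "cmdline": cmd.group(1)})
    return findings


def findings_by_host(events: str) -> Dict[str, List[str]]:
    """Rules that fired per host; several distinct rules on one host is the strong signal."""
    per_host: Dict[str, set] = defaultdict(set)
    for f in detect(events):
        per_host[f["host"]].add(f["rule"])
    return {host: sorted(rules) for host, rules in per_host.items()}


if __name__ == "__main__":
    for host, rules in findings_by_host(SAMPLE_EVENTS).items():
        print(host, rules)
```

Backup-catalog and shadow-copy deletion each have legitimate administrative uses, so the per-host grouping matters: the three rules firing within seconds of each other on one workstation, as in the constructed sample, is the sequence to page on.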
We also strongly suggest simulating Sandworm Attacks to test the effectiveness of your security controls against real-life cyber attacks using the Picus Security Validation Platform. You can also test your defenses against hundreds of other threat groups within minutes with a 14-day free trial of the Picus Platform.
Picus Threat Library includes the following threats for Sandworm:
| Threat ID | Threat Name | Attack Module |
|---|---|---|
| 34800 | Sandworm Threat Group Campaign | Linux Endpoint |
| 54311 | Sandworm Threat Group Campaign Backdoor Malware Download Threat | Network Infiltration |
| 46557 | Sandworm Threat Group Campaign Backdoor Malware Email Threat | Network Infiltration |
| 57765 | Sandworm Threat Group Campaign Malware Dropper Download Threat | Network Infiltration |
| 96925 | Sandworm Threat Group Campaign Malware Dropper Email Threat | Network Infiltration |
| 47678 | Sandworm Threat Group Campaign Malware Download Threat | Network Infiltration |
| 31724 | Sandworm Threat Group Campaign Malware Email Threat | Network Infiltration |
Start simulating emerging threats today and get actionable mitigation insights with a 14-day free trial of the Picus Security Validation Platform.
Sandworm is also known as: APT44, Blue Echidna, ELECTRUM, FROZENBARENTS, G0034, IRIDIUM, IRON VIKING, Quedagh, Seashell Blizzard, TEMP.Noble, TeleBots, UAC-0082, UAC-0113, VOODOO BEAR, Iron Viking, CTG-7263, Voodoo Bear, ATK 14, BE2, UAC-0125, UAC-0133, Telebots, BlackEnergy (Group).
References
[1] Accessed: Oct. 30, 2025. [Online]. Available: https://web.archive.org/web/20141014083644/http://www.isightpartners.com/2014/10/cve-2014-4114/
[2] Accessed: Oct. 30, 2025. [Online]. Available: https://web.archive.org/web/20160129185858/http://www.isightpartners.com/2016/01/ukraine-and-sandworm-team/
[3] "NotPetya." Accessed: Oct. 30, 2025. [Online]. Available: https://attack.mitre.org/software/S0368/
[4] "Olympic Destroyer." Accessed: Oct. 30, 2025. [Online]. Available: https://attack.mitre.org/software/S0365/
[5] Commonwealth and Development Office, "UK exposes series of Russian cyber attacks against Olympic and Paralympic Games," GOV.UK. Accessed: Oct. 30, 2025. [Online]. Available: https://www.gov.uk/government/news/uk-exposes-series-of-russian-cyber-attacks-against-olympic-and-paralympic-games
[6] "Six Russian GRU Officers Charged in Connection with Worldwide Deployment of Destructive Malware and Other Disruptive Actions in Cyberspace." Accessed: Oct. 30, 2025. [Online]. Available: https://www.justice.gov/archives/opa/pr/six-russian-gru-officers-charged-connection-worldwide-deployment-destructive-malware-and
[7] "New Sandworm Malware Cyclops Blink Replaces VPNFilter," Cybersecurity and Infrastructure Security Agency (CISA). Accessed: Oct. 30, 2025. [Online]. Available: https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-054a
[8] "SwiftSlicer: New destructive wiper malware strikes Ukraine." Accessed: Oct. 30, 2025. [Online]. Available: https://www.welivesecurity.com/2023/01/27/swiftslicer-new-destructive-wiper-malware-ukraine/
[9] "Infamous Chisel Malware Analysis Report," Cybersecurity and Infrastructure Security Agency (CISA). Accessed: Oct. 30, 2025. [Online]. Available: https://www.cisa.gov/news-events/analysis-reports/ar23-243a
[10] J.-I. Boutin, "ESET APT Activity Report Q4 2024–Q1 2025." Accessed: Oct. 30, 2025. [Online]. Available: https://www.welivesecurity.com/en/eset-research/eset-apt-activity-report-q4-2024-q1-2025/
[11] U.S. District Court for the Western District of Pennsylvania, "Indictment [under seal]," U.S. Department of Justice. Accessed: Oct. 30, 2025. [Online]. Available: https://www.justice.gov/archives/opa/press-release/file/1328521/dl?inline=
[12] K. Morgan, "Government-backed actors exploiting WinRAR vulnerability," Google. Accessed: Oct. 30, 2025. [Online]. Available: https://blog.google/threat-analysis-group/government-backed-actors-exploiting-winrar-vulnerability/
[13] "Sandworm Team." Accessed: Oct. 30, 2025. [Online]. Available: https://attack.mitre.org/groups/G0034/
[14] A. Cherepanov, "The rise of TeleBots: Analyzing disruptive KillDisk attacks." Accessed: Oct. 30, 2025. [Online]. Available: https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/
[15] "Cyclops Blink." Accessed: Oct. 30, 2025. [Online]. Available: https://www.ncsc.gov.uk/files/Cyclops-Blink-Malware-Analysis-Report.pdf
[16] "What are Petya and NotPetya?" Accessed: Oct. 30, 2025. [Online]. Available: https://www.cloudflare.com/learning/security/ransomware/petya-notpetya-ransomware/
[17] Accessed: Oct. 30, 2025. [Online]. Available: https://web.archive.org/web/20250726134922/https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/
[18] "Prestige." Accessed: Oct. 30, 2025. [Online]. Available: https://attack.mitre.org/software/S1058/