APT / THREAT GROUP
CaddyWiper
3 aliases
Last seen: Mar 17, 2026
Intelligence Profile
CaddyWiper is another destructive malware believed to be deployed to target Ukraine.
CaddyWiper wipes all files under C:\Users and also all files under available drives from D: to Z: by overwriting the data with NULL values. If the target file is greater than 0xA00000 bytes in size (10MB), it will only wipe the first 0xA00000 bytes.
It also wipes disk partitions from \\.\PHYSICALDRIVE9 to \\.\PHYSICALDRIVE0 by overwriting the first 0x780 bytes with NULL.
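For triage of a recovered file or disk image, the overwrite pattern described above can be checked directly. The following is an added example, not code from this profile or its sources; the function names and sample bytes are constructed for illustration, and a zeroed prefix is consistent with this pattern but does not by itself identify the malware.

```python
"""Flag files or disk images whose leading bytes match the overwrite
pattern in the profile: NULL bytes over the first 0xA00000 bytes of a
file, or over the first 0x780 bytes of a physical drive."""
import io

FILE_WIPE_LIMIT = 0xA00000  # from the profile: at most the first 10MB is overwritten
DISK_WIPE_LEN = 0x780       # from the profile: leading bytes zeroed on each drive
CHUNK = 1 << 16             # read size; keeps memory use flat on large images


def zero_prefix_len(stream, limit):
    """Count consecutive NULL bytes at the start of stream, up to limit."""
    count = 0
    while count < limit:
        chunk = stream.read(min(CHUNK, limit - count))
        if not chunk:
            break  # stream ended before reaching the limit
        rest = chunk.lstrip(b"\x00")
        count += len(chunk) - len(rest)
        if rest:
            break  # first non-NULL byte found
    return count


def classify_file(stream, size):
    """Compare a file of known size against the file-wipe pattern."""
    if size == 0:
        return "empty"
    expected = min(size, FILE_WIPE_LIMIT)
    if zero_prefix_len(stream, expected) < expected:
        return "not-matching"
    # Above the limit only the prefix is overwritten, so the remaining
    # bytes may still hold recoverable data worth carving.
    return "prefix-zeroed" if size > FILE_WIPE_LIMIT else "fully-zeroed"


def disk_header_zeroed(stream):
    """True if the first 0x780 bytes of a disk image are all NULL."""
    return zero_prefix_len(stream, DISK_WIPE_LEN) == DISK_WIPE_LEN


if __name__ == "__main__":
    # Constructed samples, not real evidence.
    big = bytes(FILE_WIPE_LIMIT) + b"surviving tail"
    print(classify_file(io.BytesIO(big), len(big)))
    # An MBR-partitioned disk carries the 0x55AA signature at offset 510.
    print(disk_header_zeroed(io.BytesIO(bytes(510) + b"\x55\xaa" + bytes(2048))))
```

For a real file, open it in binary mode and pass `os.path.getsize(path)` as `size`; for a drive, run `disk_header_zeroed` against a forensic image rather than the live device.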
Threat Analysis
CaddyWiper is tracked here as a threat actor of known sophistication and undetermined national origin, with its primary motivation and activity patterns listed as unknown.
Quick Facts
Type: APT / Threat Group
Aliases: 3
Also Known As
CaddyWiper, KillDisk.NCX, win.caddywiper
External Intelligence
Malpedia: win.caddywiper
Data sourced from Malpedia, Ransomware.live, RansomLook, and CTIWATCH OSINT collection. Actor attribution is based on available intelligence and may be incomplete.