APT / THREAT GROUP
HermeticWiper
6 aliases
Last seen: Mar 17, 2026
Intelligence Profile
According to SentinelLabs, HermeticWiper is a custom-written application with very few standard functions. It abuses a signed driver called "empntdrv.sys", which is associated with the legitimate software "EaseUS Partition Master Software", to enumerate the MBR and all partitions of all physical drives connected to the victim's Windows device. It then overwrites the first 512 bytes of every MBR and partition it can find, rendering them useless.
This malware is associated with the malware attacks against Ukraine during Russia's invasion in February 2022.
Threat Analysis
HermeticWiper is a threat actor of known sophistication and undetermined national origin, engaged in cyber operations; its primary motivation and activity patterns are unknown.
Quick Facts
Type: APT / Threat Group
Aliases: 6
Also Known As: KillDisk.NCV, NEARMISS, win.hermeticwiper, HermeticWiper, DriveSlayer, FoxBlade
External Intelligence
Malpedia: win.hermeticwiper
Data sourced from Malpedia, Ransomware.live, RansomLook, and CTIWATCH OSINT collection. Actor attribution is based on available intelligence and may be incomplete.