
Sandworm data-wiping malware activity against Ukrainian sectors in June and September 2025

Malware Activity
Happening score
H score 36
2 unique sources, 2 articles

Summary


Sandworm (APT44) deployed multiple data-wiping malware variants against Ukrainian entities in June and September 2025, extending destructive sabotage across vital civilian sectors. The activity hit government, energy, logistics, and grain targets, making the operation especially disruptive for services tied to state functions and the wartime economy. The wipers were designed for irrecoverable data destruction, not theft or encryption. The event matters because it shows continued destructive pressure on Ukraine’s critical sectors.

Related Happenings

Major South Korean electronics manufacturer hit by data theft breach

Incident
First: 14.05.2026 00:59 Last: 14.05.2026 00:59 Sources 1

About this happening: A **major South Korean electronics manufacturer** suffered a **week-long intrusion** in **February 2026**, giving attackers time to conduct **reconnaissance**, **credential theft*...

GopherWhisper China-aligned APT campaign targeting Mongolian government institutions

Campaign
First: 23.04.2026 12:04 Last: 23.04.2026 12:04 Sources 1

About this happening: The **GopherWhisper** campaign is a **China-aligned APT operation** targeting **Mongolian governmental institutions**, and it now appears to extend beyond a single compromise to *...

2025 Ransomware trend toward built-in Windows tooling and lower ransom payment rates

Target Trend
First: 17.03.2026 23:41 Last: 17.03.2026 23:41 Sources 1

About this happening: **Ransomware operators** are increasingly leaning on **built-in Windows tooling** while **ransom payment rates** continue to decline across **2025**, weakening extortion returns f...

APT28 long-term espionage campaign targeting Ukrainian military personnel

Campaign
First: 10.03.2026 12:55 Last: 10.03.2026 12:55 Sources 1

About this happening: A **sustained APT28 espionage campaign** is using **BEARDSHELL** and **COVENANT** to surveil **Ukrainian military personnel**, extending access through **cloud-based C2** and incr...

MuddyWater U.S. network intrusion campaign targeting banks, airports, and a software company arm

Campaign
First: 06.03.2026 12:23 Last: 06.03.2026 12:23 Sources 1

About this happening: **MuddyWater (Seedworm)** is running a **state-linked intrusion campaign** that has embedded itself in **U.S. banks, airports, a non-profit, and an Israeli software company arm**,...

Timeline

  1. 06.11.2025 12:01 2 articles · 6mo ago

    Sandworm data-wiping malware activity against Ukrainian sectors in June and September 2025

    Initial Disclosure

    In **June 2025**, Sandworm began this wiper phase against **Ukrainian** government, energy, logistics, and grain targets, establishing the first destructive wave later repeated in **September**. The opening phase showed the group using sabotage-oriented malware rather than theft or encryption.
