Try in Splunk Security Cloud


Caddy Wiper is a destructive payload that detects if its running on a Domain Controller and executes killswitch if detected. If not in a DC it destroys Users and subsequent mapped drives. This wiper also destroys drive partitions inculding boot partitions.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • Last Updated: 2022-03-25
  • Author: Teoderick Contreras, Rod Soto, Splunk
  • ID: 435a156a-8ef1-4184-bd52-22328fb65d3a


Caddy Wiper is destructive malware operation found by ESET multiple organizations in Ukraine. This malicious payload destroys user files, avoids executing on Dnomain Controllers and destroys boot and drive partitions.


Name Technique Type
Windows Raw Access To Disk Volume Partition Disk Structure Wipe, Disk Wipe Anomaly
Windows Raw Access To Master Boot Record Drive Disk Structure Wipe, Disk Wipe TTP


source | version: 1