Analytics Story: ZOVWiper

Description

ZOVWiper is a destructive data-wiping malware identified by ESET researchers, attributed to the threat group Sandworm with high confidence. First observed in November 2025 targeting a financial institution and later in an energy sector incident, ZOVWiper systematically iterates over fixed drives and overwrites file contents to destroy data irrecoverably. The malware skips key system directories and uses size-based overwrite logic to maximize destructive impact. Its deployment highlights ongoing destructive operations against critical infrastructure and financial entities.

Why it matters

In late 2025, ESET researchers uncovered ZOVWiper during incident response to a destructive malware attack against a financial organization. ZOVWiper’s core function is to traverse all fixed drives, selectively overwrite file contents based on size, and render systems inoperable—a characteristic pattern tied to destructive campaigns by Sandworm. The malware’s directory exclusions and wiping methodology were later noted as technical parallels to other destructive tools such as DynoWiper, reinforcing attribution confidence. ZOVWiper’s operational use against both financial and energy sector targets underscores sustained threat actor focus on disrupting critical functions through targeted data destruction.

Detections

Name | Technique | Type
Modification Of Wallpaper | Defacement | TTP
Rubeus Command Line Parameters | Pass the Ticket, Kerberoasting, AS-REP Roasting | TTP
Rubeus Kerberos Ticket Exports Through Winlogon Access | Pass the Ticket | TTP
Windows High File Deletion Frequency | Data Destruction | Anomaly
Windows Indicator Removal Via Rmdir | Indicator Removal | Anomaly
Windows System Shutdown CommandLine | System Shutdown/Reboot | Anomaly

Data Sources

Name | Platform | Sourcetype | Source
CrowdStrike ProcessRollup2 | Other | crowdstrike:events:sensor | crowdstrike
Sysmon EventID 1 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 10 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 13 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 23 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 26 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log Security 4688 | Windows | XmlWinEventLog | XmlWinEventLog:Security
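The "Windows High File Deletion Frequency" detection above depends on Sysmon Event ID 23 (FileDelete) telemetry. The following is an added illustration, not the published Splunk search, of the same idea in Python: a per-process sliding-window count of deletions, extended with the number of distinct drive letters touched, which mirrors ZOVWiper's traversal of every fixed drive. The sample events, image paths, and the threshold and window values are constructed placeholders, not data from the incidents described.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed Sysmon Event ID 23 (FileDelete) records, reduced to the fields the
# check uses. Illustrative sample data, not telemetry from the incidents above.
WIPER = "C:\\Users\\Public\\zw.exe"               # hypothetical image path
CLEANUP = "C:\\Windows\\System32\\cleanmgr.exe"   # benign deleter for contrast

def _ev(secs, image, pid, path):
    t = datetime(2025, 11, 20, 3, 0, 0) + timedelta(seconds=secs)
    return {"UtcTime": t.strftime("%Y-%m-%d %H:%M:%S.%f")[:-3],
            "Image": image, "ProcessId": pid, "TargetFilename": path}

SAMPLE_EVENTS = (
    # one process deleting files across C:, D: and E: within 30 seconds
    [_ev(i * 2, WIPER, 4412, f"{'CDE'[i % 3]}:\\data\\file{i}.xlsx") for i in range(15)]
    # a benign process deleting a few temp files on C: over a minute
    + [_ev(i * 20, CLEANUP, 900, f"C:\\Windows\\Temp\\tmp{i}.log") for i in range(3)]
)

def parse_utc(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S.%f")

def high_deletion_frequency(events, threshold=10, window=timedelta(minutes=1)):
    """Flag processes whose FileDelete events in any sliding window reach
    `threshold` (placeholder value, not the published rule's setting).
    Returns {(Image, ProcessId): {"peak": n, "drives": set_of_letters}}."""
    recent = defaultdict(deque)   # timestamps inside the current window
    drives = defaultdict(set)     # drive letters each process has deleted from
    flagged = {}
    for ev in sorted(events, key=lambda e: parse_utc(e["UtcTime"])):
        key = (ev["Image"], ev["ProcessId"])
        t = parse_utc(ev["UtcTime"])
        q = recent[key]
        q.append(t)
        while t - q[0] > window:          # drop events that fell out of the window
            q.popleft()
        drives[key].add(ev["TargetFilename"][0].upper())
        if len(q) >= threshold:
            hit = flagged.setdefault(key, {"peak": 0, "drives": drives[key]})
            hit["peak"] = max(hit["peak"], len(q))
    return flagged

if __name__ == "__main__":
    for (image, pid), info in high_deletion_frequency(SAMPLE_EVENTS).items():
        print(f"{image} (pid {pid}): peak {info['peak']} deletions per window, "
              f"drives {sorted(info['drives'])}")
```

Tune the threshold and window against your own baseline; backup agents, cleanup jobs and build tools also delete in bursts, so the multi-drive signal is what separates wiper-like behaviour from routine churn.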

Source: GitHub | Version: 1