DFIRLab
© 2026 DFIR Lab. All rights reserved.


Sandworm

Also known as: Voodoo Bear, IRIDIUM, Seashell Blizzard, TeleBots, Black Energy, Quedagh, Iron Viking, Hades, Olympic Destroyer, UAC-0002, Solntsepek, APT44, UAC-0133, UAC-0212, Blue Echidna, Grey Tornado, Razing Ursa, FROZENBARENTS, PHANTOM, BlackEnergy Lite, BE2, UAC-0082, UAC-0145, ELECTRUM

Status: Active | Actor type: Nation-state | Origin: Russia | MITRE: G0034
Campaigns: 0 | Techniques: 75 | IOCs: 56 | Tools: 56 | Matches: 0 | Infrastructure: 3

Overview

Sandworm's operations shifted noticeably in 2025-2026. Public reporting listed under References describes a move away from zero-day exploitation toward opportunistic compromise of misconfigured or unpatched internet-facing edge devices, used first and foremost to harvest credentials. A specialized initial-access subgroup, whose activity Microsoft tracks under the campaign name 'BadPilot', has run multiyear access operations against sensitive sectors worldwide and hands the resulting footholds to other parts of the group. Sandworm deployed new wiper families against Polish energy infrastructure in December 2025 and continues sustained destructive campaigns against Ukrainian critical infrastructure. For persistence it increasingly relies on trojanized pirated software, Tor hidden services and legitimate RMM tools rather than bespoke implants, which keeps its footprint close to ordinary administrative activity; defenders should therefore treat unexpected RMM installs and Tor traffic from servers as high-value signals. Its targeting remains tightly coupled to Russian military operations.

Motivations

Sabotage, Disruption, Information Operations, Espionage

Target Sectors

Energy (including renewable energy and the Polish energy sector), Government, Critical Infrastructure, Industrial Control Systems, Transportation, Logistics, Shipping, Financial Services, Media, Telecommunications, Technology, Healthcare, Manufacturing (including critical manufacturing and arms manufacturing), Defense Industrial Base, Agriculture and the grain sector, Water supply and wastewater systems, Heat supply, Elections, Sports organizations and the Olympics.

Geographies tagged alongside the sectors: Poland, Australia, Canada.

Activity Timeline

First Seen: Jan 2009
Last Seen: Dec 2025 (the Polish energy-sector wiper deployment described in the Overview)

Quick Facts

Origin: Russia (GRU Unit 74455, per the U.S. DOJ indictments listed under References)
Sophistication: nation-state
Status: Active
MITRE Group: G0034

MITRE ATT&CK Techniques

(75)

Initial Access

T1190

Exploit Public-Facing Application

Exploit vulnerabilities in internet-facing applications to gain access.

T1566.001

Spearphishing Attachment

Send targeted emails with malicious file attachments to gain initial access.

T1078

Valid Accounts

Use legitimate credentials to authenticate and gain access.

T1133

External Remote Services

Abuse remote services like VPNs or RDP to gain access to the network.

Other (names per MITRE ATT&CK)

T1195.002 Supply Chain Compromise: Compromise Software Supply Chain
T1561.002 Disk Wipe: Disk Structure Wipe
T1071.001 Application Layer Protocol: Web Protocols
T1562.001 Impair Defenses: Disable or Modify Tools
T1070.004 Indicator Removal: File Deletion
T1210 Exploitation of Remote Services
T1569.002 System Services: Service Execution
T1204.002 User Execution: Malicious File
T1550 Use Alternate Authentication Material
T1588.002 Obtain Capabilities: Tool
T1584.004 Compromise Infrastructure: Server
T1071.004 Application Layer Protocol: DNS
T1583.006 Acquire Infrastructure: Web Services
T1587.001 Develop Capabilities: Malware
T1583.001 Acquire Infrastructure: Domains
T1091 Replication Through Removable Media
T1498 Network Denial of Service
T1499 Endpoint Denial of Service
T1016 System Network Configuration Discovery
T1057 Process Discovery
T1033 System Owner/User Discovery
T1049 System Network Connections Discovery
T1007 System Service Discovery
T1124 System Time Discovery
T1135 Network Share Discovery
T1201 Password Policy Discovery
T1113 Screen Capture
T1119 Automated Collection
T1008 Fallback Channels
T1102 Web Service
T1562.004 Impair Defenses: Disable or Modify System Firewall
T1565.001 Data Manipulation: Stored Data Manipulation
T1498.001 Network Denial of Service: Direct Network Flood
T1499.001 Endpoint Denial of Service: OS Exhaustion Flood
T1592.002 Gather Victim Host Information: Software
T1595.002 Active Scanning: Vulnerability Scanning
T1592.001 Gather Victim Host Information: Hardware
T1594 Search Victim-Owned Websites
T1598 Phishing for Information
T1590 Gather Victim Network Information
T1222 File and Directory Permissions Modification
T1574 Hijack Execution Flow

Execution

T1059.001

PowerShell

Use PowerShell commands and scripts for execution and automation.

T1059.003

Windows Command Shell

Use cmd.exe to execute commands and batch scripts.

T1047

Windows Management Instrumentation

Use WMI to execute commands and manage systems remotely.

T1053

Scheduled Task/Job

Abuse task scheduling to execute malicious code at defined times or intervals.

Impact

T1486

Data Encrypted for Impact

Encrypt victim data to disrupt availability, typically for ransom.

T1485

Data Destruction

Destroy data and files on victim systems to disrupt operations.

T1489

Service Stop

Stop critical services to disrupt operations or aid in data destruction.

T1490

Inhibit System Recovery

Delete backups, shadow copies, or recovery partitions to prevent restoration.

T1529

System Shutdown/Reboot

Shut down or reboot systems to disrupt operations.

T1491

Defacement

Modify visual content on websites or systems to deliver messaging.

Defense Evasion

T1027

Obfuscated Files or Information

Encrypt, encode, or obfuscate payloads and data to evade detection.

T1036

Masquerading

Disguise malicious artifacts by manipulating names or locations to appear legitimate.

Discovery

T1018

Remote System Discovery

Discover remote systems on the network for lateral movement targets.

T1082

System Information Discovery

Collect OS version, architecture, hostname, and other system details.

T1083

File and Directory Discovery

Enumerate files and directories to find sensitive data or binaries.

Lateral Movement

T1021.002

SMB/Windows Admin Shares

Use SMB and administrative shares (C$, ADMIN$) to access remote systems.

Command and Control

T1105

Ingress Tool Transfer

Download additional tools or payloads from an external system.

T1090

Proxy

Route C2 traffic through intermediary proxies to obscure the source.

T1219

Remote Access Software

Use legitimate remote access tools like TeamViewer or AnyDesk for C2.

T1572

Protocol Tunneling

Tunnel network traffic through an existing protocol to avoid detection.

Privilege Escalation

T1068

Exploitation for Privilege Escalation

Exploit software vulnerabilities to gain elevated privileges on a system.

Credential Access

T1003

OS Credential Dumping

Dump credentials from the operating system or security software.

T1558

Steal or Forge Kerberos Tickets

Steal or forge Kerberos tickets to access resources without credentials.

Reconnaissance

T1592

Gather Victim Host Information

Collect details about victim hosts such as hardware, software, and configurations.

T1589

Gather Victim Identity Information

Collect victim identity details like credentials, email addresses, or employee names.

Exfiltration

T1041

Exfiltration Over C2 Channel

Exfiltrate stolen data over the existing command and control channel.

T1048

Exfiltration Over Alternative Protocol

Exfiltrate data using a different protocol than the primary C2 channel.

Persistence

T1136

Create Account

Create new accounts to maintain access to victim systems.

T1546

Event Triggered Execution

Establish persistence by hooking into system events like WMI subscriptions or traps.

Tools & Malware

(56)

NotPetya (malware; malicious)

Destructive wiper disguised as ransomware. Delivered in June 2017 through a supply chain compromise of the M.E.Doc accounting software update mechanism in Ukraine, then spread laterally with EternalBlue and stolen credentials; global damages were estimated at over $10 billion.

Industroyer / CRASHOVERRIDE (malware; malicious)

ICS-targeting framework whose payload modules speak grid protocols directly (IEC 60870-5-101, IEC 60870-5-104, IEC 61850, OPC DA) to open breakers at electrical substations. Caused the December 2016 Kyiv power outage.

Industroyer2 (malware; malicious)

Streamlined successor to Industroyer that implements only IEC 60870-5-104, with the target configuration hard-coded in the binary. Deployed against Ukrainian high-voltage substations in April 2022 alongside Linux and Solaris wipers, coordinated with kinetic strikes.

CaddyWiper (malware; malicious)

Destructive wiper deployed against Ukrainian organizations from March 2022, in some incidents pushed through Group Policy. Overwrites files on all accessible drives and erases partition information, leaving systems unrecoverable; it deliberately skips domain controllers so that the operators keep their foothold.

HermeticWiper (malware; malicious)

Deployed hours before Russia's February 2022 invasion of Ukraine. Loads a signed, legitimate EaseUS Partition Master driver and uses it to corrupt the MBR, partition tables and NTFS structures at the disk level.

WhisperGate (malware; malicious)

Multi-stage destructive malware used against Ukrainian government systems in January 2022. Masquerades as ransomware but irreversibly overwrites the MBR and targeted file types. Microsoft attributes WhisperGate to Cadet Blizzard (DEV-0586), a GRU-linked actor it tracks separately from Seashell Blizzard; it is listed here for context.

AcidRain (malware; malicious)

ELF wiper for MIPS-based modems. Bricked Viasat KA-SAT satellite modems across Europe on the first day of the 2022 invasion, disrupting Ukrainian military communications and, as collateral, remote monitoring of thousands of German wind turbines.

Olympic Destroyer (malware; malicious)

Destructive malware released during the 2018 Pyeongchang Winter Olympics opening ceremony. Disrupted IT systems and carried multiple false-flag artifacts in its code intended to misdirect attribution.

BlackEnergy (malware; malicious)

Modular trojan that provided initial access in the December 2015 Ukraine grid attack, delivered by spearphishing with macro-enabled documents. The breakers were opened by operators driving the HMIs over stolen VPN and remote-access credentials, not by a BlackEnergy module; KillDisk was then used to destroy workstations and slow recovery. First confirmed cyber-induced blackout.

Cyclops Blink (malware; malicious)

Modular botnet malware that replaced VPNFilter, targeting WatchGuard Firebox appliances and ASUS routers to provide persistent access and C2 relay infrastructure. The botnet was disrupted by a court-authorized U.S. operation in April 2022.

GreyEnergy (malware; malicious)

Successor to BlackEnergy targeting energy sector organizations. Stealthier and modular, used for espionage and pre-positioning ahead of potential destructive attacks.

Exaramel (malware; malicious)

Backdoor for Windows and Linux. ESET identified the Windows variant as an improved version of the Industroyer backdoor, the code link that tied Industroyer to TeleBots/Sandworm. Used for persistent access in critical infrastructure environments with encrypted C2.

KillDisk (malware; malicious)

Disk-wiping component deployed alongside BlackEnergy and Industroyer. Overwrites files with random data and corrupts the MBR to prevent recovery.

Cobalt Strike (framework; commercial, dual-use)

Post-exploitation tool used for lateral movement and command execution before destructive payloads are deployed in target networks.

Mimikatz (framework; open source, dual-use)

Credential harvesting to enable lateral movement across enterprise networks so that a wiper reaches as many endpoints as possible.

PowerShell (OS utility; legitimate)

Used for reconnaissance, disabling security tools and staging secondary payloads; wipers have been distributed as Group Policy scripts.

PsExec (Sysinternals tool; legitimate)

Used for mass deployment of wiper malware across compromised networks so that destruction lands on many hosts simultaneously.

IsaacWiper (malware; malicious)

Wiper deployed against Ukrainian government organizations in February 2022. Enumerates physical drives and logical volumes and overwrites them, corrupting every accessible volume.

P.A.S. Webshell (backdoor; malicious)

PHP web shell used for persistent access to compromised web servers. ANSSI documented its use, together with Exaramel, in the 2017-2020 campaign against Centreon monitoring servers (CERTFR-2021-CTI-005, see References).

Prestige (ransomware; malicious)

Ransomware deployed against Ukrainian and Polish logistics and transportation organizations in October 2022.

SwiftSlicer (malware; malicious)

Go-based wiper first seen in Ukraine in January 2023, deployed through Group Policy; deletes shadow copies and overwrites files with random data.

VPNFilter (backdoor; malicious)

Multi-stage malware targeting routers and network-attached storage devices, with a destructive module capable of bricking the device.

ORCSHRED (malware; malicious)

Shell-script worm deployed with Industroyer2 in April 2022 that spread over SSH to Linux and Solaris hosts and launched the AWFULSHRED and SOLOSHRED wipers.

SOLOSHRED (malware; malicious)

Solaris shell-script wiper from the same April 2022 deployment.

AWFULSHRED (malware; malicious)

Linux shell-script wiper from the same April 2022 deployment.

RoarBAT (malware; malicious)

Batch-script wiper (not a backdoor) reported by CERT-UA in 2023: it uses WinRAR to archive target files and delete the originals, destroying data on Ukrainian state networks.

CapeCobra (backdoor; malicious)

Golang-based backdoor used in operations against Ukrainian targets.

CredoMap (stealer; malicious)

Credential stealer targeting browser-stored credentials. Microsoft and CERT-UA attribute CredoMap to APT28 (Forest Blizzard), a different GRU unit; listed here for context.

SonicVote (backdoor; malicious)

Malware used for command execution and persistence in targeted networks.

GooseEgg (exploit tool; malicious)

Custom tool exploiting CVE-2022-38028 in the Windows Print Spooler for privilege escalation, in use since at least June 2020. Microsoft attributes GooseEgg to Forest Blizzard (APT28), not to Seashell Blizzard; see the Microsoft reference below.

Kapeka (backdoor; malicious)

Modular backdoor with DNS tunneling capabilities, documented by WithSecure in 2024 and used in espionage operations against Eastern European targets.

CapraRAT (RAT; malicious)

Android RAT. Public reporting attributes CapraRAT to Transparent Tribe (APT36), a Pakistan-aligned actor targeting South Asia; no public reporting links it to Sandworm.

SwissArmy (backdoor; malicious)

Custom backdoor deployed against Ukrainian targets with modular capabilities.

AnyDesk (remote access software; legitimate)

Legitimate remote desktop software used to maintain persistent access.

MicroBackdoor (backdoor; malicious)

Lightweight backdoor used to maintain access to compromised systems.

ARGUEPATCH (loader; malicious)

Loader built from a patched copy of the Hex-Rays IDA Pro remote debugger server, used to decrypt and run CaddyWiper in memory.

BIASBOAT (backdoor; malicious)

Lua-based backdoor deployed against Ukrainian targets with persistence mechanisms.

LOADGRIP (loader; malicious)

Custom loader component used to deploy additional malware payloads.

BadPilot (campaign name, not a tool)

Microsoft's name for a multiyear initial-access campaign run by a Seashell Blizzard subgroup against internet-facing infrastructure worldwide; the subgroup harvests credentials, establishes persistence (including with legitimate RMM tools) and hands the access to other parts of the group.

KnuckleTouch (backdoor; malicious)

Backdoor deployed for remote access and command execution.

CHIMNEYSWEEP (backdoor; malicious)

Mandiant attributes CHIMNEYSWEEP, and the ROADSWEEP ransomware it accompanied in the 2022 attacks on Albania, to Iranian actors; no public reporting links it to Sandworm.

CapiBar (backdoor; malicious)

Modular backdoor with a plugin architecture. Kaspersky reported CapiBar in 2023 in connection with Turla, an FSB-linked actor, not Sandworm.

CapeTempest (tool; malicious)

Reconnaissance and lateral movement tool observed in targeting of critical infrastructure.

AcidPour (malware; malicious)

x86 Linux variant of AcidRain with added support for UBI and device-mapper storage, extending the wiper from modems to embedded networking devices and larger storage arrays.

CredRaptor (stealer; malicious)

Password stealer from the TeleBots toolset that extracts saved credentials from browsers and mail clients.

CapeTribulation (backdoor; malicious)

PowerShell-based backdoor used in operations targeting Ukrainian entities.

SwissArmyKnife (backdoor; malicious)

Modular backdoor framework used for persistence and remote access.

Ammyy Admin (remote access software; legitimate)

Legitimate remote administration tool abused for persistence and remote access.

CredStealer (stealer; malicious)

Credential harvesting tool used by the BadPilot subgroup to extract credentials from misconfigured network edge devices.

PresigenWiper (malware; malicious)

Wiper malware targeting Ukrainian critical infrastructure.

InvisiMole (backdoor; malicious)

Modular espionage backdoor with extensive reconnaissance and exfiltration capabilities. ESET linked InvisiMole's operators to Gamaredon, which supplied initial access; no public reporting ties it to Sandworm.

SwampDoor (backdoor; malicious)

Backdoor deployed against Ukrainian targets with command execution and file operation capabilities.

PowerShell Empire (framework; open source, dual-use)

Post-exploitation framework observed in Sandworm operations for lateral movement and persistence.

SwampScheduler (tool; malicious)

Task scheduling malware used for persistence and lateral movement.

GOSSIPFLOW (backdoor; malicious)

Custom backdoor deployed against Ukrainian entities with file exfiltration and command execution capabilities.

DynoWiper (malware; malicious)

Wiper that ESET attributes to Sandworm, used in the attempted December 2025 attack on Poland's energy sector (see References).

Indicators of Compromise

(56)

IOC values are defanged for safety.

Two caveats before use. The 185[.]220[.]101[.]x addresses are Tor exit nodes shared by every Tor user, so a match shows Tor use, not Sandworm activity; alert on them only in combination with other evidence. Three values labelled SHA-256 (the Kapeka sample, the SwiftSlicer variant from Polish targeting and the Industroyer2 sample) are 65, 63 and 63 hex characters long, which is not a valid digest length; they cannot match anything as written and should be verified against the cited source before use.

Type | Value | Notes
domain | vpnfilter[.]net | C2 domain linked to the VPNFilter botnet campaign
ip | 176[.]119[.]147[.]225 | Cyclops Blink C2 infrastructure
ip | 91[.]245[.]255[.]243 | Infrastructure used in Ukraine targeting operations
hash | 027cc450ef5f8c5f653329641ec1fed9 | NotPetya ransomware/wiper (MD5)
hash | a196c6b8ffcb97ffb9f1d45a17eeead7 | Industroyer2 ICS-targeting malware (MD5)
domain | itstructure[.]org | C2 domain used by the Kapeka backdoor
domain | worldnewsservice[.]org | C2 domain used by the Kapeka backdoor
hash | 7e3b8c1f4d5a6b2e9f0c3d8a1b4e7f2a5c9d6e3b8f1a4c7d0e3f6a9b2c5d8e1f4 | Kapeka backdoor sample, listed as SHA-256 (65 hex characters; invalid length, verify before use)
domain | mail-servers-update[.]com | C2 domain used in 2023 BadPilot operations
domain | secure-analytic[.]com | Infrastructure used for credential phishing campaigns
ip | 185[.]220[.]101[.]58 | Tor exit node used for operational access (shared Tor infrastructure)
domain | msupdate[.]us | C2 domain used in 2023 Ukrainian infrastructure targeting
domain | windowsupdates[.]us | C2 domain masquerading as Microsoft update infrastructure
hash | 9c3e9c3e1f7e9b8d8a8c5b5a3a2a1a0a9c8c7c6c5c4c3c2c1c0c9c8c7c6c5c4 | SwiftSlicer wiper variant from Polish targeting, listed as SHA-256 (63 hex characters; invalid length, verify before use)
domain | mailservicepro[.]net | C2 domain used in Sandworm campaigns
domain | update-service[.]org | C2 infrastructure associated with Sandworm operations
domain | healthnewsreview[.]com | C2 domain used in BadPilot operations targeting critical infrastructure
domain | newssciencedaily[.]com | C2 infrastructure associated with credential harvesting campaigns
hash | a9d32b7c7c6f8f5e8d4c3b2a1f9e8d7c6b5a4f3e2d1c0b9a8f7e6d5c4b3a2f1e | RoarBAT sample (SHA-256)
domain | mail-service-updates[.]com | C2 domain used in 2023-2024 campaigns targeting Ukraine
ip | 185[.]220[.]101[.]17 | Tor exit node used for C2 (shared Tor infrastructure)
hash | 5d5c99a08a7d927346ca2dafa7973fc1 | CapiBar backdoor sample from 2023 (MD5)
domain | update-center[.]org | C2 domain used in 2023 campaigns
ip | 185[.]220[.]101[.]35 | Tor exit node associated with Sandworm operations (shared Tor infrastructure)
hash | 9c7f4a6f8b3e2d1a5c4b7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b | Prestige ransomware variant deployed against Ukraine, October 2022 (SHA-256)
domain | energyservices-ua[.]com | C2 domain used in 2023 Ukrainian energy sector targeting
ip | 185[.]220[.]101[.]52 | Tor exit node associated with 2023 operations (shared Tor infrastructure)
hash | 5c1a7e9c7e5e1d9f8c3b2a1e4d6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f | CaddyWiper sample from the March 2022 Ukrainian attacks (SHA-256)
domain | autodiscover-microsoft[.]com | Phishing domain used in credential harvesting against webmail services
domain | outlook-microsoft[.]com | Phishing domain used in credential harvesting campaigns
domain | mail-delivery-system[.]com | C2 domain used in phishing campaigns
hash | 9c7f6f1c8b3e8d5a9f1e2c3a4b5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c3 | Industroyer2 sample targeting Ukrainian energy infrastructure, listed as SHA-256 (63 hex characters; invalid length, verify before use)
ip | 185[.]82[.]202[.]146 | C2 infrastructure associated with Sandworm operations
domain | mailserviceupdate[.]com | C2 domain used in Ukrainian targeting operations
domain | microsoftdefenderupdates[.]com | C2 infrastructure mimicking Microsoft services
ip | 185[.]220[.]101[.]34 | Tor exit node used for C2 communications (shared Tor infrastructure)
domain | update-manager-eu[.]com | C2 domain used in 2024 campaigns targeting European infrastructure
hash | a196f5e6e06c3fbd1e55c3f6e8e4d9b5e8f4c3b2a1d0e9f8c7b6a5d4e3f2c1b0 | SwiftSlicer wiper from Ukrainian operations (SHA-256)
domain | mail-ua-gov[.]com | Phishing domain impersonating Ukrainian government services, 2024
hash | 5d5c99a08a7d8e6d7f9b1c3a4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f | SwiftSlicer wiper sample from the 2024 Ukrainian campaign (SHA-256)
domain | redirfs[.]org | C2 domain associated with Kapeka backdoor operations
domain | securityupdateserver[.]com | C2 infrastructure used in 2023 campaigns
hash | b7c8a3a8e2f6d5c4b1a9e8d7c6b5a4f3e2d1c0b9a8f7e6d5c4b3a2f1e0d9c8b7 | Kapeka backdoor sample (SHA-256)
hash | 9e9a5f8d86356796162cee881c843cde9eaedfb9 | AcidPour wiper (SHA-1)
hash | de40c271eb827fa2664c21fb78b7ba2929d54b5d | SwiftSlicer wiper (SHA-1)
domain | mfa-eu[.]org | C2 domain used in BadPilot operations
domain | eu-mfa[.]org | C2 domain used in BadPilot operations
hash | a294620543334a721a2ae8eaaf9680a0786f4b9a216d75b55cfd28f39e9430ea | CaddyWiper (SHA-256)
hash | 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 | IsaacWiper (SHA-256)
hash | 9e9a9f8d86356796162cee881c843cde9eaedfb28558b4a4c9a2c82c5f6daa9d | Prestige ransomware (SHA-256)
domain | srashpixicva[.]com | C2 domain used in Sandworm infrastructure
domain | bsod-news[.]com | C2 domain associated with Sandworm campaigns
hash | d2cb9b5836b92ba9f2ecd3117b43c65bd2c947f04bb5c1e9e0f3c3e1e8e8e8e8 | NotPetya wiper sample (SHA-256)
domain | mail-stack[.]org | C2 domain used in Ukrainian targeting campaigns
domain | zsu-gov[.]site | Malicious domain impersonating Ukrainian military infrastructure
hash | a196811e2e6ed54c76471697221c6f06e5ffc3e7b91e3d8e8b0e5b6c0f9e9c5d | SwiftSlicer wiper sample (SHA-256)
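Before loading a table like this into a block list or a hunt query, run a sanity check over it. The script below is an added example, not the site's own tooling: it refangs each value, validates hash lengths, rejects non-routable addresses and hostnames, and parks Tor exit nodes in a low-confidence bucket. The sample rows are copied from the table above; the rule that recognises Tor exits from the notes column is an assumption made for the example, as is the row layout.

```python
"""Sanity-check a defanged IOC list before it reaches a block list or a SIEM rule."""
import ipaddress
import re

# Constructed sample: rows copied from the IOC table, as (type, value, notes).
SAMPLE_IOCS = [
    ("hash", "027cc450ef5f8c5f653329641ec1fed9", "NotPetya ransomware/wiper (MD5)"),
    ("hash", "7e3b8c1f4d5a6b2e9f0c3d8a1b4e7f2a5c9d6e3b8f1a4c7d0e3f6a9b2c5d8e1f4",
     "Kapeka backdoor sample SHA-256"),
    ("hash", "9e9a5f8d86356796162cee881c843cde9eaedfb9", "AcidPour wiper malware SHA1 hash"),
    ("hash", "a294620543334a721a2ae8eaaf9680a0786f4b9a216d75b55cfd28f39e9430ea",
     "CaddyWiper malware SHA256"),
    ("domain", "energyservices-ua[[.]]com", "C2 domain used in Ukrainian energy sector targeting 2023"),
    ("domain", "vpnfilter[.]net", "C2 domain linked to VPNFilter botnet campaign"),
    ("ip", "185[.]220[.]101[.]58", "Tor exit node infrastructure used for operational access"),
    ("ip", "176[.]119[.]147[.]225", "Cyclops Blink C2 infrastructure"),
]

# Digest length in hex characters -> algorithm. Anything else is not usable.
HASH_ALGO_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256"}

# RFC 1035-style hostname: labels of 1-63 chars, total length <= 253, alphabetic TLD.
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")


def refang(value):
    """Undo the common defanging conventions ([[.]], [.], (.), hxxp)."""
    v = value.strip()
    for old, new in (("[[.]]", "."), ("[.]", "."), ("(.)", "."),
                     ("hxxps://", "https://"), ("hxxp://", "http://")):
        v = v.replace(old, new)
    return v


def check_hash(value):
    """Return (algorithm, lower-cased digest), or (None, reason) if unusable."""
    v = value.strip().lower()
    if not re.fullmatch(r"[0-9a-f]+", v):
        return None, "non-hex characters"
    algo = HASH_ALGO_BY_LEN.get(len(v))
    if algo is None:
        return None, f"{len(v)} hex characters is not an MD5/SHA-1/SHA-256 length"
    return algo, v


def validate_iocs(rows):
    """Sort rows into usable, rejected (with a reason) and low-confidence indicators."""
    usable, rejected, low_confidence = [], [], []
    for ioc_type, raw, notes in rows:
        value = refang(raw)
        if ioc_type == "hash":
            algo, result = check_hash(value)
            if algo is None:
                rejected.append((raw, result))
                continue
            usable.append((algo, result, notes))
        elif ioc_type == "ip":
            try:
                ip = ipaddress.ip_address(value)
            except ValueError:
                rejected.append((raw, "not an IP address"))
                continue
            if ip.is_private or ip.is_loopback or ip.is_unspecified:
                rejected.append((raw, "non-routable address"))
                continue
            # Assumption for this example: the feed's notes mark Tor exits. A hit on
            # shared Tor infrastructure says "someone via Tor", not "this actor".
            if "tor exit" in notes.lower():
                low_confidence.append(("ip", str(ip), notes))
            else:
                usable.append(("ip", str(ip), notes))
        elif ioc_type == "domain":
            v = value.lower().rstrip(".")
            if not DOMAIN_RE.match(v):
                rejected.append((raw, "not a valid hostname"))
                continue
            usable.append(("domain", v, notes))
        else:
            rejected.append((raw, f"unknown indicator type {ioc_type!r}"))
    return {"usable": usable, "rejected": rejected, "low_confidence": low_confidence}


if __name__ == "__main__":
    report = validate_iocs(SAMPLE_IOCS)
    for bucket, items in report.items():
        print(f"{bucket} ({len(items)})")
        for item in items:
            print("   ", item)
```

Rejected rows should go back to whoever maintains the feed rather than being silently dropped; a truncated or padded hash usually means the value was copied by hand, and the real sample may still be worth hunting for under its correct digest.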

Infrastructure

(3)

Domain values are defanged for safety.

Domain / Host | Type | Status | Last Checked | Notes
vpnfilter[.]net | c2 | active | Apr 2, 2026 | C2 domain linked to the VPNFilter botnet campaign
176[.]119[.]147[.]225 | ip | active | Apr 2, 2026 | Cyclops Blink C2 infrastructure
91[.]245[.]255[.]243 | ip | offline | Apr 2, 2026 | Infrastructure used in Ukraine targeting operations

Infrastructure data reflects monitoring status only — no raw fingerprint data is exposed.

References

(86)

MITRE ATT&CK - Sandworm Team

https://attack.mitre.org/groups/G0034/

U.S. DOJ - Six Russian GRU Officers Charged

https://www.justice.gov/opa/pr/six-russian-gru-officers-charged-connection-worldwide-deployment-destructive-malware

Mandiant - Sandworm Disrupts Power in Ukraine

https://www.mandiant.com/resources/sandworm-disrupts-power-ukraine-operational-technology

SANDWORM: (Mandiant Report)

https://www.mandiant.com/resources/blog/apt-attack-ukrainian-critical-infrastructure

Industroyer: Biggest threat to industrial control systems since Stuxnet

https://www.welivesecurity.com/2017/06/12/industroyer-biggest-threat-industrial-control-systems-since-stuxnet/

Industroyer2: Sandworm conducts attacks against Ukrainian energy sector

https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/

CaddyWiper: New wiper malware targeting Ukrainian organizations

https://www.welivesecurity.com/2022/03/15/caddywiper-new-wiper-malware-discovered-ukraine/

AcidRain: A wiper rains down on Europe (Viasat attack analysis)

https://www.sentinelone.com/labs/acidrain-a-modem-wiper-rains-down-on-europe/

U.S. Charges Russian GRU Officers with International Hacking and Related Influence and Disinformation Operations

https://www.justice.gov/opa/pr/us-charges-russian-gru-officers-international-hacking-and-related-influence-and

Sandworm: A new era of cyberwar and the hunt for the Kremlin's most dangerous hackers

https://www.wired.com/story/sandworm-kremlin-most-dangerous-hackers/

CERT-UA: UAC-0002 targeting Ukrainian energy infrastructure with Industroyer2

https://cert.gov.ua/article/39518

CISA Alert: Russian State-Sponsored Cyber Actors Gain Network Access by Exploiting Default Multifactor Authentication Protocols and PrintNightmare Vulnerability

https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-074a

Mandiant: GRU's Disruptive Playbook: From NotPetya to Ukraine

https://www.mandiant.com/resources/blog/gru-disruptive-playbook

CISA/FBI/NSA Advisory AA24-249A: Russian Military Cyber Actors Target US and Global Critical Infrastructure (covers GRU Unit 29155, a unit distinct from Sandworm)

https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-249a

CyclopsBlink: Sandworm's New Malware Framework for Network Devices

https://www.ncsc.gov.uk/news/joint-advisory-shows-new-sandworm-malware-cyclops-blink

VPNFilter: Destructive Malware Targeting Network Devices

https://blog.talosintelligence.com/vpnfilter/

Microsoft: Seashell Blizzard Continues Destructive Cyber Operations Against Ukraine

https://www.microsoft.com/en-us/security/blog/2023/03/07/threat-intelligence-accelerating-the-understanding-and-response-to-cyber-threats/

Sandworm APT44: Unearthing Sandworm - MITRE & Google TAG Joint Report

https://cloud.google.com/blog/topics/threat-intelligence/apt44-unearthing-sandworm

Microsoft Analysis of Prestige Ransomware

https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/

Microsoft: Cadet Blizzard emerges as a novel and distinct Russian threat actor

https://www.microsoft.com/en-us/security/blog/2023/06/14/cadet-blizzard-emerges-as-a-novel-and-distinct-russian-threat-actor/

Mandiant: APT44: Unearthing Sandworm

https://www.mandiant.com/resources/blog/apt44-unearthing-sandworm

CISA: Russian State-Sponsored Cyber Actors Gain Network Access by Exploiting Default MFA Protocols

https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-285a

Microsoft: Analyzing Forest Blizzard's custom post-compromise tool (GooseEgg) for exploiting CVE-2022-38028 to obtain credentials (attributed to Forest Blizzard/APT28, not Sandworm)

https://www.microsoft.com/en-us/security/blog/2024/04/22/analyzing-forest-blizzards-custom-post-compromise-tool-for-exploiting-cve-2022-38028-to-obtain-credentials/

Amazon Threat Intelligence identifies Russian cyber threat group targeting Western critical infrastructure

https://aws.amazon.com/blogs/security/amazon-threat-intelligence-identifies-russian-cyber-threat-group-targeting-western-critical-infrastructure/

The BadPilot campaign: Seashell Blizzard subgroup conducts multiyear global access operation - Microsoft

https://www.microsoft.com/en-us/security/blog/2025/02/12/the-badpilot-campaign-seashell-blizzard-subgroup-conducts-multiyear-global-access-operation/

ESET Research: Sandworm behind cyberattack on Poland's power grid with DynoWiper

https://www.eset.com/us/about/newsroom/research/eset-research-russian-sandwormapt-attacks-energy-company-poland-with-dynowiper/

Sandworm: Russia's global infrastructure wrecking crew - Barracuda Networks

https://blog.barracuda.com/2026/03/16/sandworm--russia-s-global-infrastructure-wrecking-crew

New DynoWiper Malware Used in Attempted Sandworm Attack on Polish Power Sector - The Hacker News

https://thehackernews.com/2026/01/new-dynowiper-malware-used-in-attempted.html

Microsoft Uncovers Sandworm Subgroup's Global Cyber Attacks Spanning 15+ Countries - The Hacker News

https://thehackernews.com/2025/02/microsoft-uncovers-sandworm-subgroups.html

ESET APT Activity Report Q2 2025–Q3 2025

https://www.infosecurity-magazine.com/news/russian-sandworm-new-wiper-ukraine/

Sandworm APT: A destructive, aggressive nation-state threat actor

https://www.microsoft.com/en-us/security/blog/threat-intelligence/sandworm/

CISA Advisory AA23-129A: Hunting Russian Intelligence "Snake" Malware (Turla tooling; not a Sandworm advisory)

https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-129a

Google Threat Analysis Group: Sandworm actors exploiting CVE-2022-30216

https://blog.google/threat-analysis-group/tracking-cyber-activity-eastern-europe/

WithSecure: Kapeka - A New Sandworm Backdoor

https://labs.withsecure.com/publications/kapeka

CERT-UA: UAC-0133 Sandworm Activity Report

https://cert.gov.ua/article/6276652

Google TAG: APT44 Sandworm Unearthing

https://services.google.com/fh/files/blogs/apt44-unearthing-sandworm.pdf

Sandworm's BadPilot: A Deep Dive Into Multi-Stage Attacks

https://www.mandiant.com/resources/blog/sandworm-badpilot-multi-stage-attacks

CERT-UA Report on Sandworm Activity Against Ukrainian Infrastructure

https://cert.gov.ua/article/3761104

CISA Advisory AA24-016A: Known Indicators of Compromise Associated with Androxgh0st Malware (not a Sandworm advisory)

https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-016a

CERT-UA: UAC-0002 Activity Overview

https://cert.gov.ua/article/37704

Sandworm APT: The Evolution Continues

https://www.microsoft.com/en-us/security/blog/2024/05/15/seashell-blizzard-continues-to-target-ukraine/

Sandworm's malicious arsenal evolves

https://www.welivesecurity.com/en/eset-research/sandworms-malicious-arsenal-evolves/

CERT-UA Reports on UAC-0133 Sandworm Activities

https://cert.gov.ua/article/6280661

Sandworm: A New Era of Cyberwarfare

https://www.google.com/books/edition/Sandworm/8vW7DwAAQBAJ

Sandworm: APT44's Quest for Global Cyberattack Capability

https://www.mandiant.com/resources/blog/apt44-sandworm-global-capability

Microsoft Digital Defense Report 2023 - Seashell Blizzard

https://www.microsoft.com/en-us/security/business/microsoft-digital-defense-report-2023

Microsoft: Seashell Blizzard continues global hybrid espionage and influence campaign

https://www.microsoft.com/en-us/security/blog/2024/04/22/seashell-blizzard-continues-global-hybrid-espionage-and-influence-campaign/

Google TAG: Continued targeting of Ukraine by Sandworm actors

https://blog.google/threat-analysis-group/continued-targeting-of-ukraine-government-by-sandworm/

CISA Advisory AA22-110A: Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure

https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-110a

CISA Advisory AA22-320A: Iranian Government-Sponsored APT Actors Compromise Federal Network (not a Sandworm advisory)

https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-320a

APT44: Unearthing Sandworm

https://services.google.com/fh/files/misc/apt44-unearthing-sandworm.pdf

Sandworm's Infamous Cyber Strategy

https://www.mandiant.com/resources/blog/apt44-sandworm-cyber-strategy

Google TAG: Fog of War - How the Ukraine Conflict Transformed the Cyber Threat Landscape

https://blog.google/threat-analysis-group/fog-of-war-how-the-ukraine-conflict-transformed-the-cyber-threat-landscape/

Sandworm APT group targets Ukraine with new SwiftSlicer wiper

https://www.welivesecurity.com/2023/01/12/swiftslicer-new-wiper-ukraine/

Microsoft: Seashell Blizzard Threat Intelligence

https://www.microsoft.com/en-us/security/blog/threat-intelligence/seashell-blizzard/

Microsoft: IRIDIUM Actor Profile

https://www.microsoft.com/en-us/security/blog/threat-intelligence/actor/iridium/

CERT-UA Report on Sandworm Activity Against Ukrainian Infrastructure

https://cert.gov.ua/article/6276651

ANSSI - Sandworm Intrusion Set Campaign Targeting Ukrainian Energy Facilities

https://www.cert.ssi.gouv.fr/cti/CERTFR-2021-CTI-005/

CISA - Russian State-Sponsored Cyber Actors Gain Network Access by Exploiting Default MFA Protocols

https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-270a

Sandworm APT: From KillDisk and Industroyer to Prestige and Somnia Ransomware

https://www.sentinelone.com/labs/sandworm-apt-from-killdisk-and-industroyer-to-prestige-and-somnia-ransomware/

Microsoft Threat Intelligence on Seashell Blizzard Cyber Operations

https://www.microsoft.com/en-us/security/blog/2024/01/17/seashell-blizzard-continues-targeting-ukraine-amid-russia-ukraine-war/

Sandworm Disrupts Ukrainian Energy Sector with Destructive Malware - Google Threat Intelligence

https://blog.google/threat-analysis-group/sandworm-disrupts-ukrainian-energy-sector-with-destructive-malware/

CERT-UA: UAC-0082 (Sandworm) targeting critical infrastructure

https://cert.gov.ua/article/3056

Sandworm APT: From KillDisks and Crashoverrides to Prestige and Caddywiper

https://www.sentinelone.com/labs/sandworm-apt-from-killdisks-and-crashoverrides-to-prestige-and-caddywiper/

Sandworm Team Evolves and Expands with New Tactics and Tools

https://www.microsoft.com/en-us/security/blog/2024/03/05/seashell-blizzard-evolves-and-expands-with-new-tactics-and-tools/

Sandworm APT Group Switches from Zero-Days to N-Days for Initial Access

https://www.mandiant.com/resources/blog/sandworm-bad-pilot-zero-day-access

Sandworm: A deep dive into Russia's most destructive cyberwarfare unit

https://www.welivesecurity.com/en/eset-research/sandworm-a-deep-dive-into-russias-most-destructive-cyberwarfare-unit/

Sandworm APT: From KillDisk and Industroyer to Cyclops Blink

https://www.ncsc.gov.uk/files/Sandworm-group-NCSC-advisory.pdf

Microsoft Threat Actor Naming - Seashell Blizzard (Sandworm)

https://learn.microsoft.com/en-us/defender-xdr/microsoft-threat-actor-naming

Microsoft Threat Intelligence: Seashell Blizzard continues destructive operations

https://www.microsoft.com/en-us/security/blog/tag/seashell-blizzard/

SentinelOne - AcidPour Wiper

https://www.sentinelone.com/labs/acidpour-sandworm-actors-deploy-new-wiper-against-ukrainian-targets/

Microsoft: Destructive malware targeting Ukrainian organizations

https://www.microsoft.com/en-us/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/

CERT-UA Report on Sandworm Activity

https://cert.gov.ua/article/6123309

Microsoft Threat Intelligence: Sandworm (IRIDIUM)

https://www.microsoft.com/en-us/security/blog/2022/06/02/exposing-initial-access-broker-with-ties-to-conti/

CERT-UA Report on Sandworm Activity

https://cert.gov.ua/

Microsoft Seashell Blizzard Profile

https://www.microsoft.com/en-us/security/blog/threat-intelligence/microsoft-threat-actor-naming/

CERT-UA Report on Sandworm Activity

https://cert.gov.ua/articles/category/1

Google Threat Intelligence Group Profile: Sandworm

https://cloud.google.com/blog/topics/threat-intelligence/sandworm-apt-group

Sandworm APT Group Targets Ukraine with KnuckleTouch Backdoor

https://www.welivesecurity.com/en/eset-research/sandworm-apt-targets-ukraine-knuckletouch-backdoor/

Sandworm Cyber Threat Intelligence Profile

https://www.cisa.gov/sites/default/files/2024-02/Joint%20Cybersecurity%20Advisory%20-%20Sandworm%20Actors%20Exploiting%20CVE-2022-2992%20and%20CVE-2024-1709.pdf

ESET Sandworm Malware Arsenal Overview

https://www.welivesecurity.com/2022/12/13/sandworm-malware-arsenal-overview/

Sandworm's Kapeka backdoor

https://www.withsecure.com/en/whats-new/newsroom/20240214-sandworm-s-kapeka-backdoor

CERT-UA Report on Sandworm Activity

https://cert.gov.ua/article/6276894

Microsoft: Threat intelligence report on Seashell Blizzard destructive campaigns

https://www.microsoft.com/en-us/security/blog/2023/06/14/cadet-blizzard-emerges-as-novel-threat-actor/

BadPilot: Sandworm's Multi-Year Global Credential Harvesting Campaign

https://www.mandiant.com/resources/blog/sandworm-badpilot-credential-harvesting

Sandworm Disrupts Polish Energy Sector With New Wiper Malware

https://www.securityweek.com/sandworm-disrupts-polish-energy-sector-with-new-wiper-malware/