
All news with #wiper tag

40 articles

Former Contractor Convicted for Deleting Federal Databases

🔒 A jury found former federal contractor Sohaib Akhter guilty of conspiring to destroy dozens of government databases after being fired during a remote meeting in February 2025. Prosecutors say Akhter and his twin brother Muneeb ran write-protect commands and deleted roughly 96 databases hosting sensitive investigative and FOIA records for more than 45 agencies. They allegedly sought to hide their activity — even consulting an AI assistant about clearing system logs — and destroyed evidence; sentencing is set for September 9, 2026.

Fast16 Malware: State-Sponsored Sabotage Targeting Iran

🔍 Researchers have reverse-engineered a sophisticated malware strain called Fast16, concluding it is almost certainly state-sponsored and likely of US origin. The malware was reportedly deployed against Iranian targets years before Stuxnet, and it propagates automatically across networks while avoiding overt disruption. Instead of crashing systems, Fast16 silently tampers with numerical computations inside specialized simulation and engineering applications, altering results in ways that can turn routine analyses into faulty designs or trigger catastrophic equipment failures.

Critical Flaw Turns Vect Ransomware into Data Wiper

⚠ Check Point Research discovered a critical implementation bug in Vect 2.0 that causes files larger than 131,072 bytes (128 KB) to be permanently destroyed rather than recoverably encrypted. The ransomware uses raw ChaCha20-IETF without the Poly1305 MAC and a faulty nonce-handling routine that discards three of four decryption nonces, effectively turning the RaaS into a wiper across Windows, Linux and ESXi variants. Researchers also identified multiple additional coding and design errors that undermine the group's RaaS ambitions and affiliate program.

VECT 2.0 Ransomware Bug Destroys Large Files in Enterprises

⚠️ VECT 2.0 ransomware contains a nonce-handling defect that overwrites per-chunk nonces when encrypting files, leaving only the final nonce saved. As a result, files larger than about 128 KB are partially unrecoverable — roughly only the last quarter can be decrypted — causing the malware to act like a wiper for many enterprise assets. Check Point researchers report the flaw affects Windows, Linux and ESXi builds and means victims cannot recover corrupted data even if they pay.

VECT 2.0 Flaw Turns Ransomware into Irreversible Wiper

⚠️ VECT 2.0 is effectively a destructive wiper rather than recoverable ransomware due to a critical implementation bug that discards key nonces during encryption. Check Point found that any file larger than 131,072 bytes loses three of four ChaCha20 nonces, rendering those chunks irrecoverable even if victims pay. The RaaS's Windows, Linux, and ESXi variants and affiliate model raise broad operational risk, but the technical flaw means payment will not restore most enterprise data.

VECT Ransomware Destroys Files; Paying Won't Recover Data

🛑 VECT is a destructive ransomware family that permanently destroys large files instead of producing recoverable encrypted copies, so paying the ransom will not restore data. The group leveraged partnerships with TeamPCP and BreachForums to build a massive affiliate pipeline to thousands of potential victims. An encryption bug affects Windows, Linux, and ESXi variants and has persisted since before the public 2.0 release. Check Point's Threat Emulation and Harmony Endpoint provide full protection against known variants.

Fast16 Sabotage Malware Discovered Predating Stuxnet

🔎 SentinelOne researchers have identified a sabotage-focused malware framework from around 2005 that predates Stuxnet by at least five years. The investigation uncovered a service binary (svcmgmt.exe) embedding a Lua 5.0 VM and a boot-start kernel driver (fast16.sys) that intercepts and patches executables at the storage layer. Fast16 acted as a wormable carrier with multiple 'wormlet' payloads, targeted Windows 2000/XP file shares using weak credentials, and included environmental checks to avoid specific security software. The framework was designed to corrupt outputs from engineering and simulation suites, and was later referenced in the Shadow Brokers leak.

Researchers Uncover Pre-Stuxnet Lua Sabotage Tool fast16

🔎 SentinelOne researchers have disclosed fast16, a Lua-based cyber‑sabotage framework compiled in 2005 that predates Stuxnet. The implant embeds a Lua 5.0 VM and encrypted bytecode inside a carrier binary svcmgmt.exe and pairs with a kernel driver that patches executables to corrupt high‑precision calculations. fast16 targets legacy Windows 2000/XP environments and engineering simulation tools, and its discovery revises the timeline of state-backed cyber sabotage.

Lotus Wiper Targets Venezuelan Energy Sector, Destroying Data

⚠️ Kaspersky has identified a previously undocumented file wiper named Lotus Wiper that was used in destructive attacks against Venezuela's energy and utilities sector in late 2025 and early 2026. The campaign relies on two coordinated batch scripts that weaken defenses, probe NETLOGON shares and legacy services, and prepare the environment to deploy a wiper that erases recovery mechanisms, overwrites drives and deletes files. The artifact contains no extortion demands, indicating a targeted, non-financially motivated destructive operation likely planned well in advance.

New Lotus wiper targets Venezuelan energy and utilities

🔴 Kaspersky researchers analyzed a previously undocumented data-wiping malware, dubbed Lotus, uploaded from a Venezuelan host in mid-December and used in targeted attacks against energy and utility organizations in Venezuela. Before detonation the attacker runs two batch scripts that weaken defenses, change account passwords, log off users, disable network interfaces and run destructive tools like diskpart, robocopy and fsutil to overwrite and fill drives. The Lotus binary then performs low-level IOCTL operations, clears USN journals, deletes restore points and overwrites physical sectors to render systems unrecoverable. Administrators are advised to monitor these precursor activities and maintain offline, validated backups.

FBI Links Handala Group to Targeted Spyware Campaign

🛡️ The FBI has attributed a sustained campaign of targeted malware and hack-and-leak operations to the Iranian-linked threat actor Handala, noting activity against dissidents, journalists and opposition groups dating to autumn 2023. The group claimed responsibility for a wiper attack on US medtech firm Stryker and used a multi-stage payload that disguises itself as legitimate Windows applications. Investigators observed social engineering lures, PowerShell-based evasion, and a Telegram-based command-and-control channel enabling remote access and data exfiltration, and urged standard hardening and reporting measures.

TeamPCP Deploys Iran-Targeted Wiper via Kubernetes

🧨 The TeamPCP group is deploying a geopolitically targeted wiper that seeks out Iranian systems and either destroys host data or implants a persistent backdoor on Kubernetes nodes. Aikido researchers link the campaign to the earlier CanisterWorm and Trivy supply-chain incidents, noting identical C2 infrastructure and the same /tmp/pglog drop path. When Iran indicators (timezone/locale) and Kubernetes are detected, the malware creates a privileged DaemonSet named Host-provisioner-iran that mounts the host root and runs Alpine containers called "kamikaze" to delete top-level directories and force a reboot. If Kubernetes is present but the host is not identified as Iranian, it deploys host-provisioner-std to write a Python backdoor and install it as a systemd service; variants also propagate via SSH or unauthenticated Docker APIs.

CanisterWorm Wiper Targets Iran via Compromised Cloud

🚨 A financially motivated group known as TeamPCP deployed a self‑propagating worm called CanisterWorm that spreads through poorly secured cloud control planes and conditionally executes a destructive wiper on systems set to Iran’s timezone or Farsi locale. The actors leveraged exposed Docker APIs, misconfigured Kubernetes clusters, Redis servers and the React2Shell vector, and inserted credential‑stealing code into official Trivy releases via compromised GitHub Actions. Researchers observed the group using ICP canisters to host payloads and noted the malicious builds were active only intermittently, leaving uncertainty about the extent of successful data destruction.

How CISOs Can Survive Geopolitical Cyberattacks Today

🛡️ Geopolitical tensions are driving a rise in destructive, non‑financial cyber campaigns that aim to disrupt operations rather than extort payment. Recent Iranian-linked wiper activity — exemplified by the March 2026 Handala attack on Stryker — shows attackers rely on stolen credentials and legitimate admin tools to move freely. Zero Networks recommends a five-step playbook focused on identity-aware access, default‑deny admin ports, scoped privileged access, detection of tunnels, and rapid automated containment to limit blast radius and preserve operations.

FBI Seizes Handala Leak Domains After Stryker Wipe

🔒 The FBI has seized two clearnet domains used by the Iranian-linked hacktivist group Handala after its destructive cyberattack on medical device maker Stryker. A seizure banner cites a Maryland court warrant and says the domains facilitated malicious cyber activities; DNS now points to FBI name servers. Handala acknowledged the seizures and said it will rebuild resilient infrastructure. Microsoft and CISA issued guidance to help organizations secure Intune and Windows domains against similar compromises.

Evolution of Iranian Cyber Threats and Identity Risks

🔒 Iranian-aligned threat actors are shifting from bespoke destructive wipers to weaponizing privileged identities and native management features. Rather than deploying novel binaries, attackers compromise high-privilege accounts and use legitimate MDM/RMM or cloud consoles to push remote-wipe and factory-reset commands at scale. This living-off-the-land approach bypasses traditional endpoint telemetry and enables rapid, high-impact disruption across managed tenants. Defenders must prioritize identity resilience, Zero Trust, and immutable backups to maintain survivability.

Handala Hack Wiper Attacks Targeting Intune Admins

🔒 Unit 42 warns of elevated risk from destructive wiper operations attributed to the Iranian-linked Handala Hack actor, which has used phishing and compromised Microsoft Intune administrative access to delete servers and devices and disrupt operations. The actor, first seen in late 2023 and also tracked as Void Manticore, COBALT MYSTIQUE and Storm‑1084/0842, is assessed as a state-directed front for Iran’s MOIS. Mitigations focus on eliminating standing privileges (JIT, PIM), hardening Entra ID and Intune admin roles, enforcing conditional access and hardware MFA, reducing session lifetimes and ensuring immutable offline backups.

Iran-linked Group Claims Massive Wiper Attack on Stryker

🚨 Pro-Iranian group Handala claimed it wiped over 200,000 devices and exfiltrated 50TB of data from medical device maker Stryker, asserting offices in 79 countries were forced to close. Stryker confirmed a cyber incident causing global disruption to its Microsoft environment but said there is no indication of ransomware and that it believes the incident is contained. Experts warned the attack appears to have leveraged enterprise management tools such as Microsoft Intune, suggesting a credential compromise and tactics consistent with Iranian state-linked activity.

Stryker Offline After Wiper Malware Hits Global Systems

🏥 Leading medical technology company Stryker is experiencing a severe, global outage after a wiper malware attack claimed by Handala, an Iran-linked hacktivist group. The attackers say they stole 50 TB of data and remotely wiped over 200,000 systems, servers, and mobile devices, forcing shutdowns across 79 countries. Employees report managed Windows and mobile devices were reset, internal services were disrupted, and some sites reverted to pen-and-paper workflows while Stryker works with Microsoft to restore systems.

Iran-linked Hackers Claim Wiper Attack on Medtech Firm

🛡️ A hacktivist group with reported ties to Iran's intelligence services has claimed responsibility for a large-scale data-wiping incident against Stryker, a global medical technology company. The group, known as Handala, said it erased data from more than 200,000 systems and forced shutdowns across 79 countries while Stryker sent thousands of staff in Ireland home and reported a building emergency at its U.S. headquarters. Reporting and internal sources indicate attackers may have used Microsoft Intune to issue remote wipe commands; some employee devices were reportedly wiped and defaced.