New Data-Wiping Malware, Swiftslicer, Can Overwrite Windows Domains


Over the last several years, malware has developed a formidable reputation. Nowadays, there are nearly countless varieties of these malicious programs, and adversaries continually devise more innovative methods to target both organizations and individuals.

Attackers are increasingly using a destructive strain of malware known as the wiper. One such form, SwiftSlicer, is an especially hazardous variant as it can erase entire Windows systems and shadow copies – making data recovery impossible.

What category does SwiftSlicer belong to?

Wiper malware is a malicious program that permanently destroys data and files on a targeted system, leaving the victim no way to recover them. Unlike malware that merely deletes files, a wiper overwrites, sabotages, and destroys them outright, often with political or economic motives.

SwiftSlicer, DoubleZero, WhisperGate, IsaacWiper, CaddyWiper, and HermeticWiper are well-known wiper families. Last year's report by Security Magazine found that wiper deployments are rising, an alarming trend for enterprises and industries across the globe.

What is SwiftSlicer, and how does it work?

SwiftSlicer is a newly discovered wiper written in Go. Because of its versatility, and because Go programs can be compiled for any platform or hardware, it is believed to have been designed by a collective of professional hackers and cyber criminals. ESET attributed the attack to Sandworm, a nation-state group linked to Military Unit 74455 of the Main Intelligence Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU); the malware was developed by Russian hackers targeting Windows systems. ESET researchers spotted it on January 25, 2023.

The attackers deployed SwiftSlicer through Group Policy, which indicates that they had already taken control of the victim's Active Directory (AD) environment. Control over AD lets attackers execute scripts and malicious commands across every system in the Windows domain. ESET researchers stated that once SwiftSlicer runs, it deletes shadow copies and overwrites critical files in the Windows system directory.

It can delete and overwrite specific files, drivers, and the Active Directory database; its target is the %CSIDL_SYSTEM_DRIVE%\Windows\NTDS folder. Destroying those files brings down the Windows OS and all system operations. According to ESET researchers, SwiftSlicer overwrites data in 4096-byte blocks filled with randomly generated bytes. Once the destruction finishes, the malware reboots the target system automatically.
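Two of the behaviours described above (delivery through Group Policy and writes into the NTDS folder by something other than the directory service) are visible in ordinary endpoint telemetry. The script below is an added example written for this post, not code from Packetlabs or ESET; it runs two simple rules over constructed records shaped like exported Sysmon Event ID 1 (process create) and Event ID 11 (file create/overwrite). The hostnames, share names, image paths and the assumption that only lsass.exe legitimately writes under NTDS are all invented for the example and should be tuned to your own environment.

```python
import re

# Constructed sample records shaped like Sysmon Event ID 1 (process create)
# and Event ID 11 (file create/overwrite) after export to JSON. Not real
# telemetry; hostnames, share names and image paths are invented.
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "DC01",
     "Image": r"\\corp.example\SYSVOL\corp.example\scripts\update.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
    {"EventID": 11, "Computer": "DC01",
     "Image": r"\\corp.example\SYSVOL\corp.example\scripts\update.exe",
     "TargetFilename": r"C:\Windows\NTDS\ntds.dit"},
    {"EventID": 11, "Computer": "DC01",
     "Image": r"C:\Windows\System32\lsass.exe",
     "TargetFilename": r"C:\Windows\NTDS\edb.log"},
    {"EventID": 11, "Computer": "WS07",
     "Image": r"C:\Program Files\Editor\editor.exe",
     "TargetFilename": r"C:\Users\alice\notes.txt"},
]

# The directory the article names as SwiftSlicer's target, matched on the
# path tail so the drive letter / CSIDL expansion does not matter.
NTDS_DIR = re.compile(r"\\Windows\\NTDS\\", re.IGNORECASE)

# Processes that legitimately write the AD database. Assumption for this
# example: lsass.exe hosts the directory service; add your backup agent.
NTDS_WRITERS = {"lsass.exe"}

# Executables launched straight from a SYSVOL share, i.e. delivered by
# Group Policy (assumed pattern for this example).
SYSVOL_IMAGE = re.compile(r"^\\\\[^\\]+\\SYSVOL\\", re.IGNORECASE)


def _basename(path):
    """Last path component, lower-cased, for process-name comparison."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return a list of (rule, computer, detail) alerts for the given events."""
    alerts = []
    for ev in events:
        image = ev.get("Image", "")
        if ev.get("EventID") == 1 and SYSVOL_IMAGE.search(image):
            alerts.append(("gpo_delivered_executable", ev["Computer"], image))
        elif ev.get("EventID") == 11:
            target = ev.get("TargetFilename", "")
            if NTDS_DIR.search(target) and _basename(image) not in NTDS_WRITERS:
                alerts.append(("ntds_write_by_unexpected_process",
                               ev["Computer"], f"{image} -> {target}"))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Run against the sample records, the first rule fires on the SYSVOL-hosted executable and the second on that executable's write to ntds.dit, while lsass.exe's own write to the NTDS log and the workstation's text editor are left alone. Both rules are deliberately narrow; in production you would baseline which processes and Group Policy scripts normally appear on domain controllers before alerting on them.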

More about the attack on Ukrinform

A few days ago, SwiftSlicer was spotted on the network of Ukrinform, Ukraine's national news agency. Per a report by the Ukrainian Computer Emergency Response Team (CERT-UA), Sandworm also attempted to use five data-destruction utilities on different systems and operating systems within Ukrinform's network, including:

  • ZeroWipe (Windows)

  • BidSwipe (FreeBSD)

  • SDelete (Windows)

  • CaddyWiper (Windows)

  • AwfulShred (Linux)

The malware's signature has recently been added to various antivirus databases, VirusTotal among them.

Preventative measures against data-wiping malware

Here is a list of best practices and strategies enterprises and organizations can leverage to protect data from wiping attacks carried out by wiper malware like SwiftSlicer.

  • Backup data: Back up your data regularly to an isolated system or drive; cloud backups kept isolated from everyday work systems are usually the best option. A solid data recovery (DR) plan reduces an attack's impact, and robust recovery practices let an organization keep working even after an attack.

  • Use and update malware protection tools: Anti-malware tools act like flu shots, protecting systems against wipers such as SwiftSlicer. Anti-malware and antivirus vendors continually update their databases with new malware and virus strains, so these tools, kept current, are effective against malware threats.

  • Patch software and the OS regularly: Patching software and operating systems regularly is an excellent habit, because patches fix the security vulnerabilities and flaws in applications.

  • Continuous monitoring: Continuous monitoring helps enterprises stay vigilant for threats and malware attacks. Network monitoring tools such as Netwrix Auditor ease the administrative burden and help protect enterprise networks from wiping threats.

  • Educate employees and individuals: Enterprises must educate employees about various attack vectors. Enterprises can seek help from cybersecurity companies like Packetlabs to get expert advice on securing their networks and systems from wiper malware like SwiftSlicer.
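The overwrite behaviour described earlier (4096-byte blocks of random bytes written in place) leaves a file's size and directory listing unchanged, so a backup or recovery plan that checks only sizes or timestamps can miss damaged data. The script below is an added example written for this post, not Packetlabs code or any vendor's tool: it builds a SHA-256 manifest of a directory tree, then verifies the tree against that manifest, distinguishing missing files, size changes, and same-size content changes. The fixture it builds in a temporary directory, and the in-place damage it applies to one file to exercise the check, are constructed for the example. A manifest like this belongs with the isolated backup, so that a restore can be validated before it is trusted.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Overwrite granularity the article cites; used here only to size the fixture.
BLOCK = 4096


def sha256_of(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each file's relative POSIX path to its size and SHA-256."""
    root = Path(root)
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = {
                "size": p.stat().st_size,
                "sha256": sha256_of(p),
            }
    return manifest


def verify(root, manifest):
    """Compare a tree to a manifest; return {relpath: status}."""
    root = Path(root)
    status = {}
    for rel, expected in manifest.items():
        p = root / rel
        if not p.exists():
            status[rel] = "missing"
        elif p.stat().st_size != expected["size"]:
            status[rel] = "size_changed"
        elif sha256_of(p) != expected["sha256"]:
            # Same size, different bytes: exactly what an in-place
            # overwrite looks like, and what a size check cannot see.
            status[rel] = "content_changed"
        else:
            status[rel] = "ok"
    return status


def demo():
    """Build a manifest over a constructed fixture, damage it, and verify."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "config.xml").write_bytes(b"<settings/>\n" * 200)
        (root / "db").mkdir()
        # Two 4096-byte blocks of deterministic content.
        (root / "db" / "records.dat").write_bytes(
            bytes(range(256)) * (2 * BLOCK // 256))
        manifest = build_manifest(root)

        # Fixture damage for the check: one file replaced in place by random
        # bytes of the same length (size unchanged), one file removed.
        target = root / "db" / "records.dat"
        target.write_bytes(os.urandom(target.stat().st_size))
        (root / "config.xml").unlink()

        return verify(root, manifest)


if __name__ == "__main__":
    for rel, state in demo().items():
        print(f"{state:16} {rel}")
```

In the demo, `records.dat` keeps its original size but is reported as `content_changed`, and the deleted `config.xml` is reported as `missing`. Store the manifest (and, ideally, a signature over it) on the same isolated media as the backup, never only on the systems being backed up, or it can be destroyed alongside the data it is meant to validate.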

Conclusion

Malware attacks are a pressing concern for all organizations. Wiper attacks disrupt the regular workflow and damage an organization's reputation. SwiftSlicer is one of the most advanced forms of wiper malware, able to eliminate specific files, drivers, and even the Active Directory database. This is why taking the necessary precautions to protect your data and networks is vital.
