Overview
- ESET attributes multiple destructive intrusions between April and September 2025 to Sandworm, also tracked as APT44.
- Wiper attacks in June and September hit organizations in government, energy, logistics and, unusually, Ukraine’s grain sector.
- ESET assesses the focus on grain producers as an effort to weaken Ukraine’s war economy given the sector’s central role in export revenue.
- In April, Sandworm deployed Sting and Zerlot wipers at a Ukrainian university, with Sting executed via a scheduled Windows task named “DavaniGulyashaSdeshka”.
- Researchers report that in some cases initial access was obtained by UAC-0099 before being handed off to APT44 for wiper deployment.