Researchers from ESET say Sandworm, the Russian state-backed hacking group, launched a wave of destructive wiper malware in Ukraine as part of the ongoing war, including an April attack on a Ukrainian university using two wipers, Sting and Zerlot.
Notably, Sting attacked Windows computers by scheduling a task named DavaniGulyashaSdeshka, a Russian slang phrase meaning “eat some goulash,” according to ESET researchers. Zerlot was the other wiper in the April operation.
In June and September, Sandworm rolled out additional wiper variants against Ukrainian critical infrastructure, including government, energy, and logistics sectors, with grain industry organizations also targeted—a relatively uncommon but strategically significant choice.
“Although all four targets have previously faced wiper attacks since 2022, the grain sector stands out as not often hit,” ESET said, noting that Ukraine’s grain exports are a key revenue stream and disrupting it could undermine the war economy.
Wipers have long been a favored tool of Kremlin-linked actors since NotPetya in 2012, which originated in Ukraine before spreading globally and causing tens of billions in damages. Researchers say such campaigns show that destructive cyber operations remain a core component of Russia’s hybrid warfare toolkit.
Experts note that while espionage has attracted more attention recently, wiper activity against Ukraine has persisted into 2025, underscoring the persistent cyber dimension of the conflict.
