Mallory
Malware (used by 1 actor)

ZEROLOT

ZEROLOT is a destructive data-wiping malware family associated with the Russia-aligned Sandworm threat group (also tracked as APT44, Voodoo Bear, Iron Viking, Telebots, and Seashell Blizzard). The reporting collected here links ZEROLOT to Sandworm operations against Ukrainian targets in 2024–2025, including a Ukrainian university and organizations in the government, energy, logistics, telecom, and grain sectors. Multiple sources describe the malware as a wiper intended to permanently erase data and disrupt operations, with the attacks framed as part of broader destructive campaigns against Ukraine’s critical infrastructure and economy. The sources state that Sandworm deployed ZEROLOT via Active Directory Group Policy, and that in one April 2025 university intrusion the deployment was executed through a Windows scheduled task named DavaniGulyashaSdeshka. ZEROLOT is repeatedly mentioned alongside another Sandworm wiper, Sting. High-confidence reporting places ZEROLOT among Sandworm’s broader set of destructive malware families, alongside PathWiper and HermeticWiper. No file hashes or other standalone technical IoCs specific to ZEROLOT are provided in the collected reporting beyond the scheduled task name DavaniGulyashaSdeshka and the reported use of Active Directory Group Policy for deployment.

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

Sandworm

Evidence snippet (via cybersecuritynews.com): "Indicators of Compromise (IoCs): ... Malware: ZEROLOT, wiper malware linked to Sandworm"
MITRE ATT&CK

Techniques & procedures

1 distinct technique documented for this family, organized by ATT&CK tactic.

Impact

1 technique
T1485 Data Destruction (evidence: 3)

Evidence snippet: "Several intrusions led to the deployment of destructive wiper malware... Malware: ZEROLOT, wiper malware linked to Sandworm. Malware: PathWiper, wiper malware targeting Ukrainian organizations."

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution (1)

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping (1)

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.