AcidPour
AcidPour is a destructive Linux wiper and a novel variant of AcidRain, first reported by SentinelLABS/SentinelOne in March 2024 after a sample was uploaded from Ukraine. It is a 32-bit x86 ELF binary written in C and is assessed to be technically connected to AcidRain through shared reboot logic, recursive directory wiping, and an IOCTL-based device wiping mechanism.

Unlike AcidRain, which targeted MIPS-based modems and routers, AcidPour is compiled for x86 and adds support for Linux UBI and Device Mapper paths, extending its ability to wipe embedded flash-based systems, RAID arrays, large storage devices, LVM, software RAID, disk-encrypted volumes, and other attached storage. Reported target classes include Linux x86 IoT devices, network devices, storage arrays, and potentially industrial control or OT-adjacent systems running Linux x86 distributions.

Its behavior includes in-depth wiping of filesystems and attached storage via direct overwrites or IOCTL erase operations, overwriting victim devices with the contents of a buffer, rebooting the system after wiping, and deleting itself from disk once it has been loaded into memory.

SentinelLABS stated it could not confirm use in the ongoing March 2024 disruptions affecting Ukrainian ISPs, but the timing and capabilities were consistent with such operations. CERT-UA attributed the activity to UAC-0165, described as a Sandworm subcluster, and broader reporting links AcidPour/AcidRain to the Russian GRU-linked Sandworm cluster, also referred to as ELECTRUM, Razing Ursa, and Voodoo Bear.

High-confidence sample indicators: filename tmphluyl8zn; MD5 1bde1e4ecc8a85cffef1cd4e5379aa44; SHA1 b5de486086eb2579097c141199d13b0838e7b631; SHA256 6a8824048417abe156a16455b8e29170f8347312894fde2aabe644c4995d7728.
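As an added example (not code from SentinelLABS, CERT-UA, or this profile), the following Python correlates per-process audit-style events to flag the behaviour chain described above: writes or IOCTLs against UBI, Device Mapper, MTD or raw block device nodes, mass file deletion, self-deletion of the executable, and a reboot. The record format, the device-name list, the deletion threshold, the executable path and all sample events are assumptions constructed for the example; a benign filesystem-formatting process is included to show that device writes alone do not raise an alert.

```python
import re
from collections import defaultdict

# Device-node prefixes an AcidPour-class wiper would open for direct overwrite
# or erase IOCTLs (UBI, Device Mapper, MTD flash, raw block). Assumed list; tune
# it to the storage actually present on your Linux x86 fleet.
STORAGE_DEV_RE = re.compile(
    r"^/dev/(sd[a-z]|nvme\d|mmcblk\d|mtd\d|mtdblock\d|ubi\d|dm-\d|mapper/)"
)
WRITE_FLAGS = ("O_WRONLY", "O_RDWR")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Parse one constructed key=value audit-style record into a dict."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def classify(ev):
    """Map one event to a wiper-behaviour tag, or None when it is uninteresting."""
    sc = ev.get("syscall")
    path = ev.get("path", "")
    if sc in ("open", "openat") and STORAGE_DEV_RE.match(path) \
            and any(f in ev.get("flags", "") for f in WRITE_FLAGS):
        return "raw_device_write"          # direct overwrite of a storage node
    if sc == "ioctl" and STORAGE_DEV_RE.match(path):
        return "device_ioctl"              # erase/discard IOCTL on a storage node
    if sc in ("unlink", "unlinkat") and path == ev.get("exe"):
        return "self_delete"               # binary removes itself from disk
    if sc in ("unlink", "unlinkat", "rmdir"):
        return "file_delete"               # counted toward recursive wiping
    if sc == "reboot":
        return "reboot"                    # host rebooted after wiping
    return None


def detect_wiper_activity(lines, delete_threshold=20):
    """Correlate tags per pid; alert only when destruction and teardown co-occur."""
    by_pid = defaultdict(lambda: {"exe": None, "tags": set(), "deletes": 0})
    for line in lines:
        ev = parse_event(line)
        tag = classify(ev)
        if tag is None:
            continue
        rec = by_pid[ev.get("pid", "?")]
        rec["exe"] = ev.get("exe", rec["exe"])
        if tag == "file_delete":
            rec["deletes"] += 1
        else:
            rec["tags"].add(tag)

    alerts = []
    for pid, rec in by_pid.items():
        if rec["deletes"] >= delete_threshold:
            rec["tags"].add("mass_delete")
        destructive = {"raw_device_write", "device_ioctl", "mass_delete"} & rec["tags"]
        teardown = {"self_delete", "reboot"} & rec["tags"]
        # A formatter or installer writes raw devices but never deletes itself
        # or reboots; requiring both halves keeps such tools out of the alerts.
        if destructive and teardown:
            alerts.append({"pid": pid, "exe": rec["exe"], "tags": sorted(rec["tags"])})
    return alerts


# Constructed sample telemetry: pid 1001 is a benign formatter, pid 4242 shows the
# full AcidPour-style chain (UBI write + IOCTL, init-script deletion, self-delete, reboot).
SAMPLE_EVENTS = [
    'pid=1001 exe="/usr/sbin/mkfs.ext4" syscall=openat path="/dev/sdb1" flags=O_RDWR',
    'pid=1001 exe="/usr/sbin/mkfs.ext4" syscall=ioctl path="/dev/sdb1"',
    'pid=4242 exe="/tmp/wiper_sample" syscall=openat path="/dev/ubi0" flags=O_RDWR|O_SYNC',
    'pid=4242 exe="/tmp/wiper_sample" syscall=ioctl path="/dev/ubi0"',
    'pid=4242 exe="/tmp/wiper_sample" syscall=openat path="/dev/mapper/vg0-root" flags=O_WRONLY',
] + [
    f'pid=4242 exe="/tmp/wiper_sample" syscall=unlinkat path="/etc/init.d/svc{i}"'
    for i in range(25)
] + [
    'pid=4242 exe="/tmp/wiper_sample" syscall=unlink path="/tmp/wiper_sample"',
    'pid=4242 exe="/tmp/wiper_sample" syscall=reboot',
]

if __name__ == "__main__":
    for alert in detect_wiper_activity(SAMPLE_EVENTS):
        print(alert)
```

The correlation is deliberately conservative: storage writes alone are common on build hosts and appliances, so the rule fires only when the same process also erases its own executable or reboots the host, which is the combination the reporting above describes. Lower `delete_threshold` on embedded devices with small filesystems.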
Groups observed using it
2 distinct threat actors attributed by public researchers.
ELECTRUM ... specializes in OT impact; the use of the AcidPour wiper in 2024 is attributed to it.
SentinelLABS has discovered a novel malware variant of AcidRain... The new malware, which we call AcidPour, expands upon AcidRain’s capabilities and destructive potential to now include Linux Unsorted Block Image (UBI) and Device Mapper (DM) logic, better targeting RAID arrays and large storage devices.
Techniques & procedures
12 distinct techniques documented for this family, organized by ATT&CK tactic.
Execution: 1 technique
Stealth: 2 techniques
Discovery: 3 techniques
The content repeatedly describes malware and threat actors collecting host details such as OS version, hostname, architecture, CPU, memory, BIOS, domain, language, and other configuration data; e.g., "APT41 uses multiple built-in commands such as systeminfo and net config Workstation to enumerate victim system basic configuration information."
Impact: 6 techniques
"AcidPour includes functionality to overwrite victim devices with the content of a buffer to wipe disk content."
The references include multiple wiper campaigns and destructive malware operations such as NotPetya, SwiftSlicer, AcidRain, AcidPour, and DynoWiper associated with Sandworm/APT44.
Notable similarities include the use of the same reboot mechanism, the exact logic of the recursive directory wiping, and most importantly the use of the same IOCTL-based wiping mechanism used by both AcidRain and the VPNFilter plugin ‘dstr’.
IOCs tracked for this family
8 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
13 sources tracked across advisories, community write-ups, and news.
Wiper attributed in the article to ELECTRUM/Sandworm activity for OT-impact operations in 2024.
Embedded-device wiper assessed as a variant of AcidRain and observed in Ukraine.
A destructive malware/wiper referenced in the analytic story context for Linux init daemon script deletion and data destruction activity.
AcidPour (and AcidRain) are destructive Linux wiper malware strains. AcidRain targets MIPS-based devices, while AcidPour targets x86-based systems, including storage arrays, network devices, and ICS. Both use IOCTLs to destroy data and self-delete for evasion. Linked to Russian threat actor Sandworm.