Mallory
Malware | Used by 2 actors

AcidPour

AcidPour is a destructive Linux wiper malware and a novel variant of AcidRain, first reported by SentinelLABS/SentinelOne in March 2024 after a sample was uploaded from Ukraine. It is an ELF 32-bit x86 binary written in C and is assessed to be technically connected to AcidRain through shared reboot logic, recursive directory wiping, and an IOCTL-based device wiping mechanism.

Unlike AcidRain, which targeted MIPS-based modems and routers, AcidPour is compiled for x86 and expands destructive capability with support for Linux UBI and Device Mapper paths, improving its ability to wipe embedded flash-based systems, RAID arrays, large storage devices, LVM, software RAID, disk-encrypted volumes, and other attached storage. Reported target classes include Linux x86 IoT devices, network devices, storage arrays, and potentially industrial control or OT-adjacent systems running Linux x86 distributions.

Its behavior includes in-depth wiping of filesystems and attached storage via direct overwrites or IOCTL erase operations, overwriting victim devices with buffer contents, rebooting the system after wiping, and self-deleting from disk after execution and loading into memory.

SentinelLABS stated it could not confirm use in the ongoing March 2024 disruptions affecting Ukrainian ISPs, but the timing and capabilities were consistent with such operations. The activity was attributed by CERT-UA to UAC-0165, described as a Sandworm subcluster, and broader reporting links AcidPour/AcidRain to the Russian GRU-linked Sandworm cluster, also referred to as ELECTRUM, Razing Ursa, and Voodoo Bear.

High-confidence sample indicators mentioned in the content are filename tmphluyl8zn, MD5 1bde1e4ecc8a85cffef1cd4e5379aa44, SHA1 b5de486086eb2579097c141199d13b0838e7b631, and SHA256 6a8824048417abe156a16455b8e29170f8347312894fde2aabe644c4995d7728.

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

THREAT ACTORS

Groups observed using it

2 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

Sandworm

ELECTRUM ... specializes in OT impact; the use of the AcidPour wiper in 2024 is attributed to it.

via codeby (codeby.net)
UAC-0165

SentinelLABS has discovered a novel malware variant of AcidRain... The new malware, which we call AcidPour, expands upon AcidRain’s capabilities and destructive potential to now include Linux Unsorted Block Image (UBI) and Device Mapper (DM) logic, better targeting RAID arrays and large storage devices.

via SentinelOne Labs (sentinelone.com)
MITRE ATT&CK

Techniques & procedures

12 distinct techniques documented for this family, organized by ATT&CK tactic.

Execution

1 technique
T1106 Native API (evidence: 1)

AcidPour is programmed in C without relying on statically-compiled libraries or imports. Most functionality is implemented via direct syscalls, many called through the use of inline assembly and opcodes.

Stealth

2 techniques
T1036 Masquerading (evidence: 1)

Executables Or Script Creation In Temp Path ... T1036

T1070.004 File Deletion (evidence: 5)

Perhaps as a response to the discovery of AcidRain, this new version now kicks off with a self-delete function. It maps the original file into memory, then overwrites it with a sequence of bytes ranging from 0-255 followed by a polite Ok.
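The summary above and the Execution and Stealth evidence together describe three observable traits: a statically built 32-bit x86 ELF with no imports, execution from a temp path, and a binary that unlinks itself after it is loaded. The following triage script is an added example for this page, not code from Mallory, SentinelLABS or any published tool: it parses an ELF header to report class, machine and static linkage, matches a file against the sample hashes published on the page, and flags processes whose /proc exe link points at a temp path or at a deleted file. The live scan assumes a Linux /proc layout; every sample input (the ELF fixtures and the pid-to-path map) is constructed.

```python
"""Defender-side triage for the AcidPour traits described on this page.
Added example; not Mallory's, SentinelLABS's or any tool's own code.
Assumptions: Linux /proc layout for scan_proc(); all inputs constructed."""
import hashlib
import os
import struct
from typing import Dict, List, Optional, Tuple

# Sample hashes as listed on the page (the only IOC values public here).
IOC_HASHES = {
    "md5": "1bde1e4ecc8a85cffef1cd4e5379aa44",
    "sha1": "b5de486086eb2579097c141199d13b0838e7b631",
    "sha256": "6a8824048417abe156a16455b8e29170f8347312894fde2aabe644c4995d7728",
}

ELFCLASS32, ELFDATA2LSB, EM_386 = 1, 1, 3
PT_LOAD, PT_DYNAMIC, PT_INTERP = 1, 2, 3
EHDR_FMT = "<HHIIIIIHHHHHH"   # Elf32_Ehdr after the 16-byte e_ident
PHDR_FMT = "<IIIIIIII"        # Elf32_Phdr (32 bytes)


def hash_matches(data: bytes) -> Dict[str, bool]:
    """Compare a file's digests against the page's published sample hashes."""
    return {
        "md5": hashlib.md5(data).hexdigest() == IOC_HASHES["md5"],
        "sha1": hashlib.sha1(data).hexdigest() == IOC_HASHES["sha1"],
        "sha256": hashlib.sha256(data).hexdigest() == IOC_HASHES["sha256"],
    }


def elf_profile(data: bytes) -> Optional[Dict[str, object]]:
    """Report the traits an analyst checks first: 32-bit class, x86 machine,
    and 'static' (no PT_INTERP/PT_DYNAMIC, i.e. no loader and no imports).
    Returns None for non-ELF input; only 32-bit little-endian is decoded."""
    if len(data) < 52 or data[:4] != b"\x7fELF":
        return None
    if data[4] != ELFCLASS32 or data[5] != ELFDATA2LSB:
        return {"class32": False, "x86": False, "static": None}
    fields = struct.unpack_from(EHDR_FMT, data, 16)
    e_machine, e_phoff, e_phentsize, e_phnum = fields[1], fields[4], fields[8], fields[9]
    has_interp = has_dynamic = False
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if off + 32 > len(data):
            break  # truncated program header table: stop rather than raise
        p_type = struct.unpack_from(PHDR_FMT, data, off)[0]
        has_interp |= p_type == PT_INTERP
        has_dynamic |= p_type == PT_DYNAMIC
    return {"class32": True, "x86": e_machine == EM_386,
            "static": not (has_interp or has_dynamic)}


def suspicious_processes(exe_links: Dict[int, str]) -> List[Tuple[int, str]]:
    """Given pid -> readlink('/proc/<pid>/exe') targets, flag processes whose
    binary was unlinked after start (the kernel appends ' (deleted)') or
    that run from a temp path; both match the behaviour described above."""
    hits = []
    for pid, target in sorted(exe_links.items()):
        if target.endswith(" (deleted)"):
            hits.append((pid, "exe unlinked while running"))
        elif target.startswith(("/tmp/", "/var/tmp/", "/dev/shm/")):
            hits.append((pid, "exe in temp path"))
    return hits


def scan_proc() -> List[Tuple[int, str]]:
    """Live variant: walk /proc on a Linux host (needs rights to readlink)."""
    links = {}
    for name in os.listdir("/proc"):
        if name.isdigit():
            try:
                links[int(name)] = os.readlink(f"/proc/{name}/exe")
            except OSError:
                continue  # kernel threads or permission denied
    return suspicious_processes(links)


def build_elf32(phdr_types: List[int]) -> bytes:
    """Construct a minimal 32-bit x86 ELF image with the given program header
    types (constructed fixture for testing the parser; not a real program)."""
    e_ident = b"\x7fELF" + bytes([ELFCLASS32, ELFDATA2LSB, 1, 0]) + b"\x00" * 8
    ehdr = e_ident + struct.pack(EHDR_FMT, 2, EM_386, 1, 0x8048000, 52, 0, 0,
                                 52, 32, len(phdr_types), 0, 0, 0)
    phdrs = b"".join(struct.pack(PHDR_FMT, t, 0, 0, 0, 0, 0, 5, 0x1000)
                     for t in phdr_types)
    return ehdr + phdrs


if __name__ == "__main__":
    # Constructed fixtures: one static-looking image, one dynamically linked,
    # and a constructed pid map using the filename reported on the page.
    print(elf_profile(build_elf32([PT_LOAD, PT_LOAD])))
    print(elf_profile(build_elf32([PT_INTERP, PT_LOAD, PT_DYNAMIC])))
    print(suspicious_processes({1: "/sbin/init", 4242: "/tmp/tmphluyl8zn (deleted)"}))
```

The "exe unlinked while running" check is the cheapest host-level signal for the self-delete behaviour, since the overwritten and removed file is gone but the mapped image is not; pairing it with the static 32-bit x86 ELF profile narrows false positives from ordinary package upgrades that leave long-running daemons on deleted binaries.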

Discovery

3 techniques
T1082 System Information Discovery (evidence: 3)

The content repeatedly describes malware and threat actors collecting host details such as OS version, hostname, architecture, CPU, memory, BIOS, domain, language, and other configuration data; e.g., "APT41 uses multiple built-in commands such as systeminfo and net config Workstation to enumerate victim system basic configuration information."

T1083 File and Directory Discovery (evidence: 3)

Notably, AcidRain was a ham-fisted wiper rather than a specifically tailored solution. It operates by iterating over all possible devices in hardcoded paths, wiping each, before wiping essential directories.

T1120 Peripheral Device Discovery (evidence: 1)

Impact

6 techniques
T1485 Data Destruction (evidence: 5)

"AcidPour includes functionality to overwrite victim devices with the content of a buffer to wipe disk content."

T1490 Inhibit System Recovery (evidence: 1)

The references include multiple wiper campaigns and destructive malware operations such as NotPetya, SwiftSlicer, AcidRain, AcidPour, and DynoWiper associated with Sandworm/APT44.

T1529 System Shutdown/Reboot (evidence: 3)

Notable similarities include the use of the same reboot mechanism, the exact logic of the recursive directory wiping, and most importantly the use of the same IOCTL-based wiping mechanism used by both AcidRain and the VPNFilter plugin ‘dstr’.

T1561 Disk Wipe (evidence: 2)

SentinelLABS has discovered a novel malware variant of AcidRain... The new malware, which we call AcidPour, expands upon AcidRain’s capabilities and destructive potential to now include Linux Unsorted Block Image (UBI) and Device Mapper (DM) logic, better targeting RAID arrays and large storage devices.

T1561.001 Disk Content Wipe (evidence: 3)

Depending on the device type, a different wiping mechanism is engaged, overwriting the device repeatedly with the contents of a 256kb buffer.

T1561.002 Disk Structure Wipe (evidence: 1)

This malware is capable of wiping and deleting non-standard Linux files and overwriting storage device files that might be related to routers, SSD cards and many more.

INDICATORS OF COMPROMISE

IOCs tracked for this family

8 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

Network (5 tracked)

IPs, domains, and DNS infrastructure linked to this family.

Hashes (3 tracked)

File hashes (MD5, SHA-1, SHA-256) from samples and reports.

Type        | Value                                      | Latest sighting
hash.md5    | ●●●●●●●●●●●● (redacted; full value in app) | 1 year ago
hash.sha1   | ●●●●●●●●●●●● (redacted; full value in app) | 1 year ago
hash.sha256 | ●●●●●●●●●●●● (redacted; full value in app) | 1 year ago
ip.v4       | ●●●●●●●●●●●● (redacted; full value in app) | 1 year ago
domain      | ●●●●●●●●●●●● (redacted; full value in app) | 1 year ago
domain      | ●●●●●●●●●●●● (redacted; full value in app) | 1 year ago

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
IOC matching (8)

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution (2)

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping (12)

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.