Malware, used by 1 actor

Dustman

Dustman is a destructive wiper malware in the Iranian wiper ecosystem, described as a variant or successor closely related to ZeroCleare. Public reporting cited on this page identifies Dustman as a new variant similar to ZeroCleare and notes that both families mirrored Shamoon's use of modified legitimate drivers to achieve destructive effects. The malware is attributed here to Iranian state-aligned activity, particularly APT34/OilRig, and is also referenced more broadly as part of Iran's arsenal of more than 15 wiper families. Dustman was reportedly deployed heavily against energy and industrial sector targets, including targets in the Saudi energy sector, and is mentioned alongside operations affecting Bahrain's Bapco in late 2019 and early 2020. The cited reporting further notes that infrastructure associated with the Fox Kitten campaign could potentially be used to spread and activate destructive malware such as ZeroCleare and Dustman. High-confidence behavioral detail in the cited material is limited, but the core described capability is destructive wiping using modified legitimate drivers in a manner similar to Shamoon/ZeroCleare. No specific indicators of compromise are provided.


THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers.

OilRig

“...it can also be used as a platform for spreading and activating destructive malware such as ZeroCleare and Dustman, tied to APT34.”

via ClearSky blog (clearskysec.com)
MITRE ATT&CK

Techniques & procedures

3 distinct techniques documented for this family, organized by ATT&CK tactic.

Stealth

1 technique
T1218 System Binary Proxy Execution (evidence: 1)

ZeroCleare and Dustman mirrored Shamoon’s reliance on modified legitimate drivers to achieve destructive effects.

Impact

2 techniques
T1485 Data Destruction (evidence: 3)

Instead, they opted for rapid, recursive file-level destruction, overwriting targeted files with 4096-byte blocks of random data.

T1561 Disk Wipe (evidence: 1)

These attacks utilized spearphishing to gain initial access, eventually relying on the EldoS RawDisk driver to bypass Windows APIs and overwrite the master boot record (MBR).
