SwiftSlicer: a Malware Developed During Russia-Ukraine War

Researchers at CloudSEK’s Threat Intelligence Team came across a malware strain dubbed ‘Swiftslicer’ linked with APT SandWorm.
Published on February 21, 2023. Updated on April 19, 2023.
  • Category: Adversary Intelligence
  • Industry: Multiple
  • Motivation: State Sponsored
  • Region: Ukraine
  • Source: A1

Executive Summary

Researchers at CloudSEK’s Threat Intelligence Team came across a malware strain dubbed ‘Swiftslicer’ linked with APT SandWorm. SwiftSlicer was first discovered in late January 2023 by researchers at ESET and is considered part of the set of malware families developed to target Ukraine during the Russia-Ukraine war, alongside HermeticWiper and CaddyWiper.

Open Web Analysis

Based on the tweet by ESET, the malware was deployed onto Ukrainian networks through Active Directory Group Policy, which is the likely initial attack vector. At the time of writing, no organizations outside of Ukraine were known to have been targeted by Swiftslicer.

Behavior & Attributions

The following characteristics have been attributed to the Swiftslicer malware:

  • The malware is written in the Go language.
  • It attempts to delete Volume Shadow Copies, a known behavior of ransomware groups (Command: wmic shadowcopy delete).
  • It drops a binary file in the Desktop directory.
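The shadow copy deletion above is the one concrete, loggable action this report attributes to SwiftSlicer, so it is the natural detection hook. The following is an added example written for this page (it is not CloudSEK's or ESET's code): a small Python triage routine that scans process-creation events for a WMIC invocation carrying the SHADOWCOPY ... DELETE verb. The event layout is modelled loosely on Sysmon event 1 / Windows Security event 4688, and every host name, path and command line in the sample set is constructed for the example, not captured from a real infection. The check generalises the page's exact command string: it is case-insensitive, ignores extra whitespace and intervening switches or a WHERE clause, and recognises wmic from either the image path or the first command-line token, so a copied or renamed wmic.exe that still announces itself as wmic is caught.

```python
"""Detect Volume Shadow Copy deletion via WMIC in process-creation telemetry.

Constructed example for the SwiftSlicer write-up. The only behaviour it keys on
is the `wmic shadowcopy delete` command reported for the malware. Event fields
are modelled on Sysmon event 1 / Windows 4688; all sample values are made up.
"""
from __future__ import annotations

WMIC_NAMES = {"wmic", "wmic.exe"}


def _basename(path: str) -> str:
    """Last path component, tolerant of either slash style and surrounding quotes."""
    return path.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_shadowcopy_deletion(event: dict) -> bool:
    """True when the event is a WMIC invocation that deletes shadow copies.

    The match requires the SHADOWCOPY alias followed (anywhere later on the
    command line) by the DELETE verb, so `wmic shadowcopy list brief` does not
    alert while `wmic /node:... shadowcopy where "..." delete` does.
    """
    tokens = [t.strip('"') for t in event.get("cmdline", "").lower().split()]
    if not tokens:
        return False
    # WMIC is recognised from the image path or from the first token, which also
    # covers a renamed copy of wmic.exe launched with the usual argument style.
    invoked_wmic = (
        _basename(event.get("image", "")) in WMIC_NAMES
        or _basename(tokens[0]) in WMIC_NAMES
    )
    if not invoked_wmic:
        return False
    try:
        alias_pos = tokens.index("shadowcopy")
    except ValueError:
        return False
    return "delete" in tokens[alias_pos + 1:]


def triage(events: list[dict]) -> list[dict]:
    """Return one alert per matching event with the fields an analyst needs first."""
    return [
        {
            "host": e["host"],
            "image": e["image"],
            "parent": e.get("parent", ""),
            "cmdline": e["cmdline"],
            "rule": "wmic_shadowcopy_delete",
        }
        for e in events
        if is_shadowcopy_deletion(e)
    ]


# Constructed sample telemetry (hypothetical hosts ws01..ws05).
SAMPLE_EVENTS = [
    {"host": "ws01", "parent": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic shadowcopy delete"},                      # the reported command
    {"host": "ws02", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic os get caption"},                         # benign wmic use
    {"host": "ws03", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": 'WMIC  /node:"localhost"  SHADOWCOPY   DELETE'},  # case/spacing/switch
    {"host": "ws04", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Users\jdoe\Desktop\svc.exe",                 # renamed wmic copy
     "cmdline": "wmic shadowcopy where \"ID='{C0FFEE}'\" delete"},
    {"host": "ws05", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic shadowcopy list brief"},                  # enumeration only
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(f"[ALERT] {alert['host']} {alert['image']}: {alert['cmdline']}")
```

Because the rule evaluates the wmic process itself rather than its parent, a `cmd /c` or script wrapper still produces an alert on the child wmic.exe creation event, which is the event most endpoint sensors record. Pair the alert with the parent image and, for a Group Policy deployed payload, with the originating policy script so the AD abuse the report describes can be traced back during response.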

Relation Between Swiftslicer & Sandworm

Sandworm is a known APT group operating actively out of Russia and attributed to General Staff Main Intelligence Directorate (GRU) Main Center for Special Technologies (GTsST) military unit 74455.

APT Sandworm has been actively targeting carefully chosen industries based in Ukraine. In September 2022, Sandworm deployed malware in telecommunications entities. Their known TTPs also include abusing the victims' Active Directory.

Indicators of Compromise (IOCs)

Based on the results from VirusTotal and Triage, the following are the known IOCs for Swiftslicer malware.

Known AV Signature

W32/Malicious_Behavior.VEX (Fortiguard)
