A new variant of the AcidRain malware [3] [4], known as AcidPour, has been discovered by SentinelLabs [2] [4]. The variant is attributed to the Sandworm subgroup UAC-0165, believed to be operated by Russia’s GRU [2], and poses a significant threat to a wider range of devices [4].

Description

AcidPour expands the wiper’s reach to NAS devices, networking equipment [1] [3] [4], IoT devices [1] [4], and Linux x86 distributions [1] [2] [4]. It is built for x86 systems and shares approximately 30 percent of its codebase with AcidRain [3]. Both variants can wipe data from the devices they run on [3], with AcidPour specifically targeting systems that rely on flash memory [3]. NSA Director Rob Joyce has expressed concern over AcidPour’s power and the breadth of hardware and operating system types it covers [2]. The transition from AcidRain to AcidPour indicates a strategic intent to cause significant operational impact by disrupting critical infrastructure and communications [2] [4]. AcidPour’s modifications make it suitable for a broader range of targets [3]; the key changes include the ability to target different types of memory, which also makes analysis more challenging [3]. While AcidPour has not been directly attributed to any specific threat group, its connection to Russian military intelligence and to disruptions in Ukrainian telecommunication networks suggests a link to threat clusters associated with this entity. SentinelLabs continues to monitor these activities and seeks support from the research community [4].

Conclusion

The emergence of AcidPour highlights the evolving threat landscape and the need for enhanced cybersecurity measures. Organizations must be vigilant in protecting their systems against such advanced malware. Collaboration between security researchers and industry experts is crucial in identifying and mitigating potential risks. The implications of AcidPour’s capabilities on critical infrastructure and communications underscore the importance of proactive defense strategies to safeguard against cyber threats.

References

[1] https://cybersocialhub.com/csh/russian-hackers-target-ukrainian-telecoms-with-upgraded-acidpour-malware/
[2] https://www.infosecurity-magazine.com/news/acidpour-wiper-linux-ukraine/
[3] https://duo.com/decipher/new-acidpour-wiper-malware-found-in-ukraine
[4] https://www.globalsecuritymag.com/acidpour-new-embedded-wiper-variant-of-acidrain-appears-in-ukraine.html