SandWorm GRU Unit 74455 Red-Team Wiper Released as Training Sample
Published
Key Takeaways
- Advanced simulation: A new red-team tool, SandWorm11-24-25.exe, has been released, replicating the destructive techniques of the GRU Unit 74455 (Sandworm).
- LotL: The AI-generated Go binary uses only native Windows utilities to execute its functions, making it a powerful example of living-off-the-land malware.
- High impact TTPs: The tool demonstrates 121 MITRE ATT&CK techniques, including inhibiting system recovery (T1490) and clearing event logs (T1070.001).
A new open-source wiper, SandWorm11-24-25.exe, has been released by red-team operator Andres Mercado as a powerful cybersecurity training tool. The malware is designed to emulate the destructive kill chain used by sophisticated threat actors like the Russian GRU Unit 74455, also known as Sandworm.Â
Written in just 90 lines of AI-generated Go code, the tool is notable for its reliance on "living-off-the-land" (LotL) methods, using only built-in Windows binaries to achieve its objectives on a fully patched Windows 11 system. This approach avoids dropping external payloads like Mimikatz or Cobalt Strike, making detection significantly more challenging.
Analysis of Key MITRE ATT&CK Techniques
The SandWorm red-team wiper executes a sequence of high-impact Tactics, Techniques, and Procedures (TTPs) within a single binary. It demonstrates how an attacker can achieve complete system destruction and inhibit recovery.Â
Key techniques include T1490 (Inhibit System Recovery), using vssadmin and bcdedit to delete shadow copies and disable recovery options.Â
It also performs disk content wipes (T1561.001) with cipher and fsutil to make forensic recovery nearly impossible.Â
Furthermore, it showcases credential access through LSASS memory dumping (T1003.001) and defense evasion by disabling Windows Defender (T1562.001) and clearing event logs (T1070.001), effectively blinding security operations centers.
Implications for Cybersecurity Defensive Training
The release of this tool serves as a critical resource for blue teams and cybersecurity professionals. Andres Mercado said it provides a tangible artifact for security teams to:
- Detonate in a lab environment,Â
- Map the attack chain,Â
- Develop robust detection methods for real-world GRU Unit 74455 techniques.Â
By training on this sample, Mercado said defenders can build the "muscle memory" needed to respond to a fast-moving, destructive attack where every second counts.Â
The malware’s sequence—using native command-line tools like cmd, vssadmin, bcdedit, and cipher—is what organizations are likely to face in a real state-sponsored cyberattack, making hands-on analysis an essential preparatory step.
Active since at least 2009, Sandworm operates under Russia's Military Unit 74455 of the Main Intelligence Directorate (GRU), focusing on destructive and disruptive cyberattacks predominantly targeting Ukraine – with a cyber espionage campaign that distributed trojanized Microsoft KMS activation tools that disseminate DarkCrystal RAT (DcRAT) earlier this year.
In October, the open-source Red Team tool Adaptix was exploited by cybercriminals with Russian Ties, including Akira Ransomware.
Related
Get expert insights on threats, breaches, scams, and security trends — delivered every Saturday.
Most Popular
Get expert insights on threats, breaches, scams, and security trends — delivered every Saturday.
Most Popular