Skip to main content

Home CaddyWiper


Also known as: None

Category: Malware

Type: Wiper malware

Platform: Windows

Variants: – 

Damage potential: Malware infection, file encryption, file corruption and loss, system performance issues, network connectivity problems, and financial loss.


CaddyWiper is a relatively new data-wiping malware that targets Windows devices. It can damage computer systems in several ways, from overwriting all non-system files and disk partitions with zeros to tampering with access control entries. A CaddyWiper infection corrupts the operating system, making the device unusable. The malware was first detected in Ukraine in 2022. It appears to spread through Group Policy Objects (GPOs) when the network is already infected — the tools network admins use to configure computers.

Possible symptoms

CaddyWiper tries to avoid detection by antivirus software, making it difficult to catch it in the early stages of infection. Here are several symptoms that may suggest an infection. 

  • Unexpected file changes (names or sizes). 
  • Unusually slow computer performance. 
  • Unauthorized user access (new user accounts). 
  • Unusually high disk activity.  
  • Security software alerts. 
  • Unauthorized changes to group policies. 
  • Missing files or disk partitions. 
  • MBR corruption (for example, you can’t reboot your device). 

Sources of infection

CaddyWiper malware may spread in many ways, with attackers often using social engineering tactics. Here’s how CaddyWiper may infect networks and devices. 

  • Phishing emails. CaddyWiper may use phishing (or spear phishing) emails that target company employees.
  • Compromised downloads. Downloading and installing malicious files from untrusted sources may lead to a CaddyWiper infection.
  • Exploiting system vulnerabilities. Attackers may target unpatched security vulnerabilities in the system or network to spread CaddyWiper.
  • Malicious attachments. Employees may receive spam emails with malicious attachments that install CaddyWiper once opened. 
  • Remote Desktop Protocol (RDP) exploits. If the Remote Desktop Protocol (RDP) is left open and unsecured on the internet, attackers may use it to access the network.


CaddyWiper attacks can cause irreparable damage to network systems. Here’s how to protect networks and devices from this wiper. 

  • Back up your data. Attackers use wipers to destroy an organization’s data. Make sure you perform regular data backups to limit the long-term impact of such attacks. 
  • Provide cybersecurity training. Wipers often infect systems through spear phishing attacks. Provide company-wide training to educate employees about these threats. 
  • Improve email security. Ensure your organization uses the strongest email security measures to block potentially malicious emails and attachments. 
  • Patch up vulnerabilities. CaddyWiper and other malware may enter systems through security vulnerabilities. Ensure all your employees promptly install updates. 
  • Use NordVPN. Select NordVPN plans include Threat Protection Pro, an advanced feature that blocks malicious sites, web trackers, and annoying ads. It also checks files for malware during download to prevent malicious infections. 


Removing CaddyWiper may be challenging because it is a highly sophisticated type of malware. It’s best to work with a specialist in the field to ensure that CaddyWiper is removed from the network.