Skip to main content

Home Swiftslicer


Also known as: - 

Category: Malware

Type: Wiper

Platform: Windows

Variants: -

Damage potential: Capable of causing significant data loss and operational disruption. It erases, overwrites, or modifies key system files, deletes shadow copies, and renders the computer inoperable.


The Swiftslicer malware was identified in early 2023, during cyberattacks targeting Ukrainian organizations. This wiper malware is attributed to a state-backed hacking group associated with Russia’s GRU (General Staff Main Intelligence Directorate). Swiftslicer overwrites key system files, making the infected machines inoperable. It typically targets critical infrastructure and governmental networks, disrupting operations and data integrity.

Possible symptoms

If Swiftslicer infects your device, you might start experiencing frequent crashes or blue screen errors when the malware disrupts essential system processes and files. You might also find it impossible to access key system files because they are being overwritten.

Other symptoms of Swiftslicer malware may include:

  • Data corruption. Swiftslicer erases or modifies files on the targeted system, resulting in extensive data loss and corruption.
  • Unusual disk activity. If you use performance monitoring tools, you might notice high levels of disk activity as the malware rapidly overwrites data.
  • Inability to access network resources. Aside from being unable to access system files, you might also be unable to access network resources due to the corruption of network configuration files and settings.
  • System reboots. You might encounter repeated system restarts, because Swiftslicer forces the infected system to reboot after wiping the data.
  • Shadow copy deletion. Swiftslicer deletes backup copies of files and volumes, preventing data recovery.
  • Active Directory Group policy changes. This wiper malware enforces Active Directory Group policy changes and spreads across all devices within the Windows network.

Sources of the infection

Like most wiper malware, Swiftslicer is typically delivered through several common methods, each aimed at infiltrating the target system and executing the destructive payload:

  • Phishing emails. You might receive malicious emails containing infected attachments or links that execute the malware on your machine when you open them.
  • Known or zero-day vulnerabilities. Hackers might exploit vulnerabilities in your software or network services to gain unauthorized access and deploy Swiftslicer.
  • Compromised software updates. Attackers might insert the malware into legitimate software updates, often through supply chain attacks, to spread the infection to multiple systems.
  • Remote access tools. Cybercriminals might compromise and utilize remote access tools to infiltrate networks and manually deploy the malware.
  • Lateral movement techniques. Hackers might use techniques such as exploiting weak credentials or misconfigured network settings in order to spread Swiftslicer from already infected machines within a network to other devices.
  • Compromised Active Directory Environments. If an attacker infects your network and gets administrative privileges within the Active Directory, they can execute commands or scripts across all devices that are connected to the network.


To stop the fast-acting and ruthless Swiftslicer, you’ll have to implement both proactive and reactive security measures to protect your computers and networks:

  • Be cautious with emails from unknown senders, avoid clicking on links or attachments.
  • Enable multi-factor authentication (MFA) for extra protection against unauthorized access.
  • Regularly update and patch all software and systems to fix vulnerabilities.
  • Implement endpoint security solutions that include antivirus, anti-malware, and behavior analysis.
  • Apply network segmentation to limit the spread of malware within the network. Isolate critical systems and data from other network segments.
  • Maintain regular, secure backups of all critical data. Store the backups offline or in secure cloud storage.
  • Prevent Swiftslicer from infecting your device by using NordVPN’s Threat Protection Pro tool that scans files for malware during download. 

Swiftslicer malware removal

To handle Swiftslicer removal yourself, you’ll have to contain and eradicate the malware, then take steps to recover from the infection:

  • Isolate and physically disconnect affected machines from the network.
  • Scan all network segments and devices for signs of the malware. Identify infected systems and potential entry points.
  • Run scans with anti-malware tools on infected systems to detect and remove the wiper malware. You might need to manually remove the infection.
  • Restore data and configurations from clean, offline backups.
  • Review logs and other forensic data to understand how the malware entered the system and spread.
  • Update security policies and protocols.