AcidRain malware wiped out Ukraine’s KA-SAT satellite modems


Cybersecurity experts recently discovered another data-wiper malware, dubbed AcidRain, that attacked KA-SAT, a telecommunication satellite owned by Viasat. The attack affected thousands of Ukrainian citizens as well as users in various countries in Europe.

The sophisticated new wiper was found in the middle of March. It can brute-force file names and wipe every file present on a targeted device, which makes it easier to redeploy in subsequent attacks. Once the threat actors launch it, it goes directly through the filesystem of the compromised modem or router and wipes memory cards and any other virtual block devices present.

According to analysts, the malware destroys all files on a compromised machine either by overwriting them with 0x40000 bytes of data or by using input/output control (IOCTL) calls such as MEMGETINFO, MEMUNLOCK, MEMERASE, and MEMWRITEOOB. Once the wiping process finishes, the compromised device is unusable.
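As an added example (not from the original article or the analysts it cites), the overwrite and IOCTL behaviour described above can be turned into a simple detection pass over a syscall trace. The strace-style line format, the constructed sample trace, the `scan` function and its `min_chunk_writes` threshold are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Assumed input: `strace -f -o` style lines, "<pid> syscall(args) = ret".
CALL = re.compile(r'^(\d+)\s+(\w+)\((.*)\)\s+=\s+(-?\d+)')
MTD_DESTRUCTIVE = {"MEMUNLOCK", "MEMERASE", "MEMWRITEOOB"}  # named in the article
CHUNK = 0x40000  # overwrite size named in the article

def scan(lines, min_chunk_writes=2):
    """Return {pid: [(indicator, device_path), ...]} for wipe-like behaviour."""
    fds = defaultdict(dict)        # pid -> {fd: path}
    chunks = defaultdict(int)      # (pid, path) -> count of 0x40000-byte writes
    findings = defaultdict(list)
    for line in lines:
        m = CALL.match(line.strip())
        if not m:
            continue               # skip signals and unfinished calls
        pid, name, args, ret = m[1], m[2], m[3], int(m[4])
        if name in ("open", "openat") and ret >= 0:
            path = re.search(r'"([^"]+)"', args)
            if path:
                fds[pid][ret] = path[1]
            continue
        fd_text = args.split(",", 1)[0].strip()
        if name not in ("ioctl", "write", "close") or not fd_text.isdigit():
            continue
        fd = int(fd_text)
        path = fds[pid].get(fd, "")
        if name == "close":
            fds[pid].pop(fd, None)  # fd numbers are reused after close
        elif name == "ioctl":
            parts = args.split(",")
            req = parts[1].strip() if len(parts) > 1 else ""
            hit = (req, path)
            if req in MTD_DESTRUCTIVE and path.startswith("/dev/mtd") \
                    and hit not in findings[pid]:
                findings[pid].append(hit)
        elif ret == CHUNK and path.startswith("/dev/"):
            chunks[(pid, path)] += 1
            if chunks[(pid, path)] == min_chunk_writes:
                findings[pid].append(("CHUNK_WRITES", path))
    return {pid: hits for pid, hits in findings.items() if hits}

# Constructed sample trace: pid 412 shows the wipe pattern, pid 977 is benign.
SAMPLE = """412 openat(AT_FDCWD, "/dev/mtd0", O_RDWR) = 3
412 ioctl(3, MEMGETINFO, 0x7ffc1000) = 0
412 ioctl(3, MEMUNLOCK, 0x7ffc1010) = 0
412 ioctl(3, MEMERASE, 0x7ffc1010) = 0
412 close(3) = 0
412 openat(AT_FDCWD, "/dev/sda", O_WRONLY) = 3
412 write(3, "AAAA"..., 262144) = 262144
412 write(3, "AAAA"..., 262144) = 262144
977 openat(AT_FDCWD, "/dev/mtd0", O_RDONLY) = 3
977 ioctl(3, MEMGETINFO, 0x7ffd2000) = 0
977 openat(AT_FDCWD, "/var/log/app.log", O_WRONLY) = 4
977 write(4, "AAAA"..., 262144) = 262144""".splitlines()
```

MEMGETINFO alone is not flagged because it only reads flash geometry; the alert fires on the unlock, erase and out-of-band write requests or on repeated 0x40000-byte writes to a device node.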


Experts also presume that AcidRain was designed exclusively for the operation against Ukraine that caused the KA-SAT outage.


The wiper overwrote the data on KA-SAT modems and routers, rendering them inoperable.

Previously, a Viasat incident report stated that the company had found no evidence of compromise of its modem software or firmware images, nor of any interference with its supply chain. That statement has been proved wrong now that the attack has been confirmed.

A separate security researcher has also confirmed the initial investigation into the wiper malware, and experts seconded that finding since it matches AcidRain’s output in its overwriting procedure.

Viasat added that they would be sharing further details upon completing their forensic investigations.

Since the Russia-Ukraine conflict began, seven data wiper malware attacks targeting Ukraine have been recorded. Ukrainian companies were first targeted by a wiper called DoubleZero, followed by HermeticWiper, alongside other ransomware decoys. Then another one called IsaacWiper was deployed, followed by the fourth one, named CaddyWiper.

The fifth malware launched by threat actors was WhisperKill, followed by the sixth one called WhisperGate malware – a data wiping payload masquerading as ransomware.
