Wiper malware variant linked to Viasat attack during the Ukraine conflict sparks fresh concerns
Corporate stakeholders are increasingly interested in understanding the risk calculus of their technology stacks, with a particular focus on whether they are potential targets. This concern has been heightened by the emergence of a new variant of the AcidRain wiper malware, named AcidPour.
Security researchers have identified AcidPour, an advanced malware strain under active observation that specialises in destructive data-wiping attacks. It targets critical infrastructure, including satellite communications and Internet of Things (IoT) devices, with the specific aim of disrupting those systems.
AcidPour builds upon the capabilities of its predecessor, AcidRain, by enhancing targeting and operational resilience. This new variant poses a significant threat to space-edge systems and networked devices.
AcidRain originally gained notoriety for disabling satellite ground modems, such as those on the KA-SAT satellite network, causing widespread communication outages. AcidPour, observed as of mid-2025, continues this destructive trend: it can delete or corrupt critical file systems and initialization components, notably on the Linux-based systems used in infrastructure.
The operational threat posed by AcidPour includes:
- Satellite communications disruption: AcidPour targets ground stations and modems that link satellite constellations to terrestrial networks, effectively silencing or impairing satellite communication capabilities. This is critical since space-edge systems rely on uninterrupted data flows for navigation, telemetry, and command functions.
- IoT and industrial systems: AcidPour can compromise Linux init systems and other control components in IoT or industrial devices, causing large-scale operational denial, or physical damage when control commands are lost or systems reset.
- Broad destructive capabilities: As a wiper, AcidPour permanently deletes data rather than merely encrypting it, so the damage is irreversible where no backups exist. This makes recovery considerably harder for targeted organisations.
Mitigation efforts against AcidPour focus on zero trust security frameworks, especially in satellite and space-edge architectures: container security, fine-grained workload policies, and kernel-level enforcement to isolate and contain attacks. These measures align with standards such as NIST SP 800-207 and are complemented by adversarial testing frameworks such as MITRE ATT&CK and CALDERA to validate defences against wipers of this class.
Tom Hegel, a principal threat researcher, stated that the intent of AcidPour is to impact Ukrainian operations at a larger scale and to continue disrupting key infrastructure and communication capabilities for its targets. The advent of AcidPour shows that Russia-linked actors are continuing to evolve their tactics and capabilities.
In 2023, the White House launched an effort to focus cyber resilience efforts on space, amid growing concern about malicious attacks against satellite communications and other critical technologies. The Ukraine invasion has raised concerns about malicious cyber activity targeting critical infrastructure in NATO member countries, including the U.S.; in 2022, the White House warned of possible cyberattacks against U.S. targets in retaliation for the economic sanctions imposed during the war.
AcidPour has capabilities beyond AcidRain's, putting at risk embedded devices such as IoT, networking, large-storage, and industrial control systems running Linux x86 distributions. The malicious activity disrupted thousands of satellite broadband customers in Ukraine and tens of thousands of fixed broadband customers across Europe, coinciding with the disruption of multiple telecom networks in Ukraine, which have been offline since March 13.
In summary, AcidPour is a current, formidable variant of the AcidRain wiper malware that leverages destructive deletion tactics primarily against satellite ground infrastructure and Linux-based IoT systems. Its capabilities threaten the integrity and availability of critical communication and control systems, necessitating robust zero trust security measures in affected sectors.
- Corporate stakeholders' rising interest in the risk calculus of their technology stacks is rooted in the realization that their systems could become targets, as the emergence of the destructive data-wiping malware AcidPour demonstrates.
- The intensifying focus on cybersecurity in politics and general news can be attributed to the expanding destructive capabilities of malware strains like AcidPour, which threaten critical infrastructure technologies such as satellite communications and IoT devices.