AcidPour is a destructive Linux-based wiper malware believed to be a more capable variant of AcidRain. It targets x86 devices including modems, routers, and potentially industrial control systems (ICS). AcidPour was identified wiping firmware partitions on devices in Eastern Europe in 2023.
The AcidPour binary performs a recursive overwrite of storage devices and partitions using /dev/loop and /dev/sd*. It wipes bootloaders, user data, and mounted filesystems using dd if=/dev/zero. Compared to AcidRain, it supports more targets and covers a broader range of hardware.
Attribution is not yet confirmed. However, AcidPour shares functional and structural similarities with AcidRain, which was previously linked to attacks on Ukrainian Viasat modems. Its targeting of infrastructure suggests a nation-state APT may be behind it.
e1c23a9a8ddbd2f2f42cf872e98a1e8d2c3d9910ec3cb3db4a0e5b2e4f6dddf3
ap_wiper.bin
dd if=/dev/zero of=/dev/sda bs=4M
Platform: Linux
Permissions Required: root
Tactic: Impact
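The Python below is an added example, not part of the original profile or any vendor detection rule: it flags process command lines in which dd zero-fills a /dev/sd* or /dev/loop* device, the behaviour described above, including when the command is wrapped in sh -c. The function names and the sample command lines are assumptions constructed for illustration.

```python
import re
import shlex

# Device families this page names as overwrite targets: /dev/sd* and /dev/loop*.
BLOCK_DEV = re.compile(r"^/dev/(sd[a-z]+\d*|loop\d+(p\d+)?)$")

def tokens(cmdline):
    """Shell-style tokens; a quoted argument (sh -c '...') is re-split."""
    lex = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    lex.whitespace_split, lex.commenters = True, ""
    out = []
    for tok in lex:  # raises ValueError on unbalanced quotes
        try:
            out.extend(tokens(tok) if " " in tok else [tok])
        except ValueError:
            out.append(tok)  # keep an argument that is not shell text
    return out

def dd_zero_fill_target(cmdline):
    """Return the block device a dd invocation zero-fills, or None."""
    try:
        argv = tokens(cmdline)
    except ValueError:
        return None
    for i, arg in enumerate(argv):
        if arg.rsplit("/", 1)[-1] != "dd":
            continue
        ops = {}  # dd operands are key=value pairs in any order
        for tok in argv[i + 1:]:
            if tok and tok[0] in "();<>|&":  # next shell command starts here
                break
            key, sep, val = tok.partition("=")
            if sep:
                ops[key] = val
        if ops.get("if") == "/dev/zero" and BLOCK_DEV.match(ops.get("of", "")):
            return ops["of"]
    return None

SAMPLE_CMDLINES = [  # constructed for this example, not captured telemetry
    "dd if=/dev/zero of=/dev/sda bs=4M",
    "sh -c 'dd if=/dev/zero of=/dev/loop0; sync'",
    "/bin/dd of=/dev/sdb1 if=/dev/zero",
    "dd if=/dev/zero of=/tmp/swapfile bs=1M count=512",  # benign: regular file
    "dd if=/dev/sda of=/mnt/backup/sda.img bs=4M",       # benign: disk backup
]

def scan(cmdlines):
    """Map each flagged command line to the device it would zero-fill."""
    hits = ((c, dd_zero_fill_target(c)) for c in cmdlines)
    return {c: dev for c, dev in hits if dev}
```

Feed scan() the command-line field from process-execution telemetry such as auditd EXECVE records; separator splitting relies on the shlex behaviour of Python 3.8 or later.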
While AcidRain focused on the MIPS architecture (e.g. satellite modems), AcidPour has expanded targeting to Linux x86 systems, possibly indicating a shift to more terrestrial infrastructure targets. Both operate as firmware-level wipers, but AcidPour has improved resilience and more aggressive device targeting logic.