DynoWiper Malware Targets Energy Firms in Destructive Data-Wiping Attacks


A new data-wiping malware dubbed DynoWiper was deployed against an energy company in Poland in late December 2025.

The malware’s tactics, techniques, and procedures closely mirror those observed in earlier ZOV wiper incidents in Ukraine, prompting ESET to attribute DynoWiper to Sandworm with medium confidence.

Unlike ZOV, which carries a high-confidence Sandworm attribution, DynoWiper receives only a medium-confidence rating because of limited visibility into its initial access methodology.

Sandworm represents a Russia-aligned threat group known for conducting destructive cyberattacks against critical infrastructure, particularly energy companies.

The group gained prominence through its 2015-2016 attacks against Ukrainian energy firms, causing widespread power outages.

Since then, Sandworm has deployed an extensive arsenal of destructive malware including NotPetya, Industroyer, Olympic Destroyer, and most recently, DynoWiper and ZOV wipers.

The U.S. Department of Justice has charged six Russian GRU officers affiliated with Unit 74455 for conducting these operations.

DynoWiper Malware

The DynoWiper attack unfolded across three distinct phases. On December 29th, 2025, three samples were deployed to C:\inetpub\pub\: schtask.exe, schtask2.exe, and an update executable.

Analysis of PDB paths revealed references to a Vagrant username, suggesting attackers tested the malware on virtual machines before deploying it.

The first deployment attempt failed; attackers subsequently modified the wiper code and recompiled it twice within hours. All three variants were ultimately blocked by ESET PROTECT, an EDR/XDR solution installed on targeted systems.

DynoWiper’s operational workflow overwrites files using a 16-byte random buffer generated at execution start. Files smaller than 16 bytes are completely overwritten; larger files have only portions destroyed to accelerate the process.

The first phase recursively wipes files across removable and fixed drives while excluding critical system directories including System32, Windows, Program Files, and AppData.

The second phase exhibits variable behavior across variants: some skip the excluded directories in root locations, while the final schtask2.exe variant deletes all files via DeleteFileW without restrictions. The third phase forces a system reboot, completing the data destruction.

Unlike Industroyer and Industroyer2, which target operational technology environments, DynoWiper focuses exclusively on IT infrastructure.

ESET notes that successful destructive malware deployment typically requires Domain Admin privileges, achieved through compromised Active Directory infrastructure.

However, ESET cannot exclude the possibility that OT-targeting capabilities existed elsewhere in the attack chain.

Mitigations

Notably, attackers deployed additional tools within the victim’s network prior to wiper execution. Early attack phases involved attempts to download Rubeus, a publicly available Kerberos exploitation utility, and rsocx, a SOCKS5 proxy tool configured for reverse-connect mode to 31.172.71[.]5:8008.

DynoWiper demonstrates significant operational similarities to ZOV, including comparable directory exclusion logic and differentiated file-wiping approaches based on file size.

Attackers also attempted LSASS process dumping via Windows Task Manager. The proxy server was traced to ProGame, a programming school in Vladivostok, Russia, suggesting that this infrastructure had been compromised.

ZOV, detected during November 2025 operations against Ukrainian financial institutions, writes a distinctive 4,098-byte buffer prefixed with “ZOV” and null bytes.

[Figure: Wallpaper dropped by the ZOV wiper (Source: ESET researcher).]

After data destruction, ZOV executes command sequences to delete remaining drive contents and forces system reboot while displaying a desktop wallpaper bearing Russian military symbols.
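The wiping behavior described above (DynoWiper's partial overwrites, ZOV's "ZOV"-plus-nulls buffer) and the SHA-1 indicators in the IOC table below lend themselves to a small responder-side triage script. The following is an added example, not code from ESET or CERT Polska: it hashes files against the published SHA-1 list and flags files whose content begins with the ZOV overwrite pattern. The number of null bytes required after the marker (13, so that marker plus nulls spans 16 bytes) is an assumption made here; the page only states that the buffer is prefixed with "ZOV" and null bytes.

```python
import hashlib
import tempfile
from pathlib import Path

# SHA-1 indicators from the article's IOC table, keyed to their description.
IOC_SHA1 = {
    "472CA448F82A7FF6F373A32FDB9586FD7C38B631": "ZOV wiper (TMP_Backup.tmp.exe)",
    "4F8E9336A784A196353023133E0F8FA54F6A92E2": "ZOV wiper (TS_5WB.tmp.exe)",
    "4EC3C90846AF6B79EE1A5188EEFA3FD21F6D4CF6": "DynoWiper (_update.exe)",
    "86596A5C5B05A8BFBD14876DE7404702F7D0D61B": "DynoWiper (schtask.exe)",
    "69EDE7E341FD26FA0577692B601D80CB44778D93": "DynoWiper (schtask2.exe)",
    "9EC4C38394EA2048CA81D48B1BD66DE48D8BD4E8": "rsocx SOCKS5 proxy tool",
    "410C8A57FE6E09EDBFEBABA7D5D3E4797CA80A19": "Rubeus Kerberos toolset",
}
ZOV_MARKER = b"ZOV"
ZOV_BUFFER_LEN = 4098  # size of the overwrite buffer ESET describes
ZOV_NULL_RUN = 13      # assumption: nulls required after the marker before flagging

def sha1_ioc_match(path):
    """Return the IOC description if the file's SHA-1 is listed, else None."""
    digest = hashlib.sha1(Path(path).read_bytes()).hexdigest().upper()
    return IOC_SHA1.get(digest)

def looks_zov_wiped(path):
    """True if the file begins with the ZOV overwrite pattern: 'ZOV' then nulls."""
    with open(path, "rb") as f:
        head = f.read(len(ZOV_MARKER) + ZOV_NULL_RUN)
    return head.startswith(ZOV_MARKER) and head[len(ZOV_MARKER):] == b"\x00" * ZOV_NULL_RUN

def triage_tree(root):
    """Walk a tree; return ([(path, ioc_label)], [zov_wiped_path]) for the responder."""
    ioc_hits, wiped = [], []
    for p in Path(root).rglob("*"):
        if not p.is_file():
            continue
        label = sha1_ioc_match(p)
        if label:
            ioc_hits.append((str(p), label))
        if looks_zov_wiped(p):
            wiped.append(str(p))
    return ioc_hits, wiped

def build_sample_tree():
    """Constructed sample data (not incident evidence): a ZOV-style overwritten
    file, an intact document, and a file that merely begins with the letters ZOV."""
    root = Path(tempfile.mkdtemp(prefix="wiper_triage_"))
    (root / "report.docx").write_bytes(ZOV_MARKER + b"\x00" * (ZOV_BUFFER_LEN - 3))
    (root / "notes.txt").write_bytes(b"quarterly maintenance schedule\n")
    (root / "zov_prefix.txt").write_bytes(b"ZOV is a word here, not a wiper marker\n")
    return str(root)
```

DynoWiper's 16-byte random buffer leaves no fixed marker, so for that family the hash lookup is the only check this script can offer; partial overwrites are better confirmed from backups or file-integrity baselines.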

Attribution analysis identifies multiple supporting factors: operational overlap with Sandworm’s historical TTPs, targeting alignment with the group’s critical infrastructure focus, and Poland’s demonstrated history as a Sandworm objective.

However, counterarguments note Sandworm’s historical preference for covert operations or disguised ransomware attacks in Poland, rather than overt destructive campaigns.

Additionally, limited initial access visibility prevents comprehensive threat actor attribution of preparatory stages.

This attack exemplifies Sandworm’s demonstrated capability to obtain and maintain high-privilege access across intrusions. CERT Polska conducted the incident investigation and published detailed analysis of this significant threat activity.

IOCs

| SHA-1 | Filename | Detection | Description |
| --- | --- | --- | --- |
| 472CA448F82A7FF6F373A32FDB9586FD7C38B631 | TMP_Backup.tmp.exe | Win32/KillFiles.NMJ | ZOV wiper. |
| 4F8E9336A784A196353023133E0F8FA54F6A92E2 | TS_5WB.tmp.exe | Win32/KillFiles.NMJ | ZOV wiper. |
| 4EC3C90846AF6B79EE1A5188EEFA3FD21F6D4CF6 | _update.exe | Win32/KillFiles.NMO | DynoWiper. |
| 86596A5C5B05A8BFBD14876DE7404702F7D0D61B | schtask.exe | Win32/KillFiles.NMO | DynoWiper. |
| 69EDE7E341FD26FA0577692B601D80CB44778D93 | schtask2.exe | Win32/KillFiles.NMO | DynoWiper. |
| 9EC4C38394EA2048CA81D48B1BD66DE48D8BD4E8 | rsocx.exe | Win64/HackTool.Rsocx.A | rsocx SOCKS5 proxy tool. |
| 410C8A57FE6E09EDBFEBABA7D5D3E4797CA80A19 | Rubeus.exe | MSIL/Riskware.Rubeus.A | Rubeus toolset for Kerberos attacks. |
