ESET researchers detected the attack, where the malware aimed to erase data and crash systems. ESET PROTECT blocked it, limiting damage.
This marks a rare overt destructive strike on Poland’s power grid by Sandworm, known for past hits on Ukraine’s energy sector.
Sandworm, tied to Russia’s GRU Unit 74455, has a history of wiper attacks. It caused blackouts in Ukraine in 2015 and 2016 using Industroyer malware. In 2017, NotPetya wiped data via a software supply chain.
Olympic Destroyer hit the 2018 Winter Games. Since 2022, Sandworm has unleashed HermeticWiper, CaddyWiper, Prestige ransomware, ZOV wiper, and more, mostly in Ukraine.
In 2025 alone, ESET tracked over 10 such incidents. The group often tweaks code to dodge detection and deploys via Active Directory Group Policy after gaining domain admin access.
On December 29, 2025, attackers dropped DynoWiper samples into C:\inetpub\pub, a shared domain folder. Files included <redacted>_update.exe (timestamp: Dec 26), schtask.exe, and schtask2.exe (both Dec 29).
PDB strings hinted at Vagrant VM builds for testing. After failed runs, operators recompiled variants.
DynoWiper wipes in three phases. First, it overwrites files on fixed and removable drives with a 16-byte random buffer, skipping folders like system32, windows, and program files.
Small files (≤16 bytes) are fully overwritten; larger ones only partially, for speed. The second phase hits root directories harder; schtask2.exe deletes everything without overwriting. The third phase forces a reboot.
DynoWiper echoes the ZOV wiper seen in Ukraine (Nov 2025 and Jan 2024): both skip similar folders, handle files by size, and overwrite with buffers (ZOV's buffer starts with the string "ZOV", and ZOV drops a ZOV-themed wallpaper). Unlike Industroyer, there is no OT targeting; the focus is on IT systems.
Before the wiper ran, the operators used Rubeus for Kerberos attacks, dumped LSASS via Task Manager, and ran the rsocx SOCKS5 proxy to a compromised Russian server (31.172.71.5:8008).
Deployment used a PowerShell script similar to those used for ZOV and POWERGAP, pushing the binaries from shared paths. CERT Polska's report detailed the investigation.
ESET attributes DynoWiper to Sandworm with medium confidence. The attribution rests on matching wiper TTPs, GPO deployment, energy-sector targeting, and Sandworm's history in Poland (BlackEnergy and GreyEnergy espionage).
| SHA-1 | Filename | Detection | Description |
|---|---|---|---|
| 4EC3C90846AF6B79EE1A5188EEFA3FD21F6D4CF6 | <redacted>_update.exe | Win32/KillFiles.NMO | DynoWiper |
| 86596A5C5B05A8BFBD14876DE7404702F7D0D61B | schtask.exe | Win32/KillFiles.NMO | DynoWiper |
| 69EDE7E341FD26FA0577692B601D80CB44778D93 | schtask2.exe | Win32/KillFiles.NMO | DynoWiper |
| 9EC4C38394EA2048CA81D48B1BD66DE48D8BD4E8 | rsocx.exe | Win64/HackTool.Rsocx.A | SOCKS5 proxy |
| 410C8A57FE6E09EDBFEBABA7D5D3E4797CA80A19 | Rubeus.exe | MSIL/Riskware.Rubeus.A | Kerberos tool |
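A defender-side detection sketch for the deployment pattern above: per-event matches on the published SHA-1 values and on any execution from the C:\inetpub\pub staging share, plus a cross-host burst rule that catches the GPO-style mass push even when the operators recompile the binary. This is an added example, not ESET's, CERT Polska's or the attackers' code; the JSON-lines event format and its field names (host, ts, image, sha1) are assumptions, and the sample events are constructed.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# SHA-1 values are copied from the IoC table; the path is the shared domain folder from the article.
DYNOWIPER_SHA1 = {"4EC3C90846AF6B79EE1A5188EEFA3FD21F6D4CF6",
                  "86596A5C5B05A8BFBD14876DE7404702F7D0D61B",
                  "69EDE7E341FD26FA0577692B601D80CB44778D93"}
STAGING_DIR = "c:\\inetpub\\pub\\"

def parse_events(lines):
    """Constructed JSON-lines input; field names host/ts/image/sha1 are assumptions."""
    evs = [json.loads(line) for line in lines]
    for ev in evs:
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        ev["image"], ev["sha1"] = ev["image"].lower(), ev["sha1"].upper()
    return sorted(evs, key=lambda e: e["ts"])

def ioc_alerts(events):
    """Per-event hits: a known wiper hash, or any binary launched from the share."""
    out = []
    for ev in events:
        if ev["sha1"] in DYNOWIPER_SHA1:
            out.append(("high", ev["host"], "known DynoWiper SHA-1"))
        elif ev["image"].startswith(STAGING_DIR):
            out.append(("medium", ev["host"], "execution from staging share"))
    return out

def burst_alerts(events, window=timedelta(minutes=5), min_hosts=3):
    """Same share-hosted binary on >= min_hosts hosts inside `window`: the shape of a GPO push."""
    by_image = defaultdict(list)
    for ev in events:  # events are time-sorted by parse_events
        if ev["image"].startswith(STAGING_DIR):
            by_image[ev["image"]].append(ev)
    out = []
    for image, evs in by_image.items():
        for i, first in enumerate(evs):
            hosts = {e["host"] for e in evs[i:] if e["ts"] - first["ts"] <= window}
            if len(hosts) >= min_hosts:
                out.append(("high", image, sorted(hosts)))
                break
    return out

# Constructed sample: three hosts launch schtask.exe from the share within two
# minutes (one with an unknown, "recompiled" hash), plus one benign event.
SAMPLE = [json.dumps(e) for e in [
    {"host": "srv01", "ts": "2025-12-29T10:00:00", "image": r"C:\inetpub\pub\schtask.exe", "sha1": "86596A5C5B05A8BFBD14876DE7404702F7D0D61B"},
    {"host": "srv02", "ts": "2025-12-29T10:01:10", "image": r"C:\inetpub\pub\schtask.exe", "sha1": "86596A5C5B05A8BFBD14876DE7404702F7D0D61B"},
    {"host": "srv03", "ts": "2025-12-29T10:02:00", "image": r"C:\inetpub\pub\schtask.exe", "sha1": "1111111111111111111111111111111111111111"},
    {"host": "ws07", "ts": "2025-12-29T09:00:00", "image": r"C:\Windows\System32\notepad.exe", "sha1": "2222222222222222222222222222222222222222"},
]]
```

Running `ioc_alerts(parse_events(SAMPLE))` flags srv01 and srv02 on hash and srv03 on path only; `burst_alerts` then ties all three together as one deployment wave.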
Key MITRE ATT&CK Techniques
| Tactic | ID | Name |
|---|---|---|
| Resource Development | T1584.004 | Compromise Infrastructure: Server |
| Execution | T1059.001 | PowerShell |
| Credential Access | T1003.001 | LSASS Memory |
| Impact | T1561.001 | Disk Content Wipe |
| Impact | T1529 | System Shutdown/Reboot |
The post DynoWiper Wiper Malware Launches Destructive Attacks On Energy Firms appeared first on Cyber Security News.