
DynoWiper Wiper Malware Launches Destructive Attacks On Energy Firms

Russia-linked hackers from the Sandworm group targeted a Polish energy company with new wiper malware called DynoWiper in late December 2025.

ESET researchers detected the attack, in which the malware aimed to erase data and crash systems. ESET PROTECT blocked it, limiting damage.

This marks a rare overt destructive strike on Poland’s power grid by Sandworm, known for past hits on Ukraine’s energy sector.

Sandworm, tied to Russia’s GRU Unit 74455, has a history of wiper attacks. It caused blackouts in Ukraine in 2015 and 2016 using Industroyer malware. In 2017, NotPetya wiped data via a software supply chain.

Olympic Destroyer hit the 2018 Winter Games. Since 2022, Sandworm has unleashed HermeticWiper, CaddyWiper, Prestige ransomware, ZOV wiper, and more, mostly in Ukraine.

In 2025 alone, ESET tracked over 10 such incidents. The group often tweaks code to dodge detection and deploys via Active Directory Group Policy after gaining domain admin access.

DynoWiper Technical Breakdown

On December 29, 2025, attackers dropped DynoWiper samples into C:\inetpub\pub, a shared domain folder. Files included <redacted>_update.exe (timestamp: Dec 26), schtask.exe, and schtask2.exe (both Dec 29).

PDB strings hinted at Vagrant VM builds for testing. After failed runs, operators recompiled variants.

DynoWiper wipes in three phases. First, it overwrites files on fixed and removable drives with a 16-byte random buffer, skipping folders like system32, windows, and program files.

Small files (≤16 bytes) get fully overwritten; larger ones are only partially overwritten, for speed. The second phase hits root directories harder; schtask2.exe deletes everything without overwrites. The third phase forces a reboot.

It echoes the ZOV wiper seen in Ukraine (Nov 2025 and Jan 2024). Both skip similar folders, handle files by size, and use buffers (ZOV’s starts with the “ZOV” string, and ZOV drops a ZOV-themed wallpaper). Unlike Industroyer, DynoWiper shows no OT targeting; its focus is IT.

Pre-wiper tooling and activity: Rubeus for Kerberos attacks, LSASS dumps via Task Manager, and the rsocx SOCKS5 proxy to a compromised Russian server (31.172.71.5:8008).

Deployment used a PowerShell script like those for ZOV and POWERGAP, pushing from shared paths. CERT Polska’s report detailed the probe.
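The pre-wiper activity described above can be checked with a small triage pass over Sysmon-style process, network and file-creation events. This is an added example, not code from ESET, CERT Polska or the original article; the indicators come from this page (the staging folder is read as C:\inetpub\pub), while the event records, host paths and field layout are constructed assumptions.

```python
import ntpath
import re

# Indicators below are the ones this page lists; the events are constructed.
PROXY_ENDPOINT = ("31.172.71.5", 8008)   # rsocx SOCKS5 server
STAGING_DIR = "c:\\inetpub\\pub\\"       # shared folder used for staging
KNOWN_SHA1 = {
    "4EC3C90846AF6B79EE1A5188EEFA3FD21F6D4CF6": "DynoWiper",
    "86596A5C5B05A8BFBD14876DE7404702F7D0D61B": "DynoWiper",
    "69EDE7E341FD26FA0577692B601D80CB44778D93": "DynoWiper",
    "9EC4C38394EA2048CA81D48B1BD66DE48D8BD4E8": "rsocx",
    "410C8A57FE6E09EDBFEBABA7D5D3E4797CA80A19": "Rubeus",
}

def triage(event):
    """Return the findings for one Sysmon-style event dict."""
    findings = []
    eid = event.get("EventID")
    image = event.get("Image", "").lower()
    if eid == 1:    # process creation
        m = re.search(r"SHA1=([0-9A-Fa-f]{40})", event.get("Hashes", ""))
        if m and m.group(1).upper() in KNOWN_SHA1:
            findings.append("known hash: " + KNOWN_SHA1[m.group(1).upper()])
        if image.startswith(STAGING_DIR):
            findings.append("process started from staging folder")
    elif eid == 3:  # network connection
        dest = (event.get("DestinationIp"), int(event.get("DestinationPort", 0)))
        if dest == PROXY_ENDPOINT:
            findings.append("connection to rsocx proxy endpoint")
    elif eid == 11:  # file creation
        name = ntpath.basename(event.get("TargetFilename", "").lower())
        if ntpath.basename(image) == "taskmgr.exe" and re.fullmatch(r"lsass.*\.dmp", name):
            findings.append("LSASS dump written by Task Manager")
    return findings

# Constructed sample events (hypothetical hosts, users and paths).
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": r"C:\Windows\System32\Taskmgr.exe",
     "TargetFilename": r"C:\Users\adm\AppData\Local\Temp\lsass.DMP"},
    {"EventID": 3, "Image": r"C:\ProgramData\rsocx.exe",
     "DestinationIp": "31.172.71.5", "DestinationPort": "8008"},
    {"EventID": 1, "Image": r"C:\inetpub\pub\schtask2.exe",
     "Hashes": "SHA1=69EDE7E341FD26FA0577692B601D80CB44778D93"},
    {"EventID": 3, "Image": r"C:\Windows\System32\svchost.exe",
     "DestinationIp": "10.0.0.5", "DestinationPort": "443"},
]

def run(events=SAMPLE_EVENTS):
    return [(i, f) for i, e in enumerate(events) for f in triage(e)]
```

The hash and endpoint checks only catch these exact samples and this server; the Task Manager dump and staging-folder checks are behavioural and survive a recompiled variant.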

Attribution and Implications

ESET attributes DynoWiper to Sandworm with medium confidence. The matches are wiper TTPs, GPO deployment, energy targets, and the group's history in Poland (BlackEnergy, GreyEnergy espionage).

| SHA-1 | Filename | Detection | Description |
|---|---|---|---|
| 4EC3C90846AF6B79EE1A5188EEFA3FD21F6D4CF6 | <redacted>_update.exe | Win32/KillFiles.NMO | DynoWiper |
| 86596A5C5B05A8BFBD14876DE7404702F7D0D61B | schtask.exe | Win32/KillFiles.NMO | DynoWiper |
| 69EDE7E341FD26FA0577692B601D80CB44778D93 | schtask2.exe | Win32/KillFiles.NMO | DynoWiper |
| 9EC4C38394EA2048CA81D48B1BD66DE48D8BD4E8 | rsocx.exe | Win64/HackTool.Rsocx.A | SOCKS5 proxy |
| 410C8A57FE6E09EDBFEBABA7D5D3E4797CA80A19 | Rubeus.exe | MSIL/Riskware.Rubeus.A | Kerberos tool |

Key MITRE ATT&CK Techniques

| Tactic | ID | Name |
|---|---|---|
| Resource Development | T1584.004 | Compromise Infrastructure: Server |
| Execution | T1059.001 | PowerShell |
| Credential Access | T1003.001 | LSASS Memory |
| Impact | T1561.001 | Disk Content Wipe |
| Impact | T1529 | System Shutdown/Reboot |


The post DynoWiper Wiper Malware Launches Destructive Attacks On Energy Firms appeared first on Cyber Security News.

rssfeeds-admin
