In late December 2025, new wiper malware known as DynoWiper was used by Sandworm group hackers with ties to Russia to target a Polish energy company. The attack, in which the malware sought to destroy data and crash systems, was discovered by ESET researchers. Damage was limited because ESET PROTECT blocked it.
Sandworm, which has previously targeted Ukraine's energy industry, has now launched a rare, overtly destructive attack on Poland's power sector. Sandworm has a long history of wiper attacks and is associated with Russia's GRU Unit 74455. In 2015 and 2016 it used Industroyer malware to cause blackouts in Ukraine, and in 2017 NotPetya spread through a software supply chain to erase data.
Olympic Destroyer made an appearance at the Winter Games in 2018. HermeticWiper, CaddyWiper, Prestige ransomware, ZOV wiper, and more have been released by Sandworm since 2022, primarily in Ukraine.
ESET tracked more than ten such incidents in 2025 alone. After obtaining domain admin access, the group frequently modifies its code to evade detection and deploys the wiper via Active Directory Group Policy.

Technical Failure of DynoWiper

On December 29, 2025, the attackers dropped DynoWiper samples into the shared domain folder C:\inetpub\pub. Among the files were schtask.exe, schtask2.exe, and <redacted>_update.exe (timestamps: Dec 26 and Dec 29). PDB strings pointed to test builds on Vagrant virtual machines, and the operators recompiled variants after unsuccessful runs. DynoWiper wipes in three stages.
First, it overwrites files on fixed and removable drives with a 16-byte random buffer, skipping folders such as system32, Windows, and Program Files. Small files (16 bytes or less) are overwritten completely, while larger files are only partially overwritten for speed. The second stage targets root directories; the schtask2.exe variant deletes files there without overwriting them at all.
Third, it forces a restart. This mirrors the ZOV wiper seen in Ukraine (January 2024 and November 2025). Both overwrite with buffers (ZOV's begins with the string "ZOV", and ZOV drops ZOV-themed wallpaper), both handle files differently by size, and both skip similar folders.
Unlike Industroyer, which targeted OT, DynoWiper focuses on IT systems. Tools used before the wiper included the rsocx SOCKS5 proxy, tunnelling to a compromised server in Russia (31.172.71.5:8008), LSASS memory dumps taken via Task Manager, and Rubeus for Kerberos attacks. Deployment used PowerShell scripts similar to those seen with ZOV and POWERGAP, pushing the binaries from shared paths. CERT Polska's report describes the investigation in detail.
Responsibility and Consequences

ESET attributes DynoWiper to Sandworm with medium confidence. The matches include the energy-sector targets, GPO-based deployment, the wiper TTPs, and Sandworm's prior activity in Poland (BlackEnergy and GreyEnergy espionage).
Indicators of compromise

SHA-1                                     Filename               Detection               Description
4EC3C90846AF6B79EE1A5188EEFA3FD21F6D4CF6  <redacted>_update.exe  Win32/KillFiles.NMO     DynoWiper
86596A5C5B05A8BFBD14876DE7404702F7D0D61B  schtask.exe            Win32/KillFiles.NMO     DynoWiper
69EDE7E341FD26FA0577692B601D80CB44778D93  schtask2.exe           Win32/KillFiles.NMO     DynoWiper
9EC4C38394EA2048CA81D48B1BD66DE48D8BD4E8  rsocx.exe              Win64/HackTool.Rsocx.A  SOCKS5 proxy
410C8A57FE6E09EDBFEBABA7D5D3E4797CA80A19  Rubeus.exe             Riskware/MSIL.Rubeus.A  Kerberos tool

Important MITRE ATT&CK techniques

Tactic                ID         Name
Resource Development  T1584.004  Compromise Infrastructure: Server
Execution             T1059.001  PowerShell
Credential Access     T1003.001  LSASS Memory
Impact                T1561.001  Disk Content Wipe
Impact                T1529      System Shutdown/Reboot
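The indicators above (the SHA-1 hashes, the staging share C:\inetpub\pub, the tool filenames and the rsocx proxy endpoint) can be turned into a simple hunt over endpoint telemetry. The script below is an added example written for this article; it is not code from ESET, CERT Polska or the original report. It assumes a JSON-lines event feed with "process" and "network" record types and the field names shown, which are assumptions, and the sample events are constructed for the example. Because the article notes that the group recompiles variants to evade detection, the hunt does not rely on hashes alone: it also flags the known filenames and any execution out of the staging share.

```python
import json
from typing import Dict, List

# Indicators taken from the article's IoC table.
IOC_SHA1 = {
    "4EC3C90846AF6B79EE1A5188EEFA3FD21F6D4CF6": "DynoWiper (<redacted>_update.exe)",
    "86596A5C5B05A8BFBD14876DE7404702F7D0D61B": "DynoWiper (schtask.exe)",
    "69EDE7E341FD26FA0577692B601D80CB44778D93": "DynoWiper (schtask2.exe)",
    "9EC4C38394EA2048CA81D48B1BD66DE48D8BD4E8": "rsocx SOCKS5 proxy",
    "410C8A57FE6E09EDBFEBABA7D5D3E4797CA80A19": "Rubeus Kerberos tool",
}
IOC_FILENAMES = {"schtask.exe", "schtask2.exe", "rsocx.exe", "rubeus.exe"}
IOC_PROXY = ("31.172.71.5", 8008)          # compromised server used by rsocx
STAGING_DIR = "c:\\inetpub\\pub\\"         # shared folder the samples were dropped into

# Constructed sample telemetry (assumed schema: type, host, time, then per-type fields).
SAMPLE_EVENTS = [
    r'{"type":"process","host":"ws01","time":"2025-12-29T06:01:10Z","image":"C:\\Windows\\System32\\svchost.exe","sha1":"0000000000000000000000000000000000000000"}',
    r'{"type":"process","host":"srv02","time":"2025-12-29T06:02:41Z","image":"C:\\inetpub\\pub\\schtask.exe","sha1":"86596a5c5b05a8bfbd14876de7404702f7d0d61b"}',
    r'{"type":"network","host":"srv02","time":"2025-12-29T06:02:45Z","dst_ip":"31.172.71.5","dst_port":8008}',
    r'{"type":"network","host":"ws01","time":"2025-12-29T06:03:00Z","dst_ip":"10.0.0.5","dst_port":445}',
    r'{"type":"process","host":"srv03","time":"2025-12-29T06:05:12Z","image":"C:\\inetpub\\pub\\schtask2.exe","sha1":"1111111111111111111111111111111111111111"}',
    r'{"type":"process","host":"ws07","time":"2025-12-29T06:09:30Z","image":"C:\\Users\\admin\\Downloads\\Rubeus.exe","sha1":"2222222222222222222222222222222222222222"}',
]


def match_event(ev: Dict) -> List[str]:
    """Return the list of indicator matches for one telemetry record (empty if clean)."""
    hits: List[str] = []
    kind = ev.get("type")
    if kind == "process":
        image = ev.get("image", "")
        sha1 = ev.get("sha1", "").upper()
        name = image.rsplit("\\", 1)[-1].lower()
        if sha1 in IOC_SHA1:
            hits.append(f"known-bad hash: {IOC_SHA1[sha1]}")
        if name in IOC_FILENAMES:
            hits.append(f"IoC filename: {name}")
        # Recompiled variants change the hash but were still staged in the same share.
        if image.lower().startswith(STAGING_DIR):
            hits.append("execution from staging share C:\\inetpub\\pub")
    elif kind == "network":
        if (ev.get("dst_ip"), ev.get("dst_port")) == IOC_PROXY:
            hits.append("connection to rsocx proxy server 31.172.71.5:8008")
    return hits


def hunt(lines: List[str]) -> List[Dict]:
    """Run the indicator checks over JSON-lines telemetry and collect the findings."""
    findings = []
    for line in lines:
        ev = json.loads(line)
        hits = match_event(ev)
        if hits:
            findings.append({"host": ev["host"], "time": ev["time"], "hits": hits})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f['time']} {f['host']}: " + "; ".join(f["hits"]))
```

On the constructed sample, the schtask.exe record trips all three process checks, the schtask2.exe record (unknown hash, standing in for a recompiled build) is still caught by filename and staging path, the Rubeus.exe download is caught by filename only, and the proxy connection is caught on the network side. In a real deployment the path and filename checks generate more false positives than the hashes, so they are better treated as triage leads than as blocking rules.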