A new and destructive data-wiping malware, dubbed DynoWiper, has been identified targeting energy companies in Poland. The malware surfaced in December 2025 and is characterized by its intent to permanently erase critical data, a stark departure from typical ransomware operations. Unlike threats that aim for financial gain through encryption, DynoWiper’s sole purpose is to destroy operational data, rendering compromised systems unbootable.
The attack marks a significant escalation in destructive operations against critical infrastructure. Researchers detected DynoWiper at a Polish energy firm late last year. The attackers deployed several variants of the malware, including executables named schtask.exe and schtask2.exe (names that resemble the legitimate Windows schtasks.exe utility), along with an update file, all released on December 29, 2025. Their first attempts to run the wiper failed; they then modified the code to get around the security controls and tried again, but the endpoint detection and response (EDR) product installed on the network blocked every execution, which limited the damage.
DynoWiper Data-Wiping Malware and Its Affiliation
Analysis by ESET researchers, published on WeLiveSecurity, revealed striking similarities between DynoWiper and a previously identified wiper known as ZOV, which was used against targets in Ukraine. The research team assesses that DynoWiper is likely the work of Sandworm, a Russia-aligned threat group with a well-documented history of destructive cyberattacks, particularly against energy-sector organizations. Sandworm is commonly linked to Unit 74455 of Russia's Main Intelligence Directorate (GRU) and has a long record of targeting critical infrastructure in Eastern Europe.
ZOV was known to set a specific desktop wallpaper after a successful infection, a visual calling card of the group's operations. No comparable wallpaper has been reported for the DynoWiper deployment, but its destructive behaviour fits Sandworm's established pattern of highly disruptive operations.
Deployment Through Active Directory Group Policy
DynoWiper was distributed through Active Directory Group Policy: the binary was staged in a shared network directory and a Group Policy Object pushed its execution to every machine in scope, so the wiper ran on many hosts at once. Creating or modifying a GPO for this requires Domain Admin privileges (or rights delegated to edit Group Policy), which shows the attackers had already gained full control of the domain before the wiper was dropped.
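A practical check for this deployment channel is to audit the Group Policy Preferences scheduled-task definitions stored in SYSVOL, since an immediate task pointing at an executable on a network share is exactly the shape of a domain-wide push. The script below is an added example for this article, not code from ESET or from the original report; the XML is a constructed sample, and the share name, task names, GUIDs and timestamps are invented.

```python
"""Audit Group Policy Preferences (GPP) scheduled-task XML for executables
pushed to domain hosts from a network share.

Added example for this article, not code from the original report. GPP
scheduled tasks are stored in SYSVOL as XML, typically at
  \\<domain>\SYSVOL\<domain>\Policies\{GUID}\Machine\Preferences\ScheduledTasks\ScheduledTasks.xml
An <ImmediateTaskV2> entry runs once on every machine the GPO applies to at the
next policy refresh, which is the mechanism a staged wiper can abuse.
"""
import re
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample: one routine local task plus one immediate task that
# launches an executable from a UNC path as SYSTEM. All names are invented.
SAMPLE_SCHEDULED_TASKS_XML = r"""<?xml version="1.0" encoding="utf-8"?>
<ScheduledTasks clsid="{CC63F200-7309-4ba0-B154-A71CD118DBCC}">
  <TaskV2 clsid="{D8896631-B747-47a7-84A6-C155337F3BC8}" name="InventoryAgent" changed="2025-06-02 09:14:05">
    <Properties action="U" name="InventoryAgent" runAs="NT AUTHORITY\System" logonType="S4U">
      <Task version="1.2">
        <Actions Context="Author">
          <Exec>
            <Command>C:\Program Files\Inventory\agent.exe</Command>
            <Arguments>/scan</Arguments>
          </Exec>
        </Actions>
      </Task>
    </Properties>
  </TaskV2>
  <ImmediateTaskV2 clsid="{9756B581-76EC-4169-9AFC-0CA8D43ADB5F}" name="schtask" changed="2025-12-29 03:11:42">
    <Properties action="C" name="schtask" runAs="NT AUTHORITY\System" logonType="S4U">
      <Task version="1.2">
        <Actions Context="Author">
          <Exec>
            <Command>\\fileserver\netlogon\schtask.exe</Command>
            <Arguments></Arguments>
          </Exec>
        </Actions>
      </Task>
    </Properties>
  </ImmediateTaskV2>
</ScheduledTasks>
"""

# Matches \\server\share\... ; GPP stores the command as the admin typed it.
UNC_RE = re.compile(r"^\\\\[^\\]+\\")


def audit_gpp_tasks(xml_text: str) -> list[dict]:
    """Return one finding per task that is an immediate task or runs a UNC-path command.

    runAs is recorded in every finding so the analyst can see whether the task
    also executes as SYSTEM on each host.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for task in root:                       # <TaskV2> / <ImmediateTaskV2> children
        props = task.find("Properties")
        if props is None:
            continue
        run_as = props.get("runAs", "")
        for exec_el in props.iter("Exec"):  # <Actions><Exec><Command>
            command = (exec_el.findtext("Command") or "").strip()
            reasons = []
            if task.tag.startswith("Immediate"):
                reasons.append("immediate task: runs once on every host in scope at next policy refresh")
            if UNC_RE.match(command):
                reasons.append("command launched from a network share")
            if reasons:
                findings.append({
                    "name": task.get("name", ""),
                    "changed": task.get("changed", ""),
                    "run_as": run_as,
                    "command": command,
                    "arguments": (exec_el.findtext("Arguments") or "").strip(),
                    "reasons": reasons,
                })
    return findings


def audit_sysvol(sysvol_root: str) -> list[dict]:
    """Walk a SYSVOL copy (or the live share) and audit every ScheduledTasks.xml.

    Each finding carries the path it came from, which contains the policy GUID,
    so the GPO can be looked up and unlinked before the next refresh.
    """
    results = []
    for xml_path in Path(sysvol_root).rglob("ScheduledTasks.xml"):
        for finding in audit_gpp_tasks(xml_path.read_text(encoding="utf-8-sig")):
            finding["policy_path"] = str(xml_path)
            results.append(finding)
    return results


if __name__ == "__main__":
    for f in audit_gpp_tasks(SAMPLE_SCHEDULED_TASKS_XML):
        print(f"[{f['changed']}] {f['name']}: {f['command']} (runAs {f['run_as']})")
        for r in f["reasons"]:
            print("   -", r)
```

Run `audit_sysvol(r"\\<domain>\SYSVOL")` from a workstation with read access, or point it at an offline copy of SYSVOL taken during incident response. The `changed` timestamp is the first thing to sort on: a task created or modified outside a change window, running from a share and as SYSTEM, should be treated as a live deployment until proven otherwise.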
Before the wiper was deployed, the attackers reportedly used credential-theft tooling such as Rubeus, a Kerberos abuse toolkit, and tried to dump the memory of the LSASS process with the built-in Windows Task Manager, whose "Create dump file" option writes the process memory to disk where cached credentials can be extracted from it. They also installed rsocx, a reverse SOCKS5 proxy that connects out to attacker-controlled servers and gives the operators a tunnel back into the internal network. This staged approach, credential theft, then remote access, then the destructive payload, points to careful planning and extensive reconnaissance before the wiper was launched.
The malware's destruction routine runs in three phases. In the first, DynoWiper recursively enumerates files on all fixed and removable drives, skipping certain system directories, likely so that the machine keeps running long enough for the wipe to complete. It overwrites file contents with a 16-byte buffer of random data. Files smaller than 16 bytes are overwritten entirely; larger files have only part of their content overwritten, which keeps the wipe fast while still destroying the file. Because the overwrite is partial, fragments of larger files remain on disk and forensic carving may recover pieces of them, but a file whose header has been replaced is no longer usable as a document or executable.
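The overwrite pattern described above has a direct forensic consequence: a wiped file keeps its name and size but its leading bytes no longer match the format its extension implies. The triage script below is an added example for this article, not code from ESET or from the original analysis. It assumes only what the text states (a 16-byte random buffer written over file content, small files overwritten in full) and uses a fixed 16-byte pattern as a stand-in for random data; the sample file tree is constructed here.

```python
"""Triage a file tree for files whose leading bytes look overwritten.

Added example for this article, not code from the original analysis. Assumes
the behaviour described in the text: a 16-byte random buffer is written over
file content, so the first bytes of a wiped file no longer match the format
its extension implies. Sample files and the "wiped" head are constructed.
"""
import math
import os
import tempfile
from pathlib import Path

HEAD_LEN = 16  # size of the overwrite buffer described in the article

# Leading bytes a healthy file of each type starts with.
MAGIC = {
    ".pdf": b"%PDF",
    ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04", ".zip": b"PK\x03\x04",
    ".exe": b"MZ", ".dll": b"MZ",
    ".png": b"\x89PNG",
    ".jpg": b"\xff\xd8\xff",
}
TEXT_EXT = {".txt", ".csv", ".log", ".ini", ".xml", ".json"}

# Stand-in for 16 bytes of random data (all distinct, so entropy is the maximum 4.0 bits/byte).
WIPED_HEAD = bytes.fromhex("9f3c41a7e2d05b68c13e7a94f0265db1")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; a 16-byte head can reach at most log2(16) = 4.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(data.count(b) / n * math.log2(data.count(b) / n) for b in set(data))


def classify_head(name: str, head: bytes) -> str:
    """Classify a file from its name and first bytes.

    intact              head matches what the extension implies
    header-mismatch     known binary type, magic bytes gone (strong signal)
    non-printable-text  text type, head is mostly non-printable (strong signal)
    high-entropy        unknown type, head looks random (weak signal, 16 bytes only)
    unknown / empty     nothing conclusive / zero-length file
    """
    if not head:
        return "empty"
    ext = Path(name).suffix.lower()
    if ext in MAGIC:
        return "intact" if head.startswith(MAGIC[ext]) else "header-mismatch"
    if ext in TEXT_EXT:
        printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in head) / len(head)
        return "intact" if printable >= 0.9 else "non-printable-text"
    return "high-entropy" if shannon_entropy(head) > 3.5 else "unknown"


def triage_tree(root: str) -> dict[str, str]:
    """Map relative POSIX-style path -> verdict for every non-intact file under root."""
    verdicts = {}
    root_path = Path(root)
    for dirpath, _, filenames in os.walk(root_path):
        for fn in filenames:
            p = Path(dirpath) / fn
            try:
                with open(p, "rb") as fh:
                    head = fh.read(HEAD_LEN)   # only the first 16 bytes are needed
            except OSError:
                verdicts[p.relative_to(root_path).as_posix()] = "unreadable"
                continue
            verdict = classify_head(fn, head)
            if verdict != "intact":
                verdicts[p.relative_to(root_path).as_posix()] = verdict
    return verdicts


def demo_triage() -> dict[str, str]:
    """Build a constructed tree mixing intact and wiped files, then triage it."""
    files = {
        "reports/q4.pdf": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n1 0 obj\n",            # intact
        "reports/q3.pdf": WIPED_HEAD + b"\x00" * 4000,                        # header overwritten
        "ops/shift.txt": b"Shift handover: pump 3 offline\n",                  # intact
        "ops/shift_old.txt": WIPED_HEAD + b"rest of the log survives\n",       # head overwritten, tail intact
        "ops/flag.ini": WIPED_HEAD[:3],   # 3-byte file overwritten in full (assumed: leading bytes of the buffer)
        "bin/tool.exe": b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00",  # intact
        "data/sensor.dat": WIPED_HEAD + b"\x00" * 100,                        # unknown type, random head
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, content in files.items():
            path = Path(tmp) / rel
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_bytes(content)
        return triage_tree(tmp)


if __name__ == "__main__":
    for rel, verdict in sorted(demo_triage().items()):
        print(f"{verdict:20} {rel}")
```

Point `triage_tree` at a read-only mount of a disk image rather than the live system, and treat `header-mismatch` and `non-printable-text` as the reliable verdicts: sixteen bytes is too small a sample for entropy alone to separate random data from, say, compressed content, so `high-entropy` is only a prompt to look closer. The `shift_old.txt` case is the one the partial-overwrite detail matters for: its head is destroyed, but the tail is still on disk and can be carved.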
Implications and Defense Strategies
The emergence of DynoWiper highlights the persistent and evolving threat facing critical infrastructure. With ransomware the attacker at least offers a decryption path; a wiper leaves nothing to negotiate, so recovery depends entirely on backups the attackers could not reach and on the time it takes to rebuild systems from them. Organizations in the energy sector and other critical infrastructure industries must prioritize robust cybersecurity measures, including offline or immutable backups with tested restore procedures.
Key defenses start with strict control over administrative privilege: a tiered administration model that keeps Domain Admin credentials off ordinary workstations, and monitoring of Group Policy changes and of SYSVOL, since that is the channel the attackers used to push the wiper. Network segmentation limits lateral movement once an initial compromise occurs. Continuous monitoring should be tuned for the precursors seen in this intrusion, Kerberos abuse tooling, LSASS memory access and unexpected outbound proxy connections, so that the operation is caught before the destructive payload is deployed. Incident response plans should be current and exercised against a wiper scenario, including full restoration from backups.
The successful blocking of DynoWiper by an EDR solution demonstrates the value of advanced threat detection tools. However, the attackers’ persistence and adaptation in modifying their code to bypass defenses mean that a layered security approach is paramount. The ongoing threat of Sandworm and similar groups necessitates sustained vigilance and investment in cybersecurity resilience for critical national infrastructure.

