ESET Uncovers DynoWiper Malware Targeting Polish Energy Sector
ESET researchers have identified a new data-wiping malware, which they named DynoWiper, that was recently used against an energy company in Poland. The attack resembles earlier incidents attributed to Sandworm, including those involving the ZOV wiper.
DynoWiper was deployed on December 29, 2025, as executables named _update.exe, schtask.exe and schtask2.exe, staged in shared directories that were presumably reachable from the targeted hosts. ESET PROTECT blocked the attempts to execute the malware, which substantially limited the damage. The wiper works in three phases and is aimed only at the IT environment; it makes no attempt to reach operational technology (OT) systems. Its file-wiping routine overwrites file contents with a 16-byte buffer, and because large files are only partially overwritten, part of their original data survives, a detail that matters for forensic recovery. The deliberate exclusion of critical system directories such as System32 from the first phase indicates a staged, somewhat refined approach to destruction rather than indiscriminate overwriting.
Sandworm, a Russia-aligned threat group known for destructive operations, has a long record of attacking energy companies, particularly since Russia’s invasion of Ukraine. Its earlier activity in Poland was covert cyberespionage; it has more recently escalated to outright disruption. Deploying the malware through Active Directory Group Policy shows that the attackers already held privileges sufficient to create or modify Group Policy, typically domain administrator level, which makes the attack hard to stop at the endpoint alone.
The incident underscores the growing risk to energy sector organizations against the backdrop of geopolitical tension. Sandworm’s evolving tradecraft calls for heightened vigilance and preparedness from security teams.
Threat intelligence feeds, SIEM correlation and focused monitoring, in particular of Group Policy changes and of new scheduled tasks and executables appearing on shared directories, can shorten detection and response times against actors like Sandworm.
Indicators of Compromise (IOCs)
DynoWiper Samples:
- _update.exe: SHA-1 4EC3C90846AF6B79EE1A5188EEFA3FD21F6D4CF6
- schtask.exe: SHA-1 86596A5C5B05A8BFBD14876DE7404702F7D0D61B
- schtask2.exe: SHA-1 69EDE7E341FD26FA0577692B601D80CB44778D93
ZOV Wiper Samples:
- TMP_Backup.tmp.exe: SHA-1 472CA448F82A7FF6F373A32FDB9586FD7C38B631
- TS_5WB.tmp.exe: SHA-1 4F8E9336A784A196353023133E0F8FA54F6A92E2
Additional Tools:
- Rubeus.exe: SHA-1 410C8A57FE6E09EDBFEBABA7D5D3E4797CA80A19 (used for Kerberos attacks)
- rsocx.exe: SHA-1 9EC4C38394EA2048CA81D48B1BD66DE48D8BD4E8 (SOCKS5 proxy)
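As an added example that is not part of ESET’s report or this page, the following Python script sweeps a directory tree for the indicators listed above: it hashes every regular file with SHA-1, the digest the page publishes, and also flags the file names used in the deployment. The hash values are copied from the list above; the function names, the command-line usage and the example paths in the comments are assumptions made for illustration.

```python
"""IOC sweep for the DynoWiper / ZOV indicators listed on this page.

Walks a directory tree, hashes every regular file with SHA-1 (the digest the
page publishes) and reports files whose digest or file name matches an
indicator. The hash set below is copied from the page; everything else
(function names, the CLI, the illustrative paths) is an assumption and not
ESET's code.
"""
import hashlib
import os
import sys
from dataclasses import dataclass
from typing import Iterable, List, Set

# SHA-1 digests published on this page (DynoWiper, ZOV wiper, Rubeus, rsocx).
IOC_SHA1: Set[str] = {
    "4ec3c90846af6b79ee1a5188eefa3fd21f6d4cf6",  # _update.exe (DynoWiper)
    "86596a5c5b05a8bfbd14876de7404702f7d0d61b",  # schtask.exe (DynoWiper)
    "69ede7e341fd26fa0577692b601d80cb44778d93",  # schtask2.exe (DynoWiper)
    "472ca448f82a7ff6f373a32fdb9586fd7c38b631",  # TMP_Backup.tmp.exe (ZOV)
    "4f8e9336a784a196353023133e0f8fa54f6a92e2",  # TS_5WB.tmp.exe (ZOV)
    "410c8a57fe6e09edbfebaba7d5d3e4797ca80a19",  # Rubeus.exe
    "9ec4c38394ea2048ca81d48b1bd66de48d8bd4e8",  # rsocx.exe
}

# File names from the page, matched case-insensitively. A name hit on its own
# is weak evidence (attackers rename, admins reuse generic names), so every
# finding records the reason and the digest for triage.
IOC_NAMES: Set[str] = {
    "_update.exe", "schtask.exe", "schtask2.exe",
    "tmp_backup.tmp.exe", "ts_5wb.tmp.exe", "rubeus.exe", "rsocx.exe",
}


@dataclass(frozen=True)
class Finding:
    path: str
    reason: str   # "sha1" (digest matched) or "name" (only the file name matched)
    sha1: str


def sha1_of_file(path: str, chunk: int = 1 << 20) -> str:
    """Stream the file through SHA-1 so multi-GB files are not read into memory."""
    h = hashlib.sha1()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_tree(root: str,
              hashes: Iterable[str] = IOC_SHA1,
              names: Iterable[str] = IOC_NAMES) -> List[Finding]:
    """Return one Finding per file whose SHA-1 or file name matches an IOC.

    A file matching both is reported once, under "sha1", because the digest
    match is the stronger indicator. Unreadable files are skipped, not reported.
    """
    hashes = {h.lower() for h in hashes}
    names = {n.lower() for n in names}
    findings: List[Finding] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if not os.path.isfile(path):      # skip sockets, dangling links etc.
                continue
            try:
                digest = sha1_of_file(path)
            except OSError:                   # locked or unreadable: move on
                continue
            if digest in hashes:
                findings.append(Finding(path, "sha1", digest))
            elif name.lower() in names:
                findings.append(Finding(path, "name", digest))
    return findings


if __name__ == "__main__":
    # Illustrative use on a Windows host (paths assumed, not from the incident):
    #   python ioc_sweep.py \\dc01\SYSVOL C:\Shares
    for target in sys.argv[1:] or ["."]:
        for f in scan_tree(target):
            print(f"{f.reason:4} {f.sha1} {f.path}")
```

Point it at SYSVOL, file shares and the locations Group Policy uses to stage scripts and scheduled tasks before sweeping whole disks. A SHA-1 match on a DynoWiper or ZOV sample should trigger incident response immediately; a name-only match needs triage, since the same generic names are easy to collide with.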