DynoWiper update: Technical analysis
Essential information
- Published
- 30/01/2026 18:42
- Modified
- 02/02/2026 11:06
- Tags
- 2026-01-30 arguepatch awfulshred bidswipe caddywiper cyberattack data destruction doublezero dynowiper energy sector hermeticransom hermeticwiper industroyer industroyer2 nikowiper orcshred poland prestige ransomboggs roarbat russia-aligned sharpnikowiper soloshred sting wiper swiftslicer wiper malware zerolot zov wiper
- Related entities
- 7 observables, 1 intrusion sets (apt), 8 techniques (mitre), 21 malware, 4 others
Description
ESET researchers provide technical details on a recent data destruction incident affecting a Polish energy company. They identified new data-wiping malware named DynoWiper, attributed to the Russia-aligned threat group Sandworm with medium confidence. The tactics, techniques, and procedures observed during the DynoWiper incident resemble those seen earlier in an incident involving the ZOV wiper in Ukraine. Sandworm has a history of destructive cyberattacks, targeting various entities including energy providers. The DynoWiper samples focus on the IT environment, with no observed functionality targeting OT industrial components. The attackers deployed additional tools and attempted to use a SOCKS5 proxy. The incident represents a rare case of a Russia-aligned threat actor deploying destructive malware against an energy company in Poland.