On this weblog submit, we offer extra technical particulars associated to our earlier DynoWiper<\/a> publication.<\/p>\n Key factors of the report:<\/strong><\/p>\n Sandworm is a Russia-aligned risk group that performs damaging assaults. It’s largely identified for its assaults in opposition to Ukrainian power firms in 2015-12 and 2016-12, which resulted in energy outages. In 2017-06 Sandworm launched the NotPetya data-wiping<\/a> assault that used a supply-chain vector by compromising the Ukrainian accounting software program M.E.Doc<\/a>. In 2018-02, Sandworm launched the Olympic Destroyer data-wiping assault in opposition to organizers of the 2018 Winter Olympics in Pyeongchang.<\/p>\n The Sandworm group makes use of such superior malware as Industroyer<\/a>, which is ready to talk with gear at power firms by way of industrial management protocols. In 2022-04, CERT-UA thwarted an assault in opposition to an power firm in Ukraine the place the Sandworm group tried to deploy a brand new variant of this malware, Industroyer2<\/a>.<\/p>\n In 2020-10, the US Division of Justice printed an indictment<\/a> in opposition to six Russian pc hackers that it alleges ready and performed varied Sandworm assaults. The group is often attributed to Unit 74455 of the Russian Principal Intelligence Directorate (GRU).<\/p>\n Sandworm is a risk actor identified for conducting damaging cyberattacks, focusing on a variety of entities together with authorities businesses, logistics firms, transportation corporations, power suppliers, media organizations, grain sector firms, and telecommunications firms. These assaults usually contain the deployment of wiper malware \u2013 malicious software program designed to delete information, erase information, and render techniques unbootable.<\/p>\n Its operators have a protracted historical past of conducting such cyberattacks, and we have now documented their exercise extensively<\/a>. On this blogpost, we deal with their current operations involving data-wiping malware.<\/p>\n To evade detections by safety merchandise, Sandworm usually modifies the damaging malware it deploys \u2013 generally by introducing minor adjustments or by producing newly compiled variants from the unique supply code, and different instances by abandoning a specific wiper altogether and switching to a wholly new malware household for its operations. We hardly ever see Sandworm try and deploy a damaging malware pattern that was utilized in an earlier assault (for instance, one with a identified hash) or one that’s already detected on the time of deployment.<\/p>\n Since February 2022, we have now been totally monitoring incidents involving damaging malware and have publicly documented our findings in studies resembling A 12 months of wiper assaults in Ukraine<\/a>. Over time, Sandworm has deployed a variety of damaging malware households, together with, in roughly chronological order, HermeticWiper<\/a>, HermeticRansom<\/a>, CaddyWiper<\/a>, DoubleZero<\/a>, ARGUEPATCH<\/a>, ORCSHRED<\/a>, SOLOSHRED<\/a>, AWFULSHRED<\/a>, Status ransomware<\/a>, RansomBoggs ransomware<\/a>, SDelete-based wipers<\/a>, BidSwipe<\/a>, ROARBAT<\/a>, SwiftSlicer<\/a>, NikoWiper<\/a>, SharpNikoWiper<\/a>, ZEROLOT<\/a>, Sting wiper<\/a>, and ZOV wiper. It must be famous that a few of these malware households had been deployed a number of instances throughout quite a few incidents. In 2025, ESET investigated greater than 10 incidents involving damaging malware attributed to Sandworm, nearly all of them occurring in Ukraine.<\/p>\n We repeatedly improve our merchandise to enhance early detection of Sandworm operations \u2013 ideally figuring out exercise earlier than damaging wipers are deployed, and each time potential stopping harm even when beforehand unknown damaging malware is executed. As a result of the vast majority of Sandworm\u2019s cyberattacks at the moment goal Ukraine, we collaborate carefully with our Ukrainian companions, together with the Laptop Emergency Response Staff of Ukraine (CERT-UA<\/a>), to help each prevention and remediation efforts.<\/p>\n In addition to Ukraine, Sandworm has a decade-long historical past of focusing on firms in Poland, together with these within the power sector. Sometimes, these operations have been performed covertly for cyberespionage functions, as seen within the BlackEnergy<\/a> and GreyEnergy<\/a> circumstances. Notably, we detected the primary deployment of GreyEnergy malware at a Polish power firm again in 2015.<\/p>\n Nevertheless, because the begin of Russia\u2019s full-scale invasion of Ukraine, Sandworm has modified its techniques concerning targets in Poland. Particularly, in October 2022, it carried out a damaging assault in opposition to logistics firms in each Ukraine and Poland, disguising the operation as a Status ransomware incident. Microsoft Menace Intelligence reported<\/a> on the Status ransomware incidents, which they attributed to Seashell Blizzard (aka Sandworm). At ESET, we detected the Status ransomware household and publicly attributed<\/a> this exercise to Sandworm.<\/p>\n In December 2025, we detected the deployment of a damaging malware pattern, which we named DynoWiper<\/a>, at an power firm in Poland. The put in EDR\/XDR product, ESET PROTECT, blocked execution of the wiper, considerably limiting its influence within the surroundings. On this blogpost, we reveal extra particulars about this exercise and description our attribution course of.<\/p>\n CERT Polska did a wonderful job investigating the incident and printed an in depth evaluation in a report<\/a> accessible on its web site.<\/p>\n On December 29th<\/sup>, 2025, DynoWiper samples had been deployed to the C:inetpubpub<\/span> listing, which is probably going a shared listing within the sufferer\u2019s area, with the next filenames: schtask.exe<\/span>, schtask2.exe<\/span>, and The attackers initially deployed DynoWiper\u2019s workflow will be divided into three distinct phases, that are described later within the textual content. The schtask*.exe<\/span> samples embrace solely the primary two phases and introduce a five-second delay between them. In distinction, The wiper overwrites information utilizing a 16-byte buffer that incorporates random information generated as soon as in the beginning of the wiper\u2019s execution. Recordsdata of dimension 16 bytes or fewer are totally overwritten, with smaller information being prolonged to 16 bytes. To hurry up the destruction course of, different information (bigger than 16 bytes) have just some elements of their contents overwritten.<\/p>\n In the course of the first section, the malware recursively wipes information on all detachable and glued drives, excluding particular directories (utilizing case-insensitive comparability):<\/p>\n For The third section forces the system to reboot, finishing the destruction of the system.<\/p>\n Not like Industroyer<\/a> and Industroyer2<\/a>, the found DynoWiper samples focus solely on the IT surroundings, with no noticed performance focusing on OT (operational know-how<\/a>) industrial elements. Nevertheless, this doesn’t exclude the chance that such capabilities had been current elsewhere within the assault chain.<\/p>\n We recognized extra instruments used inside the identical community previous to deployment of the wiper.<\/p>\n In early phases of the assault, attackers tried to obtain the publicly accessible Rubeus<\/a> device. The next path was used: c:customers In early December 2025, attackers tried to dump the LSASS course of utilizing Home windows Process Supervisor. Moreover, they tried to obtain and launch a publicly accessible SOCKS5 proxy device known as rsocx<\/a>. The attackers tried to execute this proxy in reverse-connect mode utilizing the command line C:Customers We recognized a number of similarities to beforehand identified damaging malware, particularly to the wiper we have now named ZOV, which we attribute to Sandworm with excessive confidence. DynoWiper operates in a broadly comparable trend to the ZOV wiper. Notably, the exclusion of sure directories and particularly the clear separate logic current within the code for wiping smaller and bigger information can be discovered within the ZOV wiper.<\/p>\n ZOV is damaging malware that we detected being deployed in opposition to a monetary establishment in Ukraine in November 2025.<\/p>\n As soon as executed, the ZOV wiper iterates over information on all mounted drives and wipes them by overwriting their contents. It skips information in these directories:<\/p>\n How a file is wiped relies on its dimension. To destroy information as rapidly as potential, information smaller than 4,098 bytes have their whole contents overwritten; bigger information have just some elements of their contents overwritten. The buffer, which is repeatedly written to information, is of dimension 4,098 bytes, and begins with the string ZOV<\/span> (referring to the Russian navy symbols<\/a>) adopted by null bytes.<\/p>\n After finishing this fast wipe, it prints what number of directories and information had been wiped, and runs the shell command time \/t & ver & rmdir C: \/s \/q && dir && shutdown \/r<\/span> (print present native time and Home windows model, erase the contents of the C:<\/span> drive, checklist the present working listing, and initiates a system reboot).<\/p>\n Proper earlier than exiting, the wiper drops a picture from its assets to %appdatapercentLocWall.jpg<\/span> and units it because the desktop background. As proven in Determine 1, the wallpaper additionally has the ZOV image.<\/p>\n There was one other ZOV wiper case at an power firm in Ukraine, the place the attackers deployed the wiper on January 25th<\/sup>, 2024. Within the noticed pattern, the buffer that’s written to information doesn’t comprise the ZOV image. As a substitute, it incorporates the one character P adopted by null bytes. Additionally, the textual content within the dropped picture (see Determine 2) resembles a ransom observe however refers to a nonexistent Bitcoin handle.<\/p>\n Sandworm usually abuses Energetic Listing Group Coverage to deploy its data-wiping malware throughout all machines inside a compromised community. Group-wide GPO deployment typically requires Area Admin privileges and is usually staged from a website controller. This exercise underscores Sandworm\u2019s sophistication and its confirmed potential to acquire high-privilege Energetic Listing entry throughout many intrusions.<\/p>\n In the course of the incident response to the Industroyer2 assault in April 2022, CERT\u2011UA found a PowerShell script they named POWERGAP<\/a>. Sandworm had been utilizing this script continuously to deploy varied data-wiping malware throughout a number of organizations. Later, in November 2022, ESET researchers discovered that the identical script had been used to distribute the RansomBoggs<\/a> ransomware in Ukraine. Nevertheless, sooner or later Sandworm stopped utilizing this deployment script, but continued deploying damaging malware by way of Energetic Listing Group Coverage.<\/p>\n Apparently, through the evaluation of the ZOV wiper incident, we recognized a more recent PowerShell script used to deploy the ZOV wiper. This script incorporates hardcoded variables particular to the sufferer\u2019s surroundings, together with the area controller identify, area identify, Group Coverage Object (GPO) identify, deployed filename, file path, GPO hyperlink string, and scheduled process identify. As soon as executed, the script performs all essential actions to distribute the malicious binary to customers and computer systems throughout your complete area.<\/p>\n Extra considerably, a deployment script with very comparable performance, however with out sturdy code similarity, was found getting used to deploy the DynoWiper malware in a Polish power firm. In that case, nonetheless, the malicious binary was not distributed to particular person computer systems however was as a substitute executed immediately from a shared community listing.<\/p>\n As talked about above, operations of this data-wiping nature generally require a risk actor to own Area Admin privileges. As soon as a risk actor reaches this degree of entry, defending the surroundings turns into extraordinarily tough, as they will carry out practically any motion inside the area. Some organizations, significantly within the power sector, additionally deliberately section or isolate elements of their IT\/OT environments to fulfill operational and security necessities. Whereas this isolation will be an acceptable risk-management alternative, it usually reduces defender visibility and might gradual proof assortment and response workflows, which in flip can complicate incident investigation and end in lower-confidence attribution.<\/p>\n We attribute DynoWiper to Sandworm with medium confidence. The next components help our evaluation:<\/p>\n The next components contradict a Sandworm attribution:<\/p>\n Though Sandworm has beforehand focused firms in Poland, it usually did so covertly \u2013 both for cyberespionage functions solely or by disguising its data-wiping exercise as a ransomware assault, resembling within the Status ransomware incidents. It’s value noting that we solely attribute the data-wiping part of this exercise to Sandworm with medium confidence. We shouldn’t have visibility into the preliminary entry methodology used on this incident and due to this fact can’t assess how or by whom the primary steps had been carried out. Specifically, the preparatory phases main as much as the damaging exercise might have been performed by one other risk actor group collaborating with Sandworm. Notably, in 2025 we noticed<\/a> and confirmed that the UAC\u20110099 group performed preliminary entry operations in opposition to targets in Ukraine and subsequently handed off validated targets to Sandworm for follow-up exercise.<\/p>\n This incident represents a uncommon and beforehand unseen case by which a Russia-aligned risk actor deployed damaging, data-wiping malware in opposition to an power firm in Poland.<\/p>\n\n
\n
Sandworm profile<\/h2>\n
Historical past of Sandworm\u2019s damaging operations<\/h2>\n
DynoWiper<\/h2>\n
\n
Different instruments deployed<\/h3>\n
ZOV wiper<\/h2>\n
\n
![\"Figure](\"https:\/\/web-assets.esetstatic.com\/wls\/2026\/01-26\/dynowiper\/figure-1.png\" "\\"Figure")
![\"Figure](\"https:\/\/web-assets.esetstatic.com\/wls\/2026\/01-26\/dynowiper\/figure-2.png\" "\\"Figure")
Harmful malware deployment strategies<\/h2>\n
Attribution<\/h2>\n
\n
Conclusion<\/h2>\n
\n
IoCs<\/h2>\n
![\"\"](\"https:\/\/web-assets.esetstatic.com\/wls\/eti-eset-threat-intelligence.png\")
<\/a><\/p>\n<\/div>\n