#BREAKING #ESETresearch provides technical details on #DynoWiper, a data‑wiping malware used in a data‑destruction incident on December 29, 2025, affecting a company in Poland’s energy sector.
https://www.welivesecurity.com/en/eset-research/dynowiper-update-technical-analysis-attribution/
@CERT_Polska_en did an excellent job investigating the incident and published a detailed analysis in a report:
https://cert.pl/en/posts/2026/01/incident-report-energy-sector-2025/
#ESETresearch attributes the attack to the 🇷🇺 Russia‑aligned #Sandworm APT group with medium confidence, based on strong overlaps in behavior and TTPs with multiple earlier Sandworm attacks. Specifically, DynoWiper operates in a broadly similar fashion to the ZOV wiper, which we attribute to Sandworm with high confidence.
IoCs available in our GitHub repo: https://github.com/eset/malware-ioc/tree/master/dynowiper

#BREAKING #ESETresearch identified the wiper #DynoWiper used in an attempted disruptive cyberattack against the Polish energy sector on Dec 29, 2025. At this point, no successful disruption is known, but the malware’s design clearly indicates destructive intent.
#ESETresearch attributes the attack to the Russia‑aligned #Sandworm APT group with medium confidence, based on strong overlaps in behavior and TTPs with multiple earlier Sandworm-linked wiper operations investigated by our team.
The attack struck during peak winter and the 10‑year anniversary of Sandworm’s 2015 attack on Ukraine’s power grid - the first malware-driven blackout, leaving ~230,000 people without electricity.
#ESET detects DynoWiper as Win32/KillFiles.NMO. Customers of our private ESET Threat Intelligence APT reports have already received additional technical details and IOCs to support rapid detection and response. IoC: 4EC3C90846AF6B79EE1A5188EEFA3FD21F6D4CF6
We continue to investigate the incident and broader implications. As new evidence or links to additional Sandworm activity emerge, we will share further updates to help defenders protect critical sectors.