Mallory | Malware | Used by 2 actors

DynoWiper

DynoWiper is a destructive data-wiping malware first documented by ESET during a late-December 2025 cyber incident affecting Poland’s energy sector and critical infrastructure. It is also detected as Win32/KillFiles.NMO. Reporting describes it as a previously undocumented custom wiper used to damage systems and render them inoperable rather than for espionage, theft, or financial gain.

High-confidence reporting states DynoWiper was used during the 29–30 December 2025 attacks against Poland’s energy infrastructure, including renewable-energy environments and a combined heat and power plant. During that campaign it was deployed via Group Policy Objects from a domain controller and via accessible network shares, after the attackers had already obtained elevated privileges and moved laterally through victim networks. DynoWiper and built-in Windows commands were used together to destroy data on Windows HMI workstations, and the campaign also damaged OT assets including Mikronika RTUs and Hitachi Relion protection and control relays; a separate PowerShell wiper, LazyWiper, was observed in related activity.

Technical reporting indicates DynoWiper enumerates logical drives, including fixed and removable drives, and overwrites file contents to make recovery difficult or impossible. One analyzed variant corrupts file headers with random data and, for larger files, overwrites multiple random offsets before deleting the file entries. Reported exclusions include system-critical directories such as Windows, System32, Program Files, AppData, Temp, Boot, and Recycle Bin paths, apparently so the host stays stable long enough for the wiper to finish. Some reporting states DynoWiper forces a reboot after wiping by enabling the shutdown privilege and invoking ExitWindowsEx, while another documented version removed the shutdown behavior and inserted a short delay between the corruption and deletion phases. Additional reporting describes targeting of the Windows boot configuration and use of commands such as vssadmin delete shadows and bcdedit /set to inhibit recovery.
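The recovery-inhibition commands described above are the most reliably logged part of this sequence, since the file overwrites themselves look like ordinary writes. The following is an added detection example, not code from ESET, CERT Polska or any other cited source: it classifies process-creation command lines against the two behaviours the reporting names (vssadmin delete shadows, bcdedit /set) and escalates hosts where both occur. The wmic shadowcopy form, the exact bcdedit parameters, the hostnames, users and sample events are assumptions constructed for the example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Command-line patterns for the recovery-inhibition behaviour reported with
# DynoWiper: "vssadmin delete shadows" and "bcdedit /set". The wmic form is an
# assumed generalization of the same shadow-copy deletion, not from the report.
PATTERNS = {
    "shadow-copy-deletion": re.compile(
        r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b"
        r"|\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b",
        re.IGNORECASE,
    ),
    "boot-config-modification": re.compile(
        r"\bbcdedit(?:\.exe)?\b.*/set\b", re.IGNORECASE
    ),
}


@dataclass(frozen=True)
class Hit:
    host: str
    user: str
    behaviour: str
    command: str


def classify(cmdline: str) -> Optional[str]:
    """Return the T1490 behaviour a process command line matches, or None."""
    for name, pattern in PATTERNS.items():
        if pattern.search(cmdline):
            return name
    return None


def scan(events: List[Dict[str, str]]) -> List[Hit]:
    """Run classify() over process-creation events (host, user, cmd fields)."""
    hits = []
    for ev in events:
        behaviour = classify(ev["cmd"])
        if behaviour is not None:
            hits.append(Hit(ev["host"], ev["user"], behaviour, ev["cmd"]))
    return hits


def hosts_to_escalate(hits: List[Hit]) -> Set[str]:
    """Hosts where both shadow copies and boot configuration were touched.
    One alone is occasionally legitimate admin work; both together on an
    operator workstation match the reported pre-wipe sequence."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for hit in hits:
        seen[hit.host].add(hit.behaviour)
    return {host for host, kinds in seen.items() if kinds >= set(PATTERNS)}


# Constructed sample events in the shape of Sysmon Event ID 1 / Windows 4688
# process-creation records. Hostnames, users and the benign lines are invented;
# the bcdedit parameters are a common form, not quoted from the reporting.
SAMPLE_EVENTS = [
    {"host": "HMI-01", "user": r"NT AUTHORITY\SYSTEM",
     "cmd": "vssadmin delete shadows /all /quiet"},
    {"host": "HMI-01", "user": r"NT AUTHORITY\SYSTEM",
     "cmd": "bcdedit /set {default} recoveryenabled no"},
    {"host": "ENG-02", "user": r"CORP\jsmith",
     "cmd": "vssadmin list shadows"},
    {"host": "ENG-02", "user": r"CORP\backup-svc",
     "cmd": "bcdedit /enum"},
    {"host": "HMI-03", "user": r"NT AUTHORITY\SYSTEM",
     "cmd": "wmic shadowcopy delete"},
]


if __name__ == "__main__":
    hits = scan(SAMPLE_EVENTS)
    for hit in hits:
        print(f"{hit.host:8} {hit.behaviour:26} {hit.user:22} {hit.command}")
    print("escalate:", sorted(hosts_to_escalate(hits)))
```

In a real pipeline the same classify() runs over the CommandLine field of Sysmon or 4688 events; feed it the raw string rather than a tokenized form so renamed binaries and extra whitespace still hit the `.exe`-optional patterns.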

Attribution across the cited reporting is mixed. ESET attributed DynoWiper to Sandworm with medium confidence based on overlaps in tactics, coding patterns, and similarities to prior Sandworm-linked wipers such as ZOV/ZOVWiper. Other reporting and CERT Polska linked the broader Poland campaign to the Russia-linked cluster Static Tundra, also tracked as Berserk Bear, Ghost Blizzard, and Dragonfly, with Hunt.io noting infrastructure overlaps involving DynoWiper activity. The malware is therefore associated with Russian state-linked destructive operations against Polish energy infrastructure, but actor attribution is not uniform across sources.

Known indicators directly mentioned in the content include SHA-1 4EC3C90846AF6B79EE1A5188EEFA3FD21F6D4CF6 and SHA-256 835b0d87ed2d49899ab6f9479cddb8b4e03f5aeb2365c50a51f9088dcede68d5.


THREAT ACTORS

Groups observed using it

2 distinct threat actors attributed by public researchers.
Sandworm

A decade later, the same group demonstrated that this capability now extends to NATO territory, deploying DynoWiper malware against Poland’s energy infrastructure in December 2025.

via EclecticIQ blog (blog.eclecticiq.com)
Dragonfly

Malware Family DYNOWIPER Destructive wiper malware attributed to ENERGETIC BEAR; hosted on CLODO CLOUD SERVICE (UAE)

via Cyber Security News (cybersecuritynews.com)
MITRE ATT&CK

Techniques & procedures

14 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

2 techniques
T1190 Exploit Public-Facing Application (evidence: 1)

“The following are the TTPs … Initial Access T1190 Exploit Public-Facing Application” (DynoWiper section).

T1566 Phishing (evidence: 1)

“Initial Access T1566 Phishing” (DynoWiper section).

Execution

3 techniques
T1053.005 Scheduled Task (evidence: 1)

“Distribution of the wiper within the domain using a Scheduled Task” / “defines a ScheduledTask that executes with NT AUTHORITY\SYSTEM… deletes itself…”

T1059 Command and Scripting Interpreter (evidence: 1)

“Execution T1059 Command and Scripting Interpreter” (Sicarii section) and “Execution T1059 Command and Scripting Interpreter” (DynoWiper section).

T1204 User Execution (evidence: 1)

“Execution T1204 User Execution” (DynoWiper section).

Persistence

1 technique
T1053.005 Scheduled Task (evidence: 1)

“Distribution of the wiper within the domain using a Scheduled Task” / “defines a ScheduledTask that executes with NT AUTHORITY\SYSTEM… deletes itself…”

Privilege Escalation

2 techniques
T1053.005 Scheduled Task (evidence: 1)

“Distribution of the wiper within the domain using a Scheduled Task” / “defines a ScheduledTask that executes with NT AUTHORITY\SYSTEM… deletes itself…”

T1484.001 Group Policy Modification (evidence: 2)

“DynoWiper was later deployed using Group Policy Objects distributed from a domain controller.” / “LazyWiper... was distributed through Group Policy Objects...”
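The scheduled-task and GPO evidence above (T1053.005 and T1484.001) describes a task pushed through Group Policy that runs as NT AUTHORITY\SYSTEM and deletes itself afterwards. Defenders can audit SYSVOL for Group Policy Preferences task definitions with that shape. The audit script below is an added example and not code from any cited source; the ScheduledTasks.xml layout it parses (a Properties element with a runAs attribute, and Task/Actions/Exec/Command beneath it) is assumed from the Group Policy Preferences format, and the sample policy, task names, paths, share name and timestamps are constructed.

```python
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Tuple

# The SYSTEM principal in its usual spellings (NT AUTHORITY\System, SYSTEM, SID).
SYSTEM_RE = re.compile(r"(?:^|\\)system$|^S-1-5-18$", re.IGNORECASE)
# A del/erase of an executable in the same command segment: the task removes
# its own payload, as the cited scheduled-task evidence describes.
SELF_DELETE_RE = re.compile(r"\b(?:del|erase)\b[^&|]*\.exe", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    name: str
    cmdline: str
    reasons: Tuple[str, ...]


def audit_gpp_tasks(xml_text: str, now: datetime, max_age_days: int = 30) -> List[Finding]:
    """Flag GPP tasks that run as SYSTEM and show at least two further signs of
    a mass payload push: immediate execution, a UNC source (for example a
    share on the domain controller), self-deletion, or a recent change."""
    findings = []
    for task in ET.fromstring(xml_text):
        props = task.find("Properties")
        if props is None:
            continue
        exe = props.find(".//Exec")
        command = exe.findtext("Command", "") if exe is not None else ""
        args = exe.findtext("Arguments", "") if exe is not None else ""
        cmdline = f"{command} {args}".strip()

        reasons = []
        if SYSTEM_RE.search(props.get("runAs", "")):
            reasons.append("runs-as-SYSTEM")
        if task.tag.startswith("ImmediateTask"):   # runs once at next policy refresh
            reasons.append("immediate-task")
        if "\\\\" in cmdline:                        # payload pulled from a share
            reasons.append("unc-source")
        if SELF_DELETE_RE.search(cmdline):
            reasons.append("self-deletion")
        changed = task.get("changed")
        if changed and now - datetime.strptime(changed, "%Y-%m-%d %H:%M:%S") <= timedelta(days=max_age_days):
            reasons.append("recently-changed")

        if "runs-as-SYSTEM" in reasons and len(reasons) >= 3:
            findings.append(Finding(task.get("name", "?"), cmdline, tuple(reasons)))
    return findings


# Constructed sample in the assumed Group Policy Preferences ScheduledTasks.xml
# layout. Task names, the dc01 share, file names and timestamps are invented.
SAMPLE_XML = r"""
<ScheduledTasks>
  <ImmediateTaskV2 name="SvcUpdate" changed="2025-12-29 21:10:05">
    <Properties action="C" name="SvcUpdate" runAs="NT AUTHORITY\System" logonType="S4U">
      <Task version="1.3">
        <Principals><Principal id="Author">
          <UserId>NT AUTHORITY\System</UserId><RunLevel>HighestAvailable</RunLevel>
        </Principal></Principals>
        <Actions Context="Author"><Exec>
          <Command>cmd.exe</Command>
          <Arguments>/c copy \\dc01\netlogon\upd.exe %TEMP%\upd.exe &amp;&amp; %TEMP%\upd.exe &amp;&amp; del /f /q %TEMP%\upd.exe</Arguments>
        </Exec></Actions>
      </Task>
    </Properties>
  </ImmediateTaskV2>
  <TaskV2 name="DefragWeekly" changed="2024-03-02 08:00:00">
    <Properties action="C" name="DefragWeekly" runAs="%LogonDomain%\%LogonUser%" logonType="InteractiveToken">
      <Task version="1.3">
        <Actions Context="Author"><Exec>
          <Command>C:\Windows\System32\defrag.exe</Command><Arguments>C: /O</Arguments>
        </Exec></Actions>
      </Task>
    </Properties>
  </TaskV2>
</ScheduledTasks>
"""
SAMPLE_NOW = datetime(2025, 12, 30, 12, 0, 0)   # assumed time of the audit


if __name__ == "__main__":
    for f in audit_gpp_tasks(SAMPLE_XML, SAMPLE_NOW):
        print(f"{f.name}: {', '.join(f.reasons)}\n    {f.cmdline}")
```

Point the function at each Machine\Preferences\ScheduledTasks\ScheduledTasks.xml under the domain's SYSVOL Policies tree; the per-GPO gpt.ini version number, not covered here, is a second cheap signal for a policy that changed just before an outage.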

Stealth

2 techniques
T1070 Indicator Removal (evidence: 1)

“Defense Evasion T1070 Indicator Removal” (Sicarii) and “Defense Evasion T1070 Indicator Removal on Host” (DynoWiper).

T1070.004 File Deletion (evidence: 1)

“removes the files ‘C:\Windows\Temp\manifest.xml’, ‘C:\Windows\Temp\{$backupId}\*’.”

Defense Impairment

1 technique
T1484.001 Group Policy Modification (evidence: 2)

“DynoWiper was later deployed using Group Policy Objects distributed from a domain controller.” / “LazyWiper... was distributed through Group Policy Objects...”

Discovery

1 technique
T1083 File and Directory Discovery (evidence: 1)

“Discovery T1083 File and Directory Discovery” (Sicarii) and “Discovery T1083 File and Directory Discovery” (DynoWiper).

Command and Control

1 technique
T1071 Application Layer Protocol (evidence: 1)

“Command and Control T1071 Application Layer Protocol” (Sicarii) and “Command and control T1071 Application Layer Protocol” (DynoWiper).

Impact

4 techniques
T1485 Data Destruction (evidence: 13)

“Sandworm... deploying DynoWiper malware against Poland’s energy infrastructure...” / “Iran-linked hackers have wiped the data of over 50 small Israeli companies since the war began...” / “...used Microsoft Intune to remotely wipe nearly 80,000 devices.”

T1490 Inhibit System Recovery (evidence: 2)

The references include multiple wiper campaigns and destructive malware operations such as NotPetya, SwiftSlicer, AcidRain, AcidPour, and DynoWiper associated with Sandworm/APT44.

T1529 System Shutdown/Reboot (evidence: 2)

Designed to overwrite files and force a system reboot... Analysis revealed a dedicated file-overwriting payload that systematically targeted drives and rebooted systems to complete destruction.

T1561 Disk Wipe (evidence: 1)

“Impact T1561 Disk Wipe” (DynoWiper section).

INDICATORS OF COMPROMISE

IOCs tracked for this family

1 indicator attributed across vendor reports, sandbox runs, and researcher write-ups.

Hashes (1 tracked): file hashes (MD5, SHA-1, SHA-256) from samples and reports.

Type | Value | Latest sighting
hash.sha1 | (value masked on the public page) | 4 months ago