ZOV
ZOV is a destructive wiper malware family that ESET attributes, with high confidence, to the Russia-aligned Sandworm threat group. It has been used against Ukrainian targets, including a Ukrainian energy company on January 25, 2024, and a financial institution in Ukraine in November 2025. Reporting states that ZOV wipes files on fixed drives, skips specific directories, and chooses its overwrite strategy by file size. ESET also notes that Sandworm typically deploys ZOV through Active Directory Group Policy, using a PowerShell deployment script hosted on a shared network directory; pushing a GPO in this way normally requires Domain Admin privileges or equivalently delegated Group Policy rights, so by the time the wiper runs the domain should be treated as compromised. ZOV is described as closely related in tactics and coding patterns to the later DynoWiper family, with analysts highlighting strong similarities between the two. The available content does not provide specific ZOV file hashes or broader IOC sets beyond these behavioral characteristics and victimology.
Groups observed using it
1 distinct threat actor attributed by public researchers.
ESET attributes DynoWiper to the Russia-aligned Sandworm group with medium confidence, citing shared tactics and coding patterns with earlier destructive wiper families, ZOV among them; the ZOV attribution itself is reported separately (see above).
Techniques & procedures
1 distinct technique documented for this family, organized by ATT&CK tactic.
Recent activity
3 sources tracked across advisories, community write-ups, and news.
A previous destructive wiper family referenced as sharing tactics and coding patterns with DynoWiper.
Previously observed destructive wiper used against Ukrainian targets; referenced as similar to DynoWiper (including a dropped wallpaper artifact).
Destructive wiper that iterates over the files on fixed drives and overwrites their contents (a full overwrite for smaller files, a partial overwrite for larger ones) using a buffer that commonly begins with the string 'ZOV'. It then executes commands to remove files and directories and reboot the machine, and also drops a wallpaper image.
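Because the overwrite buffer is reported to begin with the string 'ZOV', wiped files on a recovered volume can be triaged by their leading bytes. The following is an added example for this page, not ESET's or Mallory's code. It assumes only what the reporting states (the 'ZOV' prefix and the small/large size split); the rest of the buffer and the real size threshold are not public, so HEAD_LEN and SMALL_FILE_MAX are assumptions, and the sample tree built in demo() is constructed. Run it against a mounted image or a copy, never the live victim volume.

```python
"""Post-incident triage: find files whose leading bytes carry the 'ZOV' marker.

Added example for this page; not ESET's or Mallory's code. The reporting
says the wiper's overwrite buffer commonly starts with the string 'ZOV' and
that small files are overwritten fully while large ones only partially. The
rest of the buffer is not described, so only the prefix is tested.
"""
import os
import tempfile
from pathlib import Path

MARKER = b"ZOV"           # documented prefix of the overwrite buffer
HEAD_LEN = 64             # bytes read per file; assumption, kept small for speed
SMALL_FILE_MAX = 1 << 20  # 1 MiB; assumed cut-off, the real threshold is not public


def scan_for_marker(root: str, marker: bytes = MARKER) -> list[dict]:
    """Walk root and return one record per file whose first bytes are marker."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            try:
                size = p.stat().st_size
                with open(p, "rb") as fh:
                    head = fh.read(HEAD_LEN)
            except OSError:
                continue  # locked or unreadable: record separately in real triage
            if head.startswith(marker):
                hits.append({
                    "path": str(p),
                    "size": size,
                    # a large file may keep recoverable data past the overwritten span
                    "likely_partial": size > SMALL_FILE_MAX,
                })
    return hits


def demo() -> dict[str, bool]:
    """Build a constructed sample tree in a temp dir; return {name: likely_partial} for hits."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "clean.txt").write_bytes(b"quarterly figures, untouched")
        (root / "report.docx").write_bytes(MARKER + b"\x00" * 500)  # small: fully overwritten
        (root / "big.bin").write_bytes(MARKER * 4096 + b"ORIGINAL TAIL" * 100000)  # large: head clobbered, tail intact
        (root / "sub").mkdir()
        (root / "sub" / "notes.md").write_bytes(b"ZOV is also a plausible word start")  # legitimate text, false positive
        return {Path(h["path"]).name: h["likely_partial"] for h in scan_for_marker(str(root))}


if __name__ == "__main__":
    for name, partial in demo().items():
        print(f"{name}: {'partial overwrite likely' if partial else 'full overwrite likely'}")
```

A three-byte ASCII prefix is a weak discriminator on its own, as the notes.md case shows, so treat hits as leads: corroborate with modification-time clustering across the volume (a wiper touches many files within a short window), compare against known-good hashes from backups, and prioritise the likely_partial set for carving, since the tail of a large file may still hold recoverable content.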