A dangerous new data-wiping malware known as DynoWiper has emerged, targeting energy companies in Poland with destructive attacks designed to permanently erase critical data.
The malware surfaced in December 2025 when security researchers detected its deployment at a Polish energy firm.
Unlike typical ransomware that encrypts files for monetary gain, DynoWiper operates with a single destructive purpose: to overwrite and destroy data across compromised networks, rendering systems completely unbootable.
The attack represents a concerning escalation in cyber threats against critical infrastructure.
DynoWiper was deployed as several variants, including files named schtask.exe, schtask2.exe, and an update executable, all dropped on December 29, 2025.
After the first attempt failed, the attackers tried repeatedly to run the malware, modifying the binary each time in an effort to get past the defenses.
The endpoint detection and response product installed in the environment blocked each execution, which significantly limited the damage.
WeLiveSecurity (ESET) analysts identified striking similarities between DynoWiper and ZOV, a wiper previously used against Ukrainian targets.
On that basis the research team attributed DynoWiper to Sandworm, a Russia-aligned threat group with a long record of destructive cyberattacks against energy companies.
Figure: Wallpaper dropped by the ZOV wiper (Source – WeLiveSecurity)
Sandworm, commonly linked to Unit 74455 of the Russian Main Intelligence Directorate (GRU), has a long history of targeting critical infrastructure across Eastern Europe.
The malware works through a three-phase destruction process. In the first phase, DynoWiper recursively enumerates files on all fixed and removable drives, skipping certain system directories so that the operating system keeps running while the wiper finishes its work.
Each file is overwritten with a 16-byte buffer of random data: files smaller than 16 bytes are overwritten in full, while larger files have only portions of their contents overwritten, which trades completeness of destruction for speed.
Deployment Through Active Directory Group Policy
DynoWiper's delivery abused a legitimate administrative mechanism: the attackers used Active Directory Group Policy to push the malware to machines across the compromised domain.
Creating or modifying and linking a GPO for this purpose requires Domain Admin (or equivalent) rights, which shows how much access the group had already obtained in the targeted organization.
The binary itself was staged on a network share, so the policy could launch it on many machines at once.
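As an added example (not code from the article, nor from ESET/WeLiveSecurity), the following PowerShell audit lists every GPO in the domain whose XML report contains a scheduled-task preference or a reference to an executable on a UNC share, which is the deployment path described above. It assumes the RSAT GroupPolicy module on a domain-joined machine with read access to the GPOs; the regular expressions, and the "known wiper name" pattern built from the file names the article reports, are this example's own assumptions.

```powershell
# Added example: audit every GPO for scheduled-task preferences and UNC-hosted
# executables. Not from the original article; assumes the RSAT GroupPolicy module.
Import-Module GroupPolicy -ErrorAction Stop

# Any UNC path ending in an executable/script extension (assumed pattern).
$uncExe = '\\\\[^\s"<>]+\\[^\s"<>]+\.(?:exe|dll|bat|cmd|ps1|vbs)'
# File names the article reports for the wiper; extend as indicators become available.
$wiperNames = '\bschtask2?\.exe\b'

$findings = foreach ($gpo in Get-GPO -All) {
    # The XML report contains every setting, including Group Policy Preferences
    # (scheduled tasks), startup/logon scripts and software-installation entries.
    $raw = Get-GPOReport -Guid $gpo.Id -ReportType Xml

    $uncHits = [regex]::Matches($raw, $uncExe, 'IgnoreCase') |
        ForEach-Object { $_.Value } | Sort-Object -Unique
    $hasTask = $raw -match 'ScheduledTasks|TaskV2'   # preference element names
    $nameHit = $raw -match $wiperNames

    if ($uncHits -or $hasTask -or $nameHit) {
        [pscustomobject]@{
            GPO            = $gpo.DisplayName
            Modified       = $gpo.ModificationTime
            ScheduledTask  = $hasTask
            KnownWiperName = $nameHit
            UncTargets     = ($uncHits -join '; ')
        }
    }
}

# Most recently modified GPOs first: a freshly created or edited GPO that
# launches a binary from a share is exactly what this deployment looks like.
$findings | Sort-Object Modified -Descending | Format-Table -AutoSize
```

Treat a hit as a lead, not a verdict: legitimate software deployment also uses scheduled tasks and share-hosted installers, so compare the GPO's modification time against the change record and check who can write to the share the target lives on. Where Directory Service auditing is enabled, the corresponding object-modification events (5136 and 5137) show which account made the change.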
Before deploying the wiper, the attackers used the credential-theft tool Rubeus and attempted to dump the memory of the LSASS process with Windows Task Manager (whose "Create dump file" option writes lsass.DMP into the user's %LOCALAPPDATA%\Temp directory, a useful artifact to hunt for). They also deployed rsocx, a SOCKS5 proxy tool, to open reverse connections to external servers.
This staged approach shows careful planning and reconnaissance ahead of the final destructive payload.
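The host-level artifacts of the stages described above can be checked with a short triage script. This is an added example, not code from the article or from the researchers; it assumes an elevated PowerShell session on a suspect Windows host, that process-creation auditing (Security event 4688 with command-line logging) is enabled, that Task Manager's dump lands in %LOCALAPPDATA%\Temp as lsass.DMP, and it reuses the file names the article reports. The path patterns used to classify "user-writable" locations are this example's own choice.

```powershell
# Added endpoint triage example, not from the original article. Run elevated on a
# suspect host. Assumptions: Task Manager's "Create dump file" writes lsass.DMP into
# the user's %LOCALAPPDATA%\Temp; Security event 4688 with command-line logging is
# enabled; the file names schtask.exe / schtask2.exe come from the article.

# 1. LSASS dump files left by Task Manager (other dumpers often keep the same name).
$dumpHits = Get-ChildItem -Path 'C:\Users\*\AppData\Local\Temp' -Filter 'lsass*.dmp' -File -ErrorAction SilentlyContinue |
    Select-Object FullName, Length, LastWriteTime

# 2. Scheduled tasks whose action launches something from a UNC share.
$unc = '\\\\[^\s"]+\\'
$taskHits = foreach ($task in Get-ScheduledTask) {
    foreach ($a in $task.Actions) {
        if ("$($a.Execute) $($a.Arguments)" -match $unc) {
            [pscustomobject]@{
                Task    = $task.TaskPath + $task.TaskName
                Execute = $a.Execute
                Args    = $a.Arguments
            }
        }
    }
}

# 3. Process creations in the last 7 days of the reported file names, or of any
#    binary started from a share.
$since = (Get-Date).AddDays(-7)
$procHits = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            User        = $d['SubjectUserName']
            Parent      = $d['ParentProcessName']
            Image       = $d['NewProcessName']
            CommandLine = $d['CommandLine']
        }
    } | Where-Object {
        $_.Image -match '^\\\\' -or
        $_.Image -match '\\schtask2?\.exe$' -or
        $_.CommandLine -match $unc
    }

# 4. Established TCP connections owned by processes running from user-writable
#    paths; a reverse SOCKS proxy such as rsocx has to hold such a connection open.
$netHits = foreach ($c in Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue) {
    $p = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
    $path = $null
    if ($p) { try { $path = $p.Path } catch { } }   # protected processes deny access
    if ($path -and $path -match '^C:\\Users\\|\\ProgramData\\|\\Temp\\') {
        [pscustomobject]@{
            Process = $p.ProcessName
            Path    = $path
            Remote  = "$($c.RemoteAddress):$($c.RemotePort)"
        }
    }
}

# Out-Host keeps each table next to its heading instead of buffering it.
Write-Host '== LSASS dump files =='
$dumpHits | Format-Table -AutoSize | Out-Host
Write-Host '== Scheduled tasks running from shares =='
$taskHits | Format-Table -AutoSize | Out-Host
Write-Host '== Suspicious process creations (7 days) =='
$procHits | Format-Table -AutoSize | Out-Host
Write-Host '== Established connections from user-writable paths =='
$netHits | Format-Table -AutoSize | Out-Host
```

Section 3 is only as good as the audit policy: without command-line logging the CommandLine field is empty and only the image path is checked. Section 4 will also surface benign software that updates itself from a user profile, so pivot on the remote address and the process hash before drawing conclusions.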
Energy-sector organizations should enforce strict access controls (including tiered administration that keeps Domain Admin credentials off ordinary workstations), segment their networks, monitor Group Policy changes, and maintain continuous monitoring so that an intrusion is detected before a wiper can be deployed.
The post DynoWiper Data-Wiping Malware Attacking Energy Companies to Destroy Data appeared first on Cyber Security News.