PULSE NAME
DynoWiper update: Technical analysis
WHITE Sandworm AlienVault 2026-01-30 Modified: 2026-03-01
ESET researchers provide technical details on a recent data destruction incident affecting a Polish energy company. They identified new data-wiping malware named DynoWiper, attributed to the Russia-aligned threat group Sandworm with medium confidence. The tactics, techniques, and procedures observed during the DynoWiper incident resemble those seen earlier in an incident involving the ZOV wiper in Ukraine. Sandworm has a history of destructive cyberattacks, targeting various entities including energy providers. The DynoWiper samples focus on the IT environment, with no observed functionality targeting OT industrial components. The attackers deployed additional tools and attempted to use a SOCKS5 proxy. The incident represents a rare case of a Russia-aligned threat actor deploying destructive malware against an energy company in Poland.
MITRE ATT&CK & Malware Families
MALWARE FAMILIES
DynoWiper, ZOV wiper, Industroyer2 - S1072, HermeticWiper - S0697, Trojan.Killdisk, DriveSlayer, HermeticRansom, CaddyWiper - S0693, DoubleZero, ARGUEPATCH, ORCSHRED, SOLOSHRED, AWFULSHRED, Prestige - S1058, RansomBoggs, BidSwipe, ROARBAT, SwiftSlicer, NikoWiper, SharpNikoWiper, ZEROLOT, Sting wiper
Indicators of Compromise (6 / 20 total)