{
  "type": "SHA256",
  "indicator": "835b0d87ed2d49899ab6f9479cddb8b4e03f5aeb2365c50a51f9088dcede68d5",
  "general": {
    "sections": [
      "general",
      "analysis"
    ],
    "type": "sha256",
    "type_title": "FileHash-SHA256",
    "indicator": "835b0d87ed2d49899ab6f9479cddb8b4e03f5aeb2365c50a51f9088dcede68d5",
    "validation": [],
    "base_indicator": {
      "id": 4190216980,
      "indicator": "835b0d87ed2d49899ab6f9479cddb8b4e03f5aeb2365c50a51f9088dcede68d5",
      "type": "FileHash-SHA256",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 24,
      "pulses": [
        {
          "id": "69f32ac81834d5a878e8fac0",
          "name": "Energy Sector Incident Report",
          "description": "On December 29, 2025, coordinated destructive cyberattacks targeted Poland's energy infrastructure during severe winter weather. Approximately 30 wind and solar farms, a manufacturing company, and a combined heat and power plant serving nearly 500,000 customers were affected. Attackers exploited vulnerable FortiGate perimeter devices using stolen credentials and default passwords to access industrial control systems. Multiple types of wiper malware, including DynoWiper and LazyWiper, were deployed to destroy data across IT and OT environments. While renewable facilities lost communication with distribution operators without affecting electricity generation, the incidents demonstrated significant capability to cause physical disruption. Infrastructure analysis revealed connections to threat clusters known as Static Tundra, Ghost Blizzard, and potentially Sandworm, marking a notable escalation in cyber-sabotage operations.",
          "modified": "2026-05-30T10:03:42.474000",
          "created": "2026-04-30T10:11:20.255000",
          "tags": [
            "energy sector",
            "cve-2024-2617",
            "rubeus",
            "dynowiper",
            "lazywiper",
            "destructive operations",
            "fortigate exploitation",
            "combined heat power",
            "impacket",
            "renewable energy",
            "poland infrastructure",
            "industrial control systems",
            "wiper attack"
          ],
          "references": [
            "https://cert.pl/uploads/docs/CERT_Polska_Energy_Sector_Incident_Report_2025.pdf"
          ],
          "public": 1,
          "adversary": "Static Tundra",
          "targeted_countries": [
            "Poland"
          ],
          "malware_families": [
            {
              "id": "DynoWiper",
              "display_name": "DynoWiper",
              "target": null
            },
            {
              "id": "LazyWiper",
              "display_name": "LazyWiper",
              "target": null
            },
            {
              "id": "Impacket",
              "display_name": "Impacket",
              "target": null
            },
            {
              "id": "Rubeus",
              "display_name": "Rubeus",
              "target": null
            }
          ],
          "attack_ids": [],
          "industries": [
            "Energy",
            "Manufacturing"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 24,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 21,
            "FileHash-SHA1": 5,
            "FileHash-SHA256": 7,
            "URL": 5
          },
          "indicator_count": 38,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 386443,
          "modified_text": "8 hours ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "FileHash-MD5",
          "related_indicator_is_active": 1
        },
        {
          "id": "697cfb85ac8b88be3162c26c",
          "name": "DynoWiper update: Technical analysis",
          "description": "ESET researchers provide technical details on a recent data destruction incident affecting a Polish energy company. They identified new data-wiping malware named DynoWiper, attributed to the Russia-aligned threat group Sandworm with medium confidence. The tactics, techniques, and procedures observed during the DynoWiper incident resemble those seen earlier in an incident involving the ZOV wiper in Ukraine. Sandworm has a history of destructive cyberattacks, targeting various entities including energy providers. The DynoWiper samples focus on the IT environment, with no observed functionality targeting OT industrial components. The attackers deployed additional tools and attempted to use a SOCKS5 proxy. The incident represents a rare case of a Russia-aligned threat actor deploying destructive malware against an energy company in Poland.",
          "modified": "2026-03-01T18:00:46.183000",
          "created": "2026-01-30T18:42:13.717000",
          "tags": [
            "poland",
            "sting wiper",
            "dynowiper",
            "sharpnikowiper",
            "roarbat",
            "swiftslicer",
            "zov wiper",
            "arguepatch",
            "orcshred",
            "industroyer",
            "energy sector",
            "soloshred",
            "hermeticwiper",
            "zerolot",
            "hermeticransom",
            "nikowiper",
            "prestige",
            "cyberattack",
            "russia-aligned",
            "bidswipe",
            "caddywiper",
            "doublezero",
            "wiper malware",
            "data destruction",
            "industroyer2",
            "ransomboggs",
            "awfulshred"
          ],
          "references": [
            "https://www.welivesecurity.com/en/eset-research/dynowiper-update-technical-analysis-attribution"
          ],
          "public": 1,
          "adversary": "Sandworm",
          "targeted_countries": [
            "Poland",
            "Ukraine"
          ],
          "malware_families": [
            {
              "id": "DynoWiper",
              "display_name": "DynoWiper",
              "target": null
            },
            {
              "id": "ZOV wiper",
              "display_name": "ZOV wiper",
              "target": null
            },
            {
              "id": "Industroyer2 - S1072",
              "display_name": "Industroyer2 - S1072",
              "target": null
            },
            {
              "id": "Industroyer2 - S1072",
              "display_name": "Industroyer2 - S1072",
              "target": null
            },
            {
              "id": "HermeticWiper - S0697",
              "display_name": "HermeticWiper - S0697",
              "target": null
            },
            {
              "id": "Trojan.Killdisk",
              "display_name": "Trojan.Killdisk",
              "target": null
            },
            {
              "id": "DriveSlayer",
              "display_name": "DriveSlayer",
              "target": null
            },
            {
              "id": "HermeticRansom",
              "display_name": "HermeticRansom",
              "target": null
            },
            {
              "id": "CaddyWiper - S0693",
              "display_name": "CaddyWiper - S0693",
              "target": null
            },
            {
              "id": "DoubleZero",
              "display_name": "DoubleZero",
              "target": null
            },
            {
              "id": "ARGUEPATCH",
              "display_name": "ARGUEPATCH",
              "target": null
            },
            {
              "id": "ORCSHRED",
              "display_name": "ORCSHRED",
              "target": null
            },
            {
              "id": "SOLOSHRED",
              "display_name": "SOLOSHRED",
              "target": null
            },
            {
              "id": "AWFULSHRED",
              "display_name": "AWFULSHRED",
              "target": null
            },
            {
              "id": "Prestige - S1058",
              "display_name": "Prestige - S1058",
              "target": null
            },
            {
              "id": "RansomBoggs",
              "display_name": "RansomBoggs",
              "target": null
            },
            {
              "id": "BidSwipe",
              "display_name": "BidSwipe",
              "target": null
            },
            {
              "id": "ROARBAT",
              "display_name": "ROARBAT",
              "target": null
            },
            {
              "id": "SwiftSlicer",
              "display_name": "SwiftSlicer",
              "target": null
            },
            {
              "id": "NikoWiper",
              "display_name": "NikoWiper",
              "target": null
            },
            {
              "id": "SharpNikoWiper",
              "display_name": "SharpNikoWiper",
              "target": null
            },
            {
              "id": "ZEROLOT",
              "display_name": "ZEROLOT",
              "target": null
            },
            {
              "id": "Sting wiper",
              "display_name": "Sting wiper",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1053.005",
              "name": "Scheduled Task",
              "display_name": "T1053.005 - Scheduled Task"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1003.001",
              "name": "LSASS Memory",
              "display_name": "T1003.001 - LSASS Memory"
            },
            {
              "id": "T1090.002",
              "name": "External Proxy",
              "display_name": "T1090.002 - External Proxy"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1059.003",
              "name": "Windows Command Shell",
              "display_name": "T1059.003 - Windows Command Shell"
            },
            {
              "id": "T1584.004",
              "name": "Server",
              "display_name": "T1584.004 - Server"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1124",
              "name": "System Time Discovery",
              "display_name": "T1124 - System Time Discovery"
            },
            {
              "id": "T1561.001",
              "name": "Disk Content Wipe",
              "display_name": "T1561.001 - Disk Content Wipe"
            },
            {
              "id": "T1529",
              "name": "System Shutdown/Reboot",
              "display_name": "T1529 - System Shutdown/Reboot"
            }
          ],
          "industries": [
            "Energy"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 28,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 1,
            "FileHash-MD5": 6,
            "FileHash-SHA1": 7,
            "FileHash-SHA256": 6
          },
          "indicator_count": 20,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 386452,
          "modified_text": "90 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "FileHash-MD5",
          "related_indicator_is_active": 1
        },
        {
          "id": "6973fa6df457081a422f550e",
          "name": "Sandworm behind cyberattack on Poland's power grid in late 2025",
          "description": "In late 2025, Poland's energy system was targeted by a major cyberattack, now attributed to the Russia-aligned APT group Sandworm by ESET Research. The attack involved data-wiping malware named DynoWiper, detected as Win32/KillFiles.NMO. While the full impact is still under investigation, researchers noted the attack's timing coincided with the 10th anniversary of Sandworm's 2015 attack on Ukraine's power grid. Sandworm continues to target critical infrastructure, particularly in Ukraine, with regular wiper attacks. The group's history of disruptive cyberattacks and the similarities in tactics, techniques, and procedures led to a medium-confidence attribution of this latest incident to Sandworm.",
          "modified": "2026-01-23T22:57:59.767000",
          "created": "2026-01-23T22:47:09.688000",
          "tags": [
            "critical infrastructure",
            "apt",
            "russia-aligned",
            "power grid",
            "poland",
            "blackenergy",
            "dynowiper",
            "wiper"
          ],
          "references": [
            "https://www.welivesecurity.com/en/eset-research/eset-research-sandworm-cyberattack-poland-power-grid-late-2025"
          ],
          "public": 1,
          "adversary": "Sandworm",
          "targeted_countries": [
            "Poland",
            "Ukraine"
          ],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1561",
              "name": "Disk Wipe",
              "display_name": "T1561 - Disk Wipe"
            },
            {
              "id": "T1489",
              "name": "Service Stop",
              "display_name": "T1489 - Service Stop"
            },
            {
              "id": "T1565",
              "name": "Data Manipulation",
              "display_name": "T1565 - Data Manipulation"
            },
            {
              "id": "T1486",
              "name": "Data Encrypted for Impact",
              "display_name": "T1486 - Data Encrypted for Impact"
            },
            {
              "id": "T1490",
              "name": "Inhibit System Recovery",
              "display_name": "T1490 - Inhibit System Recovery"
            }
          ],
          "industries": [
            "Energy"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 16,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA1": 1
          },
          "indicator_count": 1,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 386448,
          "modified_text": "126 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "FileHash-SHA1",
          "related_indicator_is_active": 1
        },
        {
          "id": "69f82582e230f0f8170c97fa",
          "name": "Energy Sector Incident Report",
          "description": "",
          "modified": "2026-05-30T10:03:42.474000",
          "created": "2026-05-04T04:50:10.429000",
          "tags": [
            "energy sector",
            "cve-2024-2617",
            "rubeus",
            "dynowiper",
            "lazywiper",
            "destructive operations",
            "fortigate exploitation",
            "combined heat power",
            "impacket",
            "renewable energy",
            "poland infrastructure",
            "industrial control systems",
            "wiper attack"
          ],
          "references": [
            "https://cert.pl/uploads/docs/CERT_Polska_Energy_Sector_Incident_Report_2025.pdf"
          ],
          "public": 1,
          "adversary": "Static Tundra",
          "targeted_countries": [
            "Poland"
          ],
          "malware_families": [
            {
              "id": "DynoWiper",
              "display_name": "DynoWiper",
              "target": null
            },
            {
              "id": "LazyWiper",
              "display_name": "LazyWiper",
              "target": null
            },
            {
              "id": "Impacket",
              "display_name": "Impacket",
              "target": null
            },
            {
              "id": "Rubeus",
              "display_name": "Rubeus",
              "target": null
            }
          ],
          "attack_ids": [],
          "industries": [
            "Energy",
            "Manufacturing"
          ],
          "TLP": "white",
          "cloned_from": "69f32ac81834d5a878e8fac0",
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Tr1sa111",
            "id": "192483",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 21,
            "FileHash-SHA1": 5,
            "FileHash-SHA256": 7,
            "URL": 5
          },
          "indicator_count": 38,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 278,
          "modified_text": "8 hours ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "FileHash-MD5",
          "related_indicator_is_active": 1
        },
        {
          "id": "69f3bd6814568df21249e586",
          "name": "\"E:\\CTIA-Tools\\CTIA Module 05 Data Analysis\\Microsoft Threat Modeling Tool\\TMT7.application\"",
          "description": "",
          "modified": "2026-05-30T10:03:42.474000",
          "created": "2026-04-30T20:36:56.263000",
          "tags": [
            "energy sector",
            "cve-2024-2617",
            "rubeus",
            "dynowiper",
            "lazywiper",
            "destructive operations",
            "fortigate exploitation",
            "combined heat power",
            "impacket",
            "renewable energy",
            "poland infrastructure",
            "industrial control systems",
            "wiper attack"
          ],
          "references": [
            "https://cert.pl/uploads/docs/CERT_Polska_Energy_Sector_Incident_Report_2025.pdf"
          ],
          "public": 1,
          "adversary": "Static Tundra",
          "targeted_countries": [
            "Poland"
          ],
          "malware_families": [
            {
              "id": "DynoWiper",
              "display_name": "DynoWiper",
              "target": null
            },
            {
              "id": "LazyWiper",
              "display_name": "LazyWiper",
              "target": null
            },
            {
              "id": "Impacket",
              "display_name": "Impacket",
              "target": null
            },
            {
              "id": "Rubeus",
              "display_name": "Rubeus",
              "target": null
            }
          ],
          "attack_ids": [],
          "industries": [
            "Energy",
            "Manufacturing"
          ],
          "TLP": "white",
          "cloned_from": "69f32ac81834d5a878e8fac0",
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "olivershippy",
            "id": "401750",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 21,
            "FileHash-SHA1": 5,
            "FileHash-SHA256": 7,
            "URL": 5
          },
          "indicator_count": 38,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 1,
          "modified_text": "8 hours ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "FileHash-MD5",
          "related_indicator_is_active": 1
        },
        {
          "id": "69f3bd5aef3274f6820fabc7",
          "name": "\"E:\\CTIA-Tools\\CTIA Module 05 Data Analysis\\Microsoft Threat Modeling Tool\\TMT7.application\"",
          "description": "",
          "modified": "2026-05-30T10:03:42.474000",
          "created": "2026-04-30T20:36:42.625000",
          "tags": [
            "energy sector",
            "cve-2024-2617",
            "rubeus",
            "dynowiper",
            "lazywiper",
            "destructive operations",
            "fortigate exploitation",
            "combined heat power",
            "impacket",
            "renewable energy",
            "poland infrastructure",
            "industrial control systems",
            "wiper attack"
          ],
          "references": [
            "https://cert.pl/uploads/docs/CERT_Polska_Energy_Sector_Incident_Report_2025.pdf"
          ],
          "public": 1,
          "adversary": "Static Tundra",
          "targeted_countries": [
            "Poland"
          ],
          "malware_families": [
            {
              "id": "DynoWiper",
              "display_name": "DynoWiper",
              "target": null
            },
            {
              "id": "LazyWiper",
              "display_name": "LazyWiper",
              "target": null
            },
            {
              "id": "Impacket",
              "display_name": "Impacket",
              "target": null
            },
            {
              "id": "Rubeus",
              "display_name": "Rubeus",
              "target": null
            }
          ],
          "attack_ids": [],
          "industries": [
            "Energy",
            "Manufacturing"
          ],
          "TLP": "white",
          "cloned_from": "69f32ac81834d5a878e8fac0",
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "olivershippy",
            "id": "401750",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 21,
            "FileHash-SHA1": 5,
            "FileHash-SHA256": 7,
            "URL": 5
          },
          "indicator_count": 38,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 1,
          "modified_text": "8 hours ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "FileHash-MD5",
          "related_indicator_is_active": 1
        },
        {
          "id": "69b8f03b3216aa326067f7a0",
          "name": "HANDALA-Iranian Nexus Actor",
          "description": "",
          "modified": "2026-04-18T12:01:34.910000",
          "created": "2026-03-17T06:10:03.844000",
          "tags": [
            "filehashsha256",
            "filehashmd5",
            "filename",
            "filehashsha1"
          ],
          "references": [
            "IOCs.2026.2.csv"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 17,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "IMEBEEIMFINE",
            "id": "343873",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 1,
            "FileHash-MD5": 127,
            "FileHash-SHA1": 92,
            "FileHash-SHA256": 117,
            "URL": 19,
            "domain": 27,
            "hostname": 4
          },
          "indicator_count": 387,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 47,
          "modified_text": "42 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "FileHash-MD5",
          "related_indicator_is_active": 1
        },
        {
          "id": "69b6563c0597ac612e644416",
          "name": "Iranian APT Actors-Pt5",
          "description": "",
          "modified": "2026-04-15T09:12:52.422000",
          "created": "2026-03-15T06:48:28.010000",
          "tags": [
            "filehashsha256",
            "filehashmd5",
            "filename",
            "filehashsha1",
            "bitcoinaddress",
            "temp",
            "port8083 domain",
            "registry",
            "cve201711882",
            "cve20170199"
          ],
          "references": [
            "IOCs.2026.2.csv"
          ],
          "public": 1,
          "adversary": "Cleaver, Handala, OilRig, RansomHouse, Leafminer,  CopyKittens, Muddy Water, Wiper Malwares",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 20,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "IMEBEEIMFINE",
            "id": "343873",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 32,
            "FileHash-MD5": 261,
            "FileHash-SHA1": 191,
            "FileHash-SHA256": 291,
            "CIDR": 2,
            "CVE": 4,
            "domain": 95,
            "hostname": 23
          },
          "indicator_count": 899,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 43,
          "modified_text": "45 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "FileHash-MD5",
          "related_indicator_is_active": 1
        },
        {
          "id": "69992eb9829358043ee493e5",
          "name": "Twitter Feed - skocherhan - 20-02-2026",
          "description": "",
          "modified": "2026-03-23T04:01:15.910000",
          "created": "2026-02-21T04:04:09.015000",
          "tags": [
            "Kimsuky",
            "phishing",
            "opendir"
          ],
          "references": [
            "https://x.com/skocherhan/status/2024666788496122021",
            "https://x.com/skocherhan/status/2024667465804837163",
            "https://x.com/skocherhan/status/2024671209221132614",
            "https://x.com/skocherhan/status/2024682042286289319",
            "https://x.com/skocherhan/status/2024695835380916514",
            "https://x.com/skocherhan/status/2024726925449597293",
            "https://x.com/skocherhan/status/2024728035962810766",
            "https://x.com/skocherhan/status/2024744194091184380",
            "https://x.com/skocherhan/status/2024754886177333482",
            "https://x.com/skocherhan/status/2024756075774238900",
            "https://x.com/skocherhan/status/2024758460303180041",
            "https://x.com/skocherhan/status/2024759097191452672",
            "https://x.com/skocherhan/status/2024761922193633460",
            "https://x.com/skocherhan/status/2024762029072908710",
            "https://x.com/skocherhan/status/2024770367336673502",
            "https://x.com/skocherhan/status/2024774467969221108",
            "https://x.com/skocherhan/status/2024777427541487862",
            "https://x.com/skocherhan/status/2024781731329450103",
            "https://x.com/skocherhan/status/2024782744614494569",
            "https://x.com/skocherhan/status/2024805213249413191",
            "https://x.com/skocherhan/status/2024840605134709054",
            "https://x.com/skocherhan/status/2024935967514116324",
            "https://x.com/skocherhan/status/2024968341635436722",
            "https://x.com/skocherhan/status/2024984133210976583"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 4,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunterAutoFeed",
            "id": "182496",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 30,
            "URL": 57,
            "domain": 19,
            "FileHash-MD5": 7,
            "FileHash-SHA256": 2
          },
          "indicator_count": 115,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 1622,
          "modified_text": "68 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "FileHash-MD5",
          "related_indicator_is_active": 1
        },
        {
          "id": "698c4f02712e4743d0aa2263",
          "name": "EbeeFeb2026 Pt1",
          "description": "Multiple APT/threat actors, Malware and Campaigns",
          "modified": "2026-03-13T09:35:12.591000",
          "created": "2026-02-11T09:42:26.929000",
          "tags": [
            "filehashsha256",
            "filehashsha1",
            "filehashmd5",
            "redacted"
          ],
          "references": [
            "IOCs.csv"
          ],
          "public": 1,
          "adversary": "ShadowHS, DynoWiper, Operation Neusploit, Fake CAPTCHA App-V LOLBIN  delivering Amatera Stealer",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "IMEBEEIMFINE",
            "id": "343873",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 159,
            "FileHash-SHA1": 186,
            "FileHash-SHA256": 256,
            "CVE": 4,
            "URL": 49,
            "domain": 98,
            "hostname": 46
          },
          "indicator_count": 798,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 38,
          "modified_text": "78 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "FileHash-MD5",
          "related_indicator_is_active": 1
        },
        {
          "id": "6988eb095842667bcf8e076e",
          "name": "DynoWiper test",
          "description": "",
          "modified": "2026-03-10T00:01:34.213000",
          "created": "2026-02-08T19:59:05.655000",
          "tags": [
            "poland",
            "sting wiper",
            "dynowiper",
            "sharpnikowiper",
            "roarbat",
            "swiftslicer",
            "zov wiper",
            "arguepatch",
            "orcshred",
            "industroyer",
            "energy sector",
            "soloshred",
            "hermeticwiper",
            "zerolot",
            "hermeticransom",
            "nikowiper",
            "prestige",
            "cyberattack",
            "russia-aligned",
            "bidswipe",
            "caddywiper",
            "doublezero",
            "wiper malware",
            "data destruction",
            "industroyer2",
            "ransomboggs",
            "awfulshred"
          ],
          "references": [
            "https://www.welivesecurity.com/en/eset-research/dynowiper-update-technical-analysis-attribution"
          ],
          "public": 1,
          "adversary": "Sandworm",
          "targeted_countries": [
            "Poland",
            "Ukraine"
          ],
          "malware_families": [
            {
              "id": "DynoWiper",
              "display_name": "DynoWiper",
              "target": null
            },
            {
              "id": "ZOV wiper",
              "display_name": "ZOV wiper",
              "target": null
            },
            {
              "id": "Industroyer2 - S1072",
              "display_name": "Industroyer2 - S1072",
              "target": null
            },
            {
              "id": "Industroyer2 - S1072",
              "display_name": "Industroyer2 - S1072",
              "target": null
            },
            {
              "id": "HermeticWiper - S0697",
              "display_name": "HermeticWiper - S0697",
              "target": null
            },
            {
              "id": "Trojan.Killdisk",
              "display_name": "Trojan.Killdisk",
              "target": null
            },
            {
              "id": "DriveSlayer",
              "display_name": "DriveSlayer",
              "target": null
            },
            {
              "id": "HermeticRansom",
              "display_name": "HermeticRansom",
              "target": null
            },
            {
              "id": "CaddyWiper - S0693",
              "display_name": "CaddyWiper - S0693",
              "target": null
            },
            {
              "id": "DoubleZero",
              "display_name": "DoubleZero",
              "target": null
            },
            {
              "id": "ARGUEPATCH",
              "display_name": "ARGUEPATCH",
              "target": null
            },
            {
              "id": "ORCSHRED",
              "display_name": "ORCSHRED",
              "target": null
            },
            {
              "id": "SOLOSHRED",
              "display_name": "SOLOSHRED",
              "target": null
            },
            {
              "id": "AWFULSHRED",
              "display_name": "AWFULSHRED",
              "target": null
            },
            {
              "id": "Prestige - S1058",
              "display_name": "Prestige - S1058",
              "target": null
            },
            {
              "id": "RansomBoggs",
              "display_name": "RansomBoggs",
              "target": null
            },
            {
              "id": "BidSwipe",
              "display_name": "BidSwipe",
              "target": null
            },
            {
              "id": "ROARBAT",
              "display_name": "ROARBAT",
              "target": null
            },
            {
              "id": "SwiftSlicer",
              "display_name": "SwiftSlicer",
              "target": null
            },
            {
              "id": "NikoWiper",
              "display_name": "NikoWiper",
              "target": null
            },
            {
              "id": "SharpNikoWiper",
              "display_name": "SharpNikoWiper",
              "target": null
            },
            {
              "id": "ZEROLOT",
              "display_name": "ZEROLOT",
              "target": null
            },
            {
              "id": "Sting wiper",
              "display_name": "Sting wiper",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1053.005",
              "name": "Scheduled Task",
              "display_name": "T1053.005 - Scheduled Task"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1003.001",
              "name": "LSASS Memory",
              "display_name": "T1003.001 - LSASS Memory"
            },
            {
              "id": "T1090.002",
              "name": "External Proxy",
              "display_name": "T1090.002 - External Proxy"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1059.003",
              "name": "Windows Command Shell",
              "display_name": "T1059.003 - Windows Command Shell"
            },
            {
              "id": "T1584.004",
              "name": "Server",
              "display_name": "T1584.004 - Server"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1124",
              "name": "System Time Discovery",
              "display_name": "T1124 - System Time Discovery"
            },
            {
              "id": "T1561.001",
              "name": "Disk Content Wipe",
              "display_name": "T1561.001 - Disk Content Wipe"
            },
            {
              "id": "T1529",
              "name": "System Shutdown/Reboot",
              "display_name": "T1529 - System Shutdown/Reboot"
            }
          ],
          "industries": [
            "Energy"
          ],
          "TLP": "white",
          "cloned_from": "697cfb85ac8b88be3162c26c",
          "export_count": 4,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "antonioamador",
            "id": "381590",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 1,
            "FileHash-MD5": 6,
            "FileHash-SHA1": 7,
            "FileHash-SHA256": 6
          },
          "indicator_count": 20,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 2,
          "modified_text": "81 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "FileHash-MD5",
          "related_indicator_is_active": 1
        },
        {
          "id": "69823fe0f4fc9f6487e0ffe4",
          "name": "DynoWiper Data Wiping Malware Targeting Energy Companies",
          "description": "DynoWiper is a destructive malware group used in an attack on a Polish energy company in December 2025. It is meant to destroy data and shutdown systems not to make money.",
          "modified": "2026-03-05T18:00:48.990000",
          "created": "2026-02-03T18:35:12.649000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "N/A",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 10,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "cryptocti",
            "id": "110256",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 6,
            "FileHash-SHA1": 7,
            "FileHash-SHA256": 6
          },
          "indicator_count": 19,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 503,
          "modified_text": "86 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "FileHash-MD5",
          "related_indicator_is_active": 1
        },
        {
          "id": "698050bc6e6a312f449dde78",
          "name": "DynoWiper update: Technical analysis and attribution",
          "description": "ESET researchers have identified a recent data destruction incident involving a new wiper malware named DynoWiper, attributed to the Russia-aligned threat group Sandworm. Sandworm is notorious for its destructive cyber operations targeting various sectors, including energy, transportation, and government, as exemplified by past attacks such as NotPetya and Olympic Destroyer.\n\nDynoWiper was deployed on December 29, 2025, in the shared directory C:\\inetpub\\pub\\, using executable filenames like schtask.exe and schtask2.exe. Notably, the references to a Visual Studio project path suggest that the malware may have been developed in an environment utilizing the Vagrant tool for managing virtual machines. This indicates that Sandworm possibly tested DynoWiper on virtual machines before unleashing it within the target organization\u2019s network.",
          "modified": "2026-03-04T07:02:58.010000",
          "created": "2026-02-02T07:22:36.796000",
          "tags": [
            "sandworm",
            "strong",
            "zov wiper",
            "dynowiper",
            "ukraine",
            "eset research",
            "poland",
            "eset",
            "group policy",
            "december",
            "industroyer",
            "industroyer2",
            "blackenergy",
            "greyenergy",
            "wallpaper",
            "tips",
            "notpetya",
            "february",
            "hermeticwiper",
            "caddywiper",
            "doublezero",
            "arguepatch",
            "roarbat",
            "swiftslicer",
            "april",
            "first",
            "execution",
            "powershell",
            "shell",
            "rubeus",
            "impact",
            "wiper",
            "uac\u20110099",
            "zov",
            "prestige",
            "socks5 proxy",
            "rubeus toolset",
            "kerberos",
            "network ip",
            "domain hosting",
            "details",
            "na fornex",
            "socks5 server"
          ],
          "references": [
            "https://www.welivesecurity.com/en/eset-research/dynowiper-update-technical-analysis-attribution/"
          ],
          "public": 1,
          "adversary": "Sandworm",
          "targeted_countries": [
            "Poland",
            "Ukraine",
            "Russian Federation",
            "Pakistan"
          ],
          "malware_families": [
            {
              "id": "DynoWiper",
              "display_name": "DynoWiper",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1584.004",
              "name": "Server",
              "display_name": "T1584.004 - Server"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1059.003",
              "name": "Windows Command Shell",
              "display_name": "T1059.003 - Windows Command Shell"
            },
            {
              "id": "T1053.005",
              "name": "Scheduled Task",
              "display_name": "T1053.005 - Scheduled Task"
            },
            {
              "id": "T1003.001",
              "name": "LSASS Memory",
              "display_name": "T1003.001 - LSASS Memory"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1124",
              "name": "System Time Discovery",
              "display_name": "T1124 - System Time Discovery"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1090.002",
              "name": "External Proxy",
              "display_name": "T1090.002 - External Proxy"
            },
            {
              "id": "T1561.001",
              "name": "Disk Content Wipe",
              "display_name": "T1561.001 - Disk Content Wipe"
            },
            {
              "id": "T1529",
              "name": "System Shutdown/Reboot",
              "display_name": "T1529 - System Shutdown/Reboot"
            }
          ],
          "industries": [
            "Energy",
            "Industrial",
            "Government",
            "Logistics",
            "Transportation",
            "Media",
            "Telecommunications",
            "Financial"
          ],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 7,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "PetrP.73",
            "id": "154605",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 1,
            "URL": 1,
            "domain": 1,
            "FileHash-MD5": 6,
            "FileHash-SHA1": 7,
            "FileHash-SHA256": 6
          },
          "indicator_count": 22,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 546,
          "modified_text": "87 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "FileHash-MD5",
          "related_indicator_is_active": 1
        },
        {
          "id": "698044170014d36c06191d62",
          "name": "IOC - DynoWiper update: Technical analysis and attribution",
          "description": "Sandworm is a Russia-aligned threat group that performs destructive attacks. It is mostly known for its attacks against Ukrainian energy companies in 2015-12 and 2016-12, which resulted in power outages. In 2017-06 Sandworm launched the NotPetya data-wiping attack that used a supply-chain vector by compromising the Ukrainian accounting software M.E.Doc. In 2018-02, Sandworm launched the Olympic Destroyer data-wiping attack against organizers of the 2018 Winter Olympics in Pyeongchang.",
          "modified": "2026-03-04T06:02:39.413000",
          "created": "2026-02-02T06:28:39.335000",
          "tags": [
            "zov wiper",
            "socks5 proxy",
            "rubeus toolset",
            "kerberos",
            "network ip",
            "domain hosting",
            "first",
            "details",
            "na fornex",
            "socks5 server",
            "wiper"
          ],
          "references": [
            "https://www.welivesecurity.com/en/eset-research/dynowiper-update-technical-analysis-attribution/#iocs"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "wiper",
              "display_name": "wiper",
              "target": null
            }
          ],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 3,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "celestre",
            "id": "295357",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 6,
            "FileHash-SHA1": 7,
            "FileHash-SHA256": 6
          },
          "indicator_count": 19,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 142,
          "modified_text": "87 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "FileHash-MD5",
          "related_indicator_is_active": 1
        },
        {
          "id": "697717160b5f9564b40ceb0f",
          "name": "OpenCTI_Export_2026-01",
          "description": "Automated export from OpenCTI for 2026-01",
          "modified": "2026-03-02T17:00:28.656000",
          "created": "2026-01-26T07:26:12.492000",
          "tags": [
            "OpenCTI",
            "Automated",
            "2026-01"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 4,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "info@watchtower365.com",
            "id": "67692",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 10866,
            "FileHash-SHA256": 960,
            "domain": 86
          },
          "indicator_count": 11912,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 28,
          "modified_text": "89 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "FileHash-SHA256",
          "related_indicator_is_active": 1
        },
        {
          "id": "69819ed2aa96447a18300c7d",
          "name": "DynoWiper update: Technical analysis",
          "description": "",
          "modified": "2026-03-01T18:00:46.183000",
          "created": "2026-02-03T07:08:02.689000",
          "tags": [
            "poland",
            "sting wiper",
            "dynowiper",
            "sharpnikowiper",
            "roarbat",
            "swiftslicer",
            "zov wiper",
            "arguepatch",
            "orcshred",
            "industroyer",
            "energy sector",
            "soloshred",
            "hermeticwiper",
            "zerolot",
            "hermeticransom",
            "nikowiper",
            "prestige",
            "cyberattack",
            "russia-aligned",
            "bidswipe",
            "caddywiper",
            "doublezero",
            "wiper malware",
            "data destruction",
            "industroyer2",
            "ransomboggs",
            "awfulshred"
          ],
          "references": [
            "https://www.welivesecurity.com/en/eset-research/dynowiper-update-technical-analysis-attribution"
          ],
          "public": 1,
          "adversary": "Sandworm",
          "targeted_countries": [
            "Poland",
            "Ukraine"
          ],
          "malware_families": [
            {
              "id": "DynoWiper",
              "display_name": "DynoWiper",
              "target": null
            },
            {
              "id": "ZOV wiper",
              "display_name": "ZOV wiper",
              "target": null
            },
            {
              "id": "Industroyer2 - S1072",
              "display_name": "Industroyer2 - S1072",
              "target": null
            },
            {
              "id": "Industroyer2 - S1072",
              "display_name": "Industroyer2 - S1072",
              "target": null
            },
            {
              "id": "HermeticWiper - S0697",
              "display_name": "HermeticWiper - S0697",
              "target": null
            },
            {
              "id": "Trojan.Killdisk",
              "display_name": "Trojan.Killdisk",
              "target": null
            },
            {
              "id": "DriveSlayer",
              "display_name": "DriveSlayer",
              "target": null
            },
            {
              "id": "HermeticRansom",
              "display_name": "HermeticRansom",
              "target": null
            },
            {
              "id": "CaddyWiper - S0693",
              "display_name": "CaddyWiper - S0693",
              "target": null
            },
            {
              "id": "DoubleZero",
              "display_name": "DoubleZero",
              "target": null
            },
            {
              "id": "ARGUEPATCH",
              "display_name": "ARGUEPATCH",
              "target": null
            },
            {
              "id": "ORCSHRED",
              "display_name": "ORCSHRED",
              "target": null
            },
            {
              "id": "SOLOSHRED",
              "display_name": "SOLOSHRED",
              "target": null
            },
            {
              "id": "AWFULSHRED",
              "display_name": "AWFULSHRED",
              "target": null
            },
            {
              "id": "Prestige - S1058",
              "display_name": "Prestige - S1058",
              "target": null
            },
            {
              "id": "RansomBoggs",
              "display_name": "RansomBoggs",
              "target": null
            },
            {
              "id": "BidSwipe",
              "display_name": "BidSwipe",
              "target": null
            },
            {
              "id": "ROARBAT",
              "display_name": "ROARBAT",
              "target": null
            },
            {
              "id": "SwiftSlicer",
              "display_name": "SwiftSlicer",
              "target": null
            },
            {
              "id": "NikoWiper",
              "display_name": "NikoWiper",
              "target": null
            },
            {
              "id": "SharpNikoWiper",
              "display_name": "SharpNikoWiper",
              "target": null
            },
            {
              "id": "ZEROLOT",
              "display_name": "ZEROLOT",
              "target": null
            },
            {
              "id": "Sting wiper",
              "display_name": "Sting wiper",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1053.005",
              "name": "Scheduled Task",
              "display_name": "T1053.005 - Scheduled Task"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1003.001",
              "name": "LSASS Memory",
              "display_name": "T1003.001 - LSASS Memory"
            },
            {
              "id": "T1090.002",
              "name": "External Proxy",
              "display_name": "T1090.002 - External Proxy"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1059.003",
              "name": "Windows Command Shell",
              "display_name": "T1059.003 - Windows Command Shell"
            },
            {
              "id": "T1584.004",
              "name": "Server",
              "display_name": "T1584.004 - Server"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1124",
              "name": "System Time Discovery",
              "display_name": "T1124 - System Time Discovery"
            },
            {
              "id": "T1561.001",
              "name": "Disk Content Wipe",
              "display_name": "T1561.001 - Disk Content Wipe"
            },
            {
              "id": "T1529",
              "name": "System Shutdown/Reboot",
              "display_name": "T1529 - System Shutdown/Reboot"
            }
          ],
          "industries": [
            "Energy"
          ],
          "TLP": "white",
          "cloned_from": "697cfb85ac8b88be3162c26c",
          "export_count": 5,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Tr1sa111",
            "id": "192483",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 1,
            "FileHash-MD5": 6,
            "FileHash-SHA1": 7,
            "FileHash-SHA256": 6
          },
          "indicator_count": 20,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 282,
          "modified_text": "90 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "FileHash-MD5",
          "related_indicator_is_active": 1
        },
        {
          "id": "697a90cf98e96f46136e0f35",
          "name": "EbeeJan2026 Pt6",
          "description": "Multiple APT/threat actors, Malware and Campaigns",
          "modified": "2026-02-28T19:01:39.239000",
          "created": "2026-01-28T22:42:23.436000",
          "tags": [
            "filehashsha256",
            "filehashmd5",
            "filehashsha1"
          ],
          "references": [
            "IOCs.csv"
          ],
          "public": 1,
          "adversary": "Sandworm, Vortex Werewolf (SkyCloak), PureRAT, npm Package Deploys G_Wagon, HoneyMyte",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 4,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "IMEBEEIMFINE",
            "id": "343873",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 115,
            "CVE": 13,
            "FileHash-MD5": 122,
            "FileHash-SHA1": 112,
            "FileHash-SHA256": 267,
            "domain": 103,
            "email": 5,
            "hostname": 49
          },
          "indicator_count": 786,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 42,
          "modified_text": "90 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "FileHash-SHA1",
          "related_indicator_is_active": 1
        },
        {
          "id": "6996f32e4e12e23b1542b3be",
          "name": "DynoWiper",
          "description": "",
          "modified": "2026-02-19T11:25:34.946000",
          "created": "2026-02-19T11:25:34.946000",
          "tags": [
            "DynoWiper"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "VirTool:Win32/Kekeo.A!MTB",
              "display_name": "VirTool:Win32/Kekeo.A!MTB",
              "target": "/malware/VirTool:Win32/Kekeo.A!MTB"
            },
            {
              "id": "DynoWiper",
              "display_name": "DynoWiper",
              "target": null
            },
            {
              "id": "Win64:TrojanX-gen\\ [Trj]",
              "display_name": "Win64:TrojanX-gen\\ [Trj]",
              "target": null
            }
          ],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "skocherhan",
            "id": "249290",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 6,
            "FileHash-SHA1": 7,
            "FileHash-SHA256": 6
          },
          "indicator_count": 19,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 182,
          "modified_text": "100 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "FileHash-MD5",
          "related_indicator_is_active": 1
        },
        {
          "id": "69899c09ba84d1552b0f6615",
          "name": "Sandworm behind cyberattack on Polands power grid in late 2025",
          "description": "",
          "modified": "2026-02-09T08:34:17.679000",
          "created": "2026-02-09T08:34:17.679000",
          "tags": [
            "eset research",
            "eset",
            "research",
            "sandworm",
            "poland",
            "eset security",
            "ukraine",
            "strong",
            "english espaol",
            "ukraine crisis",
            "tips",
            "fast",
            "april"
          ],
          "references": [
            "https://www.welivesecurity.com/en/eset-research/eset-research-sandworm-cyberattack-poland-power-grid-late-2025/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Ukraine",
            "Poland"
          ],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1485",
              "name": "Data Destruction",
              "display_name": "T1485 - Data Destruction"
            }
          ],
          "industries": [
            "Energy",
            "Critical Infrastructure"
          ],
          "TLP": "green",
          "cloned_from": "697724aac1c13d8a1551d07a",
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Tr1sa111",
            "id": "192483",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 1,
            "FileHash-SHA1": 1
          },
          "indicator_count": 2,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 276,
          "modified_text": "110 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "FileHash-SHA1",
          "related_indicator_is_active": 1
        },
        {
          "id": "69877a61929f0ce5b06a7cfb",
          "name": "DynoWiper: From Russia with Love",
          "description": "DynoWiper is a wiper malware discovered in December 2025 during cyberattacks on Polish energy companies, which have been attributed to Russian state-aligned threat actors. ESET Research and CERT Polska have linked these activities to the notorious Sandworm group, known for similar operations against Ukrainian infrastructure in previous years. The malware's design and operational techniques align with those observed in past Sandworm campaigns.\n\nUpon analysis, the DynoWiper binary did not utilize packing or obfuscation, which is typical for wiper malware. The discovery process began with analysis tools such as DIE (Detect It Easy), quickly transitioning to more in-depth examination with IDA, which revealed the operational mechanics of the malware.",
          "modified": "2026-02-07T17:46:09.581000",
          "created": "2026-02-07T17:46:09.581000",
          "tags": [
            "dynowiper",
            "prng setup",
            "data corruption",
            "data deletion",
            "ck mapping",
            "cert polska",
            "eset",
            "access token",
            "overview iocs",
            "mitre att",
            "easy",
            "logic",
            "wiper"
          ],
          "references": [
            "https://t0asts.com/dynowiper"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "wiper",
              "display_name": "wiper",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1222",
              "name": "File and Directory Permissions Modification",
              "display_name": "T1222 - File and Directory Permissions Modification"
            },
            {
              "id": "T1222.001",
              "name": "Windows File and Directory Permissions Modification",
              "display_name": "T1222.001 - Windows File and Directory Permissions Modification"
            },
            {
              "id": "T1134",
              "name": "Access Token Manipulation",
              "display_name": "T1134 - Access Token Manipulation"
            },
            {
              "id": "T1485",
              "name": "Data Destruction",
              "display_name": "T1485 - Data Destruction"
            },
            {
              "id": "T1529",
              "name": "System Shutdown/Reboot",
              "display_name": "T1529 - System Shutdown/Reboot"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "PetrP.73",
            "id": "154605",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 1,
            "FileHash-SHA1": 1,
            "FileHash-SHA256": 1
          },
          "indicator_count": 3,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 544,
          "modified_text": "112 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "FileHash-MD5",
          "related_indicator_is_active": 1
        },
        {
          "id": "6981b2b8c9a037ad8d3a655c",
          "name": "Malware | 2026-01-31",
          "description": "Malware indicators. Date: 2026-01-31. Total: 571 indicators. For more threat intelligence visit https://ltna.com.au/cyber",
          "modified": "2026-02-03T08:32:56.404000",
          "created": "2026-02-03T08:32:56.404000",
          "tags": [
            "malware",
            "malwarebazaar"
          ],
          "references": [
            "https://ltna.com.au/cyber"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "LTNA-Australia",
            "id": "380633",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 571
          },
          "indicator_count": 571,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 90,
          "modified_text": "116 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "FileHash-SHA256",
          "related_indicator_is_active": 1
        },
        {
          "id": "6977261e9b7dc176af163076",
          "name": "Russian State - Sponsored Hackers Target Poland's Energy Systems with Destructive Malware",
          "description": "A recent cyberattack targeting Poland's power grid has been linked to the Russian state-sponsored hacking group Sandworm. The attack, which occurred in late December 2025, attempted to deploy a new destructive data-wiping malware known as DynoWiper. Sandworm, also tracked as UAC-0113, APT44, and Seashell Blizzard, is a notorious Russian nation-state hacking group that has been active since 2009 and is believed to be part of Russia's Military Unit 74455 of the Main Intelligence Directorate (GRU)....",
          "modified": "2026-01-26T08:30:22.692000",
          "created": "2026-01-26T08:30:22.692000",
          "tags": [
            "initial-access",
            "execution",
            "impact",
            "T1190",
            "T1204",
            "high",
            "vta",
            "threat-intelligence"
          ],
          "references": [
            "https://www.bleepingcomputer.com/news/security/sandworm-hackers-linked-to-failed-wiper-attack-on-polands-energy-systems/",
            "https://www.gov.pl/web/primeminister/poland-stops-cyberattacks-on-energy-infrastructure/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CODERED_VTA",
            "id": "349568",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_349568/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA1": 1,
            "domain": 1
          },
          "indicator_count": 2,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 61,
          "modified_text": "124 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "FileHash-SHA1",
          "related_indicator_is_active": 1
        },
        {
          "id": "697724aac1c13d8a1551d07a",
          "name": "Sandworm behind cyberattack on Polands power grid in late 2025",
          "description": "In late 2025, Poland's power grid experienced a significant cyberattack, identified by ESET Research as the largest of its kind targeting the nation in several years. The attack was attributed to the Russia-aligned advanced persistent threat (APT) group known as Sandworm. This group, recognized for its history of aggressive cyber operations, employed a sophisticated malware known as DynoWiper during the incident.\n\nDynoWiper functions as data-wiping malware, aimed at erasing critical information and disrupting operations within the affected systems. This tactic not only aims to incapacitate infrastructure but also to inflict reputational damage and sow chaos. The attack underscores the ongoing threats posed by state-sponsored cyber actors, particularly those aligned with geopolitical interests, targeting essential services and infrastructure.",
          "modified": "2026-01-26T08:24:10.744000",
          "created": "2026-01-26T08:24:10.744000",
          "tags": [
            "eset research",
            "eset",
            "research",
            "sandworm",
            "poland",
            "eset security",
            "ukraine",
            "strong",
            "english espaol",
            "ukraine crisis",
            "tips",
            "fast",
            "april"
          ],
          "references": [
            "https://www.welivesecurity.com/en/eset-research/eset-research-sandworm-cyberattack-poland-power-grid-late-2025/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Ukraine",
            "Poland"
          ],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1485",
              "name": "Data Destruction",
              "display_name": "T1485 - Data Destruction"
            }
          ],
          "industries": [
            "Energy",
            "Critical Infrastructure"
          ],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "PetrP.73",
            "id": "154605",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 1,
            "FileHash-SHA1": 1
          },
          "indicator_count": 2,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 541,
          "modified_text": "124 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "FileHash-SHA1",
          "related_indicator_is_active": 1
        },
        {
          "id": "6976fb12433099e6fae6af59",
          "name": "Sandworm behind cyberattack on Poland's power grid in late 2025",
          "description": "",
          "modified": "2026-01-26T05:26:42.750000",
          "created": "2026-01-26T05:26:42.750000",
          "tags": [
            "critical infrastructure",
            "apt",
            "russia-aligned",
            "power grid",
            "poland",
            "blackenergy",
            "dynowiper",
            "wiper"
          ],
          "references": [
            "https://www.welivesecurity.com/en/eset-research/eset-research-sandworm-cyberattack-poland-power-grid-late-2025"
          ],
          "public": 1,
          "adversary": "Sandworm",
          "targeted_countries": [
            "Poland",
            "Ukraine"
          ],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1561",
              "name": "Disk Wipe",
              "display_name": "T1561 - Disk Wipe"
            },
            {
              "id": "T1489",
              "name": "Service Stop",
              "display_name": "T1489 - Service Stop"
            },
            {
              "id": "T1565",
              "name": "Data Manipulation",
              "display_name": "T1565 - Data Manipulation"
            },
            {
              "id": "T1486",
              "name": "Data Encrypted for Impact",
              "display_name": "T1486 - Data Encrypted for Impact"
            },
            {
              "id": "T1490",
              "name": "Inhibit System Recovery",
              "display_name": "T1490 - Inhibit System Recovery"
            }
          ],
          "industries": [
            "Energy"
          ],
          "TLP": "white",
          "cloned_from": "6973fa6df457081a422f550e",
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Tr1sa111",
            "id": "192483",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA1": 1
          },
          "indicator_count": 1,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 279,
          "modified_text": "124 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "FileHash-SHA1",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://cert.pl/uploads/docs/CERT_Polska_Energy_Sector_Incident_Report_2025.pdf",
        "IOCs.csv",
        "https://www.welivesecurity.com/en/eset-research/eset-research-sandworm-cyberattack-poland-power-grid-late-2025/",
        "https://x.com/skocherhan/status/2024666788496122021",
        "https://x.com/skocherhan/status/2024759097191452672",
        "https://www.welivesecurity.com/en/eset-research/dynowiper-update-technical-analysis-attribution/",
        "https://x.com/skocherhan/status/2024781731329450103",
        "https://x.com/skocherhan/status/2024777427541487862",
        "IOCs.2026.2.csv",
        "https://x.com/skocherhan/status/2024667465804837163",
        "https://x.com/skocherhan/status/2024782744614494569",
        "https://x.com/skocherhan/status/2024682042286289319",
        "https://x.com/skocherhan/status/2024726925449597293",
        "https://x.com/skocherhan/status/2024754886177333482",
        "https://www.bleepingcomputer.com/news/security/sandworm-hackers-linked-to-failed-wiper-attack-on-polands-energy-systems/",
        "https://x.com/skocherhan/status/2024728035962810766",
        "https://x.com/skocherhan/status/2024671209221132614",
        "https://x.com/skocherhan/status/2024840605134709054",
        "https://www.welivesecurity.com/en/eset-research/eset-research-sandworm-cyberattack-poland-power-grid-late-2025",
        "https://x.com/skocherhan/status/2024770367336673502",
        "https://x.com/skocherhan/status/2024756075774238900",
        "https://x.com/skocherhan/status/2024762029072908710",
        "https://x.com/skocherhan/status/2024935967514116324",
        "https://x.com/skocherhan/status/2024984133210976583",
        "https://x.com/skocherhan/status/2024968341635436722",
        "https://x.com/skocherhan/status/2024761922193633460",
        "https://www.gov.pl/web/primeminister/poland-stops-cyberattacks-on-energy-infrastructure/",
        "https://t0asts.com/dynowiper",
        "https://x.com/skocherhan/status/2024695835380916514",
        "https://x.com/skocherhan/status/2024744194091184380",
        "https://x.com/skocherhan/status/2024758460303180041",
        "https://ltna.com.au/cyber",
        "https://www.welivesecurity.com/en/eset-research/dynowiper-update-technical-analysis-attribution/#iocs",
        "https://www.welivesecurity.com/en/eset-research/dynowiper-update-technical-analysis-attribution",
        "https://x.com/skocherhan/status/2024774467969221108",
        "https://x.com/skocherhan/status/2024805213249413191"
      ],
      "related": {
        "alienvault": {
          "adversary": [
            "Sandworm",
            "Static Tundra"
          ],
          "malware_families": [
            "Swiftslicer",
            "Roarbat",
            "Ransomboggs",
            "Hermeticwiper - s0697",
            "Industroyer2 - s1072",
            "Awfulshred",
            "Zerolot",
            "Lazywiper",
            "Caddywiper - s0693",
            "Sharpnikowiper",
            "Sting wiper",
            "Bidswipe",
            "Trojan.killdisk",
            "Impacket",
            "Arguepatch",
            "Driveslayer",
            "Prestige - s1058",
            "Doublezero",
            "Dynowiper",
            "Orcshred",
            "Hermeticransom",
            "Nikowiper",
            "Zov wiper",
            "Rubeus",
            "Soloshred"
          ],
          "industries": [
            "Manufacturing",
            "Energy"
          ]
        },
        "other": {
          "adversary": [
            "N/A",
            "ShadowHS, DynoWiper, Operation Neusploit, Fake CAPTCHA App-V LOLBIN  delivering Amatera Stealer",
            "Sandworm",
            "Sandworm, Vortex Werewolf (SkyCloak), PureRAT, npm Package Deploys G_Wagon, HoneyMyte",
            "Cleaver, Handala, OilRig, RansomHouse, Leafminer,  CopyKittens, Muddy Water, Wiper Malwares",
            "Static Tundra"
          ],
          "malware_families": [
            "Swiftslicer",
            "Roarbat",
            "Ransomboggs",
            "Win64:trojanx-gen\\ [trj]",
            "Hermeticwiper - s0697",
            "Industroyer2 - s1072",
            "Awfulshred",
            "Zerolot",
            "Lazywiper",
            "Caddywiper - s0693",
            "Virtool:win32/kekeo.a!mtb",
            "Sharpnikowiper",
            "Sting wiper",
            "Bidswipe",
            "Trojan.killdisk",
            "Impacket",
            "Arguepatch",
            "Driveslayer",
            "Prestige - s1058",
            "Doublezero",
            "Dynowiper",
            "Orcshred",
            "Hermeticransom",
            "Nikowiper",
            "Zov wiper",
            "Rubeus",
            "Wiper",
            "Soloshred"
          ],
          "industries": [
            "Critical infrastructure",
            "Transportation",
            "Manufacturing",
            "Financial",
            "Logistics",
            "Industrial",
            "Telecommunications",
            "Government",
            "Energy",
            "Media"
          ]
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 24,
  "pulses": [
    {
      "id": "69f32ac81834d5a878e8fac0",
      "name": "Energy Sector Incident Report",
      "description": "On December 29, 2025, coordinated destructive cyberattacks targeted Poland's energy infrastructure during severe winter weather. Approximately 30 wind and solar farms, a manufacturing company, and a combined heat and power plant serving nearly 500,000 customers were affected. Attackers exploited vulnerable FortiGate perimeter devices using stolen credentials and default passwords to access industrial control systems. Multiple types of wiper malware, including DynoWiper and LazyWiper, were deployed to destroy data across IT and OT environments. While renewable facilities lost communication with distribution operators without affecting electricity generation, the incidents demonstrated significant capability to cause physical disruption. Infrastructure analysis revealed connections to threat clusters known as Static Tundra, Ghost Blizzard, and potentially Sandworm, marking a notable escalation in cyber-sabotage operations.",
      "modified": "2026-05-30T10:03:42.474000",
      "created": "2026-04-30T10:11:20.255000",
      "tags": [
        "energy sector",
        "cve-2024-2617",
        "rubeus",
        "dynowiper",
        "lazywiper",
        "destructive operations",
        "fortigate exploitation",
        "combined heat power",
        "impacket",
        "renewable energy",
        "poland infrastructure",
        "industrial control systems",
        "wiper attack"
      ],
      "references": [
        "https://cert.pl/uploads/docs/CERT_Polska_Energy_Sector_Incident_Report_2025.pdf"
      ],
      "public": 1,
      "adversary": "Static Tundra",
      "targeted_countries": [
        "Poland"
      ],
      "malware_families": [
        {
          "id": "DynoWiper",
          "display_name": "DynoWiper",
          "target": null
        },
        {
          "id": "LazyWiper",
          "display_name": "LazyWiper",
          "target": null
        },
        {
          "id": "Impacket",
          "display_name": "Impacket",
          "target": null
        },
        {
          "id": "Rubeus",
          "display_name": "Rubeus",
          "target": null
        }
      ],
      "attack_ids": [],
      "industries": [
        "Energy",
        "Manufacturing"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 24,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 21,
        "FileHash-SHA1": 5,
        "FileHash-SHA256": 7,
        "URL": 5
      },
      "indicator_count": 38,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 386443,
      "modified_text": "8 hours ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "FileHash-MD5",
      "related_indicator_is_active": 1
    },
    {
      "id": "697cfb85ac8b88be3162c26c",
      "name": "DynoWiper update: Technical analysis",
      "description": "ESET researchers provide technical details on a recent data destruction incident affecting a Polish energy company. They identified new data-wiping malware named DynoWiper, attributed to the Russia-aligned threat group Sandworm with medium confidence. The tactics, techniques, and procedures observed during the DynoWiper incident resemble those seen earlier in an incident involving the ZOV wiper in Ukraine. Sandworm has a history of destructive cyberattacks, targeting various entities including energy providers. The DynoWiper samples focus on the IT environment, with no observed functionality targeting OT industrial components. The attackers deployed additional tools and attempted to use a SOCKS5 proxy. The incident represents a rare case of a Russia-aligned threat actor deploying destructive malware against an energy company in Poland.",
      "modified": "2026-03-01T18:00:46.183000",
      "created": "2026-01-30T18:42:13.717000",
      "tags": [
        "poland",
        "sting wiper",
        "dynowiper",
        "sharpnikowiper",
        "roarbat",
        "swiftslicer",
        "zov wiper",
        "arguepatch",
        "orcshred",
        "industroyer",
        "energy sector",
        "soloshred",
        "hermeticwiper",
        "zerolot",
        "hermeticransom",
        "nikowiper",
        "prestige",
        "cyberattack",
        "russia-aligned",
        "bidswipe",
        "caddywiper",
        "doublezero",
        "wiper malware",
        "data destruction",
        "industroyer2",
        "ransomboggs",
        "awfulshred"
      ],
      "references": [
        "https://www.welivesecurity.com/en/eset-research/dynowiper-update-technical-analysis-attribution"
      ],
      "public": 1,
      "adversary": "Sandworm",
      "targeted_countries": [
        "Poland",
        "Ukraine"
      ],
      "malware_families": [
        {
          "id": "DynoWiper",
          "display_name": "DynoWiper",
          "target": null
        },
        {
          "id": "ZOV wiper",
          "display_name": "ZOV wiper",
          "target": null
        },
        {
          "id": "Industroyer2 - S1072",
          "display_name": "Industroyer2 - S1072",
          "target": null
        },
        {
          "id": "Industroyer2 - S1072",
          "display_name": "Industroyer2 - S1072",
          "target": null
        },
        {
          "id": "HermeticWiper - S0697",
          "display_name": "HermeticWiper - S0697",
          "target": null
        },
        {
          "id": "Trojan.Killdisk",
          "display_name": "Trojan.Killdisk",
          "target": null
        },
        {
          "id": "DriveSlayer",
          "display_name": "DriveSlayer",
          "target": null
        },
        {
          "id": "HermeticRansom",
          "display_name": "HermeticRansom",
          "target": null
        },
        {
          "id": "CaddyWiper - S0693",
          "display_name": "CaddyWiper - S0693",
          "target": null
        },
        {
          "id": "DoubleZero",
          "display_name": "DoubleZero",
          "target": null
        },
        {
          "id": "ARGUEPATCH",
          "display_name": "ARGUEPATCH",
          "target": null
        },
        {
          "id": "ORCSHRED",
          "display_name": "ORCSHRED",
          "target": null
        },
        {
          "id": "SOLOSHRED",
          "display_name": "SOLOSHRED",
          "target": null
        },
        {
          "id": "AWFULSHRED",
          "display_name": "AWFULSHRED",
          "target": null
        },
        {
          "id": "Prestige - S1058",
          "display_name": "Prestige - S1058",
          "target": null
        },
        {
          "id": "RansomBoggs",
          "display_name": "RansomBoggs",
          "target": null
        },
        {
          "id": "BidSwipe",
          "display_name": "BidSwipe",
          "target": null
        },
        {
          "id": "ROARBAT",
          "display_name": "ROARBAT",
          "target": null
        },
        {
          "id": "SwiftSlicer",
          "display_name": "SwiftSlicer",
          "target": null
        },
        {
          "id": "NikoWiper",
          "display_name": "NikoWiper",
          "target": null
        },
        {
          "id": "SharpNikoWiper",
          "display_name": "SharpNikoWiper",
          "target": null
        },
        {
          "id": "ZEROLOT",
          "display_name": "ZEROLOT",
          "target": null
        },
        {
          "id": "Sting wiper",
          "display_name": "Sting wiper",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1053.005",
          "name": "Scheduled Task",
          "display_name": "T1053.005 - Scheduled Task"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1003.001",
          "name": "LSASS Memory",
          "display_name": "T1003.001 - LSASS Memory"
        },
        {
          "id": "T1090.002",
          "name": "External Proxy",
          "display_name": "T1090.002 - External Proxy"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1059.001",
          "name": "PowerShell",
          "display_name": "T1059.001 - PowerShell"
        },
        {
          "id": "T1059.003",
          "name": "Windows Command Shell",
          "display_name": "T1059.003 - Windows Command Shell"
        },
        {
          "id": "T1584.004",
          "name": "Server",
          "display_name": "T1584.004 - Server"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1124",
          "name": "System Time Discovery",
          "display_name": "T1124 - System Time Discovery"
        },
        {
          "id": "T1561.001",
          "name": "Disk Content Wipe",
          "display_name": "T1561.001 - Disk Content Wipe"
        },
        {
          "id": "T1529",
          "name": "System Shutdown/Reboot",
          "display_name": "T1529 - System Shutdown/Reboot"
        }
      ],
      "industries": [
        "Energy"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 28,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 1,
        "FileHash-MD5": 6,
        "FileHash-SHA1": 7,
        "FileHash-SHA256": 6
      },
      "indicator_count": 20,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 386452,
      "modified_text": "90 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "FileHash-MD5",
      "related_indicator_is_active": 1
    },
    {
      "id": "6973fa6df457081a422f550e",
      "name": "Sandworm behind cyberattack on Poland's power grid in late 2025",
      "description": "In late 2025, Poland's energy system was targeted by a major cyberattack, now attributed to the Russia-aligned APT group Sandworm by ESET Research. The attack involved data-wiping malware named DynoWiper, detected as Win32/KillFiles.NMO. While the full impact is still under investigation, researchers noted the attack's timing coincided with the 10th anniversary of Sandworm's 2015 attack on Ukraine's power grid. Sandworm continues to target critical infrastructure, particularly in Ukraine, with regular wiper attacks. The group's history of disruptive cyberattacks and the similarities in tactics, techniques, and procedures led to a medium-confidence attribution of this latest incident to Sandworm.",
      "modified": "2026-01-23T22:57:59.767000",
      "created": "2026-01-23T22:47:09.688000",
      "tags": [
        "critical infrastructure",
        "apt",
        "russia-aligned",
        "power grid",
        "poland",
        "blackenergy",
        "dynowiper",
        "wiper"
      ],
      "references": [
        "https://www.welivesecurity.com/en/eset-research/eset-research-sandworm-cyberattack-poland-power-grid-late-2025"
      ],
      "public": 1,
      "adversary": "Sandworm",
      "targeted_countries": [
        "Poland",
        "Ukraine"
      ],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1561",
          "name": "Disk Wipe",
          "display_name": "T1561 - Disk Wipe"
        },
        {
          "id": "T1489",
          "name": "Service Stop",
          "display_name": "T1489 - Service Stop"
        },
        {
          "id": "T1565",
          "name": "Data Manipulation",
          "display_name": "T1565 - Data Manipulation"
        },
        {
          "id": "T1486",
          "name": "Data Encrypted for Impact",
          "display_name": "T1486 - Data Encrypted for Impact"
        },
        {
          "id": "T1490",
          "name": "Inhibit System Recovery",
          "display_name": "T1490 - Inhibit System Recovery"
        }
      ],
      "industries": [
        "Energy"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 16,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA1": 1
      },
      "indicator_count": 1,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 386448,
      "modified_text": "126 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "FileHash-SHA1",
      "related_indicator_is_active": 1
    },
    {
      "id": "69f82582e230f0f8170c97fa",
      "name": "Energy Sector Incident Report",
      "description": "",
      "modified": "2026-05-30T10:03:42.474000",
      "created": "2026-05-04T04:50:10.429000",
      "tags": [
        "energy sector",
        "cve-2024-2617",
        "rubeus",
        "dynowiper",
        "lazywiper",
        "destructive operations",
        "fortigate exploitation",
        "combined heat power",
        "impacket",
        "renewable energy",
        "poland infrastructure",
        "industrial control systems",
        "wiper attack"
      ],
      "references": [
        "https://cert.pl/uploads/docs/CERT_Polska_Energy_Sector_Incident_Report_2025.pdf"
      ],
      "public": 1,
      "adversary": "Static Tundra",
      "targeted_countries": [
        "Poland"
      ],
      "malware_families": [
        {
          "id": "DynoWiper",
          "display_name": "DynoWiper",
          "target": null
        },
        {
          "id": "LazyWiper",
          "display_name": "LazyWiper",
          "target": null
        },
        {
          "id": "Impacket",
          "display_name": "Impacket",
          "target": null
        },
        {
          "id": "Rubeus",
          "display_name": "Rubeus",
          "target": null
        }
      ],
      "attack_ids": [],
      "industries": [
        "Energy",
        "Manufacturing"
      ],
      "TLP": "white",
      "cloned_from": "69f32ac81834d5a878e8fac0",
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Tr1sa111",
        "id": "192483",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 21,
        "FileHash-SHA1": 5,
        "FileHash-SHA256": 7,
        "URL": 5
      },
      "indicator_count": 38,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 278,
      "modified_text": "8 hours ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "FileHash-MD5",
      "related_indicator_is_active": 1
    },
    {
      "id": "69f3bd6814568df21249e586",
      "name": "\"E:\\CTIA-Tools\\CTIA Module 05 Data Analysis\\Microsoft Threat Modeling Tool\\TMT7.application\"",
      "description": "",
      "modified": "2026-05-30T10:03:42.474000",
      "created": "2026-04-30T20:36:56.263000",
      "tags": [
        "energy sector",
        "cve-2024-2617",
        "rubeus",
        "dynowiper",
        "lazywiper",
        "destructive operations",
        "fortigate exploitation",
        "combined heat power",
        "impacket",
        "renewable energy",
        "poland infrastructure",
        "industrial control systems",
        "wiper attack"
      ],
      "references": [
        "https://cert.pl/uploads/docs/CERT_Polska_Energy_Sector_Incident_Report_2025.pdf"
      ],
      "public": 1,
      "adversary": "Static Tundra",
      "targeted_countries": [
        "Poland"
      ],
      "malware_families": [
        {
          "id": "DynoWiper",
          "display_name": "DynoWiper",
          "target": null
        },
        {
          "id": "LazyWiper",
          "display_name": "LazyWiper",
          "target": null
        },
        {
          "id": "Impacket",
          "display_name": "Impacket",
          "target": null
        },
        {
          "id": "Rubeus",
          "display_name": "Rubeus",
          "target": null
        }
      ],
      "attack_ids": [],
      "industries": [
        "Energy",
        "Manufacturing"
      ],
      "TLP": "white",
      "cloned_from": "69f32ac81834d5a878e8fac0",
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "olivershippy",
        "id": "401750",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 21,
        "FileHash-SHA1": 5,
        "FileHash-SHA256": 7,
        "URL": 5
      },
      "indicator_count": 38,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 1,
      "modified_text": "8 hours ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "FileHash-MD5",
      "related_indicator_is_active": 1
    },
    {
      "id": "69f3bd5aef3274f6820fabc7",
      "name": "\"E:\\CTIA-Tools\\CTIA Module 05 Data Analysis\\Microsoft Threat Modeling Tool\\TMT7.application\"",
      "description": "",
      "modified": "2026-05-30T10:03:42.474000",
      "created": "2026-04-30T20:36:42.625000",
      "tags": [
        "energy sector",
        "cve-2024-2617",
        "rubeus",
        "dynowiper",
        "lazywiper",
        "destructive operations",
        "fortigate exploitation",
        "combined heat power",
        "impacket",
        "renewable energy",
        "poland infrastructure",
        "industrial control systems",
        "wiper attack"
      ],
      "references": [
        "https://cert.pl/uploads/docs/CERT_Polska_Energy_Sector_Incident_Report_2025.pdf"
      ],
      "public": 1,
      "adversary": "Static Tundra",
      "targeted_countries": [
        "Poland"
      ],
      "malware_families": [
        {
          "id": "DynoWiper",
          "display_name": "DynoWiper",
          "target": null
        },
        {
          "id": "LazyWiper",
          "display_name": "LazyWiper",
          "target": null
        },
        {
          "id": "Impacket",
          "display_name": "Impacket",
          "target": null
        },
        {
          "id": "Rubeus",
          "display_name": "Rubeus",
          "target": null
        }
      ],
      "attack_ids": [],
      "industries": [
        "Energy",
        "Manufacturing"
      ],
      "TLP": "white",
      "cloned_from": "69f32ac81834d5a878e8fac0",
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "olivershippy",
        "id": "401750",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 21,
        "FileHash-SHA1": 5,
        "FileHash-SHA256": 7,
        "URL": 5
      },
      "indicator_count": 38,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 1,
      "modified_text": "8 hours ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "FileHash-MD5",
      "related_indicator_is_active": 1
    },
    {
      "id": "69b8f03b3216aa326067f7a0",
      "name": "HANDALA-Iranian Nexus Actor",
      "description": "",
      "modified": "2026-04-18T12:01:34.910000",
      "created": "2026-03-17T06:10:03.844000",
      "tags": [
        "filehashsha256",
        "filehashmd5",
        "filename",
        "filehashsha1"
      ],
      "references": [
        "IOCs.2026.2.csv"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 17,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "IMEBEEIMFINE",
        "id": "343873",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "CVE": 1,
        "FileHash-MD5": 127,
        "FileHash-SHA1": 92,
        "FileHash-SHA256": 117,
        "URL": 19,
        "domain": 27,
        "hostname": 4
      },
      "indicator_count": 387,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 47,
      "modified_text": "42 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "FileHash-MD5",
      "related_indicator_is_active": 1
    },
    {
      "id": "69b6563c0597ac612e644416",
      "name": "Iranian APT Actors-Pt5",
      "description": "",
      "modified": "2026-04-15T09:12:52.422000",
      "created": "2026-03-15T06:48:28.010000",
      "tags": [
        "filehashsha256",
        "filehashmd5",
        "filename",
        "filehashsha1",
        "bitcoinaddress",
        "temp",
        "port8083 domain",
        "registry",
        "cve201711882",
        "cve20170199"
      ],
      "references": [
        "IOCs.2026.2.csv"
      ],
      "public": 1,
      "adversary": "Cleaver, Handala, OilRig, RansomHouse, Leafminer, CopyKittens, Muddy Water, Wiper Malwares",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 20,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "IMEBEEIMFINE",
        "id": "343873",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 32,
        "FileHash-MD5": 261,
        "FileHash-SHA1": 191,
        "FileHash-SHA256": 291,
        "CIDR": 2,
        "CVE": 4,
        "domain": 95,
        "hostname": 23
      },
      "indicator_count": 899,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 43,
      "modified_text": "45 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "FileHash-MD5",
      "related_indicator_is_active": 1
    },
    {
      "id": "69992eb9829358043ee493e5",
      "name": "Twitter Feed - skocherhan - 20-02-2026",
      "description": "",
      "modified": "2026-03-23T04:01:15.910000",
      "created": "2026-02-21T04:04:09.015000",
      "tags": [
        "Kimsuky",
        "phishing",
        "opendir"
      ],
      "references": [
        "https://x.com/skocherhan/status/2024666788496122021",
        "https://x.com/skocherhan/status/2024667465804837163",
        "https://x.com/skocherhan/status/2024671209221132614",
        "https://x.com/skocherhan/status/2024682042286289319",
        "https://x.com/skocherhan/status/2024695835380916514",
        "https://x.com/skocherhan/status/2024726925449597293",
        "https://x.com/skocherhan/status/2024728035962810766",
        "https://x.com/skocherhan/status/2024744194091184380",
        "https://x.com/skocherhan/status/2024754886177333482",
        "https://x.com/skocherhan/status/2024756075774238900",
        "https://x.com/skocherhan/status/2024758460303180041",
        "https://x.com/skocherhan/status/2024759097191452672",
        "https://x.com/skocherhan/status/2024761922193633460",
        "https://x.com/skocherhan/status/2024762029072908710",
        "https://x.com/skocherhan/status/2024770367336673502",
        "https://x.com/skocherhan/status/2024774467969221108",
        "https://x.com/skocherhan/status/2024777427541487862",
        "https://x.com/skocherhan/status/2024781731329450103",
        "https://x.com/skocherhan/status/2024782744614494569",
        "https://x.com/skocherhan/status/2024805213249413191",
        "https://x.com/skocherhan/status/2024840605134709054",
        "https://x.com/skocherhan/status/2024935967514116324",
        "https://x.com/skocherhan/status/2024968341635436722",
        "https://x.com/skocherhan/status/2024984133210976583"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 4,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CyberHunterAutoFeed",
        "id": "182496",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "hostname": 30,
        "URL": 57,
        "domain": 19,
        "FileHash-MD5": 7,
        "FileHash-SHA256": 2
      },
      "indicator_count": 115,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 1622,
      "modified_text": "68 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "FileHash-MD5",
      "related_indicator_is_active": 1
    },
    {
      "id": "698c4f02712e4743d0aa2263",
      "name": "EbeeFeb2026 Pt1",
      "description": "Multiple APT/threat actors, Malware and Campaigns",
      "modified": "2026-03-13T09:35:12.591000",
      "created": "2026-02-11T09:42:26.929000",
      "tags": [
        "filehashsha256",
        "filehashsha1",
        "filehashmd5",
        "redacted"
      ],
      "references": [
        "IOCs.csv"
      ],
      "public": 1,
      "adversary": "ShadowHS, DynoWiper, Operation Neusploit, Fake CAPTCHA App-V LOLBIN delivering Amatera Stealer",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "IMEBEEIMFINE",
        "id": "343873",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 159,
        "FileHash-SHA1": 186,
        "FileHash-SHA256": 256,
        "CVE": 4,
        "URL": 49,
        "domain": 98,
        "hostname": 46
      },
      "indicator_count": 798,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 38,
      "modified_text": "78 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "FileHash-MD5",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "835b0d87ed2d49899ab6f9479cddb8b4e03f5aeb2365c50a51f9088dcede68d5",
    "type": "Hash"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "835b0d87ed2d49899ab6f9479cddb8b4e03f5aeb2365c50a51f9088dcede68d5",
    "found": false,
    "verdict": "clean",
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780165601.0434353
}