{ "type": "MD5", "indicator": "c4379da51e8b9e86ec3de934f9373f4a", "general": { "sections": [ "general", "analysis" ], "type": "md5", "type_title": "FileHash-MD5", "indicator": "c4379da51e8b9e86ec3de934f9373f4a", "validation": [], "base_indicator": { "id": 4193021696, "indicator": "c4379da51e8b9e86ec3de934f9373f4a", "type": "FileHash-MD5", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 16, "pulses": [ { "id": "69f32ac81834d5a878e8fac0", "name": "Energy Sector Incident Report", "description": "On December 29, 2025, coordinated destructive cyberattacks targeted Poland's energy infrastructure during severe winter weather. Approximately 30 wind and solar farms, a manufacturing company, and a combined heat and power plant serving nearly 500,000 customers were affected. Attackers exploited vulnerable FortiGate perimeter devices using stolen credentials and default passwords to access industrial control systems. Multiple types of wiper malware, including DynoWiper and LazyWiper, were deployed to destroy data across IT and OT environments. While renewable facilities lost communication with distribution operators without affecting electricity generation, the incidents demonstrated significant capability to cause physical disruption. Infrastructure analysis revealed connections to threat clusters known as Static Tundra, Ghost Blizzard, and potentially Sandworm, marking a notable escalation in cyber-sabotage operations.", "modified": "2026-05-30T10:03:42.474000", "created": "2026-04-30T10:11:20.255000", "tags": [ "energy sector", "cve-2024-2617", "rubeus", "dynowiper", "lazywiper", "destructive operations", "fortigate exploitation", "combined heat power", "impacket", "renewable energy", "poland infrastructure", "industrial control systems", "wiper attack" ], "references": [ "https://cert.pl/uploads/docs/CERT_Polska_Energy_Sector_Incident_Report_2025.pdf" ], "public": 1, "adversary": "Static Tundra", "targeted_countries": [ "Poland" ], "malware_families": [ { "id": "DynoWiper", "display_name": "DynoWiper", "target": null }, { "id": "LazyWiper", "display_name": "LazyWiper", "target": null }, { "id": "Impacket", "display_name": "Impacket", "target": null }, { "id": "Rubeus", "display_name": "Rubeus", "target": null } ], "attack_ids": [], "industries": [ "Energy", "Manufacturing" ], "TLP": "white", "cloned_from": null, "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 21, "FileHash-SHA1": 5, "FileHash-SHA256": 7, "URL": 5 }, "indicator_count": 38, "is_author": false, "is_subscribing": null, "subscriber_count": 386443, "modified_text": "8 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 }, { "id": "697cfb85ac8b88be3162c26c", "name": "DynoWiper update: Technical analysis", "description": "ESET researchers provide technical details on a recent data destruction incident affecting a Polish energy company. They identified new data-wiping malware named DynoWiper, attributed to the Russia-aligned threat group Sandworm with medium confidence. The tactics, techniques, and procedures observed during the DynoWiper incident resemble those seen earlier in an incident involving the ZOV wiper in Ukraine. Sandworm has a history of destructive cyberattacks, targeting various entities including energy providers. The DynoWiper samples focus on the IT environment, with no observed functionality targeting OT industrial components. The attackers deployed additional tools and attempted to use a SOCKS5 proxy. The incident represents a rare case of a Russia-aligned threat actor deploying destructive malware against an energy company in Poland.", "modified": "2026-03-01T18:00:46.183000", "created": "2026-01-30T18:42:13.717000", "tags": [ "poland", "sting wiper", "dynowiper", "sharpnikowiper", "roarbat", "swiftslicer", "zov wiper", "arguepatch", "orcshred", "industroyer", "energy sector", "soloshred", "hermeticwiper", "zerolot", "hermeticransom", "nikowiper", "prestige", "cyberattack", "russia-aligned", "bidswipe", "caddywiper", "doublezero", "wiper malware", "data destruction", "industroyer2", "ransomboggs", "awfulshred" ], "references": [ "https://www.welivesecurity.com/en/eset-research/dynowiper-update-technical-analysis-attribution" ], "public": 1, "adversary": "Sandworm", "targeted_countries": [ "Poland", "Ukraine" ], "malware_families": [ { "id": "DynoWiper", "display_name": "DynoWiper", "target": null }, { "id": "ZOV wiper", "display_name": "ZOV wiper", "target": null }, { "id": "Industroyer2 - S1072", "display_name": "Industroyer2 - S1072", "target": null }, { "id": "Industroyer2 - S1072", "display_name": "Industroyer2 - S1072", "target": null }, { "id": "HermeticWiper - S0697", "display_name": "HermeticWiper - S0697", "target": null }, { "id": "Trojan.Killdisk", "display_name": "Trojan.Killdisk", "target": null }, { "id": "DriveSlayer", "display_name": "DriveSlayer", "target": null }, { "id": "HermeticRansom", "display_name": "HermeticRansom", "target": null }, { "id": "CaddyWiper - S0693", "display_name": "CaddyWiper - S0693", "target": null }, { "id": "DoubleZero", "display_name": "DoubleZero", "target": null }, { "id": "ARGUEPATCH", "display_name": "ARGUEPATCH", "target": null }, { "id": "ORCSHRED", "display_name": "ORCSHRED", "target": null }, { "id": "SOLOSHRED", "display_name": "SOLOSHRED", "target": null }, { "id": "AWFULSHRED", "display_name": "AWFULSHRED", "target": null }, { "id": "Prestige - S1058", "display_name": "Prestige - S1058", "target": null }, { "id": "RansomBoggs", "display_name": "RansomBoggs", "target": null }, { "id": "BidSwipe", "display_name": "BidSwipe", "target": null }, { "id": "ROARBAT", "display_name": "ROARBAT", "target": null }, { "id": "SwiftSlicer", "display_name": "SwiftSlicer", "target": null }, { "id": "NikoWiper", "display_name": "NikoWiper", "target": null }, { "id": "SharpNikoWiper", "display_name": "SharpNikoWiper", "target": null }, { "id": "ZEROLOT", "display_name": "ZEROLOT", "target": null }, { "id": "Sting wiper", "display_name": "Sting wiper", "target": null } ], "attack_ids": [ { "id": "T1053.005", "name": "Scheduled Task", "display_name": "T1053.005 - Scheduled Task" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1003.001", "name": "LSASS Memory", "display_name": "T1003.001 - LSASS Memory" }, { "id": "T1090.002", "name": "External Proxy", "display_name": "T1090.002 - External Proxy" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1584.004", "name": "Server", "display_name": "T1584.004 - Server" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1124", "name": "System Time Discovery", "display_name": "T1124 - System Time Discovery" }, { "id": "T1561.001", "name": "Disk Content Wipe", "display_name": "T1561.001 - Disk Content Wipe" }, { "id": "T1529", "name": "System Shutdown/Reboot", "display_name": "T1529 - System Shutdown/Reboot" } ], "industries": [ "Energy" ], "TLP": "white", "cloned_from": null, "export_count": 28, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "domain": 1, "FileHash-MD5": 6, "FileHash-SHA1": 7, "FileHash-SHA256": 6 }, "indicator_count": 20, "is_author": false, "is_subscribing": null, "subscriber_count": 386452, "modified_text": "90 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 }, { "id": "69f3bd5aef3274f6820fabc7", "name": "\"E:\\CTIA-Tools\\CTIA Module 05 Data Analysis\\Microsoft Threat Modeling Tool\\TMT7.application\"", "description": "", "modified": "2026-05-30T10:03:42.474000", "created": "2026-04-30T20:36:42.625000", "tags": [ "energy sector", "cve-2024-2617", "rubeus", "dynowiper", "lazywiper", "destructive operations", "fortigate exploitation", "combined heat power", "impacket", "renewable energy", "poland infrastructure", "industrial control systems", "wiper attack" ], "references": [ "https://cert.pl/uploads/docs/CERT_Polska_Energy_Sector_Incident_Report_2025.pdf" ], "public": 1, "adversary": "Static Tundra", "targeted_countries": [ "Poland" ], "malware_families": [ { "id": "DynoWiper", "display_name": "DynoWiper", "target": null }, { "id": "LazyWiper", "display_name": "LazyWiper", "target": null }, { "id": "Impacket", "display_name": "Impacket", "target": null }, { "id": "Rubeus", "display_name": "Rubeus", "target": null } ], "attack_ids": [], "industries": [ "Energy", "Manufacturing" ], "TLP": "white", "cloned_from": "69f32ac81834d5a878e8fac0", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "olivershippy", "id": "401750", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 21, "FileHash-SHA1": 5, "FileHash-SHA256": 7, "URL": 5 }, "indicator_count": 38, "is_author": false, "is_subscribing": null, "subscriber_count": 1, "modified_text": "8 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 }, { "id": "69f3bd6814568df21249e586", "name": "\"E:\\CTIA-Tools\\CTIA Module 05 Data Analysis\\Microsoft Threat Modeling Tool\\TMT7.application\"", "description": "", "modified": "2026-05-30T10:03:42.474000", "created": "2026-04-30T20:36:56.263000", "tags": [ "energy sector", "cve-2024-2617", "rubeus", "dynowiper", "lazywiper", "destructive operations", "fortigate exploitation", "combined heat power", "impacket", "renewable energy", "poland infrastructure", "industrial control systems", "wiper attack" ], "references": [ "https://cert.pl/uploads/docs/CERT_Polska_Energy_Sector_Incident_Report_2025.pdf" ], "public": 1, "adversary": "Static Tundra", "targeted_countries": [ "Poland" ], "malware_families": [ { "id": "DynoWiper", "display_name": "DynoWiper", "target": null }, { "id": "LazyWiper", "display_name": "LazyWiper", "target": null }, { "id": "Impacket", "display_name": "Impacket", "target": null }, { "id": "Rubeus", "display_name": "Rubeus", "target": null } ], "attack_ids": [], "industries": [ "Energy", "Manufacturing" ], "TLP": "white", "cloned_from": "69f32ac81834d5a878e8fac0", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "olivershippy", "id": "401750", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 21, "FileHash-SHA1": 5, "FileHash-SHA256": 7, "URL": 5 }, "indicator_count": 38, "is_author": false, "is_subscribing": null, "subscriber_count": 1, "modified_text": "8 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 }, { "id": "69f82582e230f0f8170c97fa", "name": "Energy Sector Incident Report", "description": "", "modified": "2026-05-30T10:03:42.474000", "created": "2026-05-04T04:50:10.429000", "tags": [ "energy sector", "cve-2024-2617", "rubeus", "dynowiper", "lazywiper", "destructive operations", "fortigate exploitation", "combined heat power", "impacket", "renewable energy", "poland infrastructure", "industrial control systems", "wiper attack" ], "references": [ "https://cert.pl/uploads/docs/CERT_Polska_Energy_Sector_Incident_Report_2025.pdf" ], "public": 1, "adversary": "Static Tundra", "targeted_countries": [ "Poland" ], "malware_families": [ { "id": "DynoWiper", "display_name": "DynoWiper", "target": null }, { "id": "LazyWiper", "display_name": "LazyWiper", "target": null }, { "id": "Impacket", "display_name": "Impacket", "target": null }, { "id": "Rubeus", "display_name": "Rubeus", "target": null } ], "attack_ids": [], "industries": [ "Energy", "Manufacturing" ], "TLP": "white", "cloned_from": "69f32ac81834d5a878e8fac0", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 21, "FileHash-SHA1": 5, "FileHash-SHA256": 7, "URL": 5 }, "indicator_count": 38, "is_author": false, "is_subscribing": null, "subscriber_count": 278, "modified_text": "8 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 }, { "id": "69b8f03b3216aa326067f7a0", "name": "HANDALA-Iranian Nexus Actor", "description": "", "modified": "2026-04-18T12:01:34.910000", "created": "2026-03-17T06:10:03.844000", "tags": [ "filehashsha256", "filehashmd5", "filename", "filehashsha1" ], "references": [ "IOCs.2026.2.csv" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-MD5": 127, "FileHash-SHA1": 92, "FileHash-SHA256": 117, "URL": 19, "domain": 27, "hostname": 4 }, "indicator_count": 387, "is_author": false, "is_subscribing": null, "subscriber_count": 47, "modified_text": "42 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 }, { "id": "69b6563c0597ac612e644416", "name": "Iranian APT Actors-Pt5", "description": "", "modified": "2026-04-15T09:12:52.422000", "created": "2026-03-15T06:48:28.010000", "tags": [ "filehashsha256", "filehashmd5", "filename", "filehashsha1", "bitcoinaddress", "temp", "port8083 domain", "registry", "cve201711882", "cve20170199" ], "references": [ "IOCs.2026.2.csv" ], "public": 1, "adversary": "Cleaver, Handala, OilRig, RansomHouse, Leafminer, CopyKittens, Muddy Water, Wiper Malwares", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 32, "FileHash-MD5": 261, "FileHash-SHA1": 191, "FileHash-SHA256": 291, "CIDR": 2, "CVE": 4, "domain": 95, "hostname": 23 }, "indicator_count": 899, "is_author": false, "is_subscribing": null, "subscriber_count": 43, "modified_text": "45 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 }, { "id": "698c4f02712e4743d0aa2263", "name": "EbeeFeb2026 Pt1", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-03-13T09:35:12.591000", "created": "2026-02-11T09:42:26.929000", "tags": [ "filehashsha256", "filehashsha1", "filehashmd5", "redacted" ], "references": [ "IOCs.csv" ], "public": 1, "adversary": "ShadowHS, DynoWiper, Operation Neusploit, Fake CAPTCHA App-V LOLBIN delivering Amatera Stealer", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 159, "FileHash-SHA1": 186, "FileHash-SHA256": 256, "CVE": 4, "URL": 49, "domain": 98, "hostname": 46 }, "indicator_count": 798, "is_author": false, "is_subscribing": null, "subscriber_count": 38, "modified_text": "78 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 }, { "id": "6988eb095842667bcf8e076e", "name": "DynoWiper test", "description": "", "modified": "2026-03-10T00:01:34.213000", "created": "2026-02-08T19:59:05.655000", "tags": [ "poland", "sting wiper", "dynowiper", "sharpnikowiper", "roarbat", "swiftslicer", "zov wiper", "arguepatch", "orcshred", "industroyer", "energy sector", "soloshred", "hermeticwiper", "zerolot", "hermeticransom", "nikowiper", "prestige", "cyberattack", "russia-aligned", "bidswipe", "caddywiper", "doublezero", "wiper malware", "data destruction", "industroyer2", "ransomboggs", "awfulshred" ], "references": [ "https://www.welivesecurity.com/en/eset-research/dynowiper-update-technical-analysis-attribution" ], "public": 1, "adversary": "Sandworm", "targeted_countries": [ "Poland", "Ukraine" ], "malware_families": [ { "id": "DynoWiper", "display_name": "DynoWiper", "target": null }, { "id": "ZOV wiper", "display_name": "ZOV wiper", "target": null }, { "id": "Industroyer2 - S1072", "display_name": "Industroyer2 - S1072", "target": null }, { "id": "Industroyer2 - S1072", "display_name": "Industroyer2 - S1072", "target": null }, { "id": "HermeticWiper - S0697", "display_name": "HermeticWiper - S0697", "target": null }, { "id": "Trojan.Killdisk", "display_name": "Trojan.Killdisk", "target": null }, { "id": "DriveSlayer", "display_name": "DriveSlayer", "target": null }, { "id": "HermeticRansom", "display_name": "HermeticRansom", "target": null }, { "id": "CaddyWiper - S0693", "display_name": "CaddyWiper - S0693", "target": null }, { "id": "DoubleZero", "display_name": "DoubleZero", "target": null }, { "id": "ARGUEPATCH", "display_name": "ARGUEPATCH", "target": null }, { "id": "ORCSHRED", "display_name": "ORCSHRED", "target": null }, { "id": "SOLOSHRED", "display_name": "SOLOSHRED", "target": null }, { "id": "AWFULSHRED", "display_name": "AWFULSHRED", "target": null }, { "id": "Prestige - S1058", "display_name": "Prestige - S1058", "target": null }, { "id": "RansomBoggs", "display_name": "RansomBoggs", "target": null }, { "id": "BidSwipe", "display_name": "BidSwipe", "target": null }, { "id": "ROARBAT", "display_name": "ROARBAT", "target": null }, { "id": "SwiftSlicer", "display_name": "SwiftSlicer", "target": null }, { "id": "NikoWiper", "display_name": "NikoWiper", "target": null }, { "id": "SharpNikoWiper", "display_name": "SharpNikoWiper", "target": null }, { "id": "ZEROLOT", "display_name": "ZEROLOT", "target": null }, { "id": "Sting wiper", "display_name": "Sting wiper", "target": null } ], "attack_ids": [ { "id": "T1053.005", "name": "Scheduled Task", "display_name": "T1053.005 - Scheduled Task" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1003.001", "name": "LSASS Memory", "display_name": "T1003.001 - LSASS Memory" }, { "id": "T1090.002", "name": "External Proxy", "display_name": "T1090.002 - External Proxy" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1584.004", "name": "Server", "display_name": "T1584.004 - Server" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1124", "name": "System Time Discovery", "display_name": "T1124 - System Time Discovery" }, { "id": "T1561.001", "name": "Disk Content Wipe", "display_name": "T1561.001 - Disk Content Wipe" }, { "id": "T1529", "name": "System Shutdown/Reboot", "display_name": "T1529 - System Shutdown/Reboot" } ], "industries": [ "Energy" ], "TLP": "white", "cloned_from": "697cfb85ac8b88be3162c26c", "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "antonioamador", "id": "381590", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1, "FileHash-MD5": 6, "FileHash-SHA1": 7, "FileHash-SHA256": 6 }, "indicator_count": 20, "is_author": false, "is_subscribing": null, "subscriber_count": 2, "modified_text": "81 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 }, { "id": "69823fe0f4fc9f6487e0ffe4", "name": "DynoWiper Data Wiping Malware Targeting Energy Companies", "description": "DynoWiper is a destructive malware group used in an attack on a Polish energy company in December 2025. It is meant to destroy data and shutdown systems not to make money.", "modified": "2026-03-05T18:00:48.990000", "created": "2026-02-03T18:35:12.649000", "tags": [], "references": [], "public": 1, "adversary": "N/A", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "FileHash-SHA1": 7, "FileHash-SHA256": 6 }, "indicator_count": 19, "is_author": false, "is_subscribing": null, "subscriber_count": 503, "modified_text": "86 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 }, { "id": "698050bc6e6a312f449dde78", "name": "DynoWiper update: Technical analysis and attribution", "description": "ESET researchers have identified a recent data destruction incident involving a new wiper malware named DynoWiper, attributed to the Russia-aligned threat group Sandworm. Sandworm is notorious for its destructive cyber operations targeting various sectors, including energy, transportation, and government, as exemplified by past attacks such as NotPetya and Olympic Destroyer.\n\nDynoWiper was deployed on December 29, 2025, in the shared directory C:\\inetpub\\pub\\, using executable filenames like schtask.exe and schtask2.exe. Notably, the references to a Visual Studio project path suggest that the malware may have been developed in an environment utilizing the Vagrant tool for managing virtual machines. This indicates that Sandworm possibly tested DynoWiper on virtual machines before unleashing it within the target organization\u2019s network.", "modified": "2026-03-04T07:02:58.010000", "created": "2026-02-02T07:22:36.796000", "tags": [ "sandworm", "strong", "zov wiper", "dynowiper", "ukraine", "eset research", "poland", "eset", "group policy", "december", "industroyer", "industroyer2", "blackenergy", "greyenergy", "wallpaper", "tips", "notpetya", "february", "hermeticwiper", "caddywiper", "doublezero", "arguepatch", "roarbat", "swiftslicer", "april", "first", "execution", "powershell", "shell", "rubeus", "impact", "wiper", "uac\u20110099", "zov", "prestige", "socks5 proxy", "rubeus toolset", "kerberos", "network ip", "domain hosting", "details", "na fornex", "socks5 server" ], "references": [ "https://www.welivesecurity.com/en/eset-research/dynowiper-update-technical-analysis-attribution/" ], "public": 1, "adversary": "Sandworm", "targeted_countries": [ "Poland", "Ukraine", "Russian Federation", "Pakistan" ], "malware_families": [ { "id": "DynoWiper", "display_name": "DynoWiper", "target": null } ], "attack_ids": [ { "id": "T1584.004", "name": "Server", "display_name": "T1584.004 - Server" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1053.005", "name": "Scheduled Task", "display_name": "T1053.005 - Scheduled Task" }, { "id": "T1003.001", "name": "LSASS Memory", "display_name": "T1003.001 - LSASS Memory" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1124", "name": "System Time Discovery", "display_name": "T1124 - System Time Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1090.002", "name": "External Proxy", "display_name": "T1090.002 - External Proxy" }, { "id": "T1561.001", "name": "Disk Content Wipe", "display_name": "T1561.001 - Disk Content Wipe" }, { "id": "T1529", "name": "System Shutdown/Reboot", "display_name": "T1529 - System Shutdown/Reboot" } ], "industries": [ "Energy", "Industrial", "Government", "Logistics", "Transportation", "Media", "Telecommunications", "Financial" ], "TLP": "green", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "URL": 1, "domain": 1, "FileHash-MD5": 6, "FileHash-SHA1": 7, "FileHash-SHA256": 6 }, "indicator_count": 22, "is_author": false, "is_subscribing": null, "subscriber_count": 546, "modified_text": "87 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 }, { "id": "698044170014d36c06191d62", "name": "IOC - DynoWiper update: Technical analysis and attribution", "description": "Sandworm is a Russia-aligned threat group that performs destructive attacks. It is mostly known for its attacks against Ukrainian energy companies in 2015-12 and 2016-12, which resulted in power outages. In 2017-06 Sandworm launched the NotPetya data-wiping attack that used a supply-chain vector by compromising the Ukrainian accounting software M.E.Doc. In 2018-02, Sandworm launched the Olympic Destroyer data-wiping attack against organizers of the 2018 Winter Olympics in Pyeongchang.", "modified": "2026-03-04T06:02:39.413000", "created": "2026-02-02T06:28:39.335000", "tags": [ "zov wiper", "socks5 proxy", "rubeus toolset", "kerberos", "network ip", "domain hosting", "first", "details", "na fornex", "socks5 server", "wiper" ], "references": [ "https://www.welivesecurity.com/en/eset-research/dynowiper-update-technical-analysis-attribution/#iocs" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "wiper", "display_name": "wiper", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "FileHash-SHA1": 7, "FileHash-SHA256": 6 }, "indicator_count": 19, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "87 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 }, { "id": "697717160b5f9564b40ceb0f", "name": "OpenCTI_Export_2026-01", "description": "Automated export from OpenCTI for 2026-01", "modified": "2026-03-02T17:00:28.656000", "created": "2026-01-26T07:26:12.492000", "tags": [ "OpenCTI", "Automated", "2026-01" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "info@watchtower365.com", "id": "67692", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 10866, "FileHash-SHA256": 960, "domain": 86 }, "indicator_count": 11912, "is_author": false, "is_subscribing": null, "subscriber_count": 28, "modified_text": "89 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 }, { "id": "69819ed2aa96447a18300c7d", "name": "DynoWiper update: Technical analysis", "description": "", "modified": "2026-03-01T18:00:46.183000", "created": "2026-02-03T07:08:02.689000", "tags": [ "poland", "sting wiper", "dynowiper", "sharpnikowiper", "roarbat", "swiftslicer", "zov wiper", "arguepatch", "orcshred", "industroyer", "energy sector", "soloshred", "hermeticwiper", "zerolot", "hermeticransom", "nikowiper", "prestige", "cyberattack", "russia-aligned", "bidswipe", "caddywiper", "doublezero", "wiper malware", "data destruction", "industroyer2", "ransomboggs", "awfulshred" ], "references": [ "https://www.welivesecurity.com/en/eset-research/dynowiper-update-technical-analysis-attribution" ], "public": 1, "adversary": "Sandworm", "targeted_countries": [ "Poland", "Ukraine" ], "malware_families": [ { "id": "DynoWiper", "display_name": "DynoWiper", "target": null }, { "id": "ZOV wiper", "display_name": "ZOV wiper", "target": null }, { "id": "Industroyer2 - S1072", "display_name": "Industroyer2 - S1072", "target": null }, { "id": "Industroyer2 - S1072", "display_name": "Industroyer2 - S1072", "target": null }, { "id": "HermeticWiper - S0697", "display_name": "HermeticWiper - S0697", "target": null }, { "id": "Trojan.Killdisk", "display_name": "Trojan.Killdisk", "target": null }, { "id": "DriveSlayer", "display_name": "DriveSlayer", "target": null }, { "id": "HermeticRansom", "display_name": "HermeticRansom", "target": null }, { "id": "CaddyWiper - S0693", "display_name": "CaddyWiper - S0693", "target": null }, { "id": "DoubleZero", "display_name": "DoubleZero", "target": null }, { "id": "ARGUEPATCH", "display_name": "ARGUEPATCH", "target": null }, { "id": "ORCSHRED", "display_name": "ORCSHRED", "target": null }, { "id": "SOLOSHRED", "display_name": "SOLOSHRED", "target": null }, { "id": "AWFULSHRED", "display_name": "AWFULSHRED", "target": null }, { "id": "Prestige - S1058", "display_name": "Prestige - S1058", "target": null }, { "id": "RansomBoggs", "display_name": "RansomBoggs", "target": null }, { "id": "BidSwipe", "display_name": "BidSwipe", "target": null }, { "id": "ROARBAT", "display_name": "ROARBAT", "target": null }, { "id": "SwiftSlicer", "display_name": "SwiftSlicer", "target": null }, { "id": "NikoWiper", "display_name": "NikoWiper", "target": null }, { "id": "SharpNikoWiper", "display_name": "SharpNikoWiper", "target": null }, { "id": "ZEROLOT", "display_name": "ZEROLOT", "target": null }, { "id": "Sting wiper", "display_name": "Sting wiper", "target": null } ], "attack_ids": [ { "id": "T1053.005", "name": "Scheduled Task", "display_name": "T1053.005 - Scheduled Task" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1003.001", "name": "LSASS Memory", "display_name": "T1003.001 - LSASS Memory" }, { "id": "T1090.002", "name": "External Proxy", "display_name": "T1090.002 - External Proxy" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1584.004", "name": "Server", "display_name": "T1584.004 - Server" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1124", "name": "System Time Discovery", "display_name": "T1124 - System Time Discovery" }, { "id": "T1561.001", "name": "Disk Content Wipe", "display_name": "T1561.001 - Disk Content Wipe" }, { "id": "T1529", "name": "System Shutdown/Reboot", "display_name": "T1529 - System Shutdown/Reboot" } ], "industries": [ "Energy" ], "TLP": "white", "cloned_from": "697cfb85ac8b88be3162c26c", "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1, "FileHash-MD5": 6, "FileHash-SHA1": 7, "FileHash-SHA256": 6 }, "indicator_count": 20, "is_author": false, "is_subscribing": null, "subscriber_count": 282, "modified_text": "90 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 }, { "id": "6996f32e4e12e23b1542b3be", "name": "DynoWiper", "description": "", "modified": "2026-02-19T11:25:34.946000", "created": "2026-02-19T11:25:34.946000", "tags": [ "DynoWiper" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "VirTool:Win32/Kekeo.A!MTB", "display_name": "VirTool:Win32/Kekeo.A!MTB", "target": "/malware/VirTool:Win32/Kekeo.A!MTB" }, { "id": "DynoWiper", "display_name": "DynoWiper", "target": null }, { "id": "Win64:TrojanX-gen\\ [Trj]", "display_name": "Win64:TrojanX-gen\\ [Trj]", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "FileHash-SHA1": 7, "FileHash-SHA256": 6 }, "indicator_count": 19, "is_author": false, "is_subscribing": null, "subscriber_count": 182, "modified_text": "100 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 }, { "id": "6981b2b8c9a037ad8d3a655c", "name": "Malware | 2026-01-31", "description": "Malware indicators. Date: 2026-01-31. Total: 571 indicators. For more threat intelligence visit https://ltna.com.au/cyber", "modified": "2026-02-03T08:32:56.404000", "created": "2026-02-03T08:32:56.404000", "tags": [ "malware", "malwarebazaar" ], "references": [ "https://ltna.com.au/cyber" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "LTNA-Australia", "id": "380633", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 571 }, "indicator_count": 571, "is_author": false, "is_subscribing": null, "subscriber_count": 90, "modified_text": "116 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 } ], "references": [ "IOCs.2026.2.csv", "https://cert.pl/uploads/docs/CERT_Polska_Energy_Sector_Incident_Report_2025.pdf", "https://www.welivesecurity.com/en/eset-research/dynowiper-update-technical-analysis-attribution/#iocs", "https://ltna.com.au/cyber", "https://www.welivesecurity.com/en/eset-research/dynowiper-update-technical-analysis-attribution/", "https://www.welivesecurity.com/en/eset-research/dynowiper-update-technical-analysis-attribution", "IOCs.csv" ], "related": { "alienvault": { "adversary": [ "Sandworm", "Static Tundra" ], "malware_families": [ "Sharpnikowiper", "Zerolot", "Dynowiper", "Ransomboggs", "Rubeus", "Roarbat", "Arguepatch", "Doublezero", "Impacket", "Driveslayer", "Soloshred", "Bidswipe", "Prestige - s1058", "Sting wiper", "Awfulshred", "Caddywiper - s0693", "Zov wiper", "Lazywiper", "Trojan.killdisk", "Hermeticwiper - s0697", "Industroyer2 - s1072", "Nikowiper", "Hermeticransom", "Orcshred", "Swiftslicer" ], "industries": [ "Energy", "Manufacturing" ] }, "other": { "adversary": [ "ShadowHS, DynoWiper, Operation Neusploit, Fake CAPTCHA App-V LOLBIN delivering Amatera Stealer", "N/A", "Static Tundra", "Sandworm", "Cleaver, Handala, OilRig, RansomHouse, Leafminer, CopyKittens, Muddy Water, Wiper Malwares" ], "malware_families": [ "Sharpnikowiper", "Zerolot", "Dynowiper", "Ransomboggs", "Rubeus", "Roarbat", "Arguepatch", "Doublezero", "Impacket", "Virtool:win32/kekeo.a!mtb", "Driveslayer", "Soloshred", "Bidswipe", "Prestige - s1058", "Sting wiper", "Awfulshred", "Caddywiper - s0693", "Win64:trojanx-gen\\ [trj]", "Zov wiper", "Wiper", "Lazywiper", "Trojan.killdisk", "Hermeticwiper - s0697", "Industroyer2 - s1072", "Nikowiper", "Hermeticransom", "Orcshred", "Swiftslicer" ], "industries": [ "Logistics", "Industrial", "Transportation", "Energy", "Manufacturing", "Media", "Telecommunications", "Government", "Financial" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 16, "pulses": [ { "id": "69f32ac81834d5a878e8fac0", "name": "Energy Sector Incident Report", "description": "On December 29, 2025, coordinated destructive cyberattacks targeted Poland's energy infrastructure during severe winter weather. Approximately 30 wind and solar farms, a manufacturing company, and a combined heat and power plant serving nearly 500,000 customers were affected. Attackers exploited vulnerable FortiGate perimeter devices using stolen credentials and default passwords to access industrial control systems. Multiple types of wiper malware, including DynoWiper and LazyWiper, were deployed to destroy data across IT and OT environments. While renewable facilities lost communication with distribution operators without affecting electricity generation, the incidents demonstrated significant capability to cause physical disruption. Infrastructure analysis revealed connections to threat clusters known as Static Tundra, Ghost Blizzard, and potentially Sandworm, marking a notable escalation in cyber-sabotage operations.", "modified": "2026-05-30T10:03:42.474000", "created": "2026-04-30T10:11:20.255000", "tags": [ "energy sector", "cve-2024-2617", "rubeus", "dynowiper", "lazywiper", "destructive operations", "fortigate exploitation", "combined heat power", "impacket", "renewable energy", "poland infrastructure", "industrial control systems", "wiper attack" ], "references": [ "https://cert.pl/uploads/docs/CERT_Polska_Energy_Sector_Incident_Report_2025.pdf" ], "public": 1, "adversary": "Static Tundra", "targeted_countries": [ "Poland" ], "malware_families": [ { "id": "DynoWiper", "display_name": "DynoWiper", "target": null }, { "id": "LazyWiper", "display_name": "LazyWiper", "target": null }, { "id": "Impacket", "display_name": "Impacket", "target": null }, { "id": "Rubeus", "display_name": "Rubeus", "target": null } ], "attack_ids": [], "industries": [ "Energy", "Manufacturing" ], "TLP": "white", "cloned_from": null, "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 21, "FileHash-SHA1": 5, "FileHash-SHA256": 7, "URL": 5 }, "indicator_count": 38, "is_author": false, "is_subscribing": null, "subscriber_count": 386443, "modified_text": "8 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 }, { "id": "697cfb85ac8b88be3162c26c", "name": "DynoWiper update: Technical analysis", "description": "ESET researchers provide technical details on a recent data destruction incident affecting a Polish energy company. They identified new data-wiping malware named DynoWiper, attributed to the Russia-aligned threat group Sandworm with medium confidence. The tactics, techniques, and procedures observed during the DynoWiper incident resemble those seen earlier in an incident involving the ZOV wiper in Ukraine. Sandworm has a history of destructive cyberattacks, targeting various entities including energy providers. The DynoWiper samples focus on the IT environment, with no observed functionality targeting OT industrial components. The attackers deployed additional tools and attempted to use a SOCKS5 proxy. The incident represents a rare case of a Russia-aligned threat actor deploying destructive malware against an energy company in Poland.", "modified": "2026-03-01T18:00:46.183000", "created": "2026-01-30T18:42:13.717000", "tags": [ "poland", "sting wiper", "dynowiper", "sharpnikowiper", "roarbat", "swiftslicer", "zov wiper", "arguepatch", "orcshred", "industroyer", "energy sector", "soloshred", "hermeticwiper", "zerolot", "hermeticransom", "nikowiper", "prestige", "cyberattack", "russia-aligned", "bidswipe", "caddywiper", "doublezero", "wiper malware", "data destruction", "industroyer2", "ransomboggs", "awfulshred" ], "references": [ "https://www.welivesecurity.com/en/eset-research/dynowiper-update-technical-analysis-attribution" ], "public": 1, "adversary": "Sandworm", "targeted_countries": [ "Poland", "Ukraine" ], "malware_families": [ { "id": "DynoWiper", "display_name": "DynoWiper", "target": null }, { "id": "ZOV wiper", "display_name": "ZOV wiper", "target": null }, { "id": "Industroyer2 - S1072", "display_name": "Industroyer2 - S1072", "target": null }, { "id": "Industroyer2 - S1072", "display_name": "Industroyer2 - S1072", "target": null }, { "id": "HermeticWiper - S0697", "display_name": "HermeticWiper - S0697", "target": null }, { "id": "Trojan.Killdisk", "display_name": "Trojan.Killdisk", "target": null }, { "id": "DriveSlayer", "display_name": "DriveSlayer", "target": null }, { "id": "HermeticRansom", "display_name": "HermeticRansom", "target": null }, { "id": "CaddyWiper - S0693", "display_name": "CaddyWiper - S0693", "target": null }, { "id": "DoubleZero", "display_name": "DoubleZero", "target": null }, { "id": "ARGUEPATCH", "display_name": "ARGUEPATCH", "target": null }, { "id": "ORCSHRED", "display_name": "ORCSHRED", "target": null }, { "id": "SOLOSHRED", "display_name": "SOLOSHRED", "target": null }, { "id": "AWFULSHRED", "display_name": "AWFULSHRED", "target": null }, { "id": "Prestige - S1058", "display_name": "Prestige - S1058", "target": null }, { "id": "RansomBoggs", "display_name": "RansomBoggs", "target": null }, { "id": "BidSwipe", "display_name": "BidSwipe", "target": null }, { "id": "ROARBAT", "display_name": "ROARBAT", "target": null }, { "id": "SwiftSlicer", "display_name": "SwiftSlicer", "target": null }, { "id": "NikoWiper", "display_name": "NikoWiper", "target": null }, { "id": "SharpNikoWiper", "display_name": "SharpNikoWiper", "target": null }, { "id": "ZEROLOT", "display_name": "ZEROLOT", "target": null }, { "id": "Sting wiper", "display_name": "Sting wiper", "target": null } ], "attack_ids": [ { "id": "T1053.005", "name": "Scheduled Task", "display_name": "T1053.005 - Scheduled Task" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1003.001", "name": "LSASS Memory", "display_name": "T1003.001 - LSASS Memory" }, { "id": "T1090.002", "name": "External Proxy", "display_name": "T1090.002 - External Proxy" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1584.004", "name": "Server", "display_name": "T1584.004 - Server" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1124", "name": "System Time Discovery", "display_name": "T1124 - System Time Discovery" }, { "id": "T1561.001", "name": "Disk Content Wipe", "display_name": "T1561.001 - Disk Content Wipe" }, { "id": "T1529", "name": "System Shutdown/Reboot", "display_name": "T1529 - System Shutdown/Reboot" } ], "industries": [ "Energy" ], "TLP": "white", "cloned_from": null, "export_count": 28, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "domain": 1, "FileHash-MD5": 6, "FileHash-SHA1": 7, "FileHash-SHA256": 6 }, "indicator_count": 20, "is_author": false, "is_subscribing": null, "subscriber_count": 386452, "modified_text": "90 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 }, { "id": "69f3bd5aef3274f6820fabc7", "name": "\"E:\\CTIA-Tools\\CTIA Module 05 Data Analysis\\Microsoft Threat Modeling Tool\\TMT7.application\"", "description": "", "modified": "2026-05-30T10:03:42.474000", "created": "2026-04-30T20:36:42.625000", "tags": [ "energy sector", "cve-2024-2617", "rubeus", "dynowiper", "lazywiper", "destructive operations", "fortigate exploitation", "combined heat power", "impacket", "renewable energy", "poland infrastructure", "industrial control systems", "wiper attack" ], "references": [ "https://cert.pl/uploads/docs/CERT_Polska_Energy_Sector_Incident_Report_2025.pdf" ], "public": 1, "adversary": "Static Tundra", "targeted_countries": [ "Poland" ], "malware_families": [ { "id": "DynoWiper", "display_name": "DynoWiper", "target": null }, { "id": "LazyWiper", "display_name": "LazyWiper", "target": null }, { "id": "Impacket", "display_name": "Impacket", "target": null }, { "id": "Rubeus", "display_name": "Rubeus", "target": null } ], "attack_ids": [], "industries": [ "Energy", "Manufacturing" ], "TLP": "white", "cloned_from": "69f32ac81834d5a878e8fac0", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "olivershippy", "id": "401750", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 21, "FileHash-SHA1": 5, "FileHash-SHA256": 7, "URL": 5 }, "indicator_count": 38, "is_author": false, "is_subscribing": null, "subscriber_count": 1, "modified_text": "8 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 }, { "id": "69f3bd6814568df21249e586", "name": "\"E:\\CTIA-Tools\\CTIA Module 05 Data Analysis\\Microsoft Threat Modeling Tool\\TMT7.application\"", "description": "", "modified": "2026-05-30T10:03:42.474000", "created": "2026-04-30T20:36:56.263000", "tags": [ "energy sector", "cve-2024-2617", "rubeus", "dynowiper", "lazywiper", "destructive operations", "fortigate exploitation", "combined heat power", "impacket", "renewable energy", "poland infrastructure", "industrial control systems", "wiper attack" ], "references": [ "https://cert.pl/uploads/docs/CERT_Polska_Energy_Sector_Incident_Report_2025.pdf" ], "public": 1, "adversary": "Static Tundra", "targeted_countries": [ "Poland" ], "malware_families": [ { "id": "DynoWiper", "display_name": "DynoWiper", "target": null }, { "id": "LazyWiper", "display_name": "LazyWiper", "target": null }, { "id": "Impacket", "display_name": "Impacket", "target": null }, { "id": "Rubeus", "display_name": "Rubeus", "target": null } ], "attack_ids": [], "industries": [ "Energy", "Manufacturing" ], "TLP": "white", "cloned_from": "69f32ac81834d5a878e8fac0", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "olivershippy", "id": "401750", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 21, "FileHash-SHA1": 5, "FileHash-SHA256": 7, "URL": 5 }, "indicator_count": 38, "is_author": false, "is_subscribing": null, "subscriber_count": 1, "modified_text": "8 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 }, { "id": "69f82582e230f0f8170c97fa", "name": "Energy Sector Incident Report", "description": "", "modified": "2026-05-30T10:03:42.474000", "created": "2026-05-04T04:50:10.429000", "tags": [ "energy sector", "cve-2024-2617", "rubeus", "dynowiper", "lazywiper", "destructive operations", "fortigate exploitation", "combined heat power", "impacket", "renewable energy", "poland infrastructure", "industrial control systems", "wiper attack" ], "references": [ "https://cert.pl/uploads/docs/CERT_Polska_Energy_Sector_Incident_Report_2025.pdf" ], "public": 1, "adversary": "Static Tundra", "targeted_countries": [ "Poland" ], "malware_families": [ { "id": "DynoWiper", "display_name": "DynoWiper", "target": null }, { "id": "LazyWiper", "display_name": "LazyWiper", "target": null }, { "id": "Impacket", "display_name": "Impacket", "target": null }, { "id": "Rubeus", "display_name": "Rubeus", "target": null } ], "attack_ids": [], "industries": [ "Energy", "Manufacturing" ], "TLP": "white", "cloned_from": "69f32ac81834d5a878e8fac0", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 21, "FileHash-SHA1": 5, "FileHash-SHA256": 7, "URL": 5 }, "indicator_count": 38, "is_author": false, "is_subscribing": null, "subscriber_count": 278, "modified_text": "8 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 }, { "id": "69b8f03b3216aa326067f7a0", "name": "HANDALA-Iranian Nexus Actor", "description": "", "modified": "2026-04-18T12:01:34.910000", "created": "2026-03-17T06:10:03.844000", "tags": [ "filehashsha256", "filehashmd5", "filename", "filehashsha1" ], "references": [ "IOCs.2026.2.csv" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-MD5": 127, "FileHash-SHA1": 92, "FileHash-SHA256": 117, "URL": 19, "domain": 27, "hostname": 4 }, "indicator_count": 387, "is_author": false, "is_subscribing": null, "subscriber_count": 47, "modified_text": "42 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 }, { "id": "69b6563c0597ac612e644416", "name": "Iranian APT Actors-Pt5", "description": "", "modified": "2026-04-15T09:12:52.422000", "created": "2026-03-15T06:48:28.010000", "tags": [ "filehashsha256", "filehashmd5", "filename", "filehashsha1", "bitcoinaddress", "temp", "port8083 domain", "registry", "cve201711882", "cve20170199" ], "references": [ "IOCs.2026.2.csv" ], "public": 1, "adversary": "Cleaver, Handala, OilRig, RansomHouse, Leafminer, CopyKittens, Muddy Water, Wiper Malwares", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 32, "FileHash-MD5": 261, "FileHash-SHA1": 191, "FileHash-SHA256": 291, "CIDR": 2, "CVE": 4, "domain": 95, "hostname": 23 }, "indicator_count": 899, "is_author": false, "is_subscribing": null, "subscriber_count": 43, "modified_text": "45 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 }, { "id": "698c4f02712e4743d0aa2263", "name": "EbeeFeb2026 Pt1", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-03-13T09:35:12.591000", "created": "2026-02-11T09:42:26.929000", "tags": [ "filehashsha256", "filehashsha1", "filehashmd5", "redacted" ], "references": [ "IOCs.csv" ], "public": 1, "adversary": "ShadowHS, DynoWiper, Operation Neusploit, Fake CAPTCHA App-V LOLBIN delivering Amatera Stealer", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 159, "FileHash-SHA1": 186, "FileHash-SHA256": 256, "CVE": 4, "URL": 49, "domain": 98, "hostname": 46 }, "indicator_count": 798, "is_author": false, "is_subscribing": null, "subscriber_count": 38, "modified_text": "78 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 }, { "id": "6988eb095842667bcf8e076e", "name": "DynoWiper test", "description": "", "modified": "2026-03-10T00:01:34.213000", "created": "2026-02-08T19:59:05.655000", "tags": [ "poland", "sting wiper", "dynowiper", "sharpnikowiper", "roarbat", "swiftslicer", "zov wiper", "arguepatch", "orcshred", "industroyer", "energy sector", "soloshred", "hermeticwiper", "zerolot", "hermeticransom", "nikowiper", "prestige", "cyberattack", "russia-aligned", "bidswipe", "caddywiper", "doublezero", "wiper malware", "data destruction", "industroyer2", "ransomboggs", "awfulshred" ], "references": [ "https://www.welivesecurity.com/en/eset-research/dynowiper-update-technical-analysis-attribution" ], "public": 1, "adversary": "Sandworm", "targeted_countries": [ "Poland", "Ukraine" ], "malware_families": [ { "id": "DynoWiper", "display_name": "DynoWiper", "target": null }, { "id": "ZOV wiper", "display_name": "ZOV wiper", "target": null }, { "id": "Industroyer2 - S1072", "display_name": "Industroyer2 - S1072", "target": null }, { "id": "Industroyer2 - S1072", "display_name": "Industroyer2 - S1072", "target": null }, { "id": "HermeticWiper - S0697", "display_name": "HermeticWiper - S0697", "target": null }, { "id": "Trojan.Killdisk", "display_name": "Trojan.Killdisk", "target": null }, { "id": "DriveSlayer", "display_name": "DriveSlayer", "target": null }, { "id": "HermeticRansom", "display_name": "HermeticRansom", "target": null }, { "id": "CaddyWiper - S0693", "display_name": "CaddyWiper - S0693", "target": null }, { "id": "DoubleZero", "display_name": "DoubleZero", "target": null }, { "id": "ARGUEPATCH", "display_name": "ARGUEPATCH", "target": null }, { "id": "ORCSHRED", "display_name": "ORCSHRED", "target": null }, { "id": "SOLOSHRED", "display_name": "SOLOSHRED", "target": null }, { "id": "AWFULSHRED", "display_name": "AWFULSHRED", "target": null }, { "id": "Prestige - S1058", "display_name": "Prestige - S1058", "target": null }, { "id": "RansomBoggs", "display_name": "RansomBoggs", "target": null }, { "id": "BidSwipe", "display_name": "BidSwipe", "target": null }, { "id": "ROARBAT", "display_name": "ROARBAT", "target": null }, { "id": "SwiftSlicer", "display_name": "SwiftSlicer", "target": null }, { "id": "NikoWiper", "display_name": "NikoWiper", "target": null }, { "id": "SharpNikoWiper", "display_name": "SharpNikoWiper", "target": null }, { "id": "ZEROLOT", "display_name": "ZEROLOT", "target": null }, { "id": "Sting wiper", "display_name": "Sting wiper", "target": null } ], "attack_ids": [ { "id": "T1053.005", "name": "Scheduled Task", "display_name": "T1053.005 - Scheduled Task" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1003.001", "name": "LSASS Memory", "display_name": "T1003.001 - LSASS Memory" }, { "id": "T1090.002", "name": "External Proxy", "display_name": "T1090.002 - External Proxy" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1584.004", "name": "Server", "display_name": "T1584.004 - Server" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1124", "name": "System Time Discovery", "display_name": "T1124 - System Time Discovery" }, { "id": "T1561.001", "name": "Disk Content Wipe", "display_name": "T1561.001 - Disk Content Wipe" }, { "id": "T1529", "name": "System Shutdown/Reboot", "display_name": "T1529 - System Shutdown/Reboot" } ], "industries": [ "Energy" ], "TLP": "white", "cloned_from": "697cfb85ac8b88be3162c26c", "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "antonioamador", "id": "381590", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1, "FileHash-MD5": 6, "FileHash-SHA1": 7, "FileHash-SHA256": 6 }, "indicator_count": 20, "is_author": false, "is_subscribing": null, "subscriber_count": 2, "modified_text": "81 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 }, { "id": "69823fe0f4fc9f6487e0ffe4", "name": "DynoWiper Data Wiping Malware Targeting Energy Companies", "description": "DynoWiper is a destructive malware group used in an attack on a Polish energy company in December 2025. It is meant to destroy data and shutdown systems not to make money.", "modified": "2026-03-05T18:00:48.990000", "created": "2026-02-03T18:35:12.649000", "tags": [], "references": [], "public": 1, "adversary": "N/A", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "FileHash-SHA1": 7, "FileHash-SHA256": 6 }, "indicator_count": 19, "is_author": false, "is_subscribing": null, "subscriber_count": 503, "modified_text": "86 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "c4379da51e8b9e86ec3de934f9373f4a", "type": "Hash" }, "abuseipdb": null, "urlhaus": { "indicator": "c4379da51e8b9e86ec3de934f9373f4a", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780165575.03096 }