VYPR
breach · Published Jan 30, 2026 · Updated May 18, 2026 · 1 source

DynoWiper: ESET Links New Poland Energy Sector Wiper to Russian Sandworm Group

ESET researchers have identified DynoWiper, a new data-wiping malware used against an energy company in Poland, and attribute the attack to the Russia-aligned Sandworm group with medium confidence.

ESET researchers have identified a new data-wiping malware family, dubbed DynoWiper, used in a December 2025 attack against an energy company in Poland. The attack was detected and blocked by ESET's EDR/XDR product, ESET PROTECT, which limited the impact. The tactics, techniques, and procedures (TTPs) observed in the incident closely resemble those used in a separate attack involving the ZOV wiper in Ukraine, which also employed Russian military symbols Z, O, and V. ESET attributes DynoWiper to the Russia-aligned Sandworm group (Unit 74455 of the GRU) with medium confidence, while the ZOV wiper is attributed with high confidence.

Sandworm, also known as Seashell Blizzard, is a Russian state-sponsored threat group with a long history of destructive cyberattacks. The group is infamous for the 2015 and 2016 power outages in Ukraine, the 2017 NotPetya wiper attack that spread globally via the M.E.Doc accounting software supply chain, and the 2018 Olympic Destroyer attack on the Winter Olympics in Pyeongchang. Sandworm has also deployed advanced malware like Industroyer, which targets industrial control systems at energy companies. In 2020, the US Department of Justice indicted six Russian GRU officers for their involvement in Sandworm operations.

Since the start of Russia's full-scale invasion of Ukraine in 2022, Sandworm has deployed a wide array of wiper malware families, including HermeticWiper, CaddyWiper, DoubleZero, SwiftSlicer, NikoWiper, and ZOV wiper, among others. ESET has tracked over 10 destructive malware incidents attributed to Sandworm in 2025 alone, almost all targeting Ukraine. The group frequently modifies its malware to evade detection, often generating new variants from source code or switching to entirely new families rather than reusing known samples.

While Sandworm has a decade-long history of targeting Polish entities, including energy companies, for cyberespionage (as seen with BlackEnergy and GreyEnergy), the DynoWiper incident marks a shift toward destructive operations in Poland. In October 2022, Sandworm carried out a destructive attack against logistics companies in both Ukraine and Poland, disguised as Prestige ransomware. The December 2025 DynoWiper attack represents the first known destructive wiper deployment against a Polish energy company.

On December 29, 2025, DynoWiper samples were deployed to a shared directory on the victim's domain with filenames including schtask.exe, schtask2.exe, and a redacted _update.exe. The ESET PROTECT EDR/XDR solution successfully blocked the wiper's execution, preventing widespread damage. CERT Polska conducted a detailed investigation and published its own analysis of the incident.

ESET continues to enhance its detection capabilities to identify Sandworm operations before wipers are deployed, collaborating closely with CERT-UA and other partners. The DynoWiper discovery underscores the evolving threat from Russian state-sponsored actors, who are expanding destructive cyber operations beyond Ukraine into neighboring countries like Poland.

Synthesized by Vypr AI