{
	"id": "dd665b70-d601-445a-ae9e-f5004353593b",
	"created_at": "2026-04-29T08:23:04.700347Z",
	"updated_at": "2026-04-29T10:41:52.848348Z",
	"deleted_at": null,
	"sha1_hash": "7a4f0997458d80c7b397cb7722643169f630fe7b",
	"title": "Russian Sandworm group attacks energy company in Poland with DynoWiper, ESET Research discovers",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 50485,
	"plain_text": "Russian Sandworm group attacks energy company in Poland with\r\nDynoWiper, ESET Research discovers\r\nArchived: 2026-04-29 07:13:15 UTC\r\nESET researchers identified new data-wiping malware that ESET named DynoWiper, used against an\r\nenergy company in Poland.\r\nThe TTPs observed during the DynoWiper incident closely resemble those seen previously in an incident\r\ninvolving another data wiper, ZOV, in Ukraine.\r\nESET Research attributes DynoWiper to the Russia-aligned threat group Sandworm with medium\r\nconfidence.\r\nThe incident is a rare and unreported case in which a Russia-aligned threat actor deployed destructive,\r\ndata-wiping malware against an energy company in Poland.\r\nBRATISLAVA — January 30, 2026 — ESET researchers identified new data-wiping malware that they named\r\nDynoWiper, used against an energy company in Poland. The tactics, techniques, and procedures (TTPs) observed\r\nduring the DynoWiper incident closely resembles the previous one involving the ZOV wiper in Ukraine: Z, O, and\r\nV are Russian military symbols. ESET Research attributes DynoWiper to Russia-aligned threat group Sandworm\r\nwith medium confidence.\r\nThis incident represents a rare and previously undocumented case in which a Russia-aligned threat actor deployed\r\ndestructive, data-wiping malware against an energy company in Poland. In 2025, ESET investigated more than 10\r\nincidents involving destructive malware attributed to Sandworm, almost all of them occurring in Ukraine.\r\nThe installed EDR/XDR product, ESET PROTECT, blocked execution of the wiper, significantly limiting its\r\nimpact in the environment. CERT Polska did an excellent job investigating the incident and published a detailed\r\nanalysis in a report available on its website.\r\nOn December 29th, 2025, DynoWiper samples were deployed to what probably is a shared directory in the\r\nvictim’s domain. 
It is possible that Sandworm operators first tested the operation on virtual machines before\r\ndeploying the malware in the target organization. Three distinct samples were deployed and all attempts failed.\r\nThe wiper overwrites files using a 16-byte buffer that contains random data generated once, at the\r\nstart of the wiper’s execution. On an unprotected machine, files of size 16 bytes or fewer are fully overwritten. To\r\nspeed up the destruction process, files larger than 16 bytes have only some parts of their contents overwritten.\r\nDynoWiper wipes files on all removable and fixed drives and finally forces the system to reboot, completing the\r\ndestruction of the system.\r\nUnlike other Sandworm malware including Industroyer and Industroyer2, the newly discovered DynoWiper\r\nsamples focus solely on the IT environment, with no observed functionality targeting operational technology\r\nindustrial components. However, this does not exclude the possibility that such capabilities were present\r\nelsewhere in the attack chain.\r\nESET Research identified several similarities to previously known destructive malware, specifically to the wiper\r\nZOV, which ESET attributes to Sandworm with high confidence. DynoWiper operates in a broadly similar fashion\r\nto the ZOV wiper. Notably, the exclusion of certain directories and especially the clearly separate logic present in\r\nthe code for wiping smaller and larger files can also be found in the ZOV wiper. ZOV is destructive malware that\r\nwe detected being deployed against a financial institution in Ukraine in November 2025. Once executed, the ZOV\r\nwiper iterates over files on all fixed drives and wipes them by overwriting their contents. 
There was another ZOV\r\nwiper case at an energy company in Ukraine, where the attackers deployed the wiper on January 25th, 2024. \r\nSandworm is a Russia-aligned threat group that performs destructive attacks, targeting a wide range of entities\r\nincluding government agencies, logistics companies, transportation firms, energy providers, media organizations,\r\ngrain sector companies, and telecommunications companies. These attacks typically involve the deployment of\r\nwiper malware – malicious software designed to delete files, erase data, and render systems unbootable.\r\nBesides Ukraine, the group has a decade-long history of targeting companies in Poland, including those in the\r\nenergy sector. In October 2022, it carried out a destructive attack against logistics companies in both Ukraine and\r\nPoland, disguising the operation as a Prestige ransomware incident. Because the majority of Sandworm’s\r\ncyberattacks currently target Ukraine, we collaborate closely with our Ukrainian partners, including the Computer\r\nEmergency Response Team of Ukraine (CERT-UA), to support both prevention and remediation efforts.\r\nFor a more detailed analysis of DynoWiper and Sandworm, check out the latest ESET Research blogpost\r\n“DynoWiper update: Technical analysis and attribution” on WeLiveSecurity.com. Make sure to follow ESET\r\nResearch on Twitter (today known as X), BlueSky, and Mastodon for the latest news from ESET Research.\r\nWallpaper dropped by the ZOV wiper\r\nAbout ESET\r\nESET® provides cutting-edge cybersecurity to prevent attacks before they happen. By combining the power of AI\r\nand human expertise, ESET stays ahead of emerging global cyberthreats, both known and unknown—securing\r\nbusinesses, critical infrastructure, and individuals. Whether it’s endpoint, cloud, or mobile protection, our AI-native, cloud-first solutions and services remain highly effective and easy to use. 
ESET technology includes robust\r\ndetection and response, ultra-secure encryption, and multifactor authentication. With 24/7 real-time defense and\r\nstrong local support, we keep users safe and businesses running without interruption. The ever-evolving digital\r\nlandscape demands a progressive approach to security: ESET is committed to world-class research and powerful\r\nthreat intelligence, backed by R\u0026D centers and a strong global partner network. For more information, visit\r\nwww.eset.com or follow our social media, podcasts, and blogs.\r\nSource: https://www.eset.com/us/about/newsroom/research/eset-research-russian-sandwormapt-attacks-energy-company-poland-with-dynowiper/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.eset.com/us/about/newsroom/research/eset-research-russian-sandwormapt-attacks-energy-company-poland-with-dynowiper/"
	],
	"report_names": [
		"eset-research-russian-sandwormapt-attacks-energy-company-poland-with-dynowiper"
	],
	"threat_actors": [
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-29T10:39:53.05711Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"APT44",
				"VOODOO BEAR",
				"TEMP.Noble",
				"IRON VIKING",
				"ELECTRUM",
				"IRIDIUM",
				"Blue Echidna",
				"UAC-0082",
				"Quedagh",
				"G0034",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-29T10:39:55.501548Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1777450984,
	"ts_updated_at": 1777459312,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7a4f0997458d80c7b397cb7722643169f630fe7b.pdf",
		"text": "https://archive.orkl.eu/7a4f0997458d80c7b397cb7722643169f630fe7b.txt",
		"img": "https://archive.orkl.eu/7a4f0997458d80c7b397cb7722643169f630fe7b.jpg"
	}
}