Under the Hood of DynoWiper

[This is a Guest Diary contributed by John Moutos]

Overview

In this post, I’m going over my analysis of DynoWiper, a wiper family that was discovered during attacks against Polish energy companies in late December of 2025.

ESET Research [1] and CERT Polska [2] have linked the activity and supporting malware to infrastructure and tradecraft associated with Russian state-aligned threat actors, with ESET assessing the campaign as consistent with operations attributed to the Russian APT Sandworm [3], which is notorious for attacking Ukrainian companies and infrastructure, with major incidents in 2015, 2016, 2017, 2018, and 2022.

For more insight into Sandworm or the chain of compromise leading up to the deployment of DynoWiper, ESET and CERT Polska published their findings in great detail, and I highly recommend reading them for context.

IOCs

The sample analyzed in this post is a 32-bit Windows executable, and is version A of DynoWiper.

SHA-256: 835b0d87ed2d49899ab6f9479cddb8b4e03f5aeb2365c50a51f9088dcede68d5 [4]

Initial Inspection

To start, I ran the binary straight through DIE [5] (Detect It Easy) to catch any quick wins regarding packing or obfuscation, but this sample does not appear to utilize either (unsurprising for wiper malware).

Figure 1: Detect It Easy

PRNG Setup

Jumping right past the CRT setup to the WinMain function, DynoWiper first initializes a Mersenne Twister PRNG (MT19937) context, with the fixed seed
Article Summaries:
- In late December 2025, a wiper malware dubbed DynoWiper was identified during attacks on Polish energy firms. Security teams at ESET and CERT Polska linked the campaign to Russian-aligned threat actors, specifically the APT group Sandworm, known for targeting Ukrainian infrastructure. A 32-bit Windows sample (SHA-256 835b0d87…) was dissected: it initializes a Mersenne Twister PRNG, enumerates all fixed and removable drives, and recursively walks directories while skipping critical system folders. Files are corrupted by writing 16-byte junk blocks at the start and at random offsets, up to 4,096 writes per file, before proceeding to delete the damaged data. The analysis confirms DynoWiper’s destructive tactics and its association with state-backed actors.
Sources:
- https://isc.sans.edu/diary/rss/32730 (Latest source article published: 2026-02-19 19:43 UTC)