{
  "description": "Enterprise techniques used by 2025 Poland Wiper Attacks, ATT&CK campaign C0063 (v1.0)",
  "name": "2025 Poland Wiper Attacks (C0063)",
  "domain": "enterprise-attack",
  "versions": {"layer": "4.5", "attack": "19", "navigator": "5.3.2"},
  "techniques": [
    {"techniqueID": "T1583", "showSubtechniques": true},
    {"techniqueID": "T1583.006", "comment": "During the [2025 Poland Wiper Attacks](https://attack.mitre.org/campaigns/C0063), the adversaries configured the victim FortiGate devices to send notifications to an attacker-controlled Slack channel. They also staged tools and files on third-party web services such as Dropbox and Pastebin.(Citation: CERT Polska)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1560", "showSubtechniques": true},
    {"techniqueID": "T1560.001", "comment": "During the [2025 Poland Wiper Attacks](https://attack.mitre.org/campaigns/C0063), the adversaries compressed stolen files into a ZIP archive prior to exfiltration.(Citation: CERT Polska)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1110", "showSubtechniques": true},
    {"techniqueID": "T1110.002", "comment": "During the [2025 Poland Wiper Attacks](https://attack.mitre.org/campaigns/C0063), the adversaries attempted to crack user password hashes.(Citation: CERT Polska)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1059", "showSubtechniques": true},
    {"techniqueID": "T1059.003", "comment": "During the [2025 Poland Wiper Attacks](https://attack.mitre.org/campaigns/C0063), the adversaries used PsExec to run `cmd.exe` commands on multiple victim machines.(Citation: CERT Polska)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1059.004", "comment": "During the [2025 Poland Wiper Attacks](https://attack.mitre.org/campaigns/C0063), the adversaries used the Linux `dd` command to overwrite portions of the disks with random data.(Citation: CERT Polska)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1059.008", "comment": "During the [2025 Poland Wiper Attacks](https://attack.mitre.org/campaigns/C0063), the adversaries executed commands through the native CLI of the targeted FortiGate device.(Citation: CERT Polska)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1584", "showSubtechniques": true},
    {"techniqueID": "T1584.001", "comment": "During the [2025 Poland Wiper Attacks](https://attack.mitre.org/campaigns/C0063), the adversaries compromised third-party infrastructure for use as C2.(Citation: ESET DynoWiper Update JAN 2026)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1584.003", "comment": "During the [2025 Poland Wiper Attacks](https://attack.mitre.org/campaigns/C0063), the adversaries used compromised VPS servers for C2.(Citation: CERT Polska)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1584.008", "comment": "During the [2025 Poland Wiper Attacks](https://attack.mitre.org/campaigns/C0063), the adversaries routed network communications through compromised Cisco routers.(Citation: CERT Polska)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1555", "comment": "During the [2025 Poland Wiper Attacks](https://attack.mitre.org/campaigns/C0063), the adversaries used `grep` on the device's native CLI to retrieve the password of a targeted privileged user.(Citation: CERT Polska)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1485", "comment": "During the [2025 Poland Wiper Attacks](https://attack.mitre.org/campaigns/C0063), the adversaries used wiper malware that overwrites files with a 16-byte buffer: files of 16 bytes or less are fully overwritten, while larger files are only partially overwritten, which speeds up the wiping process.(Citation: ESET DynoWiper JAN 2026)(Citation: ESET DynoWiper Update JAN 2026)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1530", "comment": "During the [2025 Poland Wiper Attacks](https://attack.mitre.org/campaigns/C0063), the adversaries used stolen credentials to download targeted data from cloud services, including SharePoint and Teams.(Citation: CERT Polska)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1602", "showSubtechniques": true},
    {"techniqueID": "T1602.002", "comment": "During the [2025 Poland Wiper Attacks](https://attack.mitre.org/campaigns/C0063), the adversaries collected the bookmarks defined in the FortiGate configuration file, including the statically defined credentials they contained, which enabled RDP connections to jump hosts.(Citation: CERT Polska)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1074", "showSubtechniques": true},
    {"techniqueID": "T1074.001", "comment": "During the [2025 Poland Wiper Attacks](https://attack.mitre.org/campaigns/C0063), the adversaries staged discovery output locally on the victim host in `C:\\Windows\\TEMP\\outlog.txt`.(Citation: CERT Polska)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1140", "comment": "During the [2025 Poland Wiper Attacks](https://attack.mitre.org/campaigns/C0063), the adversaries decoded a Base64-encoded ZIP archive using the built-in [certutil](https://attack.mitre.org/software/S0160) utility.(Citation: CERT Polska)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1587", "showSubtechniques": true},
    {"techniqueID": "T1587.001", "comment": "During the [2025 Poland Wiper Attacks](https://attack.mitre.org/campaigns/C0063), the adversaries observed that their malware was initially detected by the victims' EDR solutions, so they modified the payload and attempted to execute the new version the same day.(Citation: CERT Polska)(Citation: ESET DynoWiper JAN 2026)(Citation: ESET DynoWiper Update JAN 2026)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1006", "comment": "During the [2025 Poland Wiper Attacks](https://attack.mitre.org/campaigns/C0063), the adversaries used `vssadmin` to create volume shadow copies from which the locked `NTDS.dit` file could be copied and dumped.(Citation: CERT Polska)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1686", "showSubtechniques": true},
    {"techniqueID": "T1686.002", "comment": "During the [2025 Poland Wiper Attacks](https://attack.mitre.org/campaigns/C0063), the adversaries modified security settings on the victim's FortiGate device through the native CLI, and also disabled network traffic logging.(Citation: CERT Polska)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1484", "showSubtechniques": true},
    {"techniqueID": "T1484.001", "comment": "During the [2025 Poland Wiper Attacks](https://attack.mitre.org/campaigns/C0063), the adversaries used Group Policy Objects to distribute the wiper malware to victim devices from a network share.(Citation: CERT Polska)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1114", "showSubtechniques": true},
    {"techniqueID": "T1114.002", "comment": "During the [2025 Poland Wiper Attacks](https://attack.mitre.org/campaigns/C0063), the adversaries used stolen credentials to collect data and email messages from Exchange services, targeting messages about OT topics and technical work carried out within the organizations.(Citation: CERT Polska)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1048", "showSubtechniques": true},
    {"techniqueID": "T1048.003", "comment": "During the [2025 Poland Wiper Attacks](https://attack.mitre.org/campaigns/C0063), the adversaries exfiltrated data to actor-controlled infrastructure using HTTP POST requests.(Citation: CERT Polska)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1567", "showSubtechniques": true},
    {"techniqueID": "T1567.004", "comment": "During the [2025 Poland Wiper Attacks](https://attack.mitre.org/campaigns/C0063), the adversaries exfiltrated data through an attacker-controlled Slack channel.(Citation: CERT Polska)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1133", "comment": "During the [2025 Poland Wiper Attacks](https://attack.mitre.org/campaigns/C0063), threat actors gained access to the victim environment through the victim's internet-exposed FortiGate VPN interface.(Citation: CERT Polska)(Citation: Dragos ELECTRUM JAN 2026)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1083", "comment": "During the [2025 Poland Wiper Attacks](https://attack.mitre.org/campaigns/C0063), the adversaries listed the contents of users’ directories with the `dir /s /b C:\\Users` command.(Citation: CERT Polska)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1495", "comment": "During the [2025 Poland Wiper Attacks](https://attack.mitre.org/campaigns/C0063), the adversaries factory-reset compromised devices, which hampered forensic investigation.(Citation: CERT Polska)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1590", "showSubtechniques": true},
    {"techniqueID": "T1590.006", "comment": "During the [2025 Poland Wiper Attacks](https://attack.mitre.org/campaigns/C0063), the adversaries obtained details of the victim's Fortinet perimeter device configuration, including details that had been publicly disclosed on an online forum used by criminal communities.(Citation: CERT Polska)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1105", "comment": "During the [2025 Poland Wiper Attacks](https://attack.mitre.org/campaigns/C0063), the adversaries downloaded malicious payloads to the victim server.(Citation: CERT Polska)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1490", "comment": "During the [2025 Poland Wiper Attacks](https://attack.mitre.org/campaigns/C0063), the adversaries deleted Windows Volume Shadow Copies using `vssadmin delete shadows`.(Citation: CERT Polska)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1570", "comment": "During the [2025 Poland Wiper Attacks](https://attack.mitre.org/campaigns/C0063), the adversaries placed the malicious payload on an accessible network share to facilitate propagation.(Citation: CERT Polska)(Citation: ESET DynoWiper JAN 2026)(Citation: ESET DynoWiper Update JAN 2026)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1036", "showSubtechniques": true},
    {"techniqueID": "T1036.005", "comment": "During the [2025 Poland Wiper Attacks](https://attack.mitre.org/campaigns/C0063), the adversaries created rules whose names mimicked that of an institution already present in the network device configuration, to avoid detection.(Citation: CERT Polska)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1556", "showSubtechniques": true},
    {"techniqueID": "T1556.006", "comment": "During the [2025 Poland Wiper Attacks](https://attack.mitre.org/campaigns/C0063), the adversaries removed two-factor authentication from accounts on the FortiGate device by changing the two-factor setting to `unset`.(Citation: CERT Polska)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1046", "comment": "During the [2025 Poland Wiper Attacks](https://attack.mitre.org/campaigns/C0063), the adversaries used Ping, Advanced Port Scanner and Advanced IP Scanner to enumerate network devices.(Citation: CERT Polska)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1571", "comment": "During the [2025 Poland Wiper Attacks](https://attack.mitre.org/campaigns/C0063), the adversaries created a reverse SOCKS proxy that communicated over the non-standard port 8008.(Citation: CERT Polska)(Citation: ESET DynoWiper Update JAN 2026)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1027", "showSubtechniques": true},
    {"techniqueID": "T1027.013", "comment": "During the [2025 Poland Wiper Attacks](https://attack.mitre.org/campaigns/C0063), the adversaries delivered a Base64-encoded ZIP archive to hinder content analysis.(Citation: CERT Polska)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1588", "showSubtechniques": true},
    {"techniqueID": "T1588.007", "comment": "During the [2025 Poland Wiper Attacks](https://attack.mitre.org/campaigns/C0063), the adversaries generated a custom script with an LLM.(Citation: CERT Polska)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1003", "showSubtechniques": true},
    {"techniqueID": "T1003.001", "comment": "During the [2025 Poland Wiper Attacks](https://attack.mitre.org/campaigns/C0063), the adversaries attempted to dump credentials from LSASS memory.(Citation: CERT Polska)(Citation: ESET DynoWiper Update JAN 2026)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1003.002", "comment": "During the [2025 Poland Wiper Attacks](https://attack.mitre.org/campaigns/C0063), the adversaries stole the Security Account Manager (SAM) and SYSTEM registry hives.(Citation: CERT Polska)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1003.003", "comment": "During the [2025 Poland Wiper Attacks](https://attack.mitre.org/campaigns/C0063), the adversaries dumped the entire Active Directory database by extracting the contents of the `ntds.dit` file.(Citation: CERT Polska)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1057", "comment": "During the [2025 Poland Wiper Attacks](https://attack.mitre.org/campaigns/C0063), the adversaries enumerated running processes using `tasklist`.(Citation: CERT Polska)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1090", "comment": "During the [2025 Poland Wiper Attacks](https://attack.mitre.org/campaigns/C0063), the adversaries used the rsocx tool, deployed as `r.exe` and `rsocx.exe`, as a reverse SOCKS proxy to tunnel within the internal infrastructure.(Citation: CERT Polska)(Citation: ESET DynoWiper Update JAN 2026)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1090.003", "comment": "During the [2025 Poland Wiper Attacks](https://attack.mitre.org/campaigns/C0063), the adversaries used Tor nodes for C2.(Citation: CERT Polska)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1021", "showSubtechniques": true},
    {"techniqueID": "T1021.001", "comment": "During the [2025 Poland Wiper Attacks](https://attack.mitre.org/campaigns/C0063), the adversaries used RDP to log into jump hosts and then moved laterally to other victim devices, including a domain controller.(Citation: CERT Polska)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1053", "comment": "During the [2025 Poland Wiper Attacks](https://attack.mitre.org/campaigns/C0063), the adversaries configured FortiGate scheduled tasks to run the adversary-generated CLI scripts weekly.(Citation: CERT Polska)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1113", "comment": "During the [2025 Poland Wiper Attacks](https://attack.mitre.org/campaigns/C0063), the adversaries captured screenshots of devices using the nircmd console tool with the command `nircmd.exe savescreenshot C:\\Windows\\Temp\\imagetmp.png`.(Citation: CERT Polska)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1608", "showSubtechniques": true},
    {"techniqueID": "T1608.002", "comment": "During the [2025 Poland Wiper Attacks](https://attack.mitre.org/campaigns/C0063), the adversaries staged tools and files for use on Dropbox and Pastebin.(Citation: CERT Polska)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1558", "comment": "During the [2025 Poland Wiper Attacks](https://attack.mitre.org/campaigns/C0063), the adversaries used the [Rubeus](https://attack.mitre.org/software/S1071) tool to forge a Diamond Ticket, a legitimately issued Kerberos ticket modified by the attacker.(Citation: CERT Polska)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1016", "comment": "During the [2025 Poland Wiper Attacks](https://attack.mitre.org/campaigns/C0063), the adversaries gathered network configuration details using the `arp -a` and `nslookup` commands.(Citation: CERT Polska)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1049", "comment": "During the [2025 Poland Wiper Attacks](https://attack.mitre.org/campaigns/C0063), the adversaries identified network connections using `netstat -nao` and `netstat -r`.(Citation: CERT Polska)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1529", "comment": "During the [2025 Poland Wiper Attacks](https://attack.mitre.org/campaigns/C0063), the adversaries forced victim devices to reboot to complete the destruction of impacted systems.(Citation: ESET DynoWiper JAN 2026)(Citation: ESET DynoWiper Update JAN 2026)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1550", "showSubtechniques": true},
    {"techniqueID": "T1550.002", "comment": "During the [2025 Poland Wiper Attacks](https://attack.mitre.org/campaigns/C0063), the adversaries attempted to reuse stolen password hashes to gain access to other systems.(Citation: CERT Polska)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1078", "showSubtechniques": true},
    {"techniqueID": "T1078.002", "comment": "During the [2025 Poland Wiper Attacks](https://attack.mitre.org/campaigns/C0063), threat actors used privileged accounts to access the FortiGate VPN solution and the subnets behind it.(Citation: CERT Polska)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1078.004", "comment": "During the [2025 Poland Wiper Attacks](https://attack.mitre.org/campaigns/C0063), the adversaries used credentials stolen from the on-premises environment to access cloud services.(Citation: CERT Polska)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1102", "showSubtechniques": true},
    {"techniqueID": "T1102.002", "comment": "During the [2025 Poland Wiper Attacks](https://attack.mitre.org/campaigns/C0063), the adversaries communicated with both Dropbox and Pastebin.(Citation: CERT Polska)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}
  ],
  "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1},
  "legendItems": [{"label": "used by 2025 Poland Wiper Attacks", "color": "#66b1ff"}]
}
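The layer above catalogues a chain of host-side command lines (`dir /s /b C:\Users`, `tasklist`, `netstat -nao`, `arp -a`, `certutil -decode`, `vssadmin`, `nircmd.exe savescreenshot`, the `r.exe`/`rsocx.exe` proxy, output staged in `C:\Windows\TEMP\outlog.txt`, PsExec-launched `cmd.exe`). The following script is an added example, not code from CERT Polska, ESET, Dragos or MITRE: it runs those patterns over process-creation events and groups hits per host so that a machine showing several of the catalogued techniques stands out. The event format (`timestamp|host|parent_image|command_line`), the host names and the sample lines are constructed for the example; the PsExec rule assumes the usual pattern of the `PSEXESVC.exe` service process spawning `cmd.exe`, which is not spelled out in the layer.

```python
"""Flag the host-side command lines catalogued for C0063 in process-creation telemetry."""
import re
from collections import defaultdict

# One rule per technique: (ATT&CK ID, label, regex run against the full command line).
# The command lines mirror the ones the layer cites; nothing here is a real IOC.
RULES = [
    ("T1083",     "user-directory listing",    re.compile(r"\bdir\b(?=.*\s/s\b)(?=.*\s/b\b).*\\users\b", re.I)),
    ("T1057",     "process listing",           re.compile(r"\btasklist(\.exe)?\b", re.I)),
    ("T1049",     "connection listing",        re.compile(r"\bnetstat(\.exe)?\s+-(nao|r)\b", re.I)),
    ("T1016",     "network config discovery",  re.compile(r"\barp(\.exe)?\s+-a\b|\bnslookup(\.exe)?\b", re.I)),
    ("T1046",     "network scanner",           re.compile(r"advanced[_ ]?(ip|port)[_ ]?scanner", re.I)),
    ("T1074.001", "staging to outlog.txt",     re.compile(r"\\windows\\temp\\outlog\.txt", re.I)),
    ("T1140",     "certutil decode",           re.compile(r"\bcertutil(\.exe)?\b.*\s-decode\b", re.I)),
    ("T1113",     "nircmd screenshot",         re.compile(r"\bnircmd(\.exe)?\b.*\bsavescreenshot\b", re.I)),
    ("T1006",     "shadow copy of NTDS.dit",   re.compile(r"\bvssadmin(\.exe)?\s+create\s+shadow\b|\bntds\.dit\b", re.I)),
    ("T1490",     "shadow copy deletion",      re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
    ("T1090",     "rsocx reverse SOCKS proxy", re.compile(r"\b(rsocx|r)\.exe\b", re.I)),
]

# Constructed sample events (hypothetical hosts and timestamps): timestamp|host|parent_image|command_line
SAMPLE_EVENTS = r"""
2025-12-29T21:02:11Z|JUMP01|C:\Windows\PSEXESVC.exe|cmd.exe /c dir /s /b C:\Users > C:\Windows\TEMP\outlog.txt
2025-12-29T21:02:40Z|JUMP01|C:\Windows\PSEXESVC.exe|cmd.exe /c tasklist >> C:\Windows\TEMP\outlog.txt
2025-12-29T21:03:05Z|JUMP01|C:\Windows\PSEXESVC.exe|cmd.exe /c netstat -nao & netstat -r & arp -a
2025-12-29T21:05:17Z|JUMP01|C:\Windows\System32\cmd.exe|certutil -decode C:\Windows\Temp\p.txt C:\Windows\Temp\p.zip
2025-12-29T21:06:00Z|JUMP01|C:\Windows\System32\cmd.exe|C:\Windows\Temp\r.exe
2025-12-30T02:14:32Z|DC01|C:\Windows\System32\cmd.exe|vssadmin create shadow /for=C:
2025-12-30T03:40:10Z|DC01|C:\Windows\System32\cmd.exe|vssadmin delete shadows /all /quiet
2025-12-30T08:00:00Z|WS-HR-07|C:\Windows\explorer.exe|"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"
"""


def parse_event(line):
    """Split one constructed pipe-delimited event into its four fields."""
    ts, host, parent, cmdline = line.split("|", 3)
    return {"ts": ts, "host": host, "parent": parent, "cmdline": cmdline}


def image_name(cmdline):
    """Lower-cased basename of the executable at the start of a Windows command line."""
    if not cmdline.strip():
        return ""
    first = cmdline[1:].split('"', 1)[0] if cmdline.startswith('"') else cmdline.split(None, 1)[0]
    return first.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def match_techniques(event):
    """Return the set of technique IDs whose rules fire on a single event."""
    hits = {tid for tid, _label, rx in RULES if rx.search(event["cmdline"])}
    # PsExec remote execution (T1059.003) shows up as the PSEXESVC service process spawning cmd.exe.
    if image_name(event["parent"]) == "psexesvc.exe" and image_name(event["cmdline"]) == "cmd.exe":
        hits.add("T1059.003")
    return hits


def triage(lines):
    """Map each host to the sorted technique IDs observed in its events (hosts with no hits are omitted)."""
    per_host = defaultdict(set)
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        per_host[ev["host"]].update(match_techniques(ev))
    return {host: sorted(tids) for host, tids in per_host.items() if tids}


def suspicious_hosts(report, threshold=3):
    """Hosts on which at least `threshold` distinct catalogued techniques were seen."""
    return sorted(h for h, tids in report.items() if len(tids) >= threshold)


if __name__ == "__main__":
    report = triage(SAMPLE_EVENTS.splitlines())
    for host, tids in report.items():
        print(host, ", ".join(tids))
    print("escalate:", suspicious_hosts(report))
```

Single hits such as `tasklist` or `netstat` are everyday administration; the signal in this campaign is the sequence on one host, run under `PSEXESVC.exe`, with output funnelled into one temp file, which is why the script scores per host rather than alerting per event.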
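Several of the FortiGate entries above (T1602.002 bookmarks with static credentials, T1556.006 two-factor set to `unset`, T1583.006/T1567.004 notifications to an attacker-controlled Slack channel, T1686.002 traffic logging disabled) are visible in the device configuration itself. The following audit script is an added example, not Fortinet's or CERT Polska's code: it parses a FortiOS-style CLI configuration (`config`/`edit`/`set`/`unset`/`next`/`end` blocks) and reports the four conditions. The option names (`two-factor`, `logon-password`, `action-type slack-notification`, `uri`, `logtraffic`) are assumed from the FortiOS CLI and the configuration text is constructed; on a real device, point it at the output of `show full-configuration` and review anything it flags against the change log.

```python
"""Audit a FortiOS-style CLI configuration for the settings abused in C0063."""


def parse_fortios(text):
    """Parse config/edit/set/unset/next/end blocks into nested nodes.

    A node is {"attrs": {key: value or None for unset}, "children": {"config X" | "edit Y": node}}.
    """
    root = {"attrs": {}, "children": {}}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        kw, _, rest = line.partition(" ")
        node = stack[-1]
        if kw in ("config", "edit"):
            label = rest.strip().strip('"')
            child = node["children"].setdefault(f"{kw} {label}", {"attrs": {}, "children": {}})
            stack.append(child)
        elif kw in ("next", "end"):
            if len(stack) > 1:
                stack.pop()
        elif kw == "set":
            key, _, value = rest.strip().partition(" ")
            node["attrs"][key] = value.strip().strip('"')
        elif kw == "unset":
            node["attrs"][rest.strip()] = None
    return root


def walk(node, path=()):
    """Yield (path, node) for every block, depth first."""
    yield path, node
    for name, child in node["children"].items():
        yield from walk(child, path + (name,))


def audit_fortios(text, allowed_webhooks=()):
    """Return sorted (technique ID, message) findings for the four checks below."""
    findings = []
    for path, node in walk(parse_fortios(text)):
        if len(path) < 2 or not path[-1].startswith("edit "):
            continue
        parent, name, attrs = path[-2], path[-1][5:], node["attrs"]
        # T1556.006: local accounts whose MFA was removed (`unset two-factor`) or never enabled.
        if parent == "config user local" and attrs.get("two-factor") in (None, "disable"):
            findings.append(("T1556.006", f"user '{name}' has no two-factor method"))
        # T1602.002: SSL-VPN bookmarks that carry stored logon credentials for internal hosts.
        if parent == "config bookmarks" and "logon-password" in attrs:
            target = f"{attrs.get('logon-user', '?')}@{attrs.get('host', '?')}"
            findings.append(("T1602.002", f"bookmark '{name}' stores credentials for {target}"))
        # T1583.006: automation actions posting to a webhook that is not on the allowlist.
        if parent == "config system automation-action" and attrs.get("action-type") in ("slack-notification", "webhook"):
            uri = attrs.get("uri", "")
            if uri not in allowed_webhooks:
                findings.append(("T1583.006", f"automation action '{name}' posts to {uri}"))
        # T1686.002: firewall policies with traffic logging switched off.
        if parent == "config firewall policy" and attrs.get("logtraffic") == "disable":
            findings.append(("T1686.002", f"firewall policy {name} ('{attrs.get('name', '')}') has logtraffic disable"))
    return sorted(findings)


# Constructed configuration fragment (hypothetical names, hosts and placeholder secrets).
SAMPLE_CONFIG = """\
config user local
    edit "vpn.jkowalski"
        set type password
        set two-factor fortitoken
    next
    edit "vpn.admin-ot"
        set type password
        unset two-factor
    next
end
config vpn ssl web user-bookmark
    edit "ot-engineers#1"
        config bookmarks
            edit "jump-rdp"
                set apptype rdp
                set host "10.10.20.5"
                set port 3389
                set logon-user "ot-admin"
                set logon-password ENC PLACEHOLDER
            next
        end
    next
end
config system automation-action
    edit "cfg-change-notify"
        set action-type slack-notification
        set uri "hooks.slack.com/services/PLACEHOLDER"
    next
end
config firewall policy
    edit 12
        set name "VPN-to-OT"
        set srcintf "ssl.root"
        set dstintf "port2"
        set logtraffic disable
    next
    edit 13
        set name "LAN-to-WAN"
        set logtraffic all
    next
end
"""

if __name__ == "__main__":
    for tid, msg in audit_fortios(SAMPLE_CONFIG):
        print(tid, msg)
```

The bookmark check is the one to act on first: a bookmark with a stored `logon-password` turns a leaked configuration file into a ready-made RDP session onto the jump host, which is exactly the path the layer records.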