DynoWiper

DynoWiper is destructive malware associated with the 2025 Poland Wiper Attacks in December of 2025. It is a native Windows binary that is distributed by a PowerShell script and overwrites files with data generated by the Mersenne Twister algorithm before deleting them from the system. Multiple variants of DynoWiper have been identified. The primary differences are that one variant shuts down the system after completing its destructive operations, and another introduces a time delay between file overwriting and deletion.[1][2]

ID: S9038
Type: MALWARE
Platforms: Windows
Version: 1.0
Created: 22 April 2026
Last Modified: 23 April 2026

Techniques Used

Domain ID Name Use
Enterprise T1485 Data Destruction

DynoWiper has overwritten files with 16-byte sequences of random data generated by the Mersenne Twister algorithm. It opens each file with the native Windows CreateFileW() function and overwrites it using the SetFilePointerEx() and WriteFile() functions.[1] Additionally, versions of DynoWiper can delete files using the DeleteFileW API.[2]

Enterprise T1678 Delay Execution

DynoWiper has used a five-second delay, via Sleep(5000), between two of the three phases of the attack: file overwriting, file deletion, and system reboot.[1][2]

Enterprise T1083 File and Directory Discovery

DynoWiper has used the Microsoft Windows native FindFirstFile() and FindNextFile() to recursively enumerate directories and files on the system.[1]

Enterprise T1680 Local Storage Discovery

DynoWiper has used the Microsoft Windows native GetLogicalDrives() and GetDriveType() functions to enumerate all the drives visible to the system.[1]

Enterprise T1036 Masquerading

DynoWiper has been named after well-known files, appearing as schtask.exe, schtask2.exe, and _update.exe.[1][2]

Enterprise T1106 Native API

DynoWiper has used multiple native Windows functions, such as GetLogicalDrives and FindNextFile, for discovery and file deletion.[1][2]

Enterprise T1120 Peripheral Device Discovery

DynoWiper has enumerated and overwritten files on all removable and fixed drives.[3]

Enterprise T1679 Selective Exclusion

DynoWiper has recursively enumerated directories with the exception of the following: System32, Windows, Program Files, Program Files(x86), Temp, Recycle.Bin, $Recycle.Bin, Boot, PerfLogs, AppData, Documents and Settings.[1][2]

Enterprise T1529 System Shutdown/Reboot

DynoWiper has used the Microsoft Windows native ExitWindowsEx() function to log off the interactive user and shut down the system.[1]

Campaigns

ID Name Description
C0063 2025 Poland Wiper Attacks

DynoWiper was used for destructive attacks during the 2025 Poland Wiper Attacks.[1][3]

References