LazyWiper is a destructive malware observed targeting a manufacturing sector company during the 2025 Poland Wiper Attacks. LazyWiper is a native Windows PowerShell script that is believed to have been generated by a large language model (LLM). LazyWiper overwrites files on the system using the C# function WriteRandomBytes() and can target multiple specific file types by their extensions.[1]
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | LazyWiper has used PowerShell to enable data destruction on targeted systems.[1] |
| Enterprise | T1485 | Data Destruction | LazyWiper has overwritten files with pseudorandom 32-byte sequences written at 16-byte intervals, making the file unrecoverable.[1] |
| Enterprise | T1685 | Disable or Modify Tools | LazyWiper can disable Microsoft Windows Defender Real-Time Monitoring with the |
| Enterprise | T1480 | Execution Guardrails | LazyWiper can halt execution if |
| Enterprise | T1083 | File and Directory Discovery | LazyWiper can specifically target multiple files by extension, including: .rar, .tar.gz, .zip, .7z, .json, .bcp, .bak, .gho, .erf, .edb, .onepkg, .pst, and .ldiff.[1] |
| Enterprise | T1588.007 | Obtain Capabilities: Artificial Intelligence | LazyWiper is believed to have been generated by a large language model (LLM) due to the nonsensical comments in the code.[1] |
| Enterprise | T1679 | Selective Exclusion | LazyWiper can enumerate the hostname of the system to determine if it is a domain controller and exclude it from being wiped if so.[1] |
| Enterprise | T1082 | System Information Discovery | LazyWiper has used |
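The Data Destruction and File and Directory Discovery rows above describe two concrete behaviours: a 32-byte pseudorandom write issued every 16 bytes, and a fixed list of target extensions. The following Python is an added analysis example, not code from the ATT&CK entry or from LazyWiper itself: it models the overwrite pattern on an in-memory buffer (never on disk) so the "unrecoverable" claim can be checked, and shows why the stride matters. The sample buffer and the stand-in random source are constructed for the demo; case-insensitive extension matching and clipping of the final write at end of file are assumptions, not details stated in the entry.

```python
import os
from typing import Callable, List

# Overwrite parameters as described in the ATT&CK entry: 32-byte pseudorandom
# sequences written at 16-byte intervals.
WRITE_LEN = 32
STRIDE = 16

# Extension list from the entry. ".tar.gz" is a double extension, so a naive
# os.path.splitext() test (which yields ".gz") would miss it; match by suffix.
TARGET_EXTENSIONS = (
    ".rar", ".tar.gz", ".zip", ".7z", ".json", ".bcp", ".bak", ".gho",
    ".erf", ".edb", ".onepkg", ".pst", ".ldiff",
)


def is_targeted(filename: str) -> bool:
    """True if the filename ends with one of the listed extensions.
    Case-insensitive matching is an assumption, not stated in the entry."""
    name = filename.lower()
    return any(name.endswith(ext) for ext in TARGET_EXTENSIONS)


def overwrite_coverage(length: int, write_len: int = WRITE_LEN,
                       stride: int = STRIDE) -> List[int]:
    """Return, for each byte offset of a `length`-byte file, how many times the
    write loop lands on it. Writes begin at every multiple of `stride`; the
    final write is assumed to be clipped at end of file."""
    hits = [0] * length
    for start in range(0, length, stride):
        for off in range(start, min(start + write_len, length)):
            hits[off] += 1
    return hits


def unrecoverable(length: int, write_len: int = WRITE_LEN,
                  stride: int = STRIDE) -> bool:
    """Every byte is rewritten at least once exactly when stride <= write_len.
    With stride 16 and write_len 32 each write overlaps the previous one,
    so no original byte survives anywhere in the file."""
    return length > 0 and min(overwrite_coverage(length, write_len, stride)) >= 1


def simulate_wipe(data: bytes, write_len: int = WRITE_LEN, stride: int = STRIDE,
                  rng: Callable[[int], bytes] = os.urandom) -> bytes:
    """Apply the pattern to an in-memory copy of `data`. Touches no files."""
    buf = bytearray(data)
    for start in range(0, len(buf), stride):
        chunk = rng(write_len)[: len(buf) - start]   # clip at end of buffer
        buf[start:start + len(chunk)] = chunk
    return bytes(buf)


def surviving_original_bytes(original: bytes, wiped: bytes) -> int:
    """Count positions that still hold their original value. With a real PRNG a
    few match by chance (about 1/256 per byte); the demo uses a constant
    stand-in source so the count reflects coverage alone."""
    return sum(1 for a, b in zip(original, wiped) if a == b)


if __name__ == "__main__":
    # Constructed 100-byte all-zero "file" and a constant stand-in for the PRNG.
    sample = b"\x00" * 100
    fake_rng = lambda n: b"\xaa" * n

    hits = overwrite_coverage(len(sample))
    print("overwrite count per byte (min/max):", min(hits), max(hits))
    print("stride 16, write 32 -> unrecoverable:", unrecoverable(len(sample)))
    print("stride 48, write 32 -> unrecoverable:", unrecoverable(len(sample), stride=48))
    print("surviving bytes, stride 16:",
          surviving_original_bytes(sample, simulate_wipe(sample, rng=fake_rng)))
    print("surviving bytes, stride 48:",
          surviving_original_bytes(sample, simulate_wipe(sample, stride=48, rng=fake_rng)))
    for name in ("backup.tar.gz", "DB.BAK", "notes.txt"):
        print(name, "targeted" if is_targeted(name) else "not targeted")
```

The coverage function is the useful part for forensics: because the 16-byte stride is smaller than the 32-byte write, all but the first 16 bytes of each file are overwritten twice and nothing of the original content remains, so recovery has to come from backups or other copies rather than from the wiped file. Change the stride to anything larger than the write length and gaps appear, which the `stride=48` case shows.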
| ID | Name | Description |
|---|---|---|
| C0063 | 2025 Poland Wiper Attacks | LazyWiper was used to conduct destructive attacks during the 2025 Poland Wiper Attacks.[1] |