Under the Hood of DynoWiper, (Thu, Feb 19th)
DynoWiper is a destructive wiper malware discovered in attacks targeting Polish energy companies in late 2025, attributed to the Russian state-aligned APT Sandworm. It operates on 32-bit Windows systems, enumerating fixed and removable drives and corrupting and deleting files by overwriting them with pseudo-random junk data generated by a Mersenne Twister PRNG. The malware skips critical OS directories so the system stays stable while the corruption runs. After corrupting and deleting files, DynoWiper escalates privileges to enable the shutdown privilege and forces a system reboot, causing data destruction and operational disruption. No known exploits are currently in the wild, but the malware’s destructive capabilities pose significant risks to critical infrastructure. Mitigation requires proactive detection, strict access controls, and robust backup and recovery strategies. Countries with significant ties to the Polish energy sector and geopolitical tensions with Russia are at higher risk.
AI Analysis
Technical Summary
DynoWiper is a wiper malware family identified during attacks against Polish energy companies in December 2025, linked to Russian state-aligned threat actors, specifically the Sandworm APT group known for targeting Ukrainian and regional infrastructure.

The malware is a 32-bit Windows executable. It initializes a Mersenne Twister (MT19937) pseudorandom number generator (PRNG), seeded first with a fixed value and then reseeded with a value from std::random_device, and uses it to generate a single 16-byte junk buffer that is written over target files.

DynoWiper enumerates all logical drives on the infected host, keeps only fixed and removable drives, and recursively traverses their directories, excluding critical OS folders such as system32, windows, program files, and user profile directories to avoid system instability. For each target file it clears the file attributes, opens a handle, and writes the 16-byte junk buffer at the start of the file and at multiple pseudo-random offsets within it, performing up to 4096 such overwrites, the number depending on file size. After the corruption pass it runs a deletion pass that recursively deletes files on the same drives.

Finally, DynoWiper escalates privileges by adjusting its process token to enable SeShutdownPrivilege and forces a system reboot using ExitWindowsEx(), so the system restarts in a corrupted state.

The malware’s behavior maps to MITRE ATT&CK techniques including local storage discovery, file and directory discovery and permissions modification, access token manipulation for privilege escalation, data destruction, and system shutdown. While no known exploits are currently active in the wild, the malware’s destructive nature and targeting of critical infrastructure sectors pose a serious threat to operational continuity and data integrity.
Potential Impact
The primary impact of DynoWiper is severe data destruction and operational disruption on infected Windows hosts, particularly within critical infrastructure sectors such as energy. By corrupting and deleting files across fixed and removable drives, the malware can cause irreversible data loss, potentially crippling business operations and recovery efforts. The forced system reboot after corruption ensures that systems restart in an unusable state, increasing downtime and complicating incident response. Organizations affected may face significant financial losses, reputational damage, and risks to national security if critical infrastructure is targeted. The malware’s selective avoidance of OS directories reduces the chance of immediate system failure but prolongs the destructive impact on user and operational data. Given the attribution to a sophisticated state-aligned threat actor, the campaign may be part of broader geopolitical conflict, increasing the likelihood of targeted attacks against high-value entities. The lack of known exploits in the wild currently limits widespread impact, but the potential for future deployment remains high.
Mitigation Recommendations
To mitigate the threat posed by DynoWiper, organizations should implement the following specific measures:
1) Employ robust endpoint detection and response (EDR) solutions capable of detecting unusual file access patterns, recursive file enumeration, and unauthorized privilege escalations indicative of wiper activity.
2) Harden access controls on critical systems by enforcing the principle of least privilege, restricting write and delete permissions on sensitive file shares and removable media.
3) Monitor for the use of SeShutdownPrivilege and unusual process token adjustments that may indicate privilege escalation attempts.
4) Maintain comprehensive, offline, and immutable backups of critical data to enable recovery from destructive attacks.
5) Segment networks to isolate critical infrastructure systems and limit lateral movement opportunities for attackers.
6) Conduct regular threat hunting exercises focused on indicators of compromise related to Sandworm and DynoWiper, including monitoring for the specific SHA-256 hash provided.
7) Apply strict application whitelisting to prevent execution of unauthorized binaries, especially unknown or unsigned executables.
8) Educate staff on phishing and social engineering tactics that may be used to deliver initial access.
9) Collaborate with national CERTs and cybersecurity agencies for timely threat intelligence sharing and incident response support.
10) Implement system integrity monitoring to detect unauthorized file modifications and deletions promptly.
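The file-corruption pattern described in the Technical Summary and the integrity-monitoring recommendation (item 10) can be turned into a concrete post-incident triage. The Python below is an added example written for this page; it is not code from the ISC diary, from the DynoWiper sample, or from any vendor tool. It assumes only the behaviour the analysis states: one 16-byte junk buffer written at offset 0 of every targeted file, followed by a deletion pass. All file names, file contents and the `simulate_corruption` helper are constructed test data; the helper mimics just the header overwrite so the detector has something to find.

```python
import hashlib
import random
import tempfile
from collections import defaultdict
from pathlib import Path

HEADER_LEN = 16  # size of the junk buffer the analysis describes


def build_manifest(root):
    """Map POSIX-style relative path -> SHA-256 of every regular file under root."""
    manifest = {}
    for path in Path(root).rglob("*"):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def diff_manifest(before, after):
    """Compare two manifests; a wiper run shows up as 'modified' then 'deleted'."""
    return {
        "modified": sorted(p for p in before if p in after and before[p] != after[p]),
        "deleted": sorted(p for p in before if p not in after),
        "added": sorted(p for p in after if p not in before),
    }


def shared_header_clusters(root, paths, min_files=3):
    """Group the given files by their first HEADER_LEN bytes.

    Files of unrelated types that now share one opaque 16-byte prefix are the
    fingerprint of a single junk buffer stamped over many files. Only files at
    least HEADER_LEN long are considered, and only groups of min_files or more
    are returned so that a stray pair of look-alikes is not reported.
    """
    clusters = defaultdict(list)
    for rel in paths:
        with open(Path(root) / rel, "rb") as fh:
            head = fh.read(HEADER_LEN)
        if len(head) == HEADER_LEN:
            clusters[head].append(rel)
    return {head: sorted(files) for head, files in clusters.items() if len(files) >= min_files}


def simulate_corruption(root, paths, seed=1234):
    """Constructed stand-in used only to produce test data (not the malware's code):
    derive one 16-byte buffer from a seeded PRNG and write it at offset 0 of each
    listed file, which is the part of the described behaviour the detector keys on."""
    rng = random.Random(seed)
    junk = bytes(rng.getrandbits(8) for _ in range(HEADER_LEN))
    for rel in paths:
        with open(Path(root) / rel, "r+b") as fh:
            fh.seek(0)
            fh.write(junk)
    return junk


def run_demo():
    """Baseline a throwaway tree, apply the simulated overwrite and deletion,
    and return what the two checks report."""
    # Constructed sample files of deliberately different formats.
    samples = {
        "docs/report.txt": b"Quarterly load forecast for substation 7\n" * 20,
        "docs/notes.md": b"# Maintenance notes\n- pump 3 vibration\n" * 10,
        "data/readings.csv": b"ts,kw\n" + b"".join(b"%d,%d\n" % (i, 500 + i) for i in range(200)),
        "data/config.json": b'{"site": "PL-EN-01", "poll_s": 30}\n',
        "img/logo.png": b"\x89PNG\r\n\x1a\n" + bytes(range(256)) * 4,
        "bin/tool.exe": b"MZ" + bytes(64) + b"PE\x00\x00" + b"\x90" * 512,
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, content in samples.items():
            target = Path(root) / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(content)

        before = build_manifest(root)  # baseline taken while the tree is intact

        hit = ["docs/report.txt", "data/readings.csv", "img/logo.png", "bin/tool.exe"]
        junk = simulate_corruption(root, hit)    # corruption pass
        (Path(root) / "docs/notes.md").unlink()  # deletion pass

        after = build_manifest(root)
        changes = diff_manifest(before, after)
        # Scope the header check to files the manifest already flagged as modified.
        clusters = shared_header_clusters(root, changes["modified"])
        return {"changes": changes, "clusters": clusters, "junk": junk}


if __name__ == "__main__":
    result = run_demo()
    print("modified:", result["changes"]["modified"])
    print("deleted: ", result["changes"]["deleted"])
    for head, files in result["clusters"].items():
        print(f"shared header {head.hex()} on {len(files)} files: {files}")
```

Two signals come out. The manifest diff lists what changed or vanished, which is what a baseline kept on the offline, immutable storage of recommendation 4 would give you after the fact. `shared_header_clusters` then flags the tell-tale case where files of unrelated types now begin with the same opaque 16 bytes. Clustering is scoped to files the manifest already marked as modified, so legitimate same-format files (many PNG or PE files share a prefix) are not reported. The overwrites at pseudo-random offsets inside each file are not recoverable this way; the header check is a triage shortcut for attributing damage to one wiper run, not a recovery tool.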
Affected Countries
Poland, Ukraine, Russia, United States, Germany, United Kingdom, France, Lithuania, Estonia, Latvia
Technical Details
- Article Source: https://isc.sans.edu/diary/rss/32730 (fetched 2026-02-19T19:46:13.508Z, 814 words)
Threat ID: 69976885d7880ec89b2d6bb9
Added to database: 2/19/2026, 7:46:13 PM
Last enriched: 2/19/2026, 7:46:37 PM
Last updated: 2/19/2026, 8:52:02 PM