S9038: DynoWiper
DynoWiper is a destructive malware associated with the 2025 Poland Wiper Attacks in December of 2025. DynoWiper is a native Windows binary that is distributed by a PowerShell script and overwrites files using data generated by the Mersenne Twister algorithm before they are deleted from the system. Multiple variants of DynoWiper have been identified, with the primary differences being that one variant shuts down the system after completing its destructive operations, and another introduces a time delay between file overwriting and deletion.[1][2]
Analyst context for executives and security teams
DynoWiper matters because it is destructive Windows malware, not simply espionage tooling. The supplied ATT&CK description says it overwrites files with generated data and then deletes them, with variants that can delay execution or shut down the system afterward. For leaders, the practical question is whether the organization could detect and contain rapid file destruction before it becomes a business-continuity event, especially in operational environments where Windows systems support communications or energy operations.
Executive priority
Prioritize DynoWiper as a resilience and incident-readiness use case: confirm recovery objectives, backup integrity, destructive-malware escalation paths, and evidence that Windows endpoint telemetry can show PowerShell delivery, mass file overwrite/delete activity, discovery, and shutdown behavior. The relationship to the 2025 Poland Wiper Attacks, which ATT&CK describes as affecting Polish energy infrastructure and disrupting communications between facilities and the distribution system operator, makes this especially relevant for organizations with cyber-physical dependencies or distributed operational sites. Do not treat this as a routine malware alert; it is a scenario for continuity planning, SOC triage speed, IR authority, and restoration evidence.
Technical view
ATT&CK identifies DynoWiper as a native Windows binary distributed by a PowerShell script. Related behaviors include Masquerading, File and Directory Discovery, Native API use, Peripheral Device Discovery, Data Destruction, System Shutdown/Reboot, Delay Execution, Selective Exclusion, and Local Storage Discovery. SOC and IR teams should validate whether they can correlate a PowerShell-launched Windows binary with file and directory enumeration, local storage discovery, high-volume file overwrites and deletes, possible exclusion patterns, delayed destructive activity, and shutdown or reboot events. Because ATT&CK provides no official detection text, coverage should be proven through local telemetry review and controlled defensive validation rather than assumed from signature coverage.
Likely telemetry
- PowerShell script execution logs and command-line/process ancestry showing script-to-binary launch paths
- Windows process creation telemetry, including executable path, parent process, command line, hash, and user context
- Endpoint file activity showing rapid overwrite, rename, delete, or high-volume write/delete sequences across directories or volumes
- File and directory enumeration events where available from EDR, Sysmon-style telemetry, or operating system auditing
- Local drive, disk, volume, and peripheral discovery indicators collected by endpoint or system management telemetry
Detection direction
- Build correlation around PowerShell spawning or staging an unusual native Windows binary followed by discovery and high-volume file overwrite/delete behavior.
- Tune for destructive sequences rather than single events: enumeration of files or storage followed by bulk writes, deletes, and possible shutdown/reboot is more meaningful than any one behavior alone.
- Account for variant behavior described by ATT&CK: one variant shuts down after destructive operations, and another introduces a time delay between overwriting and deletion.
- Look for selective exclusion patterns, such as files, folders, or components avoided during tampering, while recognizing exclusions alone may be benign without destructive context.
- Review masquerading coverage for suspicious executable names, paths, or metadata that appear legitimate but do not match expected software inventory.
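The correlation the bullets above call for, as an added example that is not part of the ATT&CK object or of Glexia's tooling: a Python rule run over constructed, Sysmon-style events (process creation, file write, file delete, shutdown). The event fields are a simplification of my own, the sample events are constructed rather than captured telemetry, and the window, file-operation threshold and directory-spread threshold are assumptions to tune locally. The rule fires only on the sequence, not on PowerShell spawning a child by itself, and annotates each alert with whether the touched paths avoided the directories the T1679 entry lists.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Event:
    host: str
    ts: datetime
    kind: str          # "process", "file_write", "file_delete" or "shutdown"
    pid: int
    image: str = ""    # executable of the new process ("process" events only)
    parent: str = ""   # parent executable ("process" events only)
    path: str = ""     # target file ("file_write"/"file_delete" events only)


# Directory names the ATT&CK entry says DynoWiper skips (T1679). Both the page's
# spelling of the x86 folder and the on-disk one are listed. Used only to annotate alerts.
EXCLUDED_DIRS = {"system32", "windows", "program files", "program files(x86)",
                 "program files (x86)", "temp", "recycle.bin", "$recycle.bin", "boot",
                 "perflogs", "appdata", "documents and settings"}


def in_excluded_dir(path: str) -> bool:
    return any(part.lower() in EXCLUDED_DIRS for part in path.split("\\"))


def correlate(events, window=timedelta(minutes=10), min_file_ops=50, min_dirs=5):
    """Flag a PowerShell-spawned binary that performs bulk file writes/deletes across
    many directories within `window`, and record whether a shutdown followed.
    Thresholds are assumptions, not values from the source reporting."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e.host].append(e)
    alerts = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e.ts)
        for proc in evs:
            if proc.kind != "process" or not proc.parent.lower().endswith("powershell.exe"):
                continue
            end = proc.ts + window
            ops = [e for e in evs
                   if e.pid == proc.pid and e.kind in ("file_write", "file_delete")
                   and proc.ts <= e.ts <= end]
            if len(ops) < min_file_ops:
                continue
            dirs = {e.path.rsplit("\\", 1)[0].lower() for e in ops}
            if len(dirs) < min_dirs:
                continue
            writes = sum(1 for e in ops if e.kind == "file_write")
            alerts.append({
                "host": host, "pid": proc.pid, "image": proc.image, "parent": proc.parent,
                "writes": writes, "deletes": len(ops) - writes, "directories": len(dirs),
                "shutdown": any(e.kind == "shutdown" and proc.ts <= e.ts <= end for e in evs),
                "avoids_excluded_dirs": not any(in_excluded_dir(e.path) for e in ops),
            })
    return alerts


def build_sample_events():
    """Constructed telemetry: ws01 shows the full destructive sequence (overwrite, delete
    five seconds later, shutdown); ws02 is a PowerShell-driven installer touching a few files."""
    ps = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    t0 = datetime(2025, 12, 29, 10, 0, 0)
    evs = [Event("ws01", t0, "process", 4321, image=r"C:\Users\Public\schtask.exe", parent=ps)]
    targets = [rf"{drive}:\data\{sub}\file{i}.docx"
               for drive in ("C", "D") for sub in ("a", "b", "c") for i in range(10)]
    for i, p in enumerate(targets):
        evs.append(Event("ws01", t0 + timedelta(milliseconds=100 * i), "file_write", 4321, path=p))
        evs.append(Event("ws01", t0 + timedelta(seconds=5, milliseconds=100 * i),
                         "file_delete", 4321, path=p))
    evs.append(Event("ws01", t0 + timedelta(seconds=12), "shutdown", 4321))
    evs.append(Event("ws02", t0, "process", 777, image=r"C:\Windows\System32\msiexec.exe", parent=ps))
    for i in range(5):
        evs.append(Event("ws02", t0 + timedelta(seconds=i), "file_write", 777,
                         path=rf"C:\Program Files\App\f{i}.dll"))
    return evs


if __name__ == "__main__":
    for alert in correlate(build_sample_events()):
        print(alert)
```

Running it yields one alert, for ws01: 60 writes and 60 deletes across six directories, shutdown observed, no excluded directory touched. The installer on ws02 stays below the threshold. In production the same shape maps onto Sysmon Event ID 1 (process create), 11 (file create/overwrite) and 23 (file delete) joined on host and process ID, with the window bounded so that PID reuse does not stitch unrelated activity together.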
Mitigation priorities
- Validate offline, immutable, or otherwise tamper-resistant backups and perform restore testing for critical Windows systems and operational dependencies.
- Harden PowerShell use with appropriate logging, script control, and administrative restrictions consistent with business operations.
- Use application control or allowlisting where feasible to limit execution of unapproved native binaries, especially from user-writable or script-staging locations.
- Ensure least-privilege access to file shares, local administrative rights, and systems that support operational communications or critical services.
- Prepare incident response runbooks for destructive malware, including rapid isolation, evidence preservation, shutdown/reboot handling, and restoration decision points.
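For the restoration decision point in the last bullet, an added example (not part of the page, the ATT&CK object or the cited reports): a Python triage script that walks a directory tree and separates files still carrying a valid format signature from files whose first bytes are near-uniform random, which is what an overwrite with Mersenne Twister output looks like on disk when the delete step has not run or was interrupted. The sample files are constructed in a temporary directory, the "wiped" file is filled with `os.urandom` as a stand-in for the malware's generator, and the 7.5 bits-per-byte threshold is an assumption. It is a triage heuristic: zero-fill wipes read as low entropy, and compressed formats without a listed magic number read as high entropy, so the verdicts guide what to restore first rather than prove what happened.

```python
import math
import os
import tempfile
from collections import Counter

# Container formats that are high-entropy when intact. An overwrite starting at offset 0
# destroys these signatures, so a matching magic is good evidence the file was not wiped.
KNOWN_MAGIC = {
    b"PK\x03\x04": "zip/docx/xlsx",
    b"%PDF": "pdf",
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"\x1f\x8b": "gzip",
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 8.0 is uniformly random, English text sits around 4 to 5."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_file(path, sample_size=4096, threshold=7.5):
    """Read the head of the file and decide between intact, likely_overwritten and empty."""
    with open(path, "rb") as f:
        head = f.read(sample_size)
    fmt = next((name for magic, name in KNOWN_MAGIC.items() if head.startswith(magic)), None)
    ent = shannon_entropy(head)
    if not head:
        verdict = "empty"
    elif fmt:
        verdict = "intact"            # recognised container; high entropy is expected
    elif ent >= threshold:
        verdict = "likely_overwritten"
    else:
        verdict = "intact"
    return {"path": path, "format": fmt, "entropy": round(ent, 2), "verdict": verdict}


def triage_tree(root, **kw):
    results = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            results.append(classify_file(os.path.join(dirpath, name), **kw))
    return results


def verdicts_by_name(root, **kw):
    return {os.path.basename(r["path"]): r["verdict"] for r in triage_tree(root, **kw)}


def build_sample_tree():
    """Constructed files: plain text, a zip-style container, and a random-filled stand-in
    for a file DynoWiper overwrote but did not delete."""
    root = tempfile.mkdtemp(prefix="wiper_triage_")
    with open(os.path.join(root, "notes.txt"), "wb") as f:
        f.write(b"Quarterly maintenance schedule for inverter cluster 3.\n" * 80)
    with open(os.path.join(root, "report.docx"), "wb") as f:
        f.write(b"PK\x03\x04" + os.urandom(4000))
    with open(os.path.join(root, "wiped.xlsx"), "wb") as f:
        f.write(os.urandom(4096))     # stand-in for MT19937 output, not the malware's generator
    return root


if __name__ == "__main__":
    for r in triage_tree(build_sample_tree()):
        print(r)
```

Run against an evidence image mounted read-only rather than the live system, and keep the per-file entropy and signature results with the case notes: the list of `likely_overwritten` paths is what the restoration decision needs, and the `intact` list tells you what can be spared a restore.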
Analyst notes and limits
This take is based on the supplied ATT&CK S9038 object and relationships. The most decision-relevant facts are that DynoWiper is described as a Windows destructive malware distributed by PowerShell, associated with the 2025 Poland Wiper Attacks campaign, and mapped to discovery, stealth, execution, and impact behaviors. The relationship context supports cyber-physical risk discussion because the related campaign description names Polish energy infrastructure and disrupted communications, but local exposure depends on each organization’s architecture and telemetry.
ATT&CK provides no official detection section for DynoWiper in the supplied object. The object lists Windows as the platform, but several related technique platform lists are broader or do not include Windows; defensive planning here is therefore anchored to the malware description and the explicit Windows platform field. No claim is made that DynoWiper is currently active in any customer environment, that any control guarantees detection, or that any organization is exposed without local evidence.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1529 | System Shutdown/Reboot | DynoWiper has used the Microsoft Windows native `ExitWindowsEx()` function to log off the interactive user and shut down the system.[1] |
| Enterprise | T1485 | Data Destruction | DynoWiper has overwritten files with 16-byte sequences of random data generated by the Mersenne Twister algorithm, using the Microsoft Windows native `CreateFileW()` function to open the file and the `SetFilePointerEx()` and `WriteFile()` functions to overwrite it.[1] Additionally, versions of DynoWiper can also delete files using the `DeleteFileW` API.[2] |
| Enterprise | T1679 | Selective Exclusion | DynoWiper has recursively enumerated directories with the exception of the following: System32, Windows, Program Files, Program Files(x86), Temp, Recycle.Bin, $Recycle.Bin, Boot, PerfLogs, AppData, Documents and Settings.[1][2] |
| Enterprise | T1680 | Local Storage Discovery | DynoWiper has used the Microsoft Windows native `GetLogicalDrives()` and `GetDriveType()` functions to enumerate all the drives visible to the system.[1] |
| Enterprise | T1083 | File and Directory Discovery | DynoWiper has used the Microsoft Windows native `FindFirstFile()` and `FindNextFile()` functions to recursively enumerate directories and files on the system.[1] |
| Enterprise | T1106 | Native API | DynoWiper has used multiple native Windows functions, such as `GetLogicalDrives` and `FindNextFile`, for discovery and file deletion.[1][2] |
| Enterprise | T1120 | Peripheral Device Discovery | DynoWiper has enumerated and overwritten files on all removable and fixed drives.[2] |
| Enterprise | T1036 | Masquerading | DynoWiper has been named after well-known files schtask.exe, schtask2.exe, and |
| Enterprise | T1678 | Delay Execution | DynoWiper has utilized a five-second delay using `Sleep(5000)` between two of the three phases of the attack, which involve file overwriting, file deletion, and system reboot.[1][2] |
Groups, software, and campaigns
C0063: 2025 Poland Wiper Attacks
2025 Poland Wiper Attacks is a Russian state-sponsored campaign that conducted destructive cyberattacks against Polish energy infrastructure in December 2025. Targets included more than 30 wind and photovoltaic farms, a combined heat and power (CHP) plant, and a manufacturing sector company. The attacks on the distributed energy resources (DER) disrupted communications between affected facilities and the distribution system operator, but did not impact electricity generation or heat supply. Across the campaign, threat actors deployed two previously undocumented wiper tools, DynoWiper, a Windows-based wiper, and LazyWiper, a PowerShell wiper, both distributed via malicious Group Policy Objects. At the CHP plant, threat actors had maintained access since at least March 2025, using that foothold to obtain credentials and move laterally before attempting wiper deployment. Some reporting has assessed the activity to be consistent with Russian Federal Security Service (FSB) threat activity group Dragonfly, also tracked as STATIC TUNDRA, while other reporting attributes the destructive wiper activities to the Russian General Staff Main Intelligence Directorate (GRU) threat activity group ELECTRUM, also tracked as Sandworm Team.[1][2][3][4]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the same object can be compared across releases by object hash and MITRE modification timestamp. For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | d7b3b82962cd… |
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] CERT Polska. (2026, January 30). Energy Sector Incident Report – 29 December. Retrieved April 22, 2026.
[2] ESET. (2026, January 30). DynoWiper update: Technical analysis and attribution. Retrieved April 22, 2026.
[3] MITRE ATT&CK. S9038: DynoWiper.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.