S9039: LazyWiper
LazyWiper is a destructive malware observed targeting a manufacturing sector company during the 2025 Poland Wiper Attacks. LazyWiper is a native Windows PowerShell script that is believed to have been generated by a large language model (LLM). LazyWiper overwrites files on the system using the C# function `WriteRandomBytes()` and can target multiple specific file types by their extensions.[1]
Analyst context for executives and security teams
LazyWiper matters because it is described as destructive Windows malware that overwrites files, not just encrypts or exfiltrates them. For business leaders, the key risk is availability: a PowerShell-based destructive script can turn an endpoint or operational support system into a recovery problem, especially where manufacturing or energy operations depend on Windows systems and timely data access.
Executive priority
Prioritize LazyWiper as an operational resilience and incident readiness concern. The ATT&CK relationship ties it to the 2025 Poland Wiper Attacks campaign, which involved energy infrastructure and a manufacturing company, so leaders should validate whether backup, restoration, endpoint logging, PowerShell governance, and crisis decision processes would hold up during destructive activity. This is also useful compliance evidence: prove that destructive malware scenarios are covered by logging, response playbooks, and recovery testing rather than relying only on prevention claims.
Technical view
SOC and IR teams should treat this as a Windows destructive-malware scenario involving PowerShell execution, system and file discovery, a hostname-based execution guardrail that exempts domain controllers, extension-based file targeting, impairment of Defender real-time monitoring, and data destruction by overwrite. Validate visibility into PowerShell script execution, file enumeration, targeted extension handling, high-volume file overwrite behavior, and attempts to modify or degrade security tooling. Because MITRE provides no official detection text, local detections should be tested against the related ATT&CK techniques rather than assumed from the LazyWiper software entry alone.
Likely telemetry
- Windows endpoint telemetry, especially PowerShell process and script activity
- PowerShell logging where enabled, such as script block, module, and command-line evidence
- File system telemetry showing enumeration, extension-based targeting, and unusual overwrite/write volume
- EDR or host logs for security tool tampering, service stops, process kills, or configuration changes
- System information discovery evidence from host commands, scripts, or API activity
Detection direction
- Tune for suspicious PowerShell execution on Windows, especially scripts that enumerate files and perform broad write operations.
- Look for sequencing: system discovery, file and directory discovery, guardrail-like environment checks, then destructive file writes.
- Detect file overwrite behavior and unusual write bursts by script interpreters, not only file deletion or ransomware-style renaming.
- Include false-positive review for administrative scripts, backup tools, software deployment, and legitimate bulk file processing.
- Validate whether EDR, PowerShell logging, and file telemetry remain available if tooling is disabled or modified.
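The sequencing and false-positive points above can be turned into a hunt over PowerShell script block logs (Event ID 4104 in Microsoft-Windows-PowerShell/Operational). The block below is an added example written for this page, not code from the page, from CERT Polska or from the malware itself: the regexes, rule names, verdict thresholds and the two sample scripts are this example's own assumptions, and the first sample is a constructed script shaped like the behaviours in the technique table, not LazyWiper's code.

```powershell
# Added hunting example (not from the page or the CERT Polska report). Scores script block text
# for the combination of behaviours the LazyWiper entry describes. Regexes, names, thresholds
# and samples are assumptions made for this example; nothing below is LazyWiper's own code.

$WiperRules = @(
    @{ Technique = 'T1082/T1480'; Name = 'hostname guardrail'
       Pattern   = '(\[System\.Net\.Dns\]::GetHostName\(\)|\$env:COMPUTERNAME)[^\r\n]*-(match|like|contains|eq)' }
    @{ Technique = 'T1685'; Name = 'Defender real-time monitoring disabled'
       Pattern   = 'Set-MpPreference[^\r\n]*-DisableRealtimeMonitoring\s+(\$true|1\b)' }
    @{ Technique = 'T1083'; Name = 'recursive enumeration of archive/backup/mailbox extensions'
       Pattern   = 'Get-ChildItem[^\r\n]*-Recurse[^\r\n]*-(Include|Filter)[^\r\n]*\.(zip|rar|7z|bak|gho|pst|edb)' }
    @{ Technique = 'T1485'; Name = 'random bytes written into existing files'
       Pattern   = '(RNGCryptoServiceProvider|RandomNumberGenerator|GetBytes|Get-Random)[\s\S]{0,400}(WriteAllBytes|FileStream|\.Write\()' }
)

function Test-WiperIndicators {
    param(
        [Parameter(Mandatory)][string]$ScriptText,
        [string]$Source = 'unknown'
    )
    $hits = @(foreach ($rule in $WiperRules) {
        if ($ScriptText -match $rule.Pattern) {
            [pscustomobject]@{ Technique = $rule.Technique; Indicator = $rule.Name }
        }
    })
    $techniques  = @($hits | ForEach-Object { $_.Technique })
    $destructive = $techniques -contains 'T1485'
    $impairs     = $techniques -contains 'T1685'

    # Enumeration alone is what backup, deployment and archiving scripts do too, so it never
    # escalates by itself. Escalate when destructive writes are paired with defence impairment
    # or with guardrail/discovery behaviour; review when either destructive writes or impairment
    # appears on its own.
    $verdict = if ($destructive -and ($impairs -or $techniques.Count -ge 3)) { 'escalate' }
               elseif ($destructive -or $impairs) { 'review' }
               else { 'no-escalation' }

    [pscustomobject]@{
        Source     = $Source
        Verdict    = $verdict
        Indicators = ($hits | ForEach-Object { $_.Indicator }) -join '; '
    }
}

# Constructed sample 1: shaped like the technique table (guardrail, Defender off, extension
# enumeration, random-byte overwrite). This is illustrative text, not the real wiper.
$sample1 = @'
if ([System.Net.Dns]::GetHostName() -match "dc") { exit }
Set-MpPreference -DisableRealtimeMonitoring $true
$targets = Get-ChildItem -Path C:\ -Recurse -Include *.zip,*.bak,*.pst -ErrorAction SilentlyContinue
$rng = [System.Security.Cryptography.RNGCryptoServiceProvider]::new()
foreach ($t in $targets) { $buf = New-Object byte[] 32; $rng.GetBytes($buf); [IO.File]::WriteAllBytes($t.FullName, $buf) }
'@

# Constructed sample 2: an administrative backup script that enumerates the same extensions but only copies.
$sample2 = @'
$files = Get-ChildItem -Path D:\data -Recurse -Include *.zip,*.bak
foreach ($f in $files) { Copy-Item -Path $f.FullName -Destination \\backup01\archive\ }
'@

Test-WiperIndicators -ScriptText $sample1 -Source 'sample-1'
Test-WiperIndicators -ScriptText $sample2 -Source 'sample-2'
```

Sample 1 returns the verdict `escalate` with all four indicators; sample 2 matches only the enumeration rule and returns `no-escalation`, which is the false-positive case the list above calls out. To run this against a live host, feed `Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-PowerShell/Operational'; Id=4104}` into `Test-WiperIndicators`, taking the script text from the event's ScriptBlockText property; long scripts are split across several 4104 events, so reassemble them by ScriptBlockId before scoring, otherwise the distance-bounded T1485 rule can miss.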
Mitigation priorities
- Restrict and monitor PowerShell use according to administrative need on Windows systems.
- Harden endpoint security controls and alert on attempts to disable or modify defensive tools.
- Maintain tested, offline or otherwise resilient backups for systems where file overwrite would disrupt operations.
- Segment and prioritize monitoring for manufacturing, energy, and other operationally critical Windows environments.
- Exercise destructive-malware incident response playbooks, including containment, restoration, evidence preservation, and executive escalation.
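The first three items depend on controls that are easy to assume and rarely verified: that script block and module logging are actually enabled by policy, that Defender real-time protection and tamper protection are on, and that attempts to change Defender configuration would be recorded. The posture check below is an added example for this page, not code from the page or from any vendor: the registry policy paths, cmdlet property names and Defender event IDs 5001 (real-time protection disabled) and 5007 (configuration changed) are the standard Windows ones; the seven-day window and the list of controls treated as required are this example's own choices. Run it elevated on the host being assessed.

```powershell
# Added posture check (not from the page). Confirms the logging and Defender controls the
# mitigation list relies on are in force and counts recent Defender configuration changes.
# The seven-day window and the "required" control list are assumptions made for this example.

function Get-WiperReadinessPosture {
    $policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

    # $true only when the policy value exists and equals 1; a missing key reads as disabled.
    function Test-PolicyFlag([string]$SubKey, [string]$Value) {
        $item = Get-ItemProperty -Path (Join-Path $policyRoot $SubKey) -Name $Value -ErrorAction SilentlyContinue
        return ($null -ne $item -and $item.$Value -eq 1)
    }

    # Defender cmdlets are absent on hosts running a third-party AV, so probe before calling.
    $defender = $null
    if (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue) {
        $defender = Get-MpComputerStatus -ErrorAction SilentlyContinue
    }

    # A Set-MpPreference -DisableRealtimeMonitoring call, as described in the technique table,
    # leaves 5001 and/or 5007 events in the Defender operational log.
    $since = (Get-Date).AddDays(-7)
    $defenderChanges = @(Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 5001, 5007; StartTime = $since
    } -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        ScriptBlockLogging    = Test-PolicyFlag 'ScriptBlockLogging' 'EnableScriptBlockLogging'
        ModuleLogging         = Test-PolicyFlag 'ModuleLogging' 'EnableModuleLogging'
        Transcription         = Test-PolicyFlag 'Transcription' 'EnableTranscripting'
        RealTimeProtection    = [bool]$defender.RealTimeProtectionEnabled
        TamperProtection      = [bool]$defender.IsTamperProtected
        DefenderChangesLast7d = $defenderChanges.Count
        SessionLanguageMode   = [string]$ExecutionContext.SessionState.LanguageMode
    }
}

function Get-PostureGaps {
    param([Parameter(Mandatory)]$Posture)
    $required = 'ScriptBlockLogging', 'ModuleLogging', 'RealTimeProtection', 'TamperProtection'
    $gaps = @($required | Where-Object { -not $Posture.$_ })
    if ($Posture.DefenderChangesLast7d -gt 0) {
        $gaps += 'DefenderChangesLast7d (review Event 5001/5007 entries)'
    }
    return $gaps
}

$posture = Get-WiperReadinessPosture
$posture | Format-List
$gaps = Get-PostureGaps -Posture $posture
if ($gaps.Count) { Write-Warning ('Posture gaps: ' + ($gaps -join ', ')) }
else             { Write-Host 'No gaps in the checked controls.' }
```

Two caveats when reading the output: `SessionLanguageMode` only reflects the session the check runs in, so a value of `FullLanguage` says nothing about whether Constrained Language Mode is enforced for other users (that requires an AppLocker or WDAC policy); and the registry flags show what policy asks for, not that events are flowing, so confirm separately that 4104 events are present on the host and reaching the SIEM.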
Analyst notes and limits
The most decision-useful context is the combination of destructive file overwrite behavior, Windows PowerShell implementation, and the relationship to a campaign affecting energy infrastructure and a manufacturing company. The LLM-generated assessment is from the official description and should be treated as development context, not as a reliable detection attribute by itself.
MITRE provides no official detection guidance for LazyWiper and lists no tactics directly on the malware object. Several related techniques have broader platform lists than the LazyWiper object; the malware platform supplied here is Windows, so platform assumptions should remain Windows-focused unless local evidence expands scope. Confidence depends on validating telemetry and recovery readiness in the organization’s own environment.
LazyWiper
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1083 | File and Directory Discovery | LazyWiper can specifically target multiple files by extension including: .rar, .tar.gz, .zip, .7z, .json, .bcp, .bak, .gho, .erf, .edb, .onepkg, .pst, and .ldiff.[1] |
| Enterprise | T1679 | Selective Exclusion | LazyWiper can enumerate the hostname of the system to determine if it is a domain controller and exclude it from being wiped if so.[1] |
| Enterprise | T1685 | Disable or Modify Tools | LazyWiper can disable Microsoft Windows Defender Real-Time Monitoring with the `Set-MpPreference` cmdlet.[1] |
| Enterprise | T1059.001 | PowerShell | LazyWiper has used PowerShell to enable data destruction on targeted systems.[1] |
| Enterprise | T1480 | Execution Guardrails | LazyWiper can halt execution if `[System.Net.Dns]::GetHostName()` or `$env:COMPUTERNAME` contains `"pe-dc"`.[1] |
| Enterprise | T1082 | System Information Discovery | LazyWiper has used `[System.Net.Dns]::GetHostName()` and `$env:COMPUTERNAME` to enumerate the hostname of a system and determine if it is a domain controller.[1] |
| Enterprise | T1485 | Data Destruction | LazyWiper has overwritten files with pseudorandom 32-byte sequences written at 16-byte intervals, making the file unrecoverable.[1] |
| Enterprise | T1588.007 | Artificial Intelligence | LazyWiper is believed to have been generated by a large language model (LLM) due to the nonsensical comments in the code.[1] |
Groups, software, and campaigns
C0063: 2025 Poland Wiper Attacks
2025 Poland Wiper Attacks is a Russian state-sponsored campaign that conducted destructive cyberattacks against Polish energy infrastructure in December 2025. Targets included more than 30 wind and photovoltaic farms, a combined heat and power (CHP) plant, and a manufacturing sector company. The attacks on the distributed energy resources (DER) disrupted communications between affected facilities and the distribution system operator, but did not impact electricity generation or heat supply. Across the campaign, threat actors deployed two previously undocumented wiper tools, DynoWiper, a Windows-based wiper and LazyWiper, a PowerShell wiper, distributed via malicious Group Policy Objects. At the CHP plant, threat actors had maintained access since at least March 2025, using that foothold to obtain credentials and move laterally before attempting wiper deployment. Some reporting has assessed the activity to be consistent with Russian Federal Security Service (FSB) threat activity group Dragonfly, also tracked as STATIC TUNDRA, while other reporting attributes the destructive wiper activities to the Russian General Staff Main Intelligence Directorate (GRU) threat activity group ELECTRUM, also tracked as Sandworm Team.[1][2][3][4]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 29d149a38f0d… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] CERT Polska. (2026, January 30). Energy Sector Incident Report – 29 December. Retrieved April 22, 2026.
[2] MITRE ATT&CK. S9039: LazyWiper (mirrored source object).
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.