The incident demonstrates Sandworm’s evolving destructive capabilities and the critical need for robust endpoint protection and privileged‑access controls in the energy sector, where successful wiper attacks can cause extensive operational disruption.
Sandworm has built a reputation for high‑impact wiper attacks, from NotPetya in 2017 to the recent ZOV incidents. The emergence of DynoWiper signals the group’s continued refinement of destructive tools, targeting the IT layer of critical infrastructure rather than directly compromising OT systems. By reusing code patterns—such as directory‑exclusion logic and phased file overwriting—Sandworm reduces development time while preserving the ability to cause rapid data loss, a tactic that keeps defenders on their heels.
The DynoWiper campaign showcases sophisticated deployment methods. Attackers leveraged a custom PowerShell script to push the malicious binaries via Active Directory Group Policy, a technique that requires domain‑admin privileges and enables rapid lateral movement across an organization. Three variants—_update.exe, schtask.exe, and schtask2.exe—were iteratively rebuilt within hours, indicating a test‑and‑retry approach likely conducted in virtualized environments. ESET PROTECT’s real‑time blocking prevented the payload from executing, underscoring the value of next‑generation endpoint solutions that can intercept unknown malware before it reaches critical assets.
For energy providers and other high‑value sectors, the DynoWiper episode reinforces the necessity of layered defenses. Continuous monitoring for privileged credential abuse, strict segmentation between IT and OT networks, and regular validation of Group Policy changes are essential controls. Moreover, threat‑intelligence sharing—exemplified by collaboration between ESET, CERT‑Polska, and industry partners—helps organizations anticipate Sandworm’s evolving tactics and implement proactive mitigations before destructive wipers can inflict damage.
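One way to carry out the Group Policy validation recommended above, as an added example (not code from ESET, CERT‑Polska or the original article): it hashes a copy of the SYSVOL `Policies` folder, compares it with an approved baseline, and marks added or modified files that can make clients run code. The extension list, function names, placeholder GUID and sample data are assumptions made for illustration.

```python
import hashlib
from pathlib import Path

# Assumption: file types that let a GPO deliver or launch code on clients.
EXEC_SUFFIXES = {".exe", ".dll", ".ps1", ".bat", ".cmd", ".vbs", ".js", ".msi"}
# GPO files that define startup/logon scripts and scheduled tasks.
EXEC_CONFIG_NAMES = {"scheduledtasks.xml", "scripts.ini", "psscripts.ini"}

def snapshot(policies_root):
    """Map each file path (relative to the Policies folder) to its SHA-256."""
    root = Path(policies_root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }

def is_execution_relevant(rel_path):
    """True for binaries, scripts and the GPO files that schedule or launch them."""
    name = rel_path.rsplit("/", 1)[-1].lower()
    return name in EXEC_CONFIG_NAMES or Path(name).suffix in EXEC_SUFFIXES

def diff_gpo_snapshots(baseline, current):
    """Return (gpo_guid, change, rel_path, high_priority) for every difference."""
    findings = []
    for path in sorted(set(baseline) | set(current)):
        old, new = baseline.get(path), current.get(path)
        if old == new:
            continue
        change = "added" if old is None else "removed" if new is None else "modified"
        gpo = path.split("/", 1)[0]  # first path component is the GPO GUID folder
        risky = change != "removed" and is_execution_relevant(path)
        findings.append((gpo, change, path, risky))
    return findings

if __name__ == "__main__":
    # Constructed snapshots (placeholder GUID, fake hashes), not incident data.
    guid = "{00000000-0000-0000-0000-000000000001}"
    base = {f"{guid}/GPT.INI": "h1"}
    cur = {
        f"{guid}/GPT.INI": "h2",
        f"{guid}/Machine/Scripts/scripts.ini": "h3",
        f"{guid}/Machine/Scripts/Startup/tool.exe": "h4",
    }
    for finding in diff_gpo_snapshots(base, cur):
        print(finding)
```

Findings with `high_priority` set to `True` are the ones to reconcile against an approved change record before the next policy refresh reaches clients.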