Analytics Story: DynoWiper
Description
DynoWiper is a newly documented data-wiping malware identified by ESET researchers during a destructive cyber incident targeting an energy company in critical infrastructure. Designed to overwrite files and force a system reboot, DynoWiper erases data across removable and fixed drives, rendering systems inoperable if unprotected. ESET attributes the malware to the Russia-aligned threat group Sandworm with medium confidence, noting shared tactics and coding patterns with previous destructive wiper families such as ZOV. Endpoint defenses successfully blocked execution, highlighting the need for robust detection.
Why it matters
In late December 2025, ESET responded to a destructive malware incident involving a previously unseen wiper, dubbed DynoWiper, deployed within an energy sector environment. Analysis revealed a dedicated file-overwriting payload that systematically targeted drives and rebooted systems to complete the destruction. The operation draws parallels to prior Sandworm wiper operations such as ZOV.
Detections
| Name | Technique | Type |
|---|---|---|
| Executables Or Script Creation In Suspicious Path | Masquerading | Anomaly |
| Windows High File Deletion Frequency | Data Destruction | Anomaly |
Data Sources
| Name | Platform | Sourcetype | Source |
|---|---|---|---|
| Sysmon EventID 11 | | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Sysmon EventID 23 | | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Sysmon EventID 26 | | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
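The "Windows High File Deletion Frequency" detection listed above is driven by the Sysmon EventID 23 and 26 data sources in this table. The following is an added example, not Splunk's own search and not code from the original page, that applies the same idea in Python to constructed JSON-lines Sysmon records: it counts deletions per host and process in a sliding window and flags pairs that exceed a threshold. The hostname, image paths, timestamps and threshold are all assumptions.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Sysmon IDs from the data-source table that record deletions: 23 (FileDelete, file archived)
# and 26 (FileDeleteDetected). EventID 11 is FileCreate and is deliberately not counted.
DELETE_EVENT_IDS = {23, 26}


def _rec(ts, eid, computer, image, target):
    """Build one constructed JSON-lines record in a simplified Sysmon-like shape."""
    return json.dumps({"UtcTime": ts, "EventID": eid, "Computer": computer,
                       "Image": image, "TargetFilename": target})


# Constructed sample log: one FileCreate, a burst of six deletes from a hypothetical
# process within six seconds, and two ordinary deletes by explorer.exe hours apart.
SAMPLE_LOG = [
    _rec("2025-12-28 03:14:01.000", 11, "hmi-01", "C:\\Users\\ops\\wiper_sample.exe",
         "C:\\Users\\ops\\wiper_sample.exe"),
] + [
    _rec(f"2025-12-28 03:14:{2 + i:02d}.000", 23, "hmi-01",
         "C:\\Users\\ops\\wiper_sample.exe", f"D:\\data\\file{i}.db")
    for i in range(6)
] + [
    _rec("2025-12-28 03:20:00.000", 26, "hmi-01", "C:\\Windows\\explorer.exe", "C:\\Users\\ops\\old.txt"),
    _rec("2025-12-28 09:10:00.000", 26, "hmi-01", "C:\\Windows\\explorer.exe", "C:\\Users\\ops\\tmp.txt"),
]


def parse_events(lines):
    """Parse JSON-lines records and attach a datetime parsed from UtcTime."""
    events = []
    for line in lines:
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")
        events.append(rec)
    return events


def high_deletion_frequency(events, threshold=5, window=timedelta(minutes=1)):
    """Return {(Computer, Image): peak deletes in any window} for pairs at or above threshold."""
    by_key = defaultdict(list)
    for ev in events:
        if int(ev["EventID"]) in DELETE_EVENT_IDS:
            by_key[(ev["Computer"], ev["Image"])].append(ev["ts"])
    alerts = {}
    for key, times in by_key.items():
        recent, peak = deque(), 0
        for ts in sorted(times):            # sliding window over chronological deletes
            recent.append(ts)
            while ts - recent[0] > window:  # drop deletes older than the window
                recent.popleft()
            peak = max(peak, len(recent))
        if peak >= threshold:
            alerts[key] = peak
    return alerts
```

In a real deployment the threshold and window should be tuned against baseline activity from backup agents, build servers and cleanup scripts, which legitimately delete many files in a short time.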
References
Source: GitHub | Version: 1