Sandworm Deployed New DynoWiper Malware Against Poland Energy Grid in Failed Attack
Russian state-linked threat group Sandworm targeted Poland's energy infrastructure in late 2025 with a previously undocumented data-wiping malware called DynoWiper, according to new research from ESET. Security experts have described the intrusion as one of the largest cyberattacks the country has faced in years.
The attack failed to cause power outages or permanent damage, but the incident has prompted Polish authorities to announce strengthened cybersecurity defenses and new legislation targeting critical infrastructure protection.
New Wiper Malware Identified
ESET researchers identified the malware as DynoWiper, tracked as Win32/KillFiles.NMO, a previously undocumented wiper designed to permanently destroy files and cripple affected systems. The malware's technical characteristics and operational patterns showed strong similarities to earlier Sandworm wiper campaigns, particularly those observed following Russia's invasion of Ukraine in 2022.
The attempted intrusion targeted two combined heat and power plants and a system used to manage electricity generation from renewable sources including wind and solar, according to Polish authorities who confirmed the activity on December 29, 2025.
Attribution to Russian Military Intelligence
ESET's analysis linked the operation to Sandworm, an advanced persistent threat group also known as UAC-0113, APT44, and Seashell Blizzard. Security researchers have established the group's ties to Unit 74455 of Russia's Main Intelligence Directorate (GRU), identifying it as one of the most capable state-sponsored hacking operations focused on critical infrastructure disruption.
Sandworm has been active for more than a decade and is responsible for some of the most significant cyber incidents against energy networks globally. The group's 2015 attack on Ukraine's power grid using BlackEnergy and KillDisk malware left approximately 230,000 people without power for nearly 10 days, establishing a template for infrastructure-targeting operations that continues to shape threat assessments today.
ESET noted that the Poland intrusion coincided with the tenth anniversary of the 2015 Ukraine grid attack.
Pattern of Destructive Operations
The deployment of a custom-built wiper aligns with a broader pattern of Russian cyber operations where data-destroying malware has become a strategic tool. The use of wipers in attacks linked to Moscow increased significantly after 2022.
Sandworm's destructive campaigns include the AcidRain malware that disabled approximately 270,000 satellite modems in Ukraine to disrupt communications, as well as the 2017 NotPetya outbreak. NotPetya initially targeted Ukrainian organizations but spread globally, causing an estimated $10 billion in damage and becoming one of the costliest cyberattacks in history.
Attack Outcome Remains Under Investigation
Investigators have not determined why DynoWiper failed to trigger power outages in Poland. The investigation has left open the possibility that the operation was strategically calibrated to avoid escalation, or that defenses within Poland's energy grid prevented successful execution.
Polish Prime Minister Donald Tusk stated the attacks were directed by groups "directly linked to Russian services" and announced plans to strengthen national defenses through additional cybersecurity legislation requiring more stringent risk management, IT and OT security requirements, and incident preparedness measures. The legislation is expected to be implemented soon.
The Russian Embassy did not respond to requests for comment.
Continued Threat to European Infrastructure
Security analysts noted the attempted deployment of DynoWiper reflects continued reliance on destructive malware as a strategic tool and emphasized the importance of investing in cyber resilience, real-time monitoring, and coordinated incident response across both information technology and operational technology environments.
While the attack's failure may offer some reassurance, experts warn that similar threats are unlikely to remain confined by borders as geopolitical tensions persist. Adversaries continue to probe energy networks for weaknesses, making detection and neutralization capabilities critical for preventing future disruptions.