New DynoWiper Malware Used in Attempted Sandworm Attack on Polish Power Sector - The Hacker News

New DynoWiper Malware Used in Attempted Sandworm Attack on Polish Power Sector Ravie LakshmananJan 24, 2026Malware / Critical Infrastructure The Russian nation-state hacking group known as Sandworm has been attributed to what has been described as the "largest cyber attack" targeting Poland's power system in the last week of December 2025. The attack was unsuccessful, the country's energy minister, Milosz Motyka, said last week. "The command of the cyberspace forces has diagnosed in the last days of the year the strongest attack on the energy infrastructure in years," Motyka was quoted as saying. According to a new report by ESET, the attack was the work of Sandworm, which deployed a previously undocumented wiper malware codenamed DynoWiper (aka Win32/KillFiles.NMO). The links to Sandworm are based on overlaps with prior wiper activity associated with the adversary, particularly in the aftermath of Russia's military invasion of Ukraine in February 2022. The Slovakian cybersecurity company, which identified the use of the wiper as part of the attempted disruptive attack aimed at the Polish energy sector on December 29, 2025, said there is no evidence of successful disruption. The December 29 and 30, 2025, attacks targeted two combined heat and power (CHP) plants, as well as a system enabling the management of electricity generated from renewable energy sources such as wind turbines and photovoltaic farms, the Polish government said. "Everything indicates that these attacks were prepared by groups directly linked to the Russian services," Prime Minister Donald Tusk said, adding the government is readying extra safeguards, including a key cybersecurity legislation that will impose strict requirements on risk management, protection of information technology (IT) and operational technology (OT) systems, and incident response. It's worth noting that the activity occurred on the tenth anniversary of the Sandworm's attack against the Ukrainian power grid in December 2015, which led to the deployment of the BlackEnergy malware, plunging parts of the Ivano-Frankivsk region of Ukraine into darkness. The trojan, which was used to plant a wiper malware dubbed KillDisk, caused a 4–6 hour power outage for approximately 230,000 people. "Sandworm has a long history of disruptive cyber attacks, especially on Ukraine's critical infrastructure," ESET said. "Fast forward a decade and Sandworm continues to target entities operating in various critical infrastructure sectors." In June 2025, Cisco Talos said a critical infrastructure entity within Ukraine was targeted by a previously unseen data wiper malware named PathWiper that shares some level of functional overlap with Sandworm's HermeticWiper. The Russian hacking group has also been observed deploying data-wiping malware, such as ZEROLOT and Sting, in a Ukrainian university network, followed by serving multiple data-wiping malware variants against Ukrainian entities active in the governmental, energy, logistics, and grain sectors between June and September 2025. Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share SHARE  critical infrastructure, cyber espionage, cybersecurity, Industrial Control Systems, Malware Trending News Trivy Security Scanner GitHub Actions Breached, 75 Tags Hijacked to Steal CI/CD Secrets New Perseus Android Banking Malware Monitors Notes Apps to Extract Sensitive Data Citrix NetScaler Under Active Recon for CVE-2026-3055 (CVSS 9.3) Memory Overread Bug FBI Warns Russian Hackers Target Signal, WhatsApp in Mass Phishing Attacks Citrix Urges Patching Critical NetScaler Flaw Allowing Unauthenticated Data Leaks China-Linked Red Menshen Uses Stealthy BPFDoor Implants to Spy via Telecom Networks Google Adds 24-Hour Wait for Unverified App Sideloading to Reduce Malware and Scams FCC Bans New Foreign-Made Routers Over Supply Chain and Cyber Risk Concerns Coruna iOS Kit Reuses 2023 Triangulation Exploit Code in Recent Mass Attacks CISA Adds CVE-2025-53521 to KEV After Active F5 BIG-IP APM Exploitation ThreatsDay Bulletin: PQC Push, AI Vuln Hunting, Pirated Traps, Phishing Kits and 20 More Stories 54 EDR Killers Use BYOVD to Exploit 35 Signed Vulnerable Drivers and Disable Security TeamPCP Backdoors LiteLLM Versions 1.82.7–1.82.8 via Trivy CI/CD Compromise TeamPCP Pushes Malicious Telnyx Versions to PyPI, Hides Stealer in WAV Files ⚡ Weekly Recap: CI/CD Backdoor, FBI Buys Location Data, WhatsApp Ditches Numbers and More Apple Warns Older iPhones Vulnerable to Coruna, DarkSword Exploit Kit Attacks Load More ▼ Popular Resources [Demo] Discover SaaS Risks and Monitor Every App in Your Environment [Guide] Learn How to Govern AI Agents With Proven Market Guidance SANS SEC401: Get Hands On Skills to Detect and Respond to Cyber Threats Detect AI-Driven Threats Faster With Full Network Visibility