Mallory
Malware · Used by 1 actor

LazyWiper

LazyWiper is a destructive PowerShell-based wiper used in the 2025 Poland wiper attacks. Reporting ties its use to coordinated sabotage operations in Poland affecting a manufacturing-sector company and, more broadly in campaign reporting, attacks against renewable energy sites and a combined heat and power facility. Cited CERT Polska reporting associates the broader campaign with the Russia-linked activity cluster Static Tundra (also tracked as Berserk Bear, Ghost Blizzard, and Dragonfly), while some reporting noted possible but inconclusive similarities to Sandworm-linked tradecraft.

The malware is described as a PowerShell script that targets a wide range of file types and partially overwrites files to render them unusable; other reporting states that it overwrites files with pseudorandom 32-byte sequences. It is characterized as a destructive component with no ransom or extortion behavior mentioned, and in some reporting as a redundant tool intended to ensure destruction if a primary payload fails. One documented capability is disabling Microsoft Windows Defender Real-Time Monitoring via the Set-MpPreference cmdlet.

In the manufacturing-company incident, LazyWiper was distributed through Active Directory Group Policy Objects to destroy business-critical data after the attackers had already obtained administrative access in the Windows domain. The broader intrusion context in the campaign included initial access through internet-exposed FortiGate perimeter/VPN devices lacking MFA, lateral movement, credential theft, and in some cases OT-focused sabotage, but LazyWiper itself is specifically described as the PowerShell wiper used for destructive file corruption. Multiple sources state that analysts believe parts of LazyWiper, particularly its file-overwrite function, may have been partially generated by AI or an LLM.
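The two behaviours the description above singles out, Defender real-time monitoring switched off through Set-MpPreference and wiper delivery through a modified domain GPO carrying a scheduled task, are both visible in standard Windows audit data. The following detection sketch is an added example, not code from this page or from the Mallory product or any cited vendor. The event records are constructed, and their field names (script_block, object_class, attribute, share_path, access_mask) are simplified stand-ins for the corresponding fields of Security events 4104, 5136 and 5145; the Default Domain Policy GUID is the public Windows constant, not a value from this page.

```python
"""Added example: flag LazyWiper-style behaviour in simplified Windows event records."""
import re
from dataclasses import dataclass

# Well-known GUID of the built-in Default Domain Policy GPO (public Windows
# constant, not an indicator taken from this page).
DEFAULT_DOMAIN_POLICY_GUID = "{31B2F340-016D-11D2-945F-00C04FB984F9}"

# Set-MpPreference turning real-time monitoring off. The cmdlet and parameter
# are real; the script text it is matched against below is constructed.
RTM_OFF = re.compile(
    r"Set-MpPreference\b[^;\n]*-DisableRealtimeMonitoring\s+(?:\$true|1)\b",
    re.IGNORECASE)

# A Group Policy Preferences scheduled-task file inside a GPO folder on SYSVOL.
GPP_SCHEDTASK = re.compile(
    r"\\Policies\\(\{[0-9A-F-]+\})\\(?:Machine|User)\\Preferences"
    r"\\ScheduledTasks\\ScheduledTasks\.xml$",
    re.IGNORECASE)

# Constructed sample records. Field names are simplified assumptions, not the
# exact XML field names of the real events.
SAMPLE_EVENTS = [
    # 4104 (PowerShell script block logging): real-time monitoring disabled.
    {"event_id": 4104, "host": "ws-0412", "user": "CORP\\svc_deploy",
     "script_block": "Set-MpPreference -DisableRealtimeMonitoring $true; "
                     "Get-ChildItem -Recurse D:\\"},
    # 5136 (directory service object modified): a GPO's displayName rewritten.
    {"event_id": 5136, "host": "dc01", "user": "CORP\\admin_j",
     "object_class": "groupPolicyContainer", "attribute": "displayName",
     "value": "Custom Domain Policy"},
    # 5145 (detailed file share access): ScheduledTasks.xml written into the
    # Default Domain Policy folder on SYSVOL.
    {"event_id": 5145, "host": "dc01", "user": "CORP\\admin_j",
     "share_path": "\\\\corp.example\\SYSVOL\\corp.example\\Policies\\"
                   + DEFAULT_DOMAIN_POLICY_GUID
                   + "\\Machine\\Preferences\\ScheduledTasks\\ScheduledTasks.xml",
     "access_mask": "WriteData"},
    # Benign 4104: reading the setting, not changing it. Must not match.
    {"event_id": 4104, "host": "ws-0099", "user": "CORP\\helpdesk",
     "script_block": "Get-MpPreference | Select-Object DisableRealtimeMonitoring"},
]


@dataclass
class Finding:
    technique: str  # ATT&CK ID as listed on this page
    host: str
    user: str
    detail: str


def check_script_block(ev):
    """Event 4104: script block text containing a real-time monitoring switch-off."""
    m = RTM_OFF.search(ev.get("script_block", ""))
    if m:
        return Finding("T1562.001", ev["host"], ev["user"],
                       "Defender real-time monitoring disabled: " + m.group(0))
    return None


def check_gpo_change(ev):
    """Event 5136: displayName of a groupPolicyContainer object modified.

    Renaming a GPO is rare in steady state; a production rule would also join the
    paired 5136 record that carries the deleted old value to confirm which GPO."""
    if (ev.get("object_class") == "groupPolicyContainer"
            and ev.get("attribute") == "displayName"):
        return Finding("T1484.001", ev["host"], ev["user"],
                       f"GPO displayName changed to {ev.get('value')!r}")
    return None


def check_sysvol_write(ev):
    """Event 5145: a write to a GPP ScheduledTasks.xml under SYSVOL."""
    if "write" not in ev.get("access_mask", "").lower():
        return None
    m = GPP_SCHEDTASK.search(ev.get("share_path", ""))
    if not m:
        return None
    gpo = m.group(1).upper()
    where = ("the Default Domain Policy" if gpo == DEFAULT_DOMAIN_POLICY_GUID
             else f"GPO {gpo}")
    return Finding("T1484.001", ev["host"], ev["user"],
                   f"ScheduledTasks.xml written into {where}")


RULES = {4104: check_script_block, 5136: check_gpo_change, 5145: check_sysvol_write}


def analyze(events):
    """Run the rule matching each record's event ID; return the findings in order."""
    findings = []
    for ev in events:
        rule = RULES.get(ev.get("event_id"))
        finding = rule(ev) if rule else None
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f.technique}] {f.host} {f.user}: {f.detail}")
```

The three rules are deliberately narrow: the 4104 rule keys on the setting actually being disabled rather than on any mention of Set-MpPreference, and the 5145 rule only fires on writes to a GPP scheduled-task file, with the Default Domain Policy called out by its fixed GUID because a scheduled task attached to that object reaches every domain-joined machine.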

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

Dragonfly

“The destructive phase relied on a PowerShell-based wiper referred to as LazyWiper, which was distributed through Group Policy Objects with the goal of destroying business-critical data.”

via Help Net Security (helpnetsecurity.com)
MITRE ATT&CK

Techniques & procedures

8 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

1 technique
T1078 Valid Accounts (evidence: 1)

Although the intrusion itself relied on familiar techniques such as credential abuse and prolonged reconnaissance, the introduction of a custom, disposable wiper illustrates how generative approaches can be used to rapidly produce tailored payloads aligned with specific operational goals.

Execution

2 techniques
T1059 Command and Scripting Interpreter (evidence: 1)

The script follows established Konni tradecraft in terms of delivery and execution... APT36... Core logic... is repeatedly re‑implemented in different runtimes, including Nim, Zig, Crystal, Go, and .NET.

T1059.001 PowerShell (evidence: 1)

“The destructive phase relied on a PowerShell-based wiper referred to as LazyWiper...”

Persistence

1 technique
T1078 Valid Accounts (evidence: 1)

Although the intrusion itself relied on familiar techniques such as credential abuse and prolonged reconnaissance, the introduction of a custom, disposable wiper illustrates how generative approaches can be used to rapidly produce tailored payloads aligned with specific operational goals.

Privilege Escalation

2 techniques
T1078 Valid Accounts (evidence: 1)

Although the intrusion itself relied on familiar techniques such as credential abuse and prolonged reconnaissance, the introduction of a custom, disposable wiper illustrates how generative approaches can be used to rapidly produce tailored payloads aligned with specific operational goals.

T1484.001 Group Policy Modification (evidence: 2)

“distribution of the wiper malware… carried out using GPOs” / “modification of the ‘Default Domain Policy’ GPO… DisplayName to ‘Custom Domain Policy’… defines a ScheduledTask…”

Stealth

2 techniques
T1070.004 File Deletion (evidence: 1)

The wiper was designed to erase system files and disrupt operational environments rather than establish long‑term access... such payloads... focus on a narrow set of actions such as file deletion, configuration corruption, or device destabilization.

T1078 Valid Accounts (evidence: 1)

Although the intrusion itself relied on familiar techniques such as credential abuse and prolonged reconnaissance, the introduction of a custom, disposable wiper illustrates how generative approaches can be used to rapidly produce tailored payloads aligned with specific operational goals.

Defense Impairment

1 technique
T1484.001 Group Policy Modification (evidence: 2)

“distribution of the wiper malware… carried out using GPOs” / “modification of the ‘Default Domain Policy’ GPO… DisplayName to ‘Custom Domain Policy’… defines a ScheduledTask…”

Impact

1 technique
T1485 Data Destruction (evidence: 2)

The wiper was designed to erase system files and disrupt operational environments rather than establish long‑term access.

Other

2 techniques
T1562 Impair Defenses (evidence: 1)

The content repeatedly describes threat actors and malware disabling or modifying security tools, EDR/AV, logging, firewall rules, integrity checkers, and security settings; e.g., 'Agrius used several mechanisms to try to disable security tools' and 'BlackByte disabled security tools such as Windows Defender and the Raccine anti-ransomware tool during operations.'

T1562.001 Disable or Modify Tools (evidence: 1)

Examples include 'Aquatic Panda has attempted to stop endpoint detection and response (EDR) tools', 'BlackByte disabled security tools such as Windows Defender', 'Scattered Spider has uninstalled and disabled security tools', and many malware families terminating AV/EDR processes or services.

INDICATORS OF COMPROMISE

IOCs tracked for this family

1 indicator attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

Hashes
1 tracked

File hashes (MD5, SHA-1, SHA-256) from samples and reports.

Type        Value           Latest sighting
hash.md5    ●●●●●●●●●●●●    2 months ago
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
IOC matching (1)

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution (1)

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping (8)

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.