LazyWiper - S9039 (e4160979-b9bc-4f58-acbe-1d921ebbc122)

LazyWiper is a destructive malware observed targeting a manufacturing sector company during the 2025 Poland Wiper Attacks. LazyWiper is a native Windows PowerShell script that is believed to have been generated by a large language model (LLM). LazyWiper overwrites files on the system using the C# function WriteRandomBytes() and can target multiple specific file types by their extensions.(Citation: CERT Polska)

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) | Attack Pattern | LazyWiper - S9039 (e4160979-b9bc-4f58-acbe-1d921ebbc122) | Malware | 1 |
| LazyWiper - S9039 (e4160979-b9bc-4f58-acbe-1d921ebbc122) | Malware | Artificial Intelligence - T1588.007 (0cc222f5-c3ff-48e6-9f52-3314baf9d37e) | Attack Pattern | 1 |
| LazyWiper - S9039 (e4160979-b9bc-4f58-acbe-1d921ebbc122) | Malware | Data Destruction - T1485 (d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c) | Attack Pattern | 1 |
| LazyWiper - S9039 (e4160979-b9bc-4f58-acbe-1d921ebbc122) | Malware | System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) | Attack Pattern | 1 |
| Selective Exclusion - T1679 (9b00925a-7c4b-4e53-bfc8-9a6a806fde03) | Attack Pattern | LazyWiper - S9039 (e4160979-b9bc-4f58-acbe-1d921ebbc122) | Malware | 1 |
| Disable or Modify Tools - T1685 (bbde9781-60aa-4b8a-a911-895b0c1b3872) | Attack Pattern | LazyWiper - S9039 (e4160979-b9bc-4f58-acbe-1d921ebbc122) | Malware | 1 |
| LazyWiper - S9039 (e4160979-b9bc-4f58-acbe-1d921ebbc122) | Malware | PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) | Attack Pattern | 1 |
| LazyWiper - S9039 (e4160979-b9bc-4f58-acbe-1d921ebbc122) | Malware | Execution Guardrails - T1480 (853c4192-4311-43e1-bfbb-b11b14911852) | Attack Pattern | 1 |
| Obtain Capabilities - T1588 (ce0687a0-e692-4b77-964a-0784a8e54ff1) | Attack Pattern | Artificial Intelligence - T1588.007 (0cc222f5-c3ff-48e6-9f52-3314baf9d37e) | Attack Pattern | 2 |
| PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) | Attack Pattern | Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) | Attack Pattern | 2 |