
Key Takeaways:

  • State-Sponsored Aggression: Attribution of the DynoWiper malware to the Sandworm threat group targeting Polish utility sectors.
  • Critical Infrastructure Risks: Exploitation of the CVSS 9.8 heap overflow vulnerability (CVE-2024-37079) in VMware vCenter.
  • Tooling Weaponization: Misuse of legitimate Visual Studio Code features and vulnerabilities in unmaintained Python libraries for persistent access.
  • AI-Driven Evasion: The shift toward non-deterministic, polymorphic phishing pages utilizing Large Language Model (LLM) APIs to bypass signature-based detection.


Sandworm Linked to Wiper Attack on Poland’s Energy Infrastructure

A coordinated cyberattack targeting Poland’s energy sector in late December 2025 serves as a data point for the ongoing targeting of critical national infrastructure by state-aligned actors. Analysis from security researchers and government officials links Sandworm to a wiper attack on Poland’s energy infrastructure during a period of high regional tension. The operation, occurring on December 29 and 30, targeted two combined heat and power plants alongside management systems for renewable energy sources.

The attribution of this incident to Sandworm, a threat group associated with Russian intelligence services, is based on malware artifacts and operational patterns. Polish Prime Minister Donald Tusk confirmed the link following briefings with national security agencies. The primary tool identified in this intrusion is a malware variant tracked as DynoWiper.

Technical analysis indicates that DynoWiper (also tracked as Win32/KillFiles.NMO) is designed for total data destruction. The malware targets files across the host system, rendering the operating system unbootable and necessitating a full reinstallation or recovery from offline backups. During the Polish incident, the attackers attempted to deploy this wiper within the internal networks of power generation facilities.

The failure of the wiper to execute effectively is attributed to existing security controls within the Polish energy sector, which prevented the malware from reaching the execution phase on critical transmission control systems.

Tracking the iterations of such wipers through a cyber threat intelligence platform is necessary, as state-sponsored groups frequently modify code to bypass signature-based detection. The use of DynoWiper follows a historical trend of Sandworm deploying destructive payloads such as BlackEnergy and Industroyer against utility targets.

Critical Infrastructure Vulnerabilities: The VMware vCenter Vector

While state actors deploy custom malware, they also leverage high-impact vulnerabilities in management software to gain initial access. The Cybersecurity and Infrastructure Security Agency (CISA) recently added CVE-2024-37079 to its Known Exploited Vulnerabilities (KEV) Catalog. This vulnerability affects Broadcom VMware vCenter Server and carries a CVSS score of 9.8.

The flaw is an out-of-bounds write, or heap overflow, located in the implementation of the Distributed Computing Environment / Remote Procedure Call (DCERPC) protocol. An attacker with network access to a vCenter Server can trigger this vulnerability by sending a specifically crafted network packet. This results in Remote Code Execution (RCE) without requiring prior authentication or user interaction.

Organizations should integrate real-time ransomware intelligence to monitor whether specific ransomware groups are currently favoring this vCenter exploit for initial entry. For organizations managing energy infrastructure or financial systems, an unpatched vCenter server represents a single point of failure that can be exploited for data exfiltration or the deployment of ransomware.

Weaponization of Developer Environments: Visual Studio Code and Python PLY

Adversaries are increasingly targeting the tools used to build and manage infrastructure. North Korean (DPRK) threat actors have been observed weaponizing Visual Studio Code (VS Code) to establish persistent access to networks. This campaign repurposes the legitimate VS Code “tunnels” feature to bypass firewalls, as the command-and-control (C2) traffic flows through Microsoft’s reputable infrastructure.

This “living-off-the-land” tactic makes detection difficult because the traffic is indistinguishable from legitimate developer activity. This necessitates a focus on supply-chain risk monitoring to identify when authorized tools are being used for unauthorized remote access.

Similarly, a critical RCE vulnerability has been identified in the Python PLY (Lex-Yacc) library, tracked as CVE-2025-56005 with a CVSS of 9.8. The vulnerability exists in an undocumented parameter named picklefile within the yacc() function. Because the library passes the file named by this parameter to Python’s pickle.load() without validation, an attacker-controlled file yields immediate RCE. As the project is no longer maintained, no official patch is expected, highlighting the risk of “ghost” parameters in legacy libraries.
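A source-level audit for the PLY issue above, and for the library-auditing takeaway later on this page, can be done with Python’s own ast module. The block below is an added example (not code from the original post or from the PLY project) that flags every yacc() call passing picklefile as a keyword argument; the sample source it scans is constructed for illustration.

```python
"""Audit Python source for ply.yacc.yacc() calls that pass the undocumented
picklefile argument (CVE-2025-56005), which PLY hands to pickle.load()."""
import ast
from pathlib import Path

# Constructed sample: one safe yacc() call and one that passes picklefile.
SAMPLE_SOURCE = '''
import ply.yacc as yacc
from ply import yacc as y2
parser = yacc.yacc(debug=False)
parser2 = y2.yacc(picklefile="parsetab.pkl")
'''


def find_picklefile_calls(source: str, filename: str = "<memory>") -> list[tuple[str, int]]:
    """Return (filename, lineno) for each yacc()/x.yacc() call with a
    picklefile= keyword.  Positional use and **kwargs pass-through are not
    resolved here and still need a manual review."""
    findings = []
    for node in ast.walk(ast.parse(source, filename=filename)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        # Match bare `yacc(...)` or attribute form `<module>.yacc(...)`.
        name = func.id if isinstance(func, ast.Name) else getattr(func, "attr", None)
        if name != "yacc":
            continue
        if any(kw.arg == "picklefile" for kw in node.keywords):
            findings.append((filename, node.lineno))
    return findings


def scan_tree(root: Path) -> list[tuple[str, int]]:
    """Audit every .py file under root; unparsable files are skipped."""
    results = []
    for path in root.rglob("*.py"):
        try:
            results.extend(find_picklefile_calls(path.read_text(encoding="utf-8"), str(path)))
        except (SyntaxError, UnicodeDecodeError):
            continue
    return results


if __name__ == "__main__":
    for fname, line in find_picklefile_calls(SAMPLE_SOURCE):
        print(f"{fname}:{line}: yacc() called with picklefile= (unvalidated pickle.load)")
```

Run scan_tree(Path("path/to/project")) against a checkout to get a list of locations to review.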

Generative AI and Polymorphic Phishing Tactics

Research from Palo Alto Networks Unit 42 has identified the emergence of “living” polymorphic phishing pages. Traditional phishing sites host static HTML that can be flagged by security scanners. The GenAI-driven approach avoids this by hosting a “clean” page that makes client-side API calls to legitimate Large Language Model (LLM) providers like Gemini or DeepSeek.

Through prompt engineering, the page instructs the LLM to generate the malicious JavaScript required to harvest credentials in real-time. Because the AI’s output is non-deterministic, the resulting code is unique for every visitor. This polymorphism ensures that signature-based breach detection tools cannot identify the threat.

Practical Takeaways for Technical Teams

  1. Memory Protection and Patching: Immediate priority must be given to patching CVE-2024-37079 in VMware vCenter. Restrict access to vCenter management interfaces to only authorized administrative IPs via micro-segmentation.
  2. Library Auditing: Scan Python environments for the PLY library. If yacc() is used, ensure that the picklefile parameter is not being passed. Consider migrating to maintained libraries like Lark.
  3. Developer Tool Monitoring: Monitor for the execution of code.exe with tunneling arguments (e.g., --tunnel). Alert on outbound connections to Microsoft’s tunneling infrastructure that do not correlate with known schedules.
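The developer-tool monitoring item above can be expressed as a simple rule over process-creation events. The block below is an added example, not code from the original post: it flags VS Code binaries launched with a tunnel argument. The JSON-lines events are constructed for illustration and do not follow any vendor’s schema.

```python
"""Flag process-creation events where a VS Code binary is started with tunnel
arguments (the `tunnel` subcommand or `--tunnel`)."""
import json
import shlex

# Constructed sample events: one normal editor launch, two tunnel launches,
# and an unrelated process whose script happens to be named tunnel.py.
SAMPLE_EVENTS = "\n".join([
    json.dumps({"host": "dev01", "image": r"C:\Users\a\AppData\Local\Programs\Microsoft VS Code\Code.exe",
                "cmdline": r'"C:\Users\a\AppData\Local\Programs\Microsoft VS Code\Code.exe" --folder-uri file:///C:/src'}),
    json.dumps({"host": "dev02", "image": r"C:\Program Files\Microsoft VS Code\bin\code.exe",
                "cmdline": "code.exe tunnel"}),
    json.dumps({"host": "web01", "image": "/usr/bin/code", "cmdline": "code --tunnel"}),
    json.dumps({"host": "dev03", "image": "/usr/bin/python3", "cmdline": "python3 tunnel.py"}),
])

VSCODE_BINARIES = {"code", "code.exe", "code-insiders", "code-insiders.exe"}
TUNNEL_TOKENS = {"tunnel", "--tunnel"}


def is_tunnel_launch(event: dict) -> bool:
    """True when the image is a VS Code binary and any argument after argv[0]
    is a tunnel token.  The image path, not the command line, decides what
    binary ran, so `python3 tunnel.py` is not a match."""
    image_name = event["image"].replace("\\", "/").rsplit("/", 1)[-1].lower()
    if image_name not in VSCODE_BINARIES:
        return False
    try:
        argv = shlex.split(event["cmdline"])
    except ValueError:  # unbalanced quotes in the captured command line
        argv = event["cmdline"].split()
    return any(tok.lower() in TUNNEL_TOKENS for tok in argv[1:])


def find_tunnel_launches(jsonl: str) -> list[str]:
    """Return the hosts whose events match, in input order."""
    hosts = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if is_tunnel_launch(event):
            hosts.append(event["host"])
    return hosts


if __name__ == "__main__":
    for host in find_tunnel_launches(SAMPLE_EVENTS):
        print(f"ALERT {host}: VS Code started with tunnel arguments")
```

Correlate any hit with change tickets or known developer schedules before escalating, as the page notes the traffic itself looks like normal developer activity.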


PurpleOps Expertise in Infrastructure Protection

PurpleOps provides the technical depth necessary to navigate these threats through specialized services. Our team identifies vulnerabilities in third-party libraries like PLY before they can be exploited, providing comprehensive PurpleOps Solutions that look beyond simple signatures.

Through our cyber threat intelligence platform, we offer access to real-time ransomware intelligence and Telegram threat monitoring. For organizations concerned about exposure, our brand leak alerting ensures that compromised credentials are neutralized.


Frequently Asked Questions

What is DynoWiper and why is it dangerous?
DynoWiper is a destructive malware variant attributed to the Sandworm group. It is designed to wipe files across a system, rendering the OS unbootable and forcing organizations to rely on offline backups for recovery.

How can I protect my VMware environment from CVE-2024-37079?
Organizations must apply the patches provided by Broadcom/VMware immediately. Additionally, use network segmentation to ensure the vCenter management interface is not exposed to the public internet or untrusted internal segments.

What makes GenAI-driven phishing different from traditional phishing?
Traditional phishing relies on static code that is easily recognized by signatures. GenAI phishing uses LLM APIs to generate unique, non-deterministic malicious code for every user, making it invisible to standard security filters.

Is there a patch for the Python PLY library vulnerability?
No. The PLY library is currently unmaintained. Users should audit their code to ensure the picklefile parameter is not used or migrate to modern, maintained parsing libraries.