Neighbor News
PathWiper Malware Strikes Ukrainian Infrastructure
Russia-backed Hackers Use Advanced Wiper Malware to Disrupt Ukrainian Systems in Latest Cyber Offensive

Trenton, N.J. — A newly discovered data-wiping malware, dubbed "PathWiper," has struck critical infrastructure in Ukraine, marking a significant escalation in the ongoing cyber conflict associated with the Russia-Ukraine war. Security researchers from Cisco Talos revealed that the attack leveraged a legitimate endpoint administration framework, granting the attackers administrative console access to deploy the destructive malware across multiple endpoints within the targeted organization.
Attack Methodology and Technical Details
The PathWiper attack was orchestrated through the administrative console of an endpoint management tool, suggesting that the perpetrators had already compromised high-level access within the victim organization. Malicious commands were issued via this console, which were then executed as batch files on client endpoints. These batch files triggered a Visual Basic Script (VBScript) named "uacinstall.vbs," dropped into the Windows TEMP folder, which subsequently deployed the wiper binary under the name "sha256sum.exe".
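The deployment chain described above (management agent launches a batch file, the batch file runs uacinstall.vbs from the TEMP folder via a script host, and the script host starts sha256sum.exe) is something a defender can look for in process-creation telemetry. The following detection logic is an added example written for this article and is not code from the Cisco Talos report or from any vendor tool. The only indicators it takes from the article are the two filenames; the event field names, the process-tree layout, the name `agent.exe` for the endpoint-management agent, and all sample events are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List

# One process-creation event, as an EDR or Sysmon-style sensor would report it.
# Field names are assumed for this example.
@dataclass(frozen=True)
class ProcessEvent:
    pid: int
    ppid: int
    image: str      # full path of the started executable
    cmdline: str
    host: str

# Artifact names reported for this campaign (from the article). Attackers can
# rename both at will, so the script-host-in-TEMP check below is the more
# durable of the two signals.
DROPPER_SCRIPT = "uacinstall.vbs"
WIPER_IMAGE = "sha256sum.exe"
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def _in_temp(text: str) -> bool:
    """True if a path in the text passes through a directory called Temp."""
    return "/temp/" in text.replace("\\", "/").lower()


def _chain(event: ProcessEvent, by_pid: Dict[int, ProcessEvent], depth: int = 4) -> str:
    """Render the ancestry of an event as 'child <- parent <- grandparent'."""
    names: List[str] = []
    cur = event
    while cur is not None and len(names) < depth:
        names.append(_basename(cur.image))
        cur = by_pid.get(cur.ppid)
    return " <- ".join(names)


def find_wiper_chains(events: List[ProcessEvent]) -> List[Dict[str, object]]:
    """
    Return findings for processes spawned by a script host.
      high   - script host running uacinstall.vbs starts sha256sum.exe
               (the exact chain described in the article)
      medium - script host running any .vbs from a Temp directory starts
               a child process (generic dropper behaviour)
    PIDs are assumed unique within the batch; real telemetry needs a
    process GUID to survive PID reuse.
    """
    by_pid = {e.pid: e for e in events}
    findings: List[Dict[str, object]] = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is None or _basename(parent.image) not in SCRIPT_HOSTS:
            continue
        parent_cmd = parent.cmdline.lower()
        if DROPPER_SCRIPT in parent_cmd and _basename(e.image) == WIPER_IMAGE:
            severity = "high"
        elif _in_temp(parent_cmd) and ".vbs" in parent_cmd:
            severity = "medium"
        else:
            continue
        findings.append({
            "severity": severity,
            "host": e.host,
            "pid": e.pid,
            "chain": _chain(e, by_pid),
        })
    return findings


# Constructed sample telemetry: one chain matching the article, one generic
# TEMP-resident VBScript dropper, and two benign look-alikes.
SAMPLE_EVENTS = [
    ProcessEvent(100, 1, r"C:\Program Files\EndpointMgmt\agent.exe", "agent.exe", "ws01"),
    ProcessEvent(200, 100, r"C:\Windows\System32\cmd.exe", r"cmd.exe /c C:\Windows\Temp\deploy.bat", "ws01"),
    ProcessEvent(300, 200, r"C:\Windows\System32\wscript.exe", r"wscript.exe C:\Windows\Temp\uacinstall.vbs", "ws01"),
    ProcessEvent(400, 300, r"C:\Windows\Temp\sha256sum.exe", "sha256sum.exe", "ws01"),
    # Benign: a real sha256sum from a Git install, not started by a script host.
    ProcessEvent(500, 1, r"C:\Program Files\Git\usr\bin\sha256sum.exe", "sha256sum.exe image.iso", "ws02"),
    # Benign: logon script outside Temp launching an editor.
    ProcessEvent(600, 1, r"C:\Windows\System32\wscript.exe", r"wscript.exe C:\Scripts\logon.vbs", "ws02"),
    ProcessEvent(700, 600, r"C:\Windows\System32\notepad.exe", "notepad.exe", "ws02"),
    # Suspicious but not the named chain: VBScript in a user Temp folder spawning PowerShell.
    ProcessEvent(800, 1, r"C:\Windows\System32\wscript.exe", r"wscript.exe C:\Users\a\AppData\Local\Temp\x.vbs", "ws03"),
    ProcessEvent(900, 800, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell.exe", "ws03"),
]

if __name__ == "__main__":
    for f in find_wiper_chains(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['host']} pid={f['pid']}: {f['chain']}")
```

Against the constructed events this reports one high-severity chain on ws01 (`sha256sum.exe <- wscript.exe <- cmd.exe <- agent.exe`) and one medium-severity finding on ws03; the Git copy of sha256sum.exe and the logon script are not flagged. The "high" rule is brittle by design, since the article notes the names were chosen to blend in with the management console's own activity; the "medium" rule is what catches a renamed variant.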
Once executed, PathWiper systematically identifies all connected storage media—including physical drives, volume names, paths, and network drives—before creating a dedicated thread for each detected path. The malware proceeds to overwrite key disk artifacts and files with randomly generated bytes, targeting critical components such as the Master Boot Record (MBR), NTFS metadata files ($MFT, $MFTMirr, $LogFile, $Boot, $Bitmap, $TxfLog, $Tops, $AttrDef), and attempting to dismount volumes to maximize destruction.
"Throughout the course of the attack, filenames and actions used were intended to mimic those deployed by the administrative utility's console, indicating that the attackers had prior knowledge of the console and possibly its functionality within the victim enterprise's environment," Cisco Talos wrote.
Cisco Talos researchers emphasized that the filenames and actions used during the PathWiper attack were crafted to mimic legitimate administrative activity, indicating a deep familiarity with the targeted environment. The incident serves as a stark reminder of the risks posed by compromised administrative tools and the growing prevalence of wiper malware as a weapon of cyber warfare.
According to Cisco Talos, the malware’s behavior resembles HermeticWiper, also known as FoxBlade or NEARMISS, and is attributed to Russia’s Sandworm group with high confidence. This assessment is based on observed tactics, techniques, and procedures that closely align with those used in previous destructive malware campaigns attributed to Russian state-sponsored actors, particularly those targeting Ukraine since the onset of the Russia-Ukraine conflict.
While similar to its predecessor HermeticWiper, PathWiper operates with more precise and systematic targeting. Both malware families corrupt the MBR and NTFS-related artifacts. However, PathWiper distinguishes itself by programmatically enumerating all connected and dismounted drives and volumes for targeted overwriting, rather than simply iterating through physical drives.
The deployment of PathWiper underscores the continued evolution and sophistication of wiper malware in the ongoing Russia-Ukraine conflict. The consistent targeting of Ukrainian infrastructure and the technical overlap with earlier Russian-attributed wiper attacks further reinforce the attribution to a Russia-nexus threat actor. Destructive cyberattacks have become a hallmark of modern hybrid warfare, often timed to coincide with kinetic military actions. As the conflict endures, cybersecurity experts warn that the emergence of new wiper strains like PathWiper is likely to continue, with potential ramifications not only for Ukraine but for critical infrastructure operators worldwide.