A new wiper malware known as PathWiper has been used in a destructive cyber-attack against a Ukrainian critical infrastructure organization.
The attack was executed using a legitimate endpoint management tool, suggesting the attackers had access to the administrative console, which they used to push malicious commands to connected systems.
PathWiper represents an evolution in destructive malware, with capabilities that enable it to erase critical system data across multiple storage volumes.
Cisco Talos, which uncovered and analyzed the attack, has attributed it with high confidence to a Russian advanced persistent threat (APT) actor. Their assessment is based on similar tactics and wiper behavior in previous malware campaigns linked to Russian state-sponsored groups targeting Ukraine.
The malware deployment was orchestrated via the endpoint administration framework. The console issued commands mimicking routine activity but executed a VBScript file. This script then wrote the wiper executable to the system’s disk and ran it, beginning the destruction process.
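The delivery chain above (management console runs a script host, the script writes an executable, the executable is launched) is something endpoint telemetry can correlate. The following is an added detection example, not code from the Cisco Talos report; the agent process name `mgmt_agent.exe`, the Sysmon-style event shape and the sample events are all constructed assumptions.

```python
import ntpath
from dataclasses import dataclass

# Placeholder name for the endpoint-management agent process (ASSUMPTION:
# the article does not name the tool; substitute your environment's agent).
MGMT_AGENTS = {"mgmt_agent.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

@dataclass
class Event:
    kind: str         # "proc" = process creation, "file" = file written
    pid: int          # process id (the writing process for "file" events)
    ppid: int = 0     # parent pid ("proc" events only)
    image: str = ""   # full image path of the new process ("proc")
    target: str = ""  # path of the file written ("file")

def _name(path):
    return ntpath.basename(path).lower()

def detect_script_drop_and_run(events):
    """Return (script_host_pid, dropped_exe) for each chain where a script host
    launched by the management agent wrote an executable that was then run."""
    procs = {e.pid: e for e in events if e.kind == "proc"}
    flagged_hosts = {
        e.pid for e in procs.values()
        if _name(e.image) in SCRIPT_HOSTS
        and e.ppid in procs and _name(procs[e.ppid].image) in MGMT_AGENTS
    }
    dropped = {e.target.lower(): e.pid for e in events
               if e.kind == "file" and e.pid in flagged_hosts
               and e.target.lower().endswith(".exe")}
    return [(dropped[e.image.lower()], e.image) for e in events
            if e.kind == "proc" and e.image.lower() in dropped]

# Constructed sample telemetry (not real logs): one malicious chain, one benign.
SAMPLE = [
    Event("proc", 100, 1,   r"C:\Program Files\MgmtAgent\mgmt_agent.exe"),
    Event("proc", 200, 100, r"C:\Windows\System32\wscript.exe"),
    Event("file", 200, target=r"C:\Windows\Temp\svc_update.exe"),
    Event("proc", 300, 200, r"C:\Windows\Temp\svc_update.exe"),
    Event("proc", 400, 1,   r"C:\Windows\explorer.exe"),
    Event("proc", 500, 400, r"C:\Windows\System32\wscript.exe"),
    Event("file", 500, target=r"C:\Users\alice\report.txt"),
]

if __name__ == "__main__":
    for host_pid, exe in detect_script_drop_and_run(SAMPLE):
        print(f"ALERT: script host pid {host_pid} dropped and ran {exe}")
```

Only the chain rooted at the management agent is reported; the user-launched script that writes a text file produces no alert.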
Once launched, PathWiper scans the system to identify all attached storage media, including:
- Physical drives
- Volume names and paths
- Network shares, including those no longer active
It does this using system APIs and registry queries to locate shared drives.
After mapping the storage environment, it spawns a thread for each discovered volume and begins overwriting key filesystem components with random data.
Targeted artifacts include essential NTFS structures such as the master boot record (MBR), $MFT and $LogFile.
Before beginning the overwrite process, PathWiper attempts to dismount volumes to avoid file locks. This approach is particularly damaging as it ensures that both active and inactive drives are corrupted beyond easy recovery.
According to Cisco Talos, the malware’s behavior resembles HermeticWiper, a 2022 wiper linked to Russia’s Sandworm group, but with more precise and systematic targeting.
While HermeticWiper blindly targeted drives from 0 to 100, PathWiper carefully validates drive labels and volumes before executing its destructive routine.
Cisco Talos emphasized that the use of a legitimate administrative console and the attacker’s familiarity with the tool’s operations point to a high level of sophistication and prior access.
To defend against similar threats, organizations should regularly audit access controls, segment critical networks, apply strict least-privilege principles and ensure endpoint monitoring tools are configured to detect unusual administrative behavior.