A newly discovered wiper malware named PathWiper has been identified as a significant cyber threat targeting Ukraine’s critical infrastructure, according to researchers from Cisco Talos.

This destructive software showcases a high level of technical sophistication and has been attributed with high confidence to a Russia-linked advanced persistent threat (APT) group.

The timing and context of the attack demonstrate a continued escalation of destructive cyber activity in the ongoing Russia-Ukraine conflict, with critical infrastructure remaining at the epicenter of this digital battleground.

Attack Chain And Propagation Mechanism

PathWiper operates by infiltrating legitimate endpoint administration tools used within targeted organizations.

The attackers leveraged access to an administrative console, a central control mechanism for managing endpoints, to distribute malicious commands across the network.

By issuing instructions through this trusted administrative framework, the attackers ensured that the malware would be propagated efficiently and with minimal suspicion.

The deployment began with the attacker instructing the console to send a batch (BAT) file to connected endpoints.

Upon execution, this BAT file ran a VBScript, named ‘uacinstall.vbs’, which in turn, dropped and launched the PathWiper executable, misleadingly named ‘sha256sum.exe’.

This sequence, which uses common administrative paths and filenames, demonstrates the adversaries’ familiarity with the victim environment: they mimicked legitimate activity to remain undetected.

The process can be visualized as the administrative console pushing a command such as ‘C:\WINDOWS\System32\WScript.exe C:\WINDOWS\TEMP\uacinstall.vbs’ to endpoints, which subsequently executes the wiper payload ‘C:\WINDOWS\TEMP\sha256sum.exe’.

By blending into regular administrative traffic, PathWiper avoided triggering alarms until the destructive phase was underway.
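The chain above (a BAT file, then WScript.exe running ‘uacinstall.vbs’ from C:\WINDOWS\TEMP, then ‘sha256sum.exe’ from the same directory) leaves a recognisable pattern in process-creation telemetry. The following is an added example, not code from the article or from Cisco Talos: it scores Sysmon Event ID 1 style records (fields `Image`, `ParentImage`, `CommandLine`, `Hashes`, `Computer`) against that pattern and against the SHA-256 listed in the article’s IOC section. The sample events are constructed for the example; only the PathWiper hash is taken from the page.

```python
"""Score Windows process-creation events against the PathWiper delivery chain.

Added example (not the article's or Cisco Talos's code). Field names follow
Sysmon Event ID 1; SAMPLE_EVENTS below are constructed, except for the
published PathWiper SHA-256, which comes from the article's IOC section.
"""
import re
from dataclasses import dataclass, field

# SHA-256 of the PathWiper executable, from the article's IOC section.
PATHWIPER_SHA256 = {
    "7c792a2b005b240d30a6e22ef98b991744856f9ab55c74df220f32fe0d00b6b3",
}
TEMP_DIR = "c:\\windows\\temp\\"
# A .vbs launched from C:\WINDOWS\TEMP (the uacinstall.vbs stage).
TEMP_VBS_RE = re.compile(r"c:\\windows\\temp\\[^\s\"']+\.vbs")


@dataclass
class Alert:
    host: str
    image: str
    severity: str
    reasons: list = field(default_factory=list)


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _sha256(hashes: str) -> str:
    """Pull the SHA256 out of a Sysmon 'Hashes' field such as 'SHA256=..,MD5=..'."""
    m = re.search(r"sha256=([0-9a-f]{64})", hashes.lower())
    return m.group(1) if m else ""


def score_event(ev: dict) -> list:
    """Return the list of chain indicators one event matches (empty if none)."""
    image = ev.get("Image", "")
    img_l = image.lower()
    cmd_l = ev.get("CommandLine", "").lower()
    parent = _basename(ev.get("ParentImage", ""))
    reasons = []

    if _sha256(ev.get("Hashes", "")) in PATHWIPER_SHA256:
        reasons.append("SHA-256 matches published PathWiper IOC")

    if _basename(image) == "wscript.exe" and TEMP_VBS_RE.search(cmd_l):
        reasons.append("WScript.exe running a .vbs from C:\\WINDOWS\\TEMP")
        if parent == "cmd.exe":
            reasons.append("script host spawned by cmd.exe (BAT stage)")
        if "uacinstall.vbs" in cmd_l:
            reasons.append("script name matches uacinstall.vbs")

    if img_l.startswith(TEMP_DIR) and img_l.endswith(".exe"):
        reasons.append("executable launched from C:\\WINDOWS\\TEMP")
        if _basename(image) == "sha256sum.exe":
            reasons.append("binary name matches PathWiper payload sha256sum.exe")
    return reasons


def severity(reasons: list) -> str:
    """Hash or payload-name hits are critical; several weaker hits are high."""
    if any("IOC" in r or "sha256sum.exe" in r for r in reasons):
        return "critical"
    return "high" if len(reasons) >= 2 else "medium" if reasons else "none"


def scan(events: list) -> list:
    """Run every event through score_event and return Alerts for the hits."""
    alerts = []
    for ev in events:
        reasons = score_event(ev)
        if reasons:
            alerts.append(Alert(ev.get("Computer", "?"), ev.get("Image", ""),
                                severity(reasons), reasons))
    return alerts


# Constructed sample telemetry: two benign events and the two chain stages the
# article describes. Hashes are placeholders except the published PathWiper one.
SAMPLE_EVENTS = [
    {"Computer": "ws01", "Image": "C:\\Windows\\System32\\WScript.exe",
     "ParentImage": "C:\\Windows\\System32\\userinit.exe",
     "CommandLine": "WScript.exe \\\\dc01\\netlogon\\mapdrives.vbs",
     "Hashes": "SHA256=" + "a" * 64},
    {"Computer": "ws02", "Image": "C:\\WINDOWS\\System32\\WScript.exe",
     "ParentImage": "C:\\WINDOWS\\System32\\cmd.exe",
     "CommandLine": "C:\\WINDOWS\\System32\\WScript.exe C:\\WINDOWS\\TEMP\\uacinstall.vbs",
     "Hashes": "SHA256=" + "b" * 64},
    {"Computer": "ws02", "Image": "C:\\WINDOWS\\TEMP\\sha256sum.exe",
     "ParentImage": "C:\\WINDOWS\\System32\\WScript.exe",
     "CommandLine": "C:\\WINDOWS\\TEMP\\sha256sum.exe",
     "Hashes": "SHA256=7C792A2B005B240D30A6E22EF98B991744856F9AB55C74DF220F32FE0D00B6B3"},
    {"Computer": "ws03", "Image": "C:\\Program Files\\Git\\usr\\bin\\sha256sum.exe",
     "ParentImage": "C:\\Program Files\\Git\\usr\\bin\\bash.exe",
     "CommandLine": "sha256sum release.zip",
     "Hashes": "SHA256=" + "c" * 64},
]

if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"[{a.severity}] {a.host} {a.image}: {'; '.join(a.reasons)}")
```

The benign sha256sum.exe from a Git installation and the logon script run by WScript.exe score nothing, because the rules key on the TEMP directory, the parent cmd.exe and the published hash rather than on the tool names alone; the two stages on ws02 are reported as separate alerts, which is the point at which an administrative console pushing the same command to many endpoints would show up as the same pair repeated across hosts.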

Technical Capabilities And Destructive Behavior

PathWiper’s primary objective is to inflict irreversible damage to an organization’s data and system functionality.

Upon execution, the malware systematically gathers a comprehensive list of all storage volumes attached to the infected system, including physical drives, volume names, network shares, and even disconnected drives that it finds through registry queries.

This information is collected programmatically via Windows APIs and by reading registry paths such as ‘HKEY_USERS\Network\<drive_letter>\RemotePath’ to detect mapped network drives.

  • Armed with exhaustive knowledge of the system’s storage resources, PathWiper launches multiple threads, one for each detected drive and volume.
  • Each thread initiates a rapid and concurrent process to overwrite critical artifacts on the disk with randomly generated bytes.

The wiper specifically targets and corrupts essential NTFS file system structures, such as the Master Boot Record (MBR), Master File Table ($MFT), its mirror ($MFTMirr), $LogFile, $Boot, $Bitmap, $TxfLog, $Tops, and $AttrDef.

These artifacts are core components that govern how data is accessed and managed on Windows systems.

By destroying them, PathWiper ensures that not only is data rendered unrecoverable, but the file system itself becomes corrupt and unbootable.

Furthermore, before beginning the overwrite process, the malware attempts to dismount volumes using the FSCTL_DISMOUNT_VOLUME IOCTL to the MountPointManager device object.

This step is designed to minimize interference during the wiping operation, ensuring maximum effectiveness and irreversibility.

PathWiper’s approach stands out when compared to previous malware like HermeticWiper, which targeted Ukraine in early 2022.

While HermeticWiper relied on simply enumerating physical drives and attempting to overwrite them, PathWiper uses a more deliberate, targeted method: identifying, validating, and then destroying all connected drives, including those that are dismounted or temporarily disconnected.

Analysts note that these techniques have allowed PathWiper to become both highly destructive and fast, wiping all accessible data across the network in a matter of minutes.

The technical breadth of this malware showcases the adversaries’ deep understanding of Windows internals and administrative infrastructure, making detection and response a race against time once the wiper is unleashed.

As Ukraine continues to bolster its cyber resilience, PathWiper serves as a reminder of the evolving challenges posed by APTs and nation-state actors targeting critical civilian and military assets in cyberspace.

Indicators Of Compromise (IOCs)

7C792A2B005B240D30A6E22EF98B991744856F9AB55C74DF220F32FE0D00B6B3
Varshini

Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.
