Saturday, June 7, 2025

New PathWiper Data Wiper Malware Hits Critical Infrastructure in Ukraine

A sophisticated Russian-linked cyberattack deployed the new PathWiper data wiper malware against Ukrainian critical infrastructure, leveraging admin console access to cause widespread data loss. This comprehensive analysis examines PathWiper’s mechanisms, attribution, and urgent cybersecurity lessons for defenders.


Ukraine’s Infrastructure Faces New Cyber Threat: PathWiper Data Wiper Malware

PathWiper data wiper malware has recently targeted critical infrastructure in Ukraine, marking a significant escalation in destructive cyberattacks amidst ongoing regional conflicts. Most importantly, this attack showcases a sophisticated method of leveraging legitimate tools to maximize impact and evade detection. As cybersecurity professionals and decision-makers monitor this new threat, understanding the inner workings and broader implications of PathWiper becomes crucial.

What is PathWiper Malware?

PathWiper is a previously unseen data-wiping malware first identified by cybersecurity researchers at Cisco Talos. This malware is designed to systematically destroy data on targeted endpoints, with a primary focus on critical infrastructure entities within Ukraine. PathWiper’s emergence highlights the continuously evolving cyber threat landscape, especially for sectors vital to national security and public welfare.

How PathWiper Operates

Unlike traditional malware that relies on social engineering or exploits vulnerabilities, PathWiper leverages access to legitimate endpoint administration frameworks. The attackers used an administrative console—a tool legitimate admins typically use for managing endpoints—to push malicious scripts and binaries across devices within the network. Because the attackers had deep familiarity with these management tools, they effectively disguised malicious commands to appear as routine administrative tasks, minimizing suspicion and maximizing reach.[1]

Here’s how the attack unfolded:

  • The attackers gained access to the enterprise’s admin console.
  • Through this privileged platform, they issued batch (BAT) files to all endpoints.
  • Each BAT file executed a malicious Visual Basic Script (VBScript), which then dropped the core wiper binary disguised as “sha256sum.exe”.
  • This binary, once executed, began the systematic destruction of files and disk structures, wiping out both local and network storage.
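The delivery chain above (batch file, then VBScript, then a binary disguised as sha256sum.exe) is something a defender can look for in process-creation telemetry. The following is an added example, not code from the article or from Cisco Talos: it assumes Sysmon-style fields (pid, ppid, image path, command line), takes only the sha256sum.exe name and the chain itself from the article, and runs over constructed sample events.

```python
"""Flag the PathWiper delivery chain (BAT -> VBScript -> sha256sum.exe) in
process-creation telemetry. Added example, not code from the article or Talos;
Sysmon-style fields are assumed and the sample events below are constructed."""
import ntpath
from collections import namedtuple

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SUSPECT_NAME = "sha256sum.exe"  # disguise name the article reports for the wiper
ProcEvent = namedtuple("ProcEvent", "pid ppid image cmdline")  # image = full path


def basename(path: str) -> str:
    return ntpath.basename(path).lower()


def lineage(ev: ProcEvent, by_pid: dict) -> list:
    """Walk parent pointers from ev up to the oldest ancestor in the telemetry."""
    chain, seen = [ev], {ev.pid}
    while ev.ppid in by_pid and ev.ppid not in seen:
        ev = by_pid[ev.ppid]
        seen.add(ev.pid)
        chain.append(ev)
    return chain


def detect(events: list) -> list:
    """One finding per sha256sum.exe launch whose ancestry shows a script host
    or a batch file; a plain launch (e.g. Git's sha256sum from bash) is silent."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for ev in events:
        if basename(ev.image) != SUSPECT_NAME:
            continue
        chain = lineage(ev, by_pid)
        names = [basename(e.image) for e in chain]
        reasons = []
        if len(names) > 1 and names[1] in SCRIPT_HOSTS:
            reasons.append("spawned by script host")
        if any(n == "cmd.exe" and ".bat" in e.cmdline.lower()
               for n, e in zip(names[1:], chain[1:])):
            reasons.append("batch file in ancestry")
        if reasons:
            findings.append({"pid": ev.pid, "lineage": names, "reasons": reasons})
    return findings


# Constructed sample telemetry: one staged chain plus a benign Git for Windows use.
SAMPLE_EVENTS = [
    ProcEvent(4000, 800, r"C:\Windows\System32\cmd.exe", r"cmd.exe /c C:\Windows\Temp\task.bat"),
    ProcEvent(4050, 4000, r"C:\Windows\System32\wscript.exe", r"wscript.exe C:\Windows\Temp\task.vbs"),
    ProcEvent(4100, 4050, r"C:\Windows\Temp\sha256sum.exe", "sha256sum.exe"),
    ProcEvent(5000, 900, r"C:\Program Files\Git\usr\bin\sha256sum.exe", "sha256sum.exe release.zip"),
]
```

In a real deployment the same lineage check belongs in the EDR or SIEM query language, keyed on the parent-process relationships rather than on the file name alone, since the name is trivially changed.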

Technical Characteristics of PathWiper

PathWiper distinguishes itself with a highly targeted, programmatic approach to data wiping. Upon execution, it:

  • Maps all connected storage media, including network drives and dismounted volumes.
  • Reads each volume’s label to verify it and records the volumes it validates.
  • Spawns a separate thread for each discovered drive or volume, maximizing the speed and efficiency of the attack.
  • Overwrites key disk artifacts, including Master Boot Record (MBR), NTFS Master File Table ($MFT), and other critical structures, with random data.[5]
  • Queries Windows registry paths to locate and target shared network drives.

As a result, PathWiper’s impact is thorough, leaving little chance for data recovery or forensic investigation. In addition, the malware mimics the operating patterns of the legitimate admin console utility, helping it evade basic detection measures and increasing its destructive capability.

Attribution and Motivation: Russia-Nexus Activity

Researchers attribute PathWiper’s deployment to a Russian advanced persistent threat (APT) group. This assessment is based on observed tradecraft and notable similarities to previous destructive malware attacks, such as HermeticWiper used at the outset of Russia’s 2022 invasion of Ukraine.[1] For example, both PathWiper and HermeticWiper corrupt master boot records and NTFS structures, though PathWiper employs more refined and targeted corruption techniques.[4]

This campaign is part of an ongoing cyberwarfare strategy aimed at crippling essential Ukrainian services and sowing chaos in the digital domain. The use of legitimate administrative tools suggests a well-funded and deeply entrenched adversary with extensive knowledge of targeted environments.


Implications for Cybersecurity and Critical Infrastructure

The PathWiper incident underscores the growing risk that highly specialized, destructive malware poses to national infrastructure. For organizations, especially those in critical sectors, proactive security measures such as stringent access controls, continuous monitoring of privileged accounts, and regular backup validation become indispensable. Because attackers increasingly leverage legitimate administrative tools, endpoint detection and response (EDR) that can spot suspicious use of such consoles is vital.

Most importantly, this attack serves as a stark reminder: robust cybersecurity hygiene and threat intelligence sharing must be foundational elements of modern infrastructure management. As wiper malware like PathWiper evolves, defenders must adapt quickly to detect, contain, and mitigate these sophisticated threats.

References

Riley Morgan, https://cosmicmeta.io