New pathWiper Malware Strikes Critical Infrastructure with Admin Tool Deployment

A significant and destructive cyberattack has recently been observed targeting a critical infrastructure entity in Ukraine, involving the deployment of a previously unknown data-wiping malware now identified as “PathWiper.”

Researchers from Cisco Talos disclosed that the highly targeted campaign leveraged a legitimate endpoint administration framework, a tactic that not only demonstrates advanced attacker proficiency but also points to the likelihood of the attackers having gained access to the administrative console within the victim’s environment.

This strategic access enabled threat actors to issue malicious commands that facilitated the widespread deployment of PathWiper across multiple connected endpoints with alarming efficiency.

Attack Orchestrated Using Legitimate Administrative Tools

The chain of attack began when commands, initiated from the compromised administrative console, were received by endpoint clients and executed as batch files.

The batch file’s primary role was to launch a malicious VBScript, named ‘uacinstall.vbs’, which was surreptitiously distributed to endpoints via the same administrative tool.

Upon execution, this script wrote the PathWiper payload disguised as ‘sha256sum.exe’ onto the system drive and ran it, effectively camouflaging its malicious intent amidst legitimate administrative activity.

The attack’s operations closely mimicked the expected behavior of the administration console, a clear indicator that the adversaries possessed deep contextual knowledge of the victim organization’s infrastructure and its operational tooling.
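The deployment chain described above (batch file, then ‘uacinstall.vbs’, then a payload written to the drive root as ‘sha256sum.exe’) leaves a recognisable parent/child pattern in process-creation telemetry. The following is an added detection example, not code from Cisco Talos or the article; the Sysmon-style field names and the sample events are constructed assumptions, and the only real indicator used is the SHA256 from the article's IOC table.

```python
"""Flag the PathWiper deployment chain in constructed process-creation events.
Field names (Image, CommandLine, ParentImage, Hashes) mimic Sysmon Event ID 1
and are assumptions; the events below are constructed, not real telemetry."""
import re

# Indicator taken from the article's IOC table.
PATHWIPER_SHA256 = "7C792A2B005B240D30A6E22EF98B991744856F9AB55C74DF220F32FE0D00B6B3"

# Constructed sample events, in the order the chain would appear.
EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe", "CommandLine": r"cmd.exe /c C:\ProgramData\deploy.bat",
     "ParentImage": r"C:\Program Files\EndpointAgent\agent.exe", "Hashes": "SHA256=AAA"},
    {"Image": r"C:\Windows\System32\wscript.exe", "CommandLine": r"wscript.exe C:\ProgramData\uacinstall.vbs",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "Hashes": "SHA256=BBB"},
    {"Image": r"C:\sha256sum.exe", "CommandLine": r"C:\sha256sum.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe", "Hashes": "SHA256=" + PATHWIPER_SHA256},
    # Legitimate sha256sum.exe (e.g. from a Git install) must NOT be flagged.
    {"Image": r"C:\Program Files\Git\usr\bin\sha256sum.exe", "CommandLine": "sha256sum.exe file.iso",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "Hashes": "SHA256=CCC"},
]

def sha256_of(event):
    """Extract the 64-hex SHA256 from a Sysmon-style Hashes field, or None."""
    m = re.search(r"SHA256=([0-9A-Fa-f]{64})", event.get("Hashes", ""))
    return m.group(1).upper() if m else None

def classify(event):
    """Return the list of reasons an event is suspicious; empty means benign."""
    reasons = []
    image = event["Image"].lower()
    cmd = event["CommandLine"].lower()
    parent = event["ParentImage"].lower()
    if sha256_of(event) == PATHWIPER_SHA256:
        reasons.append("known PathWiper hash")
    # Script host launching the dropper script name named in the report.
    if parent.endswith("cmd.exe") and image.endswith("wscript.exe") and "uacinstall.vbs" in cmd:
        reasons.append("uacinstall.vbs launched from batch")
    # A binary called sha256sum.exe sitting at a drive root, spawned by a script host.
    if re.fullmatch(r"[a-z]:\\sha256sum\.exe", image) and parent.endswith(("wscript.exe", "cscript.exe")):
        reasons.append("sha256sum.exe at drive root spawned by script host")
    return reasons

def scan(events):
    """Return (image, reasons) for every event that triggers at least one rule."""
    hits = [(e["Image"], classify(e)) for e in events]
    return [(img, r) for img, r in hits if r]

if __name__ == "__main__":
    for image, reasons in scan(EVENTS):
        print(image, "->", "; ".join(reasons))
```

The hash rule catches only the known sample, while the two behavioural rules (script name from the report, and a drive-root ‘sha256sum.exe’ spawned by a script host) survive a recompiled payload; the legitimate Git sha256sum.exe event shows the path anchoring keeping false positives down.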

PathWiper functions with a primary intent to irreversibly destroy data across all accessible storage devices.

Once executed, it systematically enumerates all physically and logically connected drives, including network, local, and dismounted volumes.

To accomplish this, it leverages native Windows APIs and even probes the system registry at ‘HKEY_USERS\Network<drive_letter>|RemovePath’ to identify shared network drives for targeted wiping.

For each discovered storage path, PathWiper spawns a dedicated thread to maximize parallelism and destruction speed.

Its destructive approach includes overwriting critical filesystem artifacts such as the Master Boot Record (MBR), NTFS metadata files ($MFT, $LogFile, $Bitmap, etc.), and any files present on the disk, replacing their contents with randomly generated bytes.

Advanced Destructive Capabilities

Before commencing its overwriting operations, PathWiper attempts to dismount volumes using the FSCTL_DISMOUNT_VOLUME IOCTL call, further ensuring that data recovery becomes virtually impossible.

The malware’s functional sophistication is reminiscent of HermeticWiper (also known as FoxBlade or NEARMISS), another destructive wiper linked to Russia’s Sandworm group that infamously struck Ukrainian organizations in 2022.

While both wipers aim to obliterate key system and user data, PathWiper distinguishes itself by programmatically identifying and verifying all connected drives and volumes, as opposed to the more rudimentary enumeration approach used by HermeticWiper.

According to the report, security analysts at Cisco Talos have attributed this attack to a Russia-nexus advanced persistent threat (APT) group, citing strong similarities in tactics, techniques, and procedures (TTPs) as well as core wiper functionalities observed in previous Russian-linked operations.

The sophistication of PathWiper’s deployment and its integration with legitimate administrative tools further reinforce this high-confidence assessment.

The incident underscores the continued threat posed by evolving wiper malware in the ongoing Russia-Ukraine conflict, as threat actors adapt and innovate new methods to bypass security measures and ensure maximal operational and psychological impact.

The ongoing proliferation of wiper variants and their increasingly deep integration with legitimate administrative controls remains a potent threat to critical infrastructure, with significant implications for both national security and civilian stability.

As demonstrated by the PathWiper incident, attackers are leveraging privileged access to trusted systems, making early detection and incident response more challenging than ever before.

Indicators of Compromise (IOC)

SHA256 Hash | Description
7C792A2B005B240D30A6E22EF98B991744856F9AB55C74DF220F32FE0D00B6B3 | PathWiper executable
