
A new wave of cyberattacks has been recorded in Ukraine, targeting the destruction of critical infrastructure. At the center of this campaign is a wiper-class malware named PathWiper, designed not to extort or exfiltrate data, but to render digital systems completely inoperable.
According to researchers from Cisco Talos, PathWiper was deployed via a legitimate remote device management tool, indicating that the attackers had already gained elevated access within the target network prior to activating the malware. This suggests a premeditated breach—likely achieved through the exploitation of vulnerabilities or the compromise of trusted software utilities.
The operation may be linked to the same threat actors responsible for disseminating HermeticWiper—a notorious data destruction tool deployed in Ukraine in 2022.
Functionally, PathWiper bears striking similarities to HermeticWiper, yet it employs a more intricate approach to dismantling file systems. These parallels suggest that PathWiper is not a standalone creation but a natural evolution of an existing arsenal, refined to meet the objectives of this specific campaign.
Execution begins with a .bat file that triggers a malicious VBScript named uacinstall.vbs, which then downloads and initiates the main destructive payload—sha256sum.exe. Each component is named to resemble benign administrative utilities, minimizing suspicion.
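The staging chain described above (batch file, VBScript, then a payload named after an ordinary utility) is something a detection engineer can look for in process-creation telemetry. The following is an added example, not code from Cisco Talos or from the article; the event records are constructed inline to resemble endpoint logs, the field names (pid, ppid, image, cmdline), the batch file name setup.bat, the directory paths and the look-alike name list are assumptions, while uacinstall.vbs and sha256sum.exe are the names reported in the article.

```python
"""Find a batch -> VBScript -> executable launch chain in process-creation
events, the staging pattern reported for PathWiper.

Added illustration, not Cisco Talos code. The events below are constructed;
real telemetry uses product-specific field names.
"""
from __future__ import annotations
import ntpath

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SHELLS = {"cmd.exe"}
# Assumed list of utility names a payload might imitate (only sha256sum.exe
# comes from the article).
LOOKALIKE_NAMES = {"sha256sum.exe", "certutil.exe", "svchost.exe"}

# Constructed sample events: one malicious chain and one benign admin session.
EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c C:\Users\ops\AppData\Local\Temp\setup.bat"},
    {"pid": 201, "ppid": 200, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe C:\Users\ops\AppData\Local\Temp\uacinstall.vbs"},
    {"pid": 202, "ppid": 201, "image": r"C:\Users\ops\AppData\Local\Temp\sha256sum.exe",
     "cmdline": "sha256sum.exe"},
    # Benign: an administrator's batch job that only runs a built-in tool.
    {"pid": 300, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c C:\scripts\backup.bat"},
    {"pid": 301, "ppid": 300, "image": r"C:\Windows\System32\robocopy.exe",
     "cmdline": r"robocopy.exe D:\data E:\backup"},
]


def basename(path: str) -> str:
    """Case-folded file name of a Windows path."""
    return ntpath.basename(path).lower()


def find_script_chains(events):
    """Return (bat_pid, vbs_pid, payload_pid, payload_image) for every process
    whose parent is a script host running a .vbs and whose grandparent is
    cmd.exe running a .bat file."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        if parent is None or basename(parent["image"]) not in SCRIPT_HOSTS:
            continue
        if ".vbs" not in parent["cmdline"].lower():
            continue
        grand = by_pid.get(parent["ppid"])
        if grand is None or basename(grand["image"]) not in SHELLS:
            continue
        if ".bat" not in grand["cmdline"].lower():
            continue
        hits.append((grand["pid"], parent["pid"], e["pid"], e["image"]))
    return hits


def looks_like_masquerade(image: str) -> bool:
    """True when the image name imitates a known utility but runs from a
    user-writable location (Temp or a user profile); both lists are assumptions."""
    low = image.lower()
    return basename(image) in LOOKALIKE_NAMES and ("\\temp\\" in low or "\\users\\" in low)


if __name__ == "__main__":
    for bat, vbs, payload, image in find_script_chains(EVENTS):
        flag = " (name mimics a utility)" if looks_like_masquerade(image) else ""
        print(f"chain {bat} -> {vbs} -> {payload}: {image}{flag}")
```

The chain check deliberately keys on the parent-child relationship rather than on the file names, so a renamed copy of the same script and payload still produces a hit; the name check is layered on top only to raise the severity of the alert.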
A distinguishing feature of this wiper is its unconventional media scanning strategy. While HermeticWiper focused solely on physical drives, PathWiper extends its reach to include networked, disconnected, and previously mounted volumes—allowing it to target the broadest range of accessible storage.
Subsequently, PathWiper employs native Windows tools to forcibly unmount detected volumes, thereby bypassing potential access restrictions. Once the environment is prepared, a parallel overwrite process commences—each thread systematically corrupts a disk partition, striking the structural core of the NTFS file system.
The primary targets of the attack are critical NTFS system structures, including:
- MBR (Master Boot Record): The first sector of the physical disk, containing the bootloader and partition table. Its destruction renders the system unbootable.
- $MFT (Master File Table): The central index of the file system, storing metadata for every file, including its physical location.
- $LogFile: A journal used for tracking file system operations and supporting recovery during failures.
- $Boot: Contains the boot sector structure and vital information on system component locations.
In addition to these, PathWiper corrupts five more NTFS system files, the specifics of which remain undisclosed.
All targeted data is overwritten with random bytes, making recovery virtually impossible. The compromised system becomes entirely defunct, incapable of booting and irrevocably severed from all previously stored information.
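Of the structures listed above, the MBR and $Boot are fixed-format sectors that a responder can verify directly against a disk image, and a random-byte overwrite of the kind described leaves a recognisable trace: the boot signature and partition table are gone and the sector's byte entropy is close to the maximum. The following forensic triage helper is an added example and not Cisco Talos code; the sample sectors are constructed inline so it runs offline, the entropy threshold is a heuristic assumption rather than a published indicator, and the sector offsets used are the standard MBR and NTFS boot-sector layouts.

```python
"""Triage the MBR and the NTFS boot sector ($Boot) of a disk image for signs
of a random-byte overwrite. Added example, not Cisco Talos code."""
import hashlib
import math
import struct
from collections import Counter

SECTOR = 512
BOOT_SIG = b"\x55\xaa"
ENTROPY_SUSPECT = 6.5   # assumption: random-byte overwrites score near 8.0 bits/byte


def shannon_entropy(data: bytes) -> float:
    """Plug-in Shannon entropy in bits per byte."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_mbr(sector: bytes) -> dict:
    """Parse the four 16-byte partition entries at offset 446 and the 0x55AA signature."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly one 512-byte sector")
    entries = []
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, 446 + 16 * i)
        if ptype != 0:   # type 0 marks an unused slot
            entries.append({"index": i, "bootable": status == 0x80, "type": ptype,
                            "lba_start": lba_start, "sectors": sectors})
    return {"signature_ok": sector[510:512] == BOOT_SIG, "partitions": entries}


def parse_ntfs_boot(sector: bytes) -> dict:
    """Parse the NTFS boot sector: OEM ID at 3, BPB geometry at 0x0B, $MFT cluster at 0x30."""
    bytes_per_sector, sectors_per_cluster = struct.unpack_from("<HB", sector, 0x0B)
    mft_cluster = struct.unpack_from("<Q", sector, 0x30)[0]
    return {"is_ntfs": sector[3:11] == b"NTFS    ",
            "signature_ok": sector[510:512] == BOOT_SIG,
            "bytes_per_sector": bytes_per_sector,
            "sectors_per_cluster": sectors_per_cluster,
            "mft_cluster": mft_cluster}


def triage_sector(sector: bytes, kind: str) -> str:
    """Return 'intact' or 'suspect' for an MBR (kind='mbr') or $Boot (kind='ntfs') sector."""
    if shannon_entropy(sector) >= ENTROPY_SUSPECT:
        return "suspect"
    if kind == "mbr":
        p = parse_mbr(sector)
        return "intact" if p["signature_ok"] and p["partitions"] else "suspect"
    p = parse_ntfs_boot(sector)
    return "intact" if p["is_ntfs"] and p["signature_ok"] and p["mft_cluster"] else "suspect"


def read_sector(path: str, lba: int) -> bytes:
    """Read one 512-byte sector from a disk image or raw device by LBA."""
    with open(path, "rb") as fh:
        fh.seek(lba * SECTOR)
        return fh.read(SECTOR)


# --- constructed sample sectors (not captured from any real system) ---
def build_sample_mbr() -> bytes:
    """MBR with empty boot code and one bootable NTFS (type 0x07) partition."""
    s = bytearray(SECTOR)
    struct.pack_into("<B3xB3xII", s, 446, 0x80, 0x07, 2048, 1_000_000)
    s[510:512] = BOOT_SIG
    return bytes(s)


def build_sample_ntfs_boot() -> bytes:
    """$Boot with 512-byte sectors, 8 sectors per cluster and $MFT at cluster 786432."""
    s = bytearray(SECTOR)
    s[0:3] = b"\xeb\x52\x90"          # jump instruction found at the start of an NTFS VBR
    s[3:11] = b"NTFS    "
    struct.pack_into("<HB", s, 0x0B, 512, 8)
    struct.pack_into("<Q", s, 0x30, 786432)
    s[510:512] = BOOT_SIG
    return bytes(s)


def build_wiped_sector() -> bytes:
    """Stand-in for a sector overwritten with random bytes: a deterministic chain
    of SHA-256 digests, so the example is reproducible offline."""
    out, block = b"", b"constructed-seed"
    while len(out) < SECTOR:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:SECTOR]


if __name__ == "__main__":
    print("sample MBR:", triage_sector(build_sample_mbr(), "mbr"))
    print("sample $Boot:", triage_sector(build_sample_ntfs_boot(), "ntfs"))
    print("overwritten sector:", triage_sector(build_wiped_sector(), "mbr"))
```

On a real image, call read_sector(path, 0) for the MBR and read_sector(path, lba_start) with the LBA taken from the parsed partition entry for that partition's $Boot; a sector that fails the structural checks but has low entropy was more likely zeroed or replaced than overwritten with random data, which is worth recording separately in the incident timeline.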
Crucially, none of the observed attacks displayed signs of extortion or ransom demands. The absence of financial motives underscores the campaign’s true intent: to destabilize infrastructure, paralyze operations, and inflict foundational damage—a hallmark of politically driven cyber warfare.
As countermeasures, Cisco Talos has released file hashes associated with PathWiper and Snort detection rules to facilitate early identification. However, given the high-level privileges attackers possessed from the outset, mitigation requires more than signatures—it demands rigorous network segmentation, privilege monitoring, and stringent execution policies for scripts.
Since early 2022, Ukraine has been targeted by a multitude of similar wiper programs, including DoubleZero, CaddyWiper, IsaacWiper, WhisperKill, WhisperGate, and AcidRain. These attacks have consistently focused on governmental agencies, energy providers, telecommunications networks, and transportation hubs. Notably, newer iterations of such malware increasingly emphasize deceptive deployment techniques, camouflage as legitimate software, and a minimal on-disk footprint.