Russia-linked PathWiper malware hits Ukrainian infrastructure

A destructive new malware, dubbed PathWiper, has struck Ukraine’s critical infrastructure, erasing data and disabling essential systems, according to a recent Cisco Talos report.

Attributed with high confidence to a Russia-linked advanced persistent threat (APT) group, the cyberattack leverages a compromised administrative framework, marking a significant escalation in Moscow’s cyber warfare capabilities.

“The deployment of PathWiper through a trusted endpoint management system reflects a tactical maturation in state-sponsored APT operations,” said Arpita Dash, an analyst at QKS Group. She noted that such “living off the land” (LotL) techniques exploit authorized IT workflows to deliver destructive payloads, pushing defenders to shift from static, signature-based detection to behavioral telemetry-driven models. This shift underscores the growing challenge of detecting such stealthy attacks.

This campaign showcases significant advancements in precision and stealth over previous Russian wiper attacks on Ukraine. PathWiper’s ability to infiltrate trusted systems, evade detection, and cripple vital services highlights an intensifying digital offensive with far-reaching implications for global cybersecurity.

How PathWiper operates

PathWiper, deployed via a trusted endpoint administration system, marks a significant evolution from HermeticWiper, which targeted Ukrainian systems in 2022. The attack begins with a Windows batch file executing a malicious VBScript (uacinstall.vbs), which deploys a wiper binary disguised as “sha256sum.exe” to blend seamlessly into legitimate processes.

Once active, PathWiper enumerates every connected storage target—physical drives, mounted and dismounted volumes, and network shares—and checks that each volume name is valid before acting on it. It then overwrites the Master Boot Record (MBR) and key NTFS metadata files, including the Master File Table ($MFT), with random data. Because the file system's own index of where files live is destroyed, recovery from the affected disks is effectively impossible; only isolated, offline or immutable backups survive.

Unlike HermeticWiper’s sequential drive targeting, PathWiper’s refined logic ensures rapid and irreversible destruction. “PathWiper’s lack of command-and-control infrastructure reflects a tactical shift toward pre-staged, autonomous payloads,” Dash noted, urging defenders to focus on endpoint telemetry and patterns of file system manipulation to detect such threats.

By spawning separate threads for each storage device and mimicking legitimate administrative commands, PathWiper demonstrates deep familiarity with the victim’s environment, a hallmark of state-sponsored capabilities. Dash emphasized that security teams must prioritize behavioral baselining and TTP-based analytics, such as those aligned with MITRE ATT&CK, to uncover anomalous activity within trusted IT workflows, enabling earlier detection of such advanced attacks.

Echoes of past attacks

While PathWiper shares tactical similarities with HermeticWiper, its enhanced capabilities reveal a clear evolution in wiper malware sophistication. The new variant employs more targeted techniques, such as querying registry keys to locate mapped network drives and dismounting volumes so they can be overwritten at the raw device level, a contrast to HermeticWiper's simpler approach of sequentially targeting physical drives numbered 0 through 100.

PathWiper continues a consistent pattern of wiper malware targeting Ukraine since Russia's 2022 invasion. Fortinet's analysis, led by Principal Security Researcher Geri Revay, documented seven distinct strains—WhisperKill, WhisperGate, HermeticWiper, IsaacWiper, CaddyWiper, DoubleZero, and AcidRain—deployed in the first quarter of 2022 alone. Fortinet's telemetry also detected remnants of the 2017 NotPetya wiper, highlighting the enduring threat of these destructive tools.

“Given PathWiper’s likely attribution to a Russia-nexus APT, enterprises with operations in high-conflict zones must integrate geopolitical intelligence into their risk models,” Dash advised, emphasizing the need for “region-specific security controls and contingency playbooks” to counter escalating threats.

Global implications

PathWiper’s use of a trusted endpoint management system exposes a broader vulnerability, one that could affect any organization relying on similar platforms. Cisco Talos highlighted the malware’s ability to mimic legitimate processes, making detection especially difficult for global defenders.

“Destructive attacks like PathWiper go far beyond immediate outages. They jeopardize regulatory compliance, erode customer trust, and threaten long-term financial stability,” warned Dash, urging CISOs to incorporate cyber-specific scenarios into continuity planning and review insurance policies for state-linked threat exclusions.

For Ukrainian infrastructure, particularly in the energy and telecom sectors, there’s an urgent need to deploy advanced EDR/XDR tools for real-time detection and maintain immutable, segmented backups. Dash echoed Fortinet’s call for offline backups and robust network segmentation as baseline defenses.

To build long-term resilience, she stressed adopting zero trust architectures and running regular purple team exercises to test detection and response. PathWiper reflects a shifting threat landscape, where attackers continuously evolve tactics to cause maximum disruption, intensifying the digital danger to critical systems amid ongoing conflict.

Original article: Russia-linked PathWiper malware hits Ukrainian infrastructure | CSO Online