
In a sobering development that underscores the continued cyber threat to Ukrainian critical infrastructure, Cisco Talos has disclosed a destructive malware attack using a previously unknown wiper dubbed “PathWiper.” The attack was attributed with high confidence to a Russia-nexus advanced persistent threat (APT) actor.
Cisco Talos reports: “Cisco Talos observed a destructive attack on a critical infrastructure entity within Ukraine, using a previously unknown wiper we are calling ‘PathWiper’.”
The attackers had deep access, leveraging a legitimate endpoint administration framework to push commands to victim machines:
“The attack was instrumented via a legitimate endpoint administration framework, indicating that the attackers likely had access to the administrative console…”
PathWiper is a file-system-level destructive malware designed to overwrite and corrupt all reachable storage volumes, including network shares and disconnected drives. Once launched via a malicious VBScript (uacinstall.vbs), it deploys an executable (sha256sum.exe) to initiate the wipe:
“On execution, PathWiper replaces the contents of artifacts related to the file system with random data generated on the fly,” Cisco Talos notes.
The malware is capable of:
- Scanning physical drives, volume paths, and network shares
- Reading and overwriting NTFS structures like $MFT, $Boot, $Bitmap, $LogFile, and even the Master Boot Record (MBR)
- Launching concurrent threads per storage path for efficient destruction
- Dismounting volumes before corruption using Windows IOCTL commands
This makes PathWiper particularly effective at causing irreversible system damage.
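The execution chain described above (a VBScript named uacinstall.vbs that launches sha256sum.exe) is something a defender can hunt for in process-creation telemetry. The following detection logic is an added example, not code from the Talos report; the event schema (pid, ppid, image, cmdline), the sample events and the assumed parent/child relationship between the script host and sha256sum.exe are all constructed for illustration.

```python
# Added example: match the PathWiper execution chain in process-creation events.
# The schema (pid, ppid, image, cmdline) and all sample events are constructed
# for this example and are not from the Talos report.

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# Constructed sample events: a benign tree plus the suspicious chain.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1,   "image": r"C:\Windows\System32\services.exe",
     "cmdline": "services.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Program Files\AdminAgent\agent.exe",
     "cmdline": "agent.exe"},  # assumed endpoint-administration agent
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe //B C:\ProgramData\uacinstall.vbs"},
    {"pid": 400, "ppid": 300, "image": r"C:\ProgramData\sha256sum.exe",
     "cmdline": "sha256sum.exe"},
    {"pid": 500, "ppid": 100, "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
    # Benign: a real sha256sum.exe run from a shell, not from a script host.
    {"pid": 600, "ppid": 500, "image": r"C:\Tools\sha256sum.exe",
     "cmdline": "sha256sum.exe release.zip"},
]


def basename(path):
    """Last path component, lower-cased, tolerant of either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_pathwiper_chains(events):
    """Return (script_host_pid, child_pid) pairs where a script host running
    uacinstall.vbs spawned sha256sum.exe. The file name alone is a weak signal
    (it is a legitimate tool name); the parent/child relationship carries it."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if basename(e["image"]) != "sha256sum.exe":
            continue
        parent = by_pid.get(e["ppid"])
        if (parent is not None
                and basename(parent["image"]) in SCRIPT_HOSTS
                and "uacinstall.vbs" in parent["cmdline"].lower()):
            hits.append((parent["pid"], e["pid"]))
    return hits


if __name__ == "__main__":
    for script_pid, child_pid in find_pathwiper_chains(SAMPLE_EVENTS):
        print(f"suspicious chain: script host {script_pid} -> sha256sum.exe {child_pid}")
```

On the sample events only the wscript.exe to sha256sum.exe pair is reported; the benign sha256sum.exe launched from svchost.exe is ignored.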
Cisco draws a comparison between PathWiper and HermeticWiper (FoxBlade/NEARMISS), previously deployed by Russia’s Sandworm group during the early stages of the Ukraine invasion in 2022: “Both wipers attempt to corrupt the master boot record (MBR) and NTFS-related artifacts.”
However, unlike HermeticWiper, which crudely attempted to wipe drives numbered 0–100, PathWiper programmatically scans, identifies, and verifies each storage volume, suggesting greater operational awareness of the victim environment and improved evasion capabilities.
Cisco Talos makes a high-confidence attribution to a Russia-aligned APT based on:
- Wiper behavior and technical capabilities
- Similarities to previously observed destructive campaigns
- Overlap in TTPs with past operations linked to Sandworm/APT44
“The continued evolution of wiper malware variants highlights the ongoing threat to Ukrainian critical infrastructure despite the longevity of the Russia-Ukraine war,” the report concludes.