Russia Targets Ukraine Critical Infrastructure With PathWiper

Written by The Hivemind | Jun 13, 2025 6:33:09 PM

Verticals Targeted: Critical infrastructure
Regions Targeted: Ukraine
Related Families: HermeticWiper (aka FoxBlade, NEARMISS)

Executive Summary

PathWiper is a new wiper malware deployed by a Russia-linked APT, targeting Ukraine’s critical infrastructure with destructive intent. The attack leveraged a legitimate endpoint administration framework, highlighting the persistent cyber threat to Ukraine amid ongoing conflict.

Key Takeaways

  • PathWiper was deployed via a compromised administrative console, mimicking legitimate operations to evade detection.
  • The malware systematically targets NTFS components and shared network drives, overwriting critical data with random bytes.
  • PathWiper shares similarities with HermeticWiper but employs advanced techniques for identifying and corrupting storage devices.
  • Attributed to a Russia-nexus APT, the attack underscores the evolving threat landscape targeting Ukraine’s infrastructure.

What is PathWiper?

Cisco Talos recently uncovered a sophisticated cyberattack targeting an unnamed critical infrastructure entity in Ukraine, deploying a previously undocumented wiper malware dubbed PathWiper. Attributed with high confidence to a Russia-nexus advanced persistent threat (APT) actor, this attack highlights the ongoing cyber warfare against Ukraine’s vital systems. The attackers exploited a legitimate endpoint administration framework, indicating prior access to the administrative console, which was used to distribute malicious commands and deploy PathWiper across connected endpoints.

The attack began with a BAT file executing a malicious VBScript, uacinstall.vbs, which wrote the PathWiper executable, disguised as sha256sum.exe, to disk. This executable systematically targets file system structures, overwriting critical components like the Master Boot Record (MBR), Master File Table, and NTFS log files with randomly generated bytes. Unlike simpler wipers, PathWiper programmatically identifies all connected storage devices, including dismounted volumes and shared network drives, by querying system APIs and registry keys. It creates separate processing threads for each storage device, dismounts volumes using specialized system calls to bypass protections, and maximizes data destruction, rendering recovery nearly impossible without offline backups.

PathWiper shares semantic similarities with HermeticWiper, a wiper linked to Russia’s Sandworm group that targeted Ukraine in 2022. Both corrupt MBR and NTFS artifacts, but PathWiper’s approach is more refined. While HermeticWiper enumerates drives bluntly from 0 to 100, PathWiper verifies volume labels and documents valid targets, ensuring precise and efficient destruction. This evolution in technique underscores the increasing sophistication of wiper malware amid the Russia-Ukraine conflict.

The attackers’ use of filenames and actions mimicking the administrative console suggests deep reconnaissance of the victim’s environment. This tactic enabled PathWiper to blend with legitimate operations, complicating detection. The reliance on VBScript and BAT files for initial execution aligns with tactics observed in other Russia-linked campaigns, exploiting trusted tools to deliver malicious payloads.
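The delivery chain above (a BAT file launching a VBScript named uacinstall.vbs, which drops the wiper under the name sha256sum.exe, and the published sample hash) gives a defender three concrete things to look for in process-creation telemetry. The following is an added example written for this post, not code from Cisco Talos or PolySwarm: it runs three triage rules over constructed, simplified process records. The record shape, the sample paths, and the allowlist of directories where a genuine sha256sum.exe may live are all assumptions of the example; the indicator names and the hash come from the write-up.

```python
"""Triage rules for the PathWiper delivery chain described in the write-up.

Added example, not code from Cisco Talos or PolySwarm. It runs over
constructed, simplified process-creation records (parent image, image,
command line, SHA-256); real telemetry such as Sysmon Event ID 1 carries
more fields but the same rules apply.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Indicators taken from the write-up: the VBScript dropper name, the
# filename the wiper was disguised as, and the published sample hash.
DROPPER_VBS = "uacinstall.vbs"
DISGUISED_WIPER = "sha256sum.exe"
PATHWIPER_SHA256 = (
    "7C792A2B005B240D30A6E22EF98B991744856F9AB55C74DF220F32FE0D00B6B3".lower()
)

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# Assumption for this example: a site-specific allowlist of directories where
# a genuine sha256sum.exe (e.g. from a Unix-tools distribution) may live.
TRUSTED_TOOL_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\")


@dataclass
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str
    sha256: str = ""


def basename(path: str) -> str:
    """Case-folded file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def in_trusted_dir(path: str) -> bool:
    """True if the image path sits under one of the allowlisted tool dirs."""
    return path.lower().startswith(TRUSTED_TOOL_DIRS)


def triage(events: List[ProcessEvent]) -> List[Tuple[int, str, str]]:
    """Return (event_index, rule_name, detail) for every rule an event trips."""
    hits: List[Tuple[int, str, str]] = []
    for idx, ev in enumerate(events):
        img = basename(ev.image)
        parent = basename(ev.parent_image)
        cmd = ev.command_line.lower()

        # Rule 1: exact match on the published sample hash.
        if ev.sha256.lower() == PATHWIPER_SHA256:
            hits.append((idx, "known_hash", f"{img} matches the PathWiper sample hash"))

        # Rule 2: the BAT -> VBScript stage: cmd.exe launching a script host
        # with the named dropper script on its command line.
        if parent == "cmd.exe" and img in SCRIPT_HOSTS and DROPPER_VBS in cmd:
            hits.append((idx, "dropper_chain", f"cmd.exe -> {img} running {DROPPER_VBS}"))

        # Rule 3: a binary named sha256sum.exe executing from outside the
        # allowlisted tool directories (masquerading as a hashing utility).
        if img == DISGUISED_WIPER and not in_trusted_dir(ev.image):
            hits.append((idx, "masquerade_path", f"{DISGUISED_WIPER} ran from {ev.image}"))
    return hits


# Constructed sample telemetry: a malicious chain followed by a benign
# sha256sum.exe invocation that must not fire. All paths are made up.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe",
                 r"cmd.exe /c C:\Temp\deploy.bat"),
    ProcessEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\wscript.exe",
                 r"wscript.exe C:\Temp\uacinstall.vbs"),
    ProcessEvent(r"C:\Windows\System32\cmd.exe", r"C:\Temp\sha256sum.exe",
                 "sha256sum.exe", sha256=PATHWIPER_SHA256),
    ProcessEvent(r"C:\Program Files\Git\usr\bin\bash.exe",
                 r"C:\Program Files\Git\usr\bin\sha256sum.exe",
                 "sha256sum.exe release.zip", sha256="0" * 64),
]

if __name__ == "__main__":
    for idx, rule, detail in triage(SAMPLE_EVENTS):
        print(f"event {idx}: [{rule}] {detail}")
```

The hash rule is the narrowest and will miss any recompiled variant; the dropper-chain and masquerade rules are the ones worth keeping in a hunt, since they key on the behaviour the write-up describes (trusted scripting hosts and a filename chosen to look like an administrative utility) rather than on one build. On the constructed records the benign Git sha256sum.exe produces no hit, which is the false-positive case the allowlist exists for.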

This attack is part of a broader pattern of cyberattacks targeting Ukraine’s critical infrastructure, including energy, water, and telecommunications. The Computer Emergency Response Team of Ukraine (CERT-UA) reported multiple incidents in early 2025, while ESET documented another wiper, Zerolot, used by Sandworm against Ukrainian energy firms. These campaigns reflect the strategic use of destructive malware to disrupt essential services, amplifying the impact of the ongoing war.

IOCs

PolySwarm has a sample of PathWiper.

7C792A2B005B240D30A6E22EF98B991744856F9AB55C74DF220F32FE0D00B6B3

You can use the following CLI command to search for all PathWiper samples in our portal:

$ polyswarm link list -f PathWiper

Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports.