Monday, June 9, 2025

Cybersecurity researchers from Cisco Talos have uncovered a new data-wiping malware called PathWiper, used in targeted attacks against Ukraine’s critical infrastructure. The malware is designed to destroy data and disrupt operations. Attackers reportedly used a legitimate endpoint administration tool to deploy the payload, indicating that they had likely obtained admin-level access through prior compromise.
PathWiper is being compared to HermeticWiper, previously used by the Russia-linked Sandworm group in attacks on Ukraine. The malware executes via a Windows batch file that launches a malicious VBScript (uacinstall.vbs), which then drops and runs the main payload, sha256sum.exe. The payload's file name mimics a legitimate administrative utility so that it draws less scrutiny. Once active, PathWiper enumerates all drives (local, network, and dismounted), uses Windows APIs to dismount the volumes, and then overwrites the MBR and critical NTFS metadata files, including $MFT, $LogFile, and $Boot, with random data, leaving the system unbootable and its file systems unrecoverable.
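To make the on-disk effect described above concrete, here is an added Python example (written for this page, not Cisco Talos code) that performs offline triage of the three structures the report names: it checks a disk image for the MBR signature and partition table, the NTFS $Boot sector (OEM ID and BPB fields, from which it locates $MFT), and the first $MFT record, and when a structure fails to parse it uses byte entropy to tell a random overwrite apart from other damage. The image and the overwrite simulation are constructed in memory; the layout used (one partition at LBA 8, 8 sectors per cluster, $MFT at cluster 2) is an assumption of the constructed sample, not a value from the report.

```python
# Added example (not Cisco Talos code): offline triage of the MBR, NTFS $Boot and $MFT
# structures the report says PathWiper overwrites. Image layout below is a constructed assumption.
import math
import random
import struct

SECTOR = 512
MFT_RECORD = 1024
RANDOM_THRESHOLD = 7.0  # bits/byte: random fill scores ~7.6+ over 512 B, real metadata far lower


def shannon_entropy(data):
    """Bits of entropy per byte."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(data.count(b) / n * math.log2(data.count(b) / n) for b in set(data))


def parse_mbr(sector):
    """Classic MBR: four 16-byte partition entries at 446, 0x55AA signature at 510."""
    if len(sector) < SECTOR or sector[510:512] != b"\x55\xaa":
        return None
    parts = []
    for off in range(446, 510, 16):
        status, ptype = sector[off], sector[off + 4]
        lba_start, sectors = struct.unpack_from("<II", sector, off + 8)
        if ptype == 0:
            continue
        if status not in (0x00, 0x80) or lba_start == 0 or sectors == 0:
            return None  # garbage where a partition entry should be
        parts.append({"type": ptype, "lba_start": lba_start, "sectors": sectors})
    return {"partitions": parts}


def parse_ntfs_boot(sector):
    """NTFS $Boot: OEM ID at 3, bytes/sector at 11, sectors/cluster at 13, $MFT cluster at 48."""
    if len(sector) < SECTOR or sector[3:11] != b"NTFS    " or sector[510:512] != b"\x55\xaa":
        return None
    (bps,) = struct.unpack_from("<H", sector, 11)
    (mft_cluster,) = struct.unpack_from("<Q", sector, 48)
    if bps == 0 or sector[13] == 0:
        return None
    return {"bytes_per_sector": bps, "sectors_per_cluster": sector[13], "mft_cluster": mft_cluster}


def parse_mft_record(rec):
    """MFT FILE record: 'FILE' magic at 0, flags at 22 (bit 0 = in use)."""
    if len(rec) < MFT_RECORD or rec[0:4] != b"FILE":
        return None
    return {"in_use": bool(struct.unpack_from("<H", rec, 22)[0] & 1)}


def verdict(blob, parsed):
    """'intact' if it parsed; otherwise separate a random overwrite from other damage."""
    if parsed is not None:
        return "intact"
    return "overwritten-random" if shannon_entropy(blob) >= RANDOM_THRESHOLD else "damaged"


def triage(image, vbr_lba, mft_lba):
    """Follow MBR -> $Boot -> first $MFT record. vbr_lba/mft_lba come from a known layout
    and are only used when an earlier structure is gone and the chain cannot be followed."""
    mbr = image[0:SECTOR]
    mbr_p = parse_mbr(mbr)
    if mbr_p and mbr_p["partitions"]:
        vbr_lba = mbr_p["partitions"][0]["lba_start"]
    vbr = image[vbr_lba * SECTOR:(vbr_lba + 1) * SECTOR]
    vbr_p = parse_ntfs_boot(vbr)
    if vbr_p:
        mft_lba = vbr_lba + vbr_p["mft_cluster"] * vbr_p["sectors_per_cluster"]
    mft = image[mft_lba * SECTOR:mft_lba * SECTOR + MFT_RECORD]
    return {"MBR": verdict(mbr, mbr_p), "$Boot": verdict(vbr, vbr_p),
            "$MFT": verdict(mft, parse_mft_record(mft))}


def build_clean_image():
    """Constructed 32 KiB image: one NTFS partition at LBA 8, 8 sectors/cluster, $MFT at cluster 2 (LBA 24)."""
    img = bytearray(SECTOR * 64)
    img[446:462] = struct.pack("<BBBBBBBBII", 0x80, 0, 0, 0, 0x07, 0, 0, 0, 8, 48)
    img[510:512] = b"\x55\xaa"
    vbr = bytearray(b"\xeb\x52\x90NTFS    ") + bytearray(SECTOR - 11)
    struct.pack_into("<HB", vbr, 11, 512, 8)  # bytes/sector, sectors/cluster
    struct.pack_into("<Q", vbr, 48, 2)        # $MFT starts at cluster 2
    vbr[510:512] = b"\x55\xaa"
    img[8 * SECTOR:9 * SECTOR] = vbr
    rec = bytearray(b"FILE") + bytearray(MFT_RECORD - 4)
    struct.pack_into("<H", rec, 22, 1)  # in-use flag
    img[24 * SECTOR:24 * SECTOR + MFT_RECORD] = rec
    return img


def simulate_overwrite(img, seed=1337):
    """Reproduce only the reported effect on an in-memory copy: the three structures are
    replaced with seeded pseudo-random bytes. Never touches a real device."""
    rng = random.Random(seed)
    out = bytearray(img)
    for off, length in ((0, SECTOR), (8 * SECTOR, SECTOR), (24 * SECTOR, MFT_RECORD)):
        out[off:off + length] = bytes(rng.getrandbits(8) for _ in range(length))
    return out
```

Run `triage(build_clean_image(), vbr_lba=8, mft_lba=24)` to see all three structures reported intact, and the same call on `simulate_overwrite(...)` to see them reported as overwritten with random data. Against a real image the fallback LBAs would come from the partition layout recorded before the incident; the entropy split matters in practice because an all-zero or partially damaged structure points to a different cause than a deliberate random overwrite.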
This attack involves no ransom demand or financial motive, suggesting its sole purpose is destruction and disruption. Cisco Talos has published file hashes and Snort rules to help organizations detect and block the malware. Hashes only catch the samples already seen, so defenders should also hunt for the behaviour itself: the batch-to-VBScript-to-executable chain, and a process dismounting volumes and overwriting their on-disk structures. PathWiper joins a growing list of destructive data wipers used in cyber warfare against Ukraine, including DoubleZero, CaddyWiper, IsaacWiper, WhisperGate, and AcidRain, all of which have been attributed to state-sponsored Russian threat actors.
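As an added example of that behavioural hunt (written for this page, not Cisco Talos code and not from the original article), the Python below runs detection logic over a few constructed Sysmon Event ID 1 (process creation) records exported as JSON lines. It rebuilds process lineage from ProcessGuid/ParentProcessGuid, falling back to ParentImage when the parent's own event is missing from the export, and applies three rules: a script host running uacinstall.vbs, sha256sum.exe launched by a script host, and, as a generalization beyond the two file names in the report, any shell-to-script-host-to-executable chain. The GUIDs, the "AdminAgent" parent process, the deploy directory, and the benign Git and logon-script records are all invented for the example.

```python
# Added example (not Cisco Talos code): hunt the reported PathWiper execution chain in
# Sysmon Event ID 1 records. Every record below is constructed; the GUIDs, the
# "AdminAgent" parent and the benign Git / logon-script entries are invented for the example.
import json
import ntpath

SAMPLE_EVENTS = r"""
{"EventID":1,"ProcessGuid":"{A1}","ParentProcessGuid":"{A0}","Image":"C:\\Windows\\System32\\cmd.exe","CommandLine":"cmd.exe /c C:\\ProgramData\\deploy\\run.bat","ParentImage":"C:\\Program Files\\AdminAgent\\agent.exe"}
{"EventID":1,"ProcessGuid":"{A2}","ParentProcessGuid":"{A1}","Image":"C:\\Windows\\System32\\wscript.exe","CommandLine":"wscript.exe C:\\ProgramData\\deploy\\uacinstall.vbs","ParentImage":"C:\\Windows\\System32\\cmd.exe"}
{"EventID":1,"ProcessGuid":"{A3}","ParentProcessGuid":"{A2}","Image":"C:\\ProgramData\\deploy\\sha256sum.exe","CommandLine":"sha256sum.exe","ParentImage":"C:\\Windows\\System32\\wscript.exe"}
{"EventID":1,"ProcessGuid":"{B1}","ParentProcessGuid":"{B0}","Image":"C:\\Program Files\\Git\\usr\\bin\\sha256sum.exe","CommandLine":"sha256sum.exe release.zip","ParentImage":"C:\\Program Files\\Git\\usr\\bin\\bash.exe"}
{"EventID":1,"ProcessGuid":"{C1}","ParentProcessGuid":"{C0}","Image":"C:\\Windows\\System32\\wscript.exe","CommandLine":"wscript.exe C:\\Scripts\\logon.vbs","ParentImage":"C:\\Windows\\explorer.exe"}
"""

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SHELLS = {"cmd.exe"}


def load_events(text):
    """Parse a JSON-lines export into a list of event dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def basename(path):
    """Case-folded file name of a Windows path."""
    return ntpath.basename(path).lower()


def lineage(by_guid, guid):
    """Process and its ancestors, nearest first, as far as the log allows (cycle-safe)."""
    chain, seen = [], set()
    while guid in by_guid and guid not in seen:
        seen.add(guid)
        chain.append(by_guid[guid])
        guid = by_guid[guid].get("ParentProcessGuid")
    return chain


def detect(events):
    """Return (rule, ProcessGuid) alerts for the execution chain described in the report."""
    by_guid = {e["ProcessGuid"]: e for e in events if e.get("EventID") == 1}
    alerts = []
    for ev in by_guid.values():
        chain = lineage(by_guid, ev["ProcessGuid"])
        names = [basename(e["Image"]) for e in chain]
        me = names[0]
        # parent's own event may be missing from the export: fall back to ParentImage
        parent = names[1] if len(names) > 1 else basename(ev.get("ParentImage", ""))
        # R1: a script host running the dropper VBScript named in the report
        if me in SCRIPT_HOSTS and "uacinstall.vbs" in ev.get("CommandLine", "").lower():
            alerts.append(("pathwiper-dropper-script", ev["ProcessGuid"]))
        # R2: the payload name from the report, launched by a script host rather than a shell
        if me == "sha256sum.exe" and parent in SCRIPT_HOSTS:
            alerts.append(("pathwiper-payload-from-script-host", ev["ProcessGuid"]))
        # R3 (generalisation beyond the specific names): shell -> script host -> executable
        if (len(names) >= 3 and names[2] in SHELLS and names[1] in SCRIPT_HOSTS
                and me not in SCRIPT_HOSTS | SHELLS):
            alerts.append(("shell-script-host-exec-chain", ev["ProcessGuid"]))
    return alerts


if __name__ == "__main__":
    for rule, guid in detect(load_events(SAMPLE_EVENTS)):
        print(rule, guid)
```

On the constructed records the three rules fire only on the deploy chain ({A2} and {A3}); the Git-for-Windows sha256sum.exe run from bash.exe and the logon script run by explorer.exe stay quiet, which is the point of keying on lineage rather than on the file name alone. R3 is the rule worth keeping after the specific names change: a shell launching a script host that launches a fresh executable is rare in most fleets and cheap to review.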