{
	"id": "cae8146e-1536-43c4-a82d-4a5c3fd1b721",
	"created_at": "2026-04-06T00:06:25.916869Z",
	"updated_at": "2026-04-10T03:30:30.716058Z",
	"deleted_at": null,
	"sha1_hash": "9b17848da751505edfac06ef3898e3ed48f30345",
	"title": "Newly identified wiper malware “PathWiper” targets critical infrastructure in Ukraine",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 89194,
	"plain_text": "Newly identified wiper malware “PathWiper” targets critical\r\ninfrastructure in Ukraine\r\nBy Jacob Finn\r\nPublished: 2025-06-05 · Archived: 2026-04-05 15:18:58 UTC\r\nThursday, June 5, 2025 06:00\r\nCisco Talos observed a destructive attack on a critical infrastructure entity within Ukraine, using a\r\npreviously unknown wiper we are calling “PathWiper”. \r\nThe attack was instrumented via a legitimate endpoint administration framework, indicating that the\r\nattackers likely had access to the administrative console, which was then used to issue malicious commands\r\nand deploy PathWiper across connected endpoints. \r\nTalos attributes this disruptive attack and the associated wiper to a Russia-nexus advanced persistent threat\r\n(APT) actor. Our assessment is made with high confidence based on tactics, techniques and procedures\r\n(TTPs) and wiper capabilities overlapping with destructive malware previously seen targeting Ukrainian\r\nentities. \r\nThe continued evolution of wiper malware variants highlights the ongoing threat to Ukrainian critical\r\ninfrastructure despite the longevity of the Russia-Ukraine war. 
\r\nProliferation of PathWiper \r\nAny commands issued by the administrative tool’s console were received by its client running on the endpoints.\r\nThe client then executed the command as a batch (BAT) file, with the command line partially resembling that of\r\nImpacket command executions, though such commands do not necessarily indicate the presence of Impacket in an\r\nenvironment.\r\nThe BAT file consisted of a command to execute a malicious VBScript file called ‘uacinstall.vbs’, also pushed to\r\nthe endpoint by the administrative console: \r\nC:\\WINDOWS\\System32\\WScript.exe C:\\WINDOWS\\TEMP\\uacinstall.vbs\r\nUpon execution, the VBScript wrote the PathWiper executable, named ‘sha256sum.exe’, to disk and executed it: \r\nC:\\WINDOWS\\TEMP\\sha256sum.exe\r\nThroughout the course of the attack, filenames and actions used were intended to mimic those deployed by the\r\nadministrative utility’s console, indicating that the attackers had prior knowledge of the console and possibly its\r\nfunctionality within the victim enterprise’s environment.\r\nhttps://blog.talosintelligence.com/pathwiper-targets-ukraine/\r\nPage 1 of 4\n\nPathWiper capabilities \r\nOn execution, PathWiper replaces the contents of artifacts related to the file system with random data generated\r\non the fly. It first gathers a list of connected storage media on the endpoint, including: \r\nPhysical drive names \r\nVolume names and paths \r\nNetwork shared and unshared (removed) drive paths \r\nAlthough most storage devices and volumes are discovered programmatically (via APIs), the wiper also queries\r\n‘HKEY_USERS\\Network\\\u003cdrive_letter\u003e| RemovePath’ to obtain the path of shared network drives for\r\ndestruction. \r\nOnce all the storage media information has been collected, PathWiper creates one thread per drive and volume for\r\nevery path recorded and overwrites artifacts with randomly generated bytes. 
The wiper reads multiple file system\r\nattributes, such as the following from New Technology File System (NTFS). PathWiper then overwrites the\r\ncontents/data related to these artifacts directly on disk with random data: \r\nMBR \r\n$MFT \r\n$MFTMirr \r\n$LogFile \r\n$Boot \r\n$Bitmap \r\n$TxfLog \r\n$Tops \r\n$AttrDef \r\nBefore overwriting the contents of the artifacts, the wiper also attempts to dismount volumes using the\r\n‘FSCTL_DISMOUNT_VOLUME IOCTL’ to the MountPointManager device object. PathWiper also destroys\r\nfiles on disk by overwriting them with randomized bytes. \r\nPathWiper’s mechanisms are somewhat semantically similar to another wiper family, HermeticWiper, previously\r\nseen targeting Ukrainian entities in 2022. HermeticWiper, also known as FoxBlade or NEARMISS, is attributed to\r\nRussia’s Sandworm group in third-party reporting with medium to high confidence. Both wipers attempt to\r\ncorrupt the master boot record (MBR) and NTFS-related artifacts. \r\nA significant difference between HermeticWiper and PathWiper is the corruption mechanisms used against\r\nrecorded drives and volumes. PathWiper programmatically identifies all connected (including dismounted) drives\r\nand volumes on the system, identifies volume labels for verification and documents valid records. This differs\r\nfrom HermeticWiper's simple process of enumerating physical drives from 0 to 100 and attempting to corrupt\r\nthem. \r\nCoverage \r\nCisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware\r\ndetailed in this post. Try Secure Endpoint for free here. \r\nCisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of\r\ntheir campaign. You can try Secure Email for free here. 
\r\nCisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat\r\nDefense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this\r\nthreat. \r\nCisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically\r\nand alerts users of potentially unwanted activity on every connected device. \r\nCisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco\r\nSecure products. \r\nCisco Secure Access is a modern cloud-delivered Security Service Edge (SSE) built on Zero Trust principles. \r\nSecure Access provides seamless, transparent and secure access to the internet, cloud services or private\r\napplications no matter where your users work. Please contact your Cisco account representative or authorized\r\npartner if you are interested in a free trial of Cisco Secure Access. \r\nUmbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and\r\nURLs, whether users are on or off the corporate network. \r\nCisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites\r\nand tests suspicious sites before users access them. \r\nAdditional protections with context to your specific environment and threat data are available from the Firewall\r\nManagement Center. \r\nCisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your\r\nnetwork. \r\nOpen-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack\r\navailable for purchase on Snort.org. 
\r\nSnort 2 rules: 64742, 64743 \r\nSnort 3 rules: 301174\r\nIndicators of compromise (IOCs) \r\n7C792A2B005B240D30A6E22EF98B991744856F9AB55C74DF220F32FE0D00B6B3\r\nSource: https://blog.talosintelligence.com/pathwiper-targets-ukraine/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://blog.talosintelligence.com/pathwiper-targets-ukraine/"
	],
	"report_names": [
		"pathwiper-targets-ukraine"
	],
	"threat_actors": [
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-10T02:00:04.883793Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775433985,
	"ts_updated_at": 1775791830,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9b17848da751505edfac06ef3898e3ed48f30345.pdf",
		"text": "https://archive.orkl.eu/9b17848da751505edfac06ef3898e3ed48f30345.txt",
		"img": "https://archive.orkl.eu/9b17848da751505edfac06ef3898e3ed48f30345.jpg"
	}
}