Russia-linked threat actors targets Ukraine with PathWiper wiper

Pierluigi Paganini June 06, 2025

A Russia-linked threat actor targeted a critical infrastructure organization in Ukraine with a new destructive malware dubbed PathWiper.

Russia-linked threat actor targeted Ukraine’s critical infrastructure with a new wiper named PathWiper. Cisco Talos researchers reported that attackers utilized a legitimate endpoint administration tool, indicating they had access to the administrative console, then used it to deploy the PathWiper wiper. Talos attributes the attack to a Russia-linked APT group, with high confidence based on similarities in techniques, tactics and procedures to past attacks on Ukrainian entities.

PathWiper is a destructive malware that scans and identifies all connected storage, including network drives, then spawns threads to overwrite key disk artifacts and files with random data. The malicious code targets NTFS structures like MBR, $MFT, and others, often dismounting volumes before wiping. Similar to HermeticWiper, linked to Russia’s Sandworm group, PathWiper uses more precise, programmatic methods to identify and corrupt drives.

“On execution, PathWiper replaces the contents of artifacts related to the file system with random data generated on the fly.” reads the report published by Cisco Talos. “It first gathers a list of connected storage media on the endpoint, including:

Physical drive names
Volume names and paths
Network shared and unshared (removed) drive paths

Although most storage devices and volumes are discovered programmatically (via APIs), the wiper also queries ‘HKEY_USERS\Network\<drive_letter>| RemovePath’ to obtain the path of shared network drives for destruction. Once all the storage media information has been collected, PathWiper creates one thread per drive and volume for every path recorded and overwrites artifacts with randomly generated bytes.”

Commands from the administrative console were executed on endpoints as BAT files, resembling Impacket-style syntax but not necessarily indicating its use. These BAT files ran a malicious VBScript (uacinstall.vbs), which dropped and executed the PathWiper payload named sha256sum.exe. The researchers speculate that the attackers mimicked legitimate admin tool behavior because of their familiarity with the tool and the target environment’s operations.

“Any commands issued by the administrative tool’s console were received by its client running on the endpoints. The client then executed the command as a batch (BAT) file, with the command line partially resembling that of Impacket command executions, though such commands do not necessarily indicate the presence of Impacket in an environment,” Talos explains.

Talos’s report includes Indicators of compromise (IOCs) for this threat.

Russia-linked APT groups have carried out multiple wiper campaigns against critical organizations in Ukraine.

In 2022, the Russian APT used multiple wipers in attacks aimed at Ukraine, including AwfulShred, CaddyWiper, HermeticWiper, Industroyer2, IsaacWiper, WhisperGate, Prestige, RansomBoggs, and ZeroWipe.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, PathWiper)

Hacking hacking news information security news IT Information Security malware PathWiper Pierluigi Paganini Russia Security Affairs Security News Ukraine Wiper

Pierluigi Paganini June 25, 2025

Hackers deploy fake SonicWall VPN App to steal corporate credentials

Pierluigi Paganini June 25, 2025