PathWiper Malware Targets Ukraine’s Critical Infrastructure: What to Know

Researchers at Cisco Talos have identified a new destructive cyberattack targeting critical infrastructure in Ukraine. The attackers used a previously unknown data-wiping malware that Talos calls “PathWiper.” The operation bears the indicators typically associated with Russian state-linked activity.

In this incident, adversaries compromised an endpoint administration framework — tools intended to secure and manage systems — and leveraged that trusted channel to distribute destructive code. Talos reports the attackers likely obtained access to an administrative console and then used it to push the malicious payload across connected systems.

Cisco Talos attributes the campaign to a Russian-linked advanced persistent threat (APT) group with high confidence, noting that the tactics and techniques closely mirror prior attacks that targeted Ukrainian critical infrastructure and private organisations since the start of the invasion.

Wolf in admin clothing

The operation is notable for how it abused legitimate administrative mechanisms to hide malicious activity. Rather than using overtly malicious distribution techniques, the attackers issued commands through the already-compromised administrative console, producing traffic that could appear routine to network monitoring tools.

The attackers used a staged deployment. They first pushed a VBScript named “uacinstall.vbs” through the administration tool. When executed, that script installed the main PathWiper executable, which carried the benign-sounding filename “sha256sum.exe” so that it would pass as a checksum utility among the tools administrators expect to find.

The attackers also mimicked legitimate filenames and behaviors used by the administration framework, suggesting they had observed the environment for some time and tailored their actions to avoid detection. That level of reconnaissance indicates extended access and a deliberate effort to appear legitimate before activating the destructive payload.
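The staging chain above (admin agent launches a script host, the script host runs a .vbs from a staging directory, and the script drops a binary with a utility-like name) can be turned into process-lineage detection. The following Python script is an added example, not code from Cisco Talos or from the framework involved; it runs over constructed Sysmon-style process-creation events, and the field names, the staging path and the admin-agent process name (`admin-agent.exe`) are assumptions to adapt to your own telemetry.

```python
"""Process-lineage detection for a two-stage .vbs dropper chain.

Added example, not Cisco Talos code. Events are constructed, one JSON object
per line, in a Sysmon-like shape; field names are an assumption.
"""
import json
import ntpath
from dataclasses import dataclass

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# sha256sum is a GNU coreutils name; Windows ships no such binary, so the
# filename alone is a masquerade signal, and doubly so outside trusted paths.
MASQUERADE_NAMES = {"sha256sum.exe"}

TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Constructed events. admin-agent.exe is a hypothetical stand-in for the
# compromised endpoint-administration framework's agent.
SAMPLE_EVENTS = [
    r'{"pid": 100, "ppid": 1, "image": "C:\\Program Files\\AdminAgent\\admin-agent.exe", "cmdline": "admin-agent.exe"}',
    r'{"pid": 200, "ppid": 100, "image": "C:\\Windows\\System32\\wscript.exe", "cmdline": "wscript.exe C:\\ProgramData\\staging\\uacinstall.vbs"}',
    r'{"pid": 300, "ppid": 200, "image": "C:\\ProgramData\\staging\\sha256sum.exe", "cmdline": "sha256sum.exe"}',
    r'{"pid": 400, "ppid": 1, "image": "C:\\Windows\\explorer.exe", "cmdline": "explorer.exe"}',
    r'{"pid": 500, "ppid": 400, "image": "C:\\Windows\\System32\\notepad.exe", "cmdline": "notepad.exe"}',
    r'{"pid": 600, "ppid": 100, "image": "C:\\Windows\\System32\\cscript.exe", "cmdline": "cscript.exe C:\\Windows\\System32\\slmgr.vbs /dli"}',
]


@dataclass
class Finding:
    rule: str
    pid: int
    image: str
    detail: str


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def _in_trusted_dir(path: str) -> bool:
    return path.lower().startswith(TRUSTED_DIRS)


def _script_path(cmdline: str):
    """First whitespace-separated token ending in .vbs (paths with spaces are a known gap)."""
    for tok in cmdline.split():
        tok = tok.strip('"')
        if tok.lower().endswith(".vbs"):
            return tok
    return None


def analyse(lines):
    events = [json.loads(line) for line in lines if line.strip()]
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        image = _base(e["image"])
        parent = by_pid.get(e["ppid"])
        parent_image = _base(parent["image"]) if parent else "<unknown>"

        # Rule 1: script host running a .vbs from outside trusted directories
        # (stage one). The slmgr.vbs event is legitimate and must not fire.
        script = _script_path(e.get("cmdline", ""))
        if image in SCRIPT_HOSTS and script and not _in_trusted_dir(script):
            findings.append(Finding("vbs-dropper", e["pid"], e["image"],
                                    f"{script} launched by {parent_image}"))

        # Rule 2: utility-like name executing from a non-trusted path (stage two).
        if image in MASQUERADE_NAMES and not _in_trusted_dir(e["image"]):
            findings.append(Finding("masquerade-path", e["pid"], e["image"],
                                    f"parent {parent_image}"))

        # Rule 3: a native executable whose parent is a script host, i.e. the
        # lineage link between stage one and stage two.
        if parent_image in SCRIPT_HOSTS and image.endswith(".exe") and image not in SCRIPT_HOSTS:
            findings.append(Finding("script-host-child", e["pid"], e["image"],
                                    f"launched by {parent_image}: {parent['cmdline']}"))
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_EVENTS):
        print(f"[{f.rule}] pid={f.pid} {f.image} ({f.detail})")
```

Only pid 200 and pid 300 should fire (three findings between them); the `cscript.exe slmgr.vbs` event is there to show that the trusted-directory check is what keeps routine scripting quiet. The allowlist is coarse: a dropper staged under `C:\Windows\Temp` would slip past rule 1, so in practice correlate these hits with the administration console's own job history rather than relying on path alone.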

PathWiper’s purpose is explicit: it systematically destroys data and critical filesystem structures, replacing them with random data so the infected systems become unusable.

On activation, PathWiper enumerates every storage resource available to the host, including physical drives, network shares, and previously mounted network locations, creating a complete inventory of targets.

It then spawns a separate worker thread for each identified storage device and corrupts the structures a volume cannot function without. The malware overwrites the Master Boot Record (MBR) of each disk and the NTFS metadata files of each volume, including the Master File Table ($MFT), the filesystem journal ($LogFile) and other essential metadata, with random bytes.

Before corrupting a volume, PathWiper dismounts it; Talos reports that it does so with the FSCTL_DISMOUNT_VOLUME control code. Dismounting makes the filesystem driver release its handles and cached metadata, so the raw writes that follow are neither blocked nor quietly undone from cache, which makes the damage more likely to be irreversible. Once the malware has run to completion, recovery without clean, off-network backups is unlikely.
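The damage described above can be triaged from a disk image without mounting it. The script below is an added example, not code from Talos or from this article: it checks whether an image still carries an intact MBR, NTFS boot sector and first $MFT record, and falls back to carving for NTFS boot sectors when the MBR is gone. The three images it inspects are constructed inside `build_images()`; the cluster-size encoding and the entropy threshold are simplifications noted in the code.

```python
"""Forensic triage of MBR / NTFS boot sector / $MFT damage.

Added example, not Cisco Talos code. The disk images are constructed in
build_images(); nothing here is captured from a real incident.
"""
import math
import random
import struct
from collections import Counter

SECTOR = 512
NTFS_OEM = b"NTFS    "
BOOT_SIG = b"\x55\xaa"
HIGH_ENTROPY = 7.0  # bits/byte; real boot code plus zero padding sits far below this


def shannon_entropy(buf: bytes) -> float:
    n = len(buf)
    return -sum((c / n) * math.log2(c / n) for c in Counter(buf).values())


def mbr_status(sector: bytes) -> dict:
    """Check the 0x55AA signature, boot flags and entropy of a classic MBR."""
    entries = [sector[446 + 16 * i: 462 + 16 * i] for i in range(4)]
    flags_ok = all(e[0] in (0x00, 0x80) for e in entries)
    intact = sector[510:512] == BOOT_SIG and flags_ok and shannon_entropy(sector) < HIGH_ENTROPY
    parts = [{"type": e[4], "lba": struct.unpack_from("<I", e, 8)[0]} for e in entries if e[4]]
    return {"intact": intact, "partitions": parts}


def ntfs_boot_status(vbr: bytes) -> dict:
    """Parse the NTFS boot sector fields needed to locate $MFT."""
    if len(vbr) < SECTOR or vbr[3:11] != NTFS_OEM or vbr[510:512] != BOOT_SIG:
        return {"intact": False}
    bps = struct.unpack_from("<H", vbr, 11)[0]
    spc = vbr[13]  # simplification: values >= 0x80 encode 2**(256 - x) and are not handled
    mft_lcn = struct.unpack_from("<Q", vbr, 48)[0]
    if bps not in (512, 1024, 2048, 4096) or spc == 0:
        return {"intact": False}
    return {"intact": True, "mft_offset": mft_lcn * spc * bps}


def carve_ntfs_boot(image: bytes):
    """Sector-by-sector search for NTFS boot sectors, for when the MBR is unusable."""
    for off in range(0, len(image) - SECTOR + 1, SECTOR):
        if image[off + 3: off + 11] == NTFS_OEM and image[off + 510: off + 512] == BOOT_SIG:
            yield off


def triage(image: bytes) -> dict:
    mbr = mbr_status(image[:SECTOR])
    result = {"mbr": mbr["intact"], "vbr": False, "mft": False}
    candidates = [p["lba"] * SECTOR for p in mbr["partitions"] if p["type"] == 0x07]
    candidates += list(carve_ntfs_boot(image))
    for base in candidates:
        vbr = ntfs_boot_status(image[base: base + SECTOR])
        if not vbr["intact"]:
            continue
        result["vbr"] = True
        mft = base + vbr["mft_offset"]
        result["mft"] = image[mft: mft + 4] == b"FILE"  # $MFT record header signature
        break
    return result


def build_images() -> dict:
    """Constructed images: healthy, MBR-only overwrite, and MBR + boot sector + $MFT overwrite."""
    part_lba, bps, spc, mft_lcn = 1, 512, 8, 4
    mbr = bytearray(SECTOR)
    # entry 0: bootable, CHS ignored, type 0x07 (NTFS), starts at LBA 1, 64 sectors
    struct.pack_into("<BBBBBBBBII", mbr, 446, 0x80, 0, 0, 0, 0x07, 0, 0, 0, part_lba, 64)
    mbr[510:512] = BOOT_SIG
    vbr = bytearray(SECTOR)
    vbr[0:3] = b"\xeb\x52\x90"  # jump instruction a real NTFS boot sector starts with
    vbr[3:11] = NTFS_OEM
    struct.pack_into("<HB", vbr, 11, bps, spc)
    struct.pack_into("<Q", vbr, 48, mft_lcn)
    vbr[510:512] = BOOT_SIG
    mft_in_volume = mft_lcn * spc * bps
    volume = bytearray(mft_in_volume + 1024)
    volume[:SECTOR] = vbr
    volume[mft_in_volume: mft_in_volume + 4] = b"FILE"
    healthy = bytes(mbr) + bytes(volume)

    rng = random.Random(2025)  # seeded so the example is reproducible
    noise = lambda n: bytes(rng.getrandbits(8) for _ in range(n))
    mft_off = part_lba * SECTOR + mft_in_volume
    mbr_only = noise(SECTOR) + healthy[SECTOR:]
    wiped = bytearray(healthy)
    wiped[:SECTOR] = noise(SECTOR)                 # MBR
    wiped[SECTOR: 2 * SECTOR] = noise(SECTOR)      # NTFS boot sector
    wiped[mft_off: mft_off + 1024] = noise(1024)   # first $MFT record
    return {"healthy": healthy, "mbr_only": mbr_only, "full_wipe": bytes(wiped)}


if __name__ == "__main__":
    for name, img in build_images().items():
        print(name, triage(img))
```

The middle case is the instructive one: with only the MBR overwritten, the NTFS boot sector is still found by carving and $MFT is still readable, so the volume is recoverable with ordinary tools. That is why a wiper that also destroys the boot sector and $MFT, as the text describes, leaves off-network backups as the only realistic path back.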

PathWiper and HermeticWiper: a malware family resemblance

Talos researchers observed similarities between PathWiper and an earlier destructive strain known as HermeticWiper, which disrupted Ukrainian critical infrastructure and private organisations in 2022.

HermeticWiper (also referred to as FoxBlade or NEARMISS) has been linked by multiple security firms to the Sandworm group, a Russian-affiliated actor. Both families of malware aim at the same core filesystem components, raising the possibility of shared tooling, code reuse, or similar operational goals.

However, PathWiper demonstrates greater operational sophistication. Where HermeticWiper took a blunt approach to corrupting drives, PathWiper is more methodical: it enumerates connected drives and previously mounted network locations, checks that each volume name is valid, and records only confirmed targets before initiating destructive operations.

The digital front continues

The discovery of PathWiper underscores that state-linked attackers remain active and continue to refine destructive capabilities. For Ukrainian organisations responsible for critical services such as energy, water, and telecommunications, the incident reiterates the need for continuous vigilance, strict segmentation, and robust, off-network backup strategies.

The broader lesson applies globally: critical infrastructure continues to be a focal point for attackers, including nation-state actors who iterate on their tools and tradecraft. Organisations must assume persistent threats and adapt defenses accordingly.

Each new destructive variant offers insight into how digital conflict is evolving. PathWiper is a current example of those trends, but security teams should prepare for further advances as adversaries continue to develop and refine their arsenals.

(Photo by Leonhard Niederwimmer)
