CyberSecurity news

FlagThis

Jacob Finn@Cisco Talos Blog //

PathWiper Malware Targets Critical Infrastructure in Ukraine

A new destructive malware, dubbed PathWiper, has been discovered targeting critical infrastructure in Ukraine. Cisco Talos researchers identified the wiper after observing an attack on a Ukrainian entity. The attackers, believed to be a Russia-nexus APT actor, gained access to a legitimate endpoint administration framework and used it to deploy PathWiper across connected endpoints. The malware is designed to overwrite data with random bytes, effectively disrupting the targeted systems. The discovery highlights the continued cyber threat to Ukrainian critical infrastructure amidst the ongoing conflict.

The attack unfolded through a compromised administrative console. Attackers issued commands via the console, which were received by clients running on the endpoints and executed as batch files. These files contained commands to execute a malicious VBScript file named "uacinstall.vbs", which in turn, dropped and executed the PathWiper executable. The filenames and actions used throughout the attack were designed to mimic those of the administrative utility, suggesting the attackers had prior knowledge of the console and its functionality within the targeted environment.

Once executed, PathWiper identifies connected storage media and overwrites crucial file system artifacts with random data. It targets physical drives, volume names, network drive paths, and critical files like the Master Boot Record (MBR). The malware creates a thread for each drive and volume, overwriting the contents with randomly generated bytes, effectively destroying data and disrupting system operations. While PathWiper shares some similarities with HermeticWiper, another wiper used in previous attacks against Ukraine, there are notable differences in their data corruption mechanisms.

Share: bluesky twitterx--v2 facebook--v1 threads


References :
  • Cisco Talos Blog: Newly identified wiper malware “PathWiper†targets critical infrastructure in Ukraine
  • Cisco Talos: New destructive malware alert: Talos uncovered "PathWiper," a wiper targeting Ukrainian critical infrastructure, which we attribute with high confidence to a Russia-nexus APT actor. Learn how the attack unfolded:
  • securityonline.info: PathWiper: Russia-Linked APT Deploys New Wiper Malware Against Ukrainian Infrastructure
  • bsky.app: Cisco Talos observed a destructive attack on a critical infrastructure entity within Ukraine, using a previously unknown wiper called PathWiper
  • securityonline.info: PathWiper: Russia-Linked APT Deploys New Wiper Malware Against Ukrainian Infrastructure
  • The Hacker News: New PathWiper Data Wiper Malware Disrupts Ukrainian Critical Infrastructure in 2025 Attack
  • bsky.app: Cisco Talos observed a destructive attack on a critical infrastructure entity within Ukraine, using a previously unknown wiper called PathWiper
  • cyberpress.org: New pathWiper Malware Strikes Critical Infrastructure with Admin Tool Deployment
  • securityaffairs.com: Russia-linked threat actors targets Ukraine with PathWiper wiper
  • blog.talosintelligence.com: New destructive malware alert: Talos uncovered "PathWiper," a wiper targeting Ukrainian critical infrastructure, which we attribute with high confidence to a Russia-nexus APT actor. Learn how the attack unfolded:
  • Cisco Talos: New destructive malware alert: Talos uncovered "PathWiper," a wiper targeting Ukrainian critical infrastructure, which we attribute with high confidence to a Russia-nexus APT actor.
  • The Register - Security: Destructive malware has been a hallmark of Putin's multi-modal war A new strain of wiper malware targeting Ukrainian infrastructure is being linked to pro-Russian hackers, in the latest sign of Moscow's evolving cyber tactics.
  • RedPacket Security: Fresh strain of pro-Russian wiper flushes Ukrainian critical infrastructure
  • ciso2ciso.com: Fresh strain of pro-Russian wiper flushes Ukrainian critical infrastructure - Source: go.theregister.com
  • BleepingComputer: A new data wiper malware named 'PathWiper' is being used in targeted attacks against critical infrastructure in Ukraine, aimed at disrupting operations in the country.
  • Cisco Talos Blog: In this week's newsletter, Martin emphasizes that awareness, basic cyber hygiene and preparation are essential for everyone, and highlights Talos' discovery of the new PathWiper malware.
  • Security Affairs: Cisco Talos researchers reported that attackers utilized a legitimate endpoint administration tool, indicating they had access to the administrative console, then used it to deploy PathWiper across the victim network.
  • Catalin Cimpanu: Multiple sources indicate the use of PathWiper malware against Ukrainian critical infrastructure.
  • Industrial Cyber: Industrial Cyber article on PathWiper malware targeting Ukrainian critical infrastructure.
  • hackread.com: News article about a new New PathWiper Malware Strikes Ukraine’s Critical Infrastructure
  • industrialcyber.co: Researchers from Cisco Talos observed a destructive attack on a critical infrastructure entity within Ukraine, involving a previously...
  • www.csoonline.com: A destructive new malware, dubbed PathWiper, has struck Ukraine’s critical infrastructure, erasing data and disabling essential systems, according to a recent Cisco Talos report.
  • www.scworld.com: Ukraine's critical infrastructure subjected to novel PathWiper compromise
  • ciso2ciso.com: New PathWiper Malware Strikes Ukraine’s Critical Infrastructure – Source:hackread.com
Classification: