PathWiper Malware Targets Ukrainian Critical Infrastructure in 2025

In June 2025, Ukrainian critical infrastructure faced a significant cyberattack involving a newly identified data-wiping malware named PathWiper. Cisco Talos researchers Jacob Finn, Dmytro Korzhevin, and Asheer Malhotra reported that the attackers utilized a legitimate endpoint administration framework to deploy PathWiper across multiple systems, suggesting prior access to the administrative console.

The attack sequence began with the administrative console issuing commands to client systems, which executed a batch file. This file ran a malicious Visual Basic Script (VBScript) named uacinstall.vbs located in the Windows TEMP folder. The VBScript then dropped and executed the PathWiper binary, labeled sha256sum.exe, in the same directory. The use of filenames and actions that mimic legitimate administrative processes indicates the attackers’ familiarity with the victim’s operational environment.
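The delivery chain above (batch file, then a VBScript in the Windows TEMP folder, then an executable dropped alongside it) is something a defender can look for in process-creation telemetry. The following detection logic is an added example, not Talos code or the page's own; the event records, the batch file name deploy.bat and the benign look-alike entries are constructed, and only the names uacinstall.vbs and sha256sum.exe come from the report.

```python
import re

# Constructed process-creation events in a Sysmon Event ID 1 style.
# Values are made up for this example except the two reported file names.
EVENTS = [
    {"pid": 100, "ppid": 1,   "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c C:\Windows\Temp\deploy.bat"},
    {"pid": 101, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe C:\Windows\Temp\uacinstall.vbs"},
    {"pid": 102, "ppid": 101, "image": r"C:\Windows\Temp\sha256sum.exe",
     "cmdline": r"sha256sum.exe"},
    # Benign look-alikes: a genuine sha256sum from a tools directory and a
    # logon script outside TEMP. Neither should be flagged.
    {"pid": 200, "ppid": 1,   "image": r"C:\Tools\bin\sha256sum.exe",
     "cmdline": r"sha256sum.exe build.zip"},
    {"pid": 201, "ppid": 1,   "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe C:\Scripts\logon.vbs"},
]

# Windows TEMP locations: the system TEMP folder and per-user AppData TEMP.
TEMP_PATH = re.compile(r"\\(windows\\temp|users\\[^\\]+\\appdata\\local\\temp)\\", re.I)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def flag_events(events):
    """Return {pid: reason} for events matching the delivery chain."""
    by_pid = {e["pid"]: e for e in events}
    findings = {}
    for e in events:
        parent = by_pid.get(e["ppid"])
        name = basename(e["image"])
        # Rule 1: a script host executing a .vbs that lives in a TEMP folder.
        if (name in SCRIPT_HOSTS and ".vbs" in e["cmdline"].lower()
                and TEMP_PATH.search(e["cmdline"])):
            findings[e["pid"]] = "script host running .vbs from TEMP"
        # Rule 2: an executable in TEMP started by a script host; escalate
        # when the grandparent is cmd.exe, i.e. the full batch -> VBS -> EXE chain.
        elif (TEMP_PATH.search(e["image"]) and parent
                and basename(parent["image"]) in SCRIPT_HOSTS):
            grandparent = by_pid.get(parent["ppid"])
            if grandparent and basename(grandparent["image"]) == "cmd.exe":
                findings[e["pid"]] = "batch -> VBScript -> TEMP executable chain"
            else:
                findings[e["pid"]] = "TEMP executable launched by script host"
    return findings
```

The rules key on location and parentage rather than on the file name alone, so a legitimate sha256sum.exe in a tools directory is not flagged.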

Once activated, PathWiper systematically identified connected storage media, including physical drives, volumes, and network paths. It created individual threads for each identified path and overwrote their contents with randomly generated data. The malware specifically targeted critical system components such as the Master Boot Record (MBR), Master File Table (MFT), and other essential NTFS structures, rendering data recovery virtually impossible.

PathWiper shares similarities with HermeticWiper, malware linked to the Russia-affiliated Sandworm group, which was deployed during the initial stages of Russia’s invasion of Ukraine in February 2024. Both malware families aim to corrupt the MBR and NTFS structures, but they differ in how they corrupt the data. The emergence of PathWiper underscores the persistent cyber threats facing Ukrainian infrastructure amid ongoing geopolitical tensions.

In a related development, Russian cybersecurity firm BI.ZONE identified two campaigns by the group Silent Werewolf in March 2025, targeting organizations in Moldova and Russia. The attackers used distinct loaders to retrieve malicious payloads from command-and-control servers. While the specific payloads were not available during the research, historical analysis suggests the use of XDigo malware. Targets included sectors such as nuclear, aerospace, instrumentation, and mechanical engineering within Russia.

Understanding Wiper Malware

Wiper malware is designed to destroy data, making it irretrievable and disrupting normal operations. Unlike ransomware, which encrypts data for ransom, wipers aim for complete data destruction without the possibility of recovery. This type of malware is often used for sabotage, evidence destruction, or as a tool in cyber warfare.

Historical Context and Notable Incidents

The use of wiper malware has escalated in recent years, particularly in geopolitical conflicts. In 2012, the Shamoon wiper targeted Saudi Aramco, affecting over 30,000 computers. More recently, during the Russia-Ukraine conflict, multiple wiper variants have been deployed against Ukrainian entities, including HermeticWiper, WhisperGate, and CaddyWiper. These attacks highlight the strategic use of wiper malware to disrupt critical infrastructure and services.

Mechanisms of Wiper Malware

Wiper malware employs various techniques to destroy data:

– Overwriting Files: Replacing file contents with random data or null bytes, rendering them useless.

– Encrypting Files: Encrypting files and discarding the key, so that, unlike with ransomware, no decryption path exists and recovery is impossible.

– MBR Corruption: Overwriting the Master Boot Record, preventing the system from booting.

– MFT Corruption: Damaging the Master File Table, making files inaccessible.

These methods ensure that the data is permanently destroyed, causing significant operational disruptions.

Preventive Measures Against Wiper Malware

Organizations can adopt several strategies to mitigate the risk of wiper malware attacks:

– Regular Data Backups: Maintain up-to-date, offline backups to facilitate data restoration after an attack.

– Employee Training: Educate staff on recognizing phishing attempts and other common malware delivery methods.

– Email Security: Implement robust email filtering to block malicious attachments and links.

– Patch Management: Regularly update software to close vulnerabilities that could be exploited by attackers.

– Endpoint Security: Deploy comprehensive endpoint protection solutions to detect and prevent malware infections.

By implementing these measures, organizations can enhance their resilience against wiper malware and other cyber threats.

Conclusion

The deployment of PathWiper against Ukrainian critical infrastructure in 2025 highlights the evolving nature of cyber threats in geopolitical conflicts. Understanding the mechanisms and historical context of wiper malware is essential for developing effective defense strategies. Organizations must remain vigilant and proactive in implementing comprehensive cybersecurity measures to protect against such destructive attacks.