Cybersecurity researchers at Cisco Talos have uncovered a new destructive malware variant they dubbed “PathWiper,” which was used in a recent cyberattack against a critical infrastructure entity in Ukraine. The attack has been attributed to a Russia-linked state-sponsored hacker group.
According to Talos, PathWiper was deployed through a legitimate endpoint administration framework, indicating that the attackers had compromised the administrative console used to manage enterprise endpoints. Once inside, they issued malicious commands that triggered the deployment of the wiper malware across multiple systems.
The malware execution chain began with a batch file command that launched a malicious VBScript named uacinstall.vbs. The attackers disguised their activity to mirror legitimate administrative actions.
PathWiper shares several characteristics with HermeticWiper, also tracked in the cybersecurity community as FoxBlade or NEARMISS, which was used in 2022 attacks against Ukraine and attributed to Russia’s Sandworm APT group. Both malware families are designed to corrupt the master boot record (MBR) and damage NTFS artifacts to render systems inoperable.
However, PathWiper uses a more sophisticated disk corruption technique. Unlike HermeticWiper, which attempts to damage physical drives through brute-force enumeration, PathWiper programmatically identifies all connected and dismounted drives, verifies their volume labels, and targets specific volumes with precision.
“Talos attributes this disruptive attack and the associated wiper to a Russia-nexus advanced persistent threat (APT) actor. Our assessment is made with high confidence based on tactics, techniques and procedures (TTPs) and wiper capabilities overlapping with destructive malware previously seen targeting Ukrainian entities,” the team said.