2025/06/11 15:38:43

PathWiper (computer virus)

Chronicle

2025: Attack on Ukraine's infrastructure

Critical infrastructure facilities in Ukraine were attacked by new malware named PathWiper, designed to completely destroy the data on infected systems. This was reported by analysts at Cisco Talos in a study published in June 2025.

The new malware was deployed through legitimate endpoint administration tools, which indicates that the attackers had already obtained administrative access to the target systems. The attacks on Ukrainian infrastructure were not accompanied by ransom demands or financial claims.

Critical infrastructure of Ukraine is attacked by a new virus that erases all data

The researchers draw parallels between PathWiper and another destructive malware, HermeticWiper, which was previously used in attacks on Ukraine by the hacker group Sandworm. The similarity between the two threats suggests a link between the clusters of attackers using these tools.

PathWiper is deployed on target systems via Windows batch files that run a malicious VBScript called uacinstall.vbs. This script drops and executes the main payload, a file named sha256sum.exe.

To evade detection, the malware mimics the behavior of, and uses names associated with, legitimate system administration tools. This masquerading allows the malware to go unnoticed for a long time.
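As an added defender-side example (not code from the article or from Cisco Talos), the following Python flags the staging chain described above in process-creation telemetry: a script host launching uacinstall.vbs, and sha256sum.exe spawned by that script host. The JSON event format, the script-host names wscript.exe/cscript.exe and the sample events are assumptions; only the two file names come from the article.

```python
"""Flag the PathWiper staging chain (batch -> VBScript -> sha256sum.exe)
in process-creation events. Event format and script-host names are
assumptions; file names uacinstall.vbs and sha256sum.exe are from the
article. Sample events below are constructed, not real telemetry."""
import json

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}  # assumption: usual VBScript hosts
STAGER_SCRIPT = "uacinstall.vbs"               # from the article
PAYLOAD_NAME = "sha256sum.exe"                 # from the article

# Constructed sample log: one JSON object per line, pid/ppid link parent to child.
# pid 44 is a benign lookalike (a real sha256sum.exe shipped with Git) and must
# not be flagged, because its parent is not a script host.
SAMPLE_LOG = r"""
{"pid": 41, "ppid": 7,  "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c deploy.bat"}
{"pid": 42, "ppid": 41, "image": "C:\\Windows\\System32\\wscript.exe", "cmdline": "wscript.exe C:\\ProgramData\\uacinstall.vbs"}
{"pid": 43, "ppid": 42, "image": "C:\\ProgramData\\sha256sum.exe", "cmdline": "sha256sum.exe"}
{"pid": 44, "ppid": 9,  "image": "C:\\Program Files\\Git\\usr\\bin\\sha256sum.exe", "cmdline": "sha256sum.exe release.zip"}
"""


def _basename(path: str) -> str:
    """Return the lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def find_pathwiper_chain(log_text: str):
    """Return (pid, reason) tuples for events matching the staging chain."""
    events = [json.loads(line) for line in log_text.splitlines() if line.strip()]
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        name = _basename(e["image"])
        parent = by_pid.get(e["ppid"])
        parent_name = _basename(parent["image"]) if parent else ""
        # Stage 1: a script host is asked to run the stager script.
        if name in SCRIPT_HOSTS and STAGER_SCRIPT in e["cmdline"].lower():
            findings.append((e["pid"], f"script host launched {STAGER_SCRIPT}"))
        # Stage 2: the payload name appears as a child of a script host,
        # which a legitimate sha256sum.exe invocation would not normally be.
        if name == PAYLOAD_NAME and parent_name in SCRIPT_HOSTS:
            findings.append((e["pid"], f"{PAYLOAD_NAME} spawned by {parent_name}"))
    return findings


if __name__ == "__main__":
    for pid, reason in find_pathwiper_chain(SAMPLE_LOG):
        print(f"pid {pid}: {reason}")
```

Matching on the parent-child relationship rather than on the file name alone is what keeps the legitimate Git sha256sum.exe (pid 44) out of the findings.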

Unlike HermeticWiper, which simply enumerates physical disks, PathWiper programmatically identifies all connected drives: local, network and dismounted. The malware then abuses the Windows API to dismount the volumes and prepare them for destruction.

The malware creates a separate thread for each volume to overwrite the critical structures of the NTFS file system. One of the main targets is the Master Boot Record (MBR), the first sector of the physical disk, which contains the bootloader and the partition table.

PathWiper also attacks the Master File Table ($MFT), the main NTFS system file that holds a directory of all files and folders, including their location on disk and their metadata. The $LogFile journal, used to record NTFS operations and track file changes, is hit as well.[1]

Notes

  1. Cisco Talos, "Newly identified wiper malware `PathWiper` targets critical infrastructure in Ukraine", https://blog.talosintelligence.com/pathwiper-targets-ukraine/