
A recently discovered destructive malware known as “PathWiper” has been deployed in a cyberattack on a critical infrastructure entity in Ukraine, according to a June 2025 report from Cisco Talos.
Analysis indicates the campaign may be the handiwork of a Russia-nexus advanced persistent threat (APT) actor, marking yet another escalation in the ongoing cyber conflict impacting Ukrainian organizations.
PathWiper was delivered using a legitimate endpoint administration framework, suggesting the attackers had already compromised administrative consoles within the targeted environment.
Through this access, adversaries pushed malicious BAT files containing commands to execute a specially crafted VBScript, which then wrote and launched the PathWiper executable.
This multi-stage approach allowed the adversaries to disseminate the wiper rapidly across connected endpoints, masquerading as routine administrative actions.
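As an added example (not code from the Talos report or the campaign), the Python below flags that delivery chain in process-creation telemetry: an endpoint-administration agent spawning cmd.exe on a .bat, which spawns a script host on a .vbs, which in turn launches an executable. The agent process name, the Sysmon-style field names and the sample events are all constructed assumptions.

```python
"""Detect a BAT -> VBScript -> executable chain rooted in an admin agent.

Added example; event format is a reduced Sysmon-like dict per process
(pid, ppid, image, cmdline). Agent name and sample events are assumed.
"""

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


def _basename(image):
    """Lower-case file name from a Windows path (works on any host OS)."""
    return image.replace("\\", "/").rsplit("/", 1)[-1].lower()


def find_wiper_chains(events, admin_agents):
    """Return (bat_pid, vbs_pid, payload_pid) tuples for each full chain.

    admin_agents: set of lower-case image names of the administration
    framework's agent process (assumed, e.g. {"agent.exe"}).
    """
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        grand = by_pid.get(parent["ppid"]) if parent else None
        great = by_pid.get(grand["ppid"]) if grand else None
        if not (parent and grand and great):
            continue
        # stage 3: a non-script-host executable launched by a script host
        if _basename(e["image"]) in SCRIPT_HOSTS or not e["image"].lower().endswith(".exe"):
            continue
        # stage 2: wscript/cscript running a .vbs
        if _basename(parent["image"]) not in SCRIPT_HOSTS or ".vbs" not in parent["cmdline"].lower():
            continue
        # stage 1: cmd.exe executing a .bat
        if _basename(grand["image"]) != "cmd.exe" or ".bat" not in grand["cmdline"].lower():
            continue
        # stage 0: the chain is rooted in the endpoint-administration agent
        if _basename(great["image"]) not in admin_agents:
            continue
        hits.append((grand["pid"], parent["pid"], e["pid"]))
    return hits


SAMPLE_EVENTS = [  # constructed telemetry, not from any real incident
    {"pid": 100, "ppid": 1, "image": r"C:\Program Files\AdminAgent\agent.exe", "cmdline": "agent.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe", "cmdline": r"cmd.exe /c C:\Temp\deploy.bat"},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\wscript.exe", "cmdline": r"wscript.exe C:\Temp\run.vbs"},
    {"pid": 400, "ppid": 300, "image": r"C:\Temp\update.exe", "cmdline": "update.exe"},
    # benign-looking admin job: BAT launches an installer directly, no script host
    {"pid": 500, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe", "cmdline": r"cmd.exe /c C:\Temp\patch.bat"},
    {"pid": 600, "ppid": 500, "image": r"C:\Temp\patch.exe", "cmdline": "patch.exe"},
]

if __name__ == "__main__":
    print(find_wiper_chains(SAMPLE_EVENTS, {"agent.exe"}))  # [(200, 300, 400)]
```

Only the complete four-process chain is reported; a BAT that launches an installer directly from the agent does not match, so the rule is a starting point to tune against the environment's own admin-tool baseline rather than a generic "cmd spawned a script" alert.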
Once executed, PathWiper enumerates all connected storage media, including local drives, network shares, and even previously dismounted volumes. For each discovered storage target, it spawns dedicated threads and systematically overwrites file system artifacts and user files with randomized data, aiming for irrecoverable destruction.
The malware targets critical on-disk structures, including the Master Boot Record (MBR) and NTFS metadata files such as $MFT (the Master File Table) and $LogFile, along with several other artifacts vital to system and data integrity. PathWiper also attempts to dismount volumes before overwriting them, further reducing any chance of recovery.
Notably, while PathWiper shares some procedural similarities with the HermeticWiper family linked to Sandworm and previous attacks on Ukraine, it demonstrates greater sophistication in identifying and corrupting storage volumes.
The medium-to-high-confidence attribution to a Russia-linked APT is based on clear overlaps in tactics, techniques, and procedures with previous destructive campaigns.