PathWiper: A Deep Dive into Malware Targeting Ukraine’s Critical Infrastructure

Much like a snowplow clearing everything from its path, the new Russia-linked malware PathWiper is wreaking havoc on Ukraine. It emerged in attacks on Ukrainian critical infrastructure and marks a significant evolution in Russia-linked cyber sabotage campaigns. Here’s a comprehensive breakdown of what PathWiper is, how it works, and why it matters.

PathWiper is a form of wiper malware. Unlike ransomware, which encrypts files and demands payment for decryption, wiper malware is designed to permanently destroy data and render systems inoperable. PathWiper was first identified during a coordinated attack against Ukrainian critical infrastructure in June 2025. The malware is believed to be the work of a sophisticated threat actor with a history of targeting Ukraine, likely with state sponsorship.

Technical Details and Attack Chain

  • Initial Access and Deployment: Attackers first gain administrative access to the target environment. They use legitimate endpoint administration tools to deploy PathWiper, which helps them move laterally across the network and install the malware on multiple systems with minimal detection.
  • Execution Process: The malware is typically launched via a Windows batch file. This batch script executes a malicious VBScript, which then drops the main wiper payload onto the system. The use of legitimate scripting and administrative tools allows the attackers to blend in with normal IT operations.
  • Drive and Volume Enumeration: PathWiper stands out for its ability to programmatically identify all connected storage media. This includes not just local hard drives, but also network drives, removable media, and even dismounted volumes. The malware ensures that every possible storage location is targeted for destruction.
  • Destruction Mechanism: Once running, PathWiper uses Windows APIs to dismount each identified volume, ensuring that files are not locked and can be overwritten. For each drive or volume, it spawns a separate thread to overwrite critical file system structures. The main targets include:
    • The Master Boot Record (MBR), which contains the bootloader and partition information.
    • The Master File Table ($MFT), which is essential for the NTFS file system to track files and directories.
    • Other NTFS metadata files such as $LogFile, $Boot, and others that are crucial for file system integrity.
  • Impact: By overwriting these core components with random data, PathWiper ensures that the operating system cannot boot and that data recovery is virtually impossible. The affected machines are effectively “bricked,” requiring complete reinstallation and restoration from backups—if available.

From Russia with Love…Not!

PathWiper is not the first wiper malware used against Ukraine, but it is one of the most advanced. Earlier wipers like HermeticWiper and CaddyWiper also targeted critical infrastructure, but PathWiper’s approach is more thorough. Instead of simply wiping physical drives in sequence, it actively searches for all storage devices, including those that are not currently mounted or are accessible over the network. This results in a more comprehensive and devastating attack.

Additionally, PathWiper relies heavily on legitimate administrative tools for deployment and execution. This makes detection and prevention much harder, as the malware’s activity can be mistaken for routine IT maintenance or troubleshooting.

Strategic Significance and Motivation

The emergence of PathWiper highlights the ongoing evolution of cyberwarfare tactics. The malware’s sole purpose is destruction—there are no ransom demands or attempts at extortion. This aligns with a broader strategy of using cyberattacks to disrupt and demoralize, especially during periods of heightened military conflict.

For Ukraine, the threat is especially acute. Critical infrastructure—such as energy, transportation, and communications—remains a primary target for cyber sabotage. The use of wiper malware is intended to cause maximum operational disruption, complicating response efforts and undermining public confidence.

Detection, Response, and Defense

Detecting PathWiper before it executes is a significant challenge due to its use of legitimate administrative tools and scripting languages. However, defenders can take several steps to mitigate the risk:

  • Monitor for unusual administrative activity, especially the use of remote management tools and scripts.
  • Restrict access to critical systems and enforce the principle of least privilege.
  • Regularly back up essential data and store backups offline to prevent them from being wiped.
  • Employ endpoint detection and response (EDR) solutions capable of identifying suspicious scripting activity and unauthorized drive enumeration.
  • Keep all systems and security tools updated to recognize the latest threats.
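The attack chain above (batch file launching a VBScript that drops the wiper, followed by raw access to every attached volume) and the EDR bullet on flagging suspicious scripting and drive enumeration can be turned into concrete detection logic. The following is an added example, not code from the original post or from any vendor product. It runs over constructed, simplified telemetry whose field names mirror Sysmon Event ID 1 (process creation) and Event ID 9 (raw access read), but the hostnames, paths, process IDs and the backup-agent allowlist are all assumptions made for the example.

```python
"""Defender-side detection walk-through for the PathWiper attack chain.

Added example, not from the original post. The log records below are
constructed; the field names (EventID, Image, ParentImage, ParentProcessId,
CommandLine, Device) mirror Sysmon Event ID 1 and Event ID 9, but every
value (hosts, paths, PIDs) is made up for illustration.
"""
import json
import re
from collections import defaultdict

# Constructed sample telemetry, one JSON record per line. Host "srv02" shows
# the batch -> VBScript -> dropped binary chain and raw reads of three volumes;
# host "ws01" shows benign activity plus one low-volume raw read.
SAMPLE_LOG = r"""
{"EventID": 1, "Host": "ws01", "ProcessId": 4100, "ParentProcessId": 1200, "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c dir"}
{"EventID": 1, "Host": "srv02", "ProcessId": 5200, "ParentProcessId": 5100, "ParentImage": "C:\\Windows\\System32\\cmd.exe", "Image": "C:\\Windows\\System32\\wscript.exe", "CommandLine": "wscript.exe C:\\Temp\\stage.vbs"}
{"EventID": 1, "Host": "srv02", "ProcessId": 5300, "ParentProcessId": 5200, "ParentImage": "C:\\Windows\\System32\\wscript.exe", "Image": "C:\\Temp\\payload.exe", "CommandLine": "payload.exe"}
{"EventID": 9, "Host": "srv02", "ProcessId": 5300, "Image": "C:\\Temp\\payload.exe", "Device": "\\Device\\HarddiskVolume1"}
{"EventID": 9, "Host": "srv02", "ProcessId": 5300, "Image": "C:\\Temp\\payload.exe", "Device": "\\Device\\HarddiskVolume2"}
{"EventID": 9, "Host": "srv02", "ProcessId": 5300, "Image": "C:\\Temp\\payload.exe", "Device": "\\Device\\HarddiskVolume3"}
{"EventID": 9, "Host": "ws01", "ProcessId": 4400, "Image": "C:\\Program Files\\Backup\\agent.exe", "Device": "\\Device\\HarddiskVolume1"}
{"EventID": 9, "Host": "ws01", "ProcessId": 4500, "Image": "C:\\Tools\\diskinfo.exe", "Device": "\\\\.\\PhysicalDrive0"}
"""

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Raw device names: \\.\PhysicalDriveN or \Device\HarddiskVolumeN.
RAW_DEVICE = re.compile(r"^(\\\\\.\\PhysicalDrive\d+|\\Device\\HarddiskVolume\d+)$", re.IGNORECASE)
# Assumed allowlist of software legitimately expected to read raw volumes.
RAW_ACCESS_ALLOWLIST = {r"c:\program files\backup\agent.exe"}
# A single process touching this many distinct volumes looks like enumeration.
VOLUME_THRESHOLD = 3


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def parse_events(text: str) -> list:
    """Parse newline-delimited JSON records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect(events: list) -> list:
    """Return findings for the three behaviours described in the post."""
    findings = []
    flagged_script_hosts = set()          # (host, pid) of wscript/cscript spawned by cmd.exe
    raw_volumes = defaultdict(set)        # (host, pid, image) -> raw devices read
    for ev in events:
        host, image = ev["Host"], basename(ev["Image"])
        if ev["EventID"] == 1:
            parent = basename(ev["ParentImage"])
            if parent == "cmd.exe" and image in SCRIPT_HOSTS and ".vbs" in ev["CommandLine"].lower():
                flagged_script_hosts.add((host, ev["ProcessId"]))
                findings.append({"host": host, "rule": "batch_launches_vbscript",
                                 "severity": "medium", "detail": ev["CommandLine"]})
            elif (host, ev["ParentProcessId"]) in flagged_script_hosts and image not in SCRIPT_HOSTS:
                findings.append({"host": host, "rule": "vbscript_spawns_binary",
                                 "severity": "high", "detail": ev["Image"]})
        elif ev["EventID"] == 9:
            device = ev["Device"]
            if RAW_DEVICE.match(device) and ev["Image"].lower() not in RAW_ACCESS_ALLOWLIST:
                raw_volumes[(host, ev["ProcessId"], ev["Image"])].add(device.lower())
    # Raw access is scored after the pass so we can count distinct volumes per process.
    for (host, _pid, image), devices in raw_volumes.items():
        severity = "high" if len(devices) >= VOLUME_THRESHOLD else "low"
        findings.append({"host": host, "rule": "raw_volume_access", "severity": severity,
                         "detail": f"{image} read {len(devices)} raw volume(s)"})
    return findings


if __name__ == "__main__":
    for f in detect(parse_events(SAMPLE_LOG)):
        print(f"[{f['severity']:<6}] {f['host']:<6} {f['rule']:<24} {f['detail']}")
```

Run against the constructed log, this yields four findings: a medium-severity batch-to-VBScript launch and a high-severity dropped binary on srv02, a high-severity multi-volume raw read by that binary, and a low-severity single raw read by the unlisted tool on ws01; the allowlisted backup agent is not reported. The allowlist and threshold are the tuning knobs: backup, imaging and disk-health agents legitimately open raw volumes, so the value of the rule comes from baselining which binaries are expected to do so on each host class.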

PathWiper represents a new level of sophistication in destructive malware targeting critical infrastructure. Its ability to thoroughly identify and wipe all connected storage devices makes it one of the most dangerous wipers to date. The malware’s deployment in Ukraine underscores the reality that cyberwarfare is now a central component of modern conflict, and that defenders must be constantly vigilant and adaptive to counter rapidly evolving threats. Organizations, especially those in sectors deemed critical, should review their security postures and incident response plans to ensure resilience against this and future wiper attacks.
