This campaign showcases significant advancements in precision and stealth over previous Russian wiper attacks on Ukraine. PathWiper’s ability to infiltrate trusted systems, evade detection, and cripple vital services highlights an intensifying digital offensive with far-reaching implications for global cybersecurity.
How PathWiper operates
PathWiper, deployed via a trusted endpoint administration system, marks a significant evolution from HermeticWiper, which targeted Ukrainian systems in 2022. The attack begins with a Windows batch file executing a malicious VBScript (uacinstall.vbs), which deploys a wiper binary disguised as “sha256sum.exe” to blend seamlessly into legitimate processes.
Once active, PathWiper meticulously identifies all connected storage media—physical drives, dismounted volumes, and network shares—verifying volume labels to target them with precision. It overwrites critical NTFS structures, including the Master Boot Record (MBR), Master File Table ($MFT), and other NTFS artifacts, with random data, rendering data recovery nearly impossible without robust, isolated backups.
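As an added illustration, not code from the original article, here is a small Python detector run over constructed process-creation events that looks for the staging chain described above: cmd.exe (the batch file) launching a script host with uacinstall.vbs, then a sha256sum.exe spawned by that script host. The event shape, PIDs and paths are assumed; the benign sha256sum event shows why the parent chain, not the filename alone, should drive the alert.

```python
from dataclasses import dataclass

@dataclass
class ProcEvent:
    """Minimal process-creation record (shape assumed, e.g. Sysmon Event ID 1)."""
    pid: int
    ppid: int
    image: str
    cmdline: str

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def find_pathwiper_chain(events):
    """Return (stage, pid) tuples for events matching the PathWiper staging chain."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e.ppid)
        pimg = basename(parent.image) if parent else ""
        # Stage 1: a script host running uacinstall.vbs, spawned by cmd.exe (the batch file)
        if basename(e.image) in SCRIPT_HOSTS and "uacinstall.vbs" in e.cmdline.lower() and pimg == "cmd.exe":
            hits.append(("stage1_vbs_from_batch", e.pid))
        # Stage 2: a binary named sha256sum.exe whose parent is the script host.
        # A genuine sha256sum (coreutils / Git for Windows) is run from a shell, not from
        # wscript, so keying on the parent rather than the name keeps false positives down.
        if basename(e.image) == "sha256sum.exe" and pimg in SCRIPT_HOSTS:
            hits.append(("stage2_wiper_from_vbs", e.pid))
    return hits

# Constructed sample events (PIDs and paths are made up for this example)
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\System32\cmd.exe", r"cmd.exe /c C:\example\stage.bat"),
    ProcEvent(200, 100, r"C:\Windows\System32\wscript.exe", r"wscript.exe C:\example\uacinstall.vbs"),
    ProcEvent(300, 200, r"C:\example\sha256sum.exe", r"sha256sum.exe"),
    # Benign: a real checksum tool launched from a shell, parent not in this window
    ProcEvent(400, 50, r"C:\Program Files\Git\usr\bin\sha256sum.exe", r"sha256sum.exe image.iso"),
]

if __name__ == "__main__":
    for stage, pid in find_pathwiper_chain(SAMPLE_EVENTS):
        print(f"{stage}: pid {pid}")
```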