A new type of wiper malware was used in a destructive cyberattack on a critical infrastructure organization in Ukraine.
According to a report Thursday from Cisco Talos, the previously unknown malware, dubbed “PathWiper” by researchers, was observed in a recent attack on an unidentified organization. Cisco Talos attributed the attack to a Russia-nexus advanced persistent threat (APT) actor and warned that PathWiper posed significant risk to critical infrastructure organizations in Ukraine.
“The continued evolution of wiper malware variants highlights the ongoing threat to Ukrainian critical infrastructure despite the longevity of the Russia-Ukraine war,” the researchers wrote in the blog post.
A New Breed of Wiper Malware
Cisco Talos researchers explained the PathWiper attack was conducted through a “legitimate endpoint administration framework,” though the report doesn’t offer specifics. The attacker likely used an administrative console to execute commands and deliver PathWiper to all connected endpoints.
“Throughout the course of the attack, filenames and actions used were intended to mimic those deployed by the administrative utility’s console, indicating that the attackers had prior knowledge of the console and possibly its functionality within the victim enterprise’s environment,” the researchers wrote.
While Russian nation-state actors have previously launched wiper attacks against targets in Ukraine, Cisco Talos noted a key distinction with PathWiper that could make the malware a more effective — and destructive — tool. The researchers noted that PathWiper’s “corruption mechanism” is different from those in other wipers, such as HermeticWiper.
“PathWiper programmatically identifies all connected (including dismounted) drives and volumes on the system, identifies volume labels for verification, and documents valid records. This differs from HermeticWiper’s simple process of enumerating physical drives from 0 to 100 and attempting to corrupt them,” they wrote.
Instead of using simple enumeration to locate connected storage drives and volumes, PathWiper discovers them programmatically via APIs and also queries the registry path “HKEY_USERS\Network\RemotePath” to identify and target the paths of mapped network drives.
Once the malware has collected all storage media and network paths, it overwrites those assets with randomly generated bytes. It’s unclear how effective PathWiper was in the critical infrastructure attack; Cisco Talos declined to comment further.
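As a defender-side illustration (added here; not code from Cisco Talos or from the malware), the script below inventories the same information a wiper reading the mapped-drive registry data would find: it parses a `reg export HKEY_USERS` file and lists every RemotePath value with the user profile and drive letter that maps it, so an administrator can see which network shares persistent drive mappings expose. The sample export, SIDs and server names are constructed, and the per-SID, per-drive-letter subkey layout (HKEY_USERS\<SID>\Network\<letter>) is the standard Windows layout assumed here.

```python
"""Inventory persistent mapped drives from a `reg export HKEY_USERS` file (defensive check)."""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample (not real data) in .reg format; backslashes in values are
# doubled, as reg.exe writes them.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_USERS\S-1-5-21-111-222-333-1001\Network\Z]
"RemotePath"="\\\\fileserver01\\engineering"

[HKEY_USERS\S-1-5-21-111-222-333-1001\Network\Y]
"RemotePath"="\\\\backup02\\nightly"

[HKEY_USERS\S-1-5-21-111-222-333-1002\Network\X]
"RemotePath"="\\\\FileServer01\\Engineering"
"""

# Assumed standard layout of persistent mappings: HKEY_USERS\<SID>\Network\<drive letter>
_KEY_RE = re.compile(r"^\[HKEY_USERS\\(S-[\d-]+)\\Network\\([A-Za-z])\]$")
_REMOTE_RE = re.compile(r'^"RemotePath"="(.*)"$')

def _unescape(value: str) -> str:
    # Undo .reg string escaping: a doubled backslash becomes one, \" becomes "
    return re.sub(r"\\(.)", r"\1", value)

def parse_mapped_drives(reg_text: str) -> List[Tuple[str, str, str]]:
    """Return (sid, drive_letter, remote_path) for every RemotePath entry found."""
    entries, current = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        key = _KEY_RE.match(line)
        if key:                      # entering a Network\<letter> subkey
            current = (key.group(1), key.group(2).upper())
            continue
        value = _REMOTE_RE.match(line)
        if value and current:        # RemotePath value inside that subkey
            entries.append((current[0], current[1], _unescape(value.group(1))))
    return entries

def shares_by_users(entries: List[Tuple[str, str, str]]) -> Dict[str, List[Tuple[str, str]]]:
    """Group mappings by UNC share (case-insensitive) so each exposed share is listed once."""
    shares: Dict[str, List[Tuple[str, str]]] = defaultdict(list)
    for sid, letter, path in entries:
        shares[path.lower()].append((sid, letter))
    return dict(shares)
```

Run it against a real export (`reg export HKEY_USERS hku.reg`) to get the list of shares whose backups and access controls deserve review before an incident, not after.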
The PathWiper attack is the latest threat to critical infrastructure in Ukraine. The Computer Emergency Response Team of Ukraine (CERT-UA) observed at least three cyberattacks against government facilities and critical infrastructure entities during March. Additionally, in its APT Activity Report Q4 2024-Q1 2025, ESET documented the use of a new wiper that it dubbed “Zerolot,” which was used by the notorious Russian APT Sandworm against energy companies in Ukraine.
