Russia-linked PathWiper malware attacks Ukrainian infrastructure

The campaign demonstrates significant advances in the precision and stealth of Russian wiper attacks against Ukraine. PathWiper's ability to penetrate trusted systems, evade detection and disrupt vital services highlights an intensified digital offensive with profound implications for global cybersecurity.
How PATHWIPER works
PathWiper, deployed through a trusted endpoint administration system, marks a significant evolution from HermeticWiper, which targeted Ukrainian systems in 2022. The attack begins with a Windows batch file that executes a malicious VBScript (uacinstall.vbs), which in turn drops a wiper binary disguised as "sha256sum.exe" so that it blends in with legitimate processes.
Once active, PathWiper carefully enumerates all connected storage media (physical drives, dismounted volumes and network shares) and verifies their volume labels so that it can target them accurately. It then overwrites critical NTFS structures, including the master boot record (MBR), the master file table ($MFT) and other NTFS artifacts, with random data; without a robust, isolated backup, data recovery is nearly impossible.
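For forensic triage of a disk image after an incident like this, the on-disk structures the article says are overwritten (MBR, NTFS volume boot record, $MFT records) can be checked for their expected signatures and for the near-maximal byte entropy that random-data overwrites leave behind. The script below is an added example written for this article, not code from the report or the malware; the entropy threshold and the sample sectors are constructed assumptions for illustration.

```python
import math
import random

SECTOR = 512
# Expected on-disk signatures of the structures the article says PathWiper overwrites.
# Offsets follow the NTFS on-disk format; the entropy threshold is a triage assumption.
SIGNATURES = {
    "mbr": (510, b"\x55\xaa"),   # boot signature at the end of sector 0
    "vbr": (3, b"NTFS    "),     # OEM ID of an NTFS volume boot record
    "mft": (0, b"FILE"),         # magic of an $MFT file record
}
ENTROPY_WIPED = 7.0  # bits per byte; uniformly random data approaches 8.0

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def assess_structure(kind: str, data: bytes) -> str:
    """Classify a raw MBR / VBR / $MFT record as 'intact', 'wiped' or 'damaged'."""
    off, magic = SIGNATURES[kind]
    if data[off:off + len(magic)] == magic:
        return "intact"
    # Missing signature plus near-maximal entropy matches an overwrite with random data.
    if shannon_entropy(data) >= ENTROPY_WIPED:
        return "wiped"
    return "damaged"  # signature gone but low entropy: zeroed or otherwise corrupted

def build_sample_vbr() -> bytes:
    """Constructed, minimal NTFS VBR: jump, OEM ID, zeroed BPB, boot signature."""
    s = bytearray(SECTOR)
    s[0:3] = b"\xeb\x52\x90"
    s[3:11] = b"NTFS    "
    s[510:512] = b"\x55\xaa"
    return bytes(s)

def build_wiped_sector(seed: int = 1234) -> bytes:
    """Constructed stand-in for a sector overwritten with random bytes (seeded for repeatability)."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(SECTOR))

if __name__ == "__main__":
    print("intact VBR :", assess_structure("vbr", build_sample_vbr()))
    print("wiped VBR  :", assess_structure("vbr", build_wiped_sector()))
    print("zeroed MBR :", assess_structure("mbr", bytes(SECTOR)))
```

On a real image, read sector 0 for the MBR, the first sector of each NTFS partition for the VBR, and 1024-byte records from the $MFT cluster named in the VBR's BPB; a "wiped" verdict on any of them means recovery must come from an isolated backup rather than the disk.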