
PathWiper: New Malware Targets Ukraine’s Infrastructure

by | Jul 1, 2025 | malware, monitor network, offline backups, Ophtek, PathWiper, remote administration tool, restrict access, Ukraine, Wiper Malware


A new malware strain, named PathWiper, is hitting Ukraine’s critical infrastructure, wiping data and leaving targeted devices unusable in a purely destructive cyberattack.

Cybersecurity researchers have discovered a new and highly destructive malware strain called PathWiper, which is actively targeting critical infrastructure in Ukraine. While most cyber threats aim to steal data or extort a ransom, PathWiper is different: its purpose is purely destructive, wiping systems clean and rendering them useless. The researchers, based at Cisco Talos, assess that this new malware is linked to a Russia-linked hacking group.

A Closer Look at the PathWiper Incident

PathWiper was discovered during the investigation of a cyberattack on a major infrastructure operator in Ukraine. Researchers found that the attackers had first gained access to the victim’s systems by abusing the organisation’s own legitimate remote administration tool. Controlling that tool gave the threat actors a powerful foothold: the same console that administrators use to manage endpoints let them reach across the infrastructure and push their malware to machines throughout the network.

With remote access secured, the attackers used the tool to run a batch file, which in turn launched a malicious script. That script installed and executed the wiper payload, which was disguised under the name of a legitimate system file. Once running, the wiper enumerated every available drive, local and network-attached alike, and checked that each path it found was valid before acting on it. PathWiper then began its destructive work, corrupting critical components of every file system it had identified.

The structures targeted included the master boot record (MBR), the NTFS master file table (MFT), file-system journal and log files, and boot configuration data. Because PathWiper overwrites these structures with random bytes rather than simply deleting them, the affected workstations were left beyond repair: they could neither boot nor access any stored data, and recovery from the disks themselves is next to impossible. What stands out is that the wiper attacks all of the discovered drives and volumes concurrently, running parallel threads against them rather than working through them one at a time. That level of engineering, together with the attribution, points to state-sponsored development.

How to Stay Safe from Similar Attacks


To defend against attacks in which a remote administration tool is turned against its owner, make sure the following practices are in place:

  • Restrict Admin Tool Access: Only a small number of named, authorized employees should be able to use remote administration tools on your network. Protect that access with two-factor authentication, keep the management console off the open internet (reachable only from a dedicated management network or jump host), and log every session and every script or command pushed to endpoints.
  • Monitor for Unusual Activity: Real-time monitoring should flag behaviour that is out of character for your environment, for example an admin tool pushing a batch file or script to many hosts at once, script hosts launched underneath the management agent, or a process opening raw physical drives or volumes. Alerting on these early is what gives you a chance to detect a breach and limit the spread of malware before it reaches every machine.
  • Keep Offline Backups: PathWiper left huge amounts of data unrecoverable, including data on network-attached drives reachable from the infected machines. Regular backups are therefore essential, and they must be kept offline or on immutable storage that an attacker holding your admin-tool credentials cannot reach. Test periodically that those backups actually restore.
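The monitoring advice above and the attack chain described earlier (the admin tool runs a batch file, the batch file launches a script, the script drops a wiper that opens raw drives and volumes) can be turned into concrete detection logic. The Python script below is an added example written for this post; it is not code from the original article, from Cisco Talos or from the malware. It runs over constructed, Sysmon-style process-creation and raw-device-access events whose field names, sample paths and the agent image name `adminagent.exe` are this example’s own assumptions.

```python
r"""Detection logic for PathWiper-style activity over constructed event records.

Two behaviours from the incident narrative are checked:
  1. a script host (wscript/cscript/powershell/mshta) whose process ancestry
     runs back through cmd.exe executing a .bat file to the remote
     administration agent, and
  2. a process opening raw device paths (\\.\PhysicalDriveN or \\.\C:), which
     is what overwriting the MBR, MFT and other on-disk structures requires.
Event shapes are modelled loosely on Sysmon ProcessCreate / raw-access events;
the field names are this example's own assumption, not Sysmon's schema.
"""
import re
from collections import defaultdict

# Hypothetical image name of the remote administration agent (assumption).
ADMIN_AGENT = "adminagent.exe"
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe"}
# Matches \\.\PhysicalDrive0, \\.\C: and similar raw device paths.
RAW_DEVICE_RE = re.compile(r"^\\\\\.\\(PhysicalDrive\d+|[A-Za-z]:)$", re.IGNORECASE)

# Constructed sample events (not real telemetry). id 1 = process creation,
# id 9 = raw device handle opened by an already-running process.
SAMPLE_EVENTS = [
    {"id": 1, "host": "ws01", "pid": 1200, "ppid": 900,
     "image": r"C:\Program Files\AdminAgent\adminagent.exe", "cmdline": "adminagent.exe --service"},
    {"id": 1, "host": "ws01", "pid": 1300, "ppid": 1200,
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": r"cmd.exe /c C:\ProgramData\update.bat"},
    {"id": 1, "host": "ws01", "pid": 1400, "ppid": 1300,
     "image": r"C:\Windows\System32\wscript.exe", "cmdline": r"wscript.exe C:\ProgramData\install.vbs"},
    {"id": 1, "host": "ws01", "pid": 1500, "ppid": 1400,  # wiper posing as a system binary
     "image": r"C:\ProgramData\svchost.exe", "cmdline": "svchost.exe"},
    {"id": 9, "host": "ws01", "pid": 1500, "device": r"\\.\PhysicalDrive0"},
    {"id": 9, "host": "ws01", "pid": 1500, "device": r"\\.\C:"},
    # A backup agent also opens volumes raw; it is reported unless allow-listed.
    {"id": 1, "host": "ws02", "pid": 2200, "ppid": 4,
     "image": r"C:\Program Files\Backup\backup.exe", "cmdline": "backup.exe --full"},
    {"id": 9, "host": "ws02", "pid": 2200, "device": r"\\.\D:"},
]


def basename(path):
    """Lower-cased file name component of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def build_process_table(events):
    """Map (host, pid) -> process-creation event."""
    return {(e["host"], e["pid"]): e for e in events if e["id"] == 1}


def ancestry(procs, host, pid, limit=16):
    """Process chain from pid up to the oldest ancestor we know about (child first)."""
    chain, key = [], (host, pid)
    while key in procs and len(chain) < limit:
        chain.append(procs[key])
        key = (host, procs[key]["ppid"])
    return chain


def detect_admin_tool_script_chain(events):
    """Alert on script hosts launched via a .bat file underneath the admin agent."""
    procs = build_process_table(events)
    alerts = []
    for ev in events:
        if ev["id"] != 1 or basename(ev["image"]) not in SCRIPT_HOSTS:
            continue
        chain = ancestry(procs, ev["host"], ev["pid"])
        parents = chain[1:]
        via_batch = any(basename(p["image"]) == "cmd.exe" and ".bat" in p["cmdline"].lower()
                        for p in parents)
        via_agent = any(basename(p["image"]) == ADMIN_AGENT for p in parents)
        if via_batch and via_agent:
            alerts.append({"rule": "admin-tool-batch-script", "host": ev["host"], "pid": ev["pid"],
                           "chain": " -> ".join(basename(p["image"]) for p in reversed(chain))})
    return alerts


def detect_raw_device_access(events, allowlist=()):
    """Alert on processes opening raw drives or volumes, one alert per process.

    `multi_volume` marks a process touching several devices, the pattern of a
    wiper working through every drive it found rather than a single-volume tool.
    """
    procs = build_process_table(events)
    allowed = {a.lower() for a in allowlist}
    touched = defaultdict(set)
    for ev in events:
        if ev["id"] == 9 and RAW_DEVICE_RE.match(ev["device"]):
            touched[(ev["host"], ev["pid"])].add(ev["device"])
    alerts = []
    for (host, pid), devices in touched.items():
        image = procs.get((host, pid), {}).get("image", "<unknown>")
        if image.lower() in allowed:
            continue
        alerts.append({"rule": "raw-device-access", "host": host, "pid": pid, "image": image,
                       "devices": sorted(devices), "multi_volume": len(devices) > 1})
    return alerts


def run(events=SAMPLE_EVENTS, allowlist=()):
    """Run both detections and return the combined alert list."""
    return detect_admin_tool_script_chain(events) + detect_raw_device_access(events, allowlist)


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

On the sample data the first rule fires once, for the wscript.exe process whose parents are cmd.exe running a .bat file and the admin agent, and the second rule fires for the disguised wiper (two devices, so `multi_volume` is set) and for the backup agent until its image path is passed in `allowlist`. Note that Sysmon’s own Event ID 9 records raw reads only; the raw-access events assumed here would in practice come from an EDR or object-access auditing that also sees raw writes.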

For more ways to secure and optimize your business technology, contact your local IT professionals.