Newly identified wiper malware 'PathWiper' targets critical infrastructure in Ukraine
Description
A destructive attack on Ukrainian critical infrastructure using a new wiper malware called 'PathWiper' has been observed. The attack, attributed to a Russia-nexus APT group, used a legitimate endpoint administration framework already present in the victim environment to deploy the wiper to connected endpoints. PathWiper overwrites file system artifacts with random data, targeting physical drives, volumes, and network shared drives. Its capabilities are similar to HermeticWiper, previously used against Ukrainian entities. The way PathWiper identifies and verifies connected drives and volumes before corrupting them distinguishes it from earlier wipers. This attack underscores the continuing threat to Ukrainian infrastructure amid the prolonged conflict with Russia.
AI Analysis
Technical Summary
PathWiper is a newly identified destructive wiper malware targeting critical infrastructure in Ukraine, attributed to a Russia-nexus advanced persistent threat (APT) group. The operators deployed it through a legitimate endpoint administration framework already running in the victim environment: the framework's console pushed the wiper to managed endpoints, so the malware did not need to self-propagate and its rollout looked like routine administrative activity. Unlike ransomware or data theft malware, PathWiper has a single objective, data destruction. It enumerates physical drives, logical volumes and network shared drives, then overwrites file system artifacts with random data (per the referenced Talos report this includes the master boot record and NTFS metadata files such as $MFT), leaving affected systems unbootable and the data irrecoverable. The behaviour resembles the previously observed HermeticWiper, but where HermeticWiper blindly iterated over physical drive numbers, PathWiper programmatically identifies the connected drives and volumes and verifies them before corrupting them; that is what the pulse means by a more sophisticated mechanism. Using the victim's own administrative tooling for deployment shows good operational security on the attacker's side and complicates detection, because the deployment actions are hard to tell apart from legitimate use of the tool. The pulse maps the activity to these MITRE ATT&CK techniques: T1543 (Create or Modify System Process, persistence); T1078 (Valid Accounts, an access and defense-evasion technique rather than credential access, here covering the abuse of legitimate administrator credentials to drive the framework); T1082 and T1083 (System Information Discovery and File and Directory Discovery); T1135 (Network Share Discovery, which locates the shares the wiper later destroys; it is a discovery technique, not lateral movement); T1070 (Indicator Removal, defense evasion); T1059.003 and T1059.005 (Windows Command Shell and Visual Basic, execution, not command and control); and T1490 (Inhibit System Recovery, impact). PathWiper is malware rather than a vulnerability, so there is nothing to patch. The only atomic indicator published with this pulse is one SHA-256 hash, which changes the moment the sample is rebuilt, so detection has to rest on behaviour (write handles to raw drives and volumes, administrative tooling spawning command interpreters) rather than on the hash alone. This attack highlights the ongoing cyber threat to Ukrainian critical infrastructure amid geopolitical conflict and the use of destructive malware as a strategic weapon to disrupt essential services.
Potential Impact
For European organizations, especially those with operational or business ties to Ukraine or operating comparable critical infrastructure, PathWiper represents a significant threat. The deployment via a legitimate endpoint administration framework means that any organization running a similar framework is exposed in the same way: an attacker who obtains administrative credentials for the console can push a wiper to every managed endpoint in one action, and the tool will do the distribution for them. A successful run results in permanent data loss and system downtime; the impact is on integrity and availability rather than confidentiality, since a wiper destroys data instead of stealing it. Critical sectors such as energy, transportation, healthcare, and government services could face operational paralysis, financial losses, and reputational damage. Because PathWiper also targets network shared drives, a single wiped endpoint can take out shares used by many others, including any online backup shares it can reach, which widens the blast radius well beyond the hosts the framework pushed it to. Given the geopolitical tensions and ongoing conflict, there is an elevated risk of spillover or targeted attacks against European entities supporting Ukrainian infrastructure or sharing similar technology stacks. The deployment method delays detection, since the first unambiguous signal may be machines failing to boot, which leaves little time for containment and makes recovery depend almost entirely on backups.
Mitigation Recommendations
1. Treat the endpoint administration framework as a Tier-0 asset: restrict console access to a hardened admin network or jump host, use dedicated admin accounts with MFA, and segment the framework so a single compromised operator session cannot push arbitrary scripts to every endpoint without a second approval.
2. Continuously monitor and audit use of the framework: alert when its agent spawns command interpreters (cmd.exe, wscript.exe, cscript.exe), when a deployment targets an unusually broad set of hosts, or when jobs run outside maintenance windows, and forward the framework's own logs to a SIEM, because the endpoints that would otherwise hold the evidence are the ones being wiped.
3. Keep offline or immutable backups. PathWiper targets network shared drives, so any backup share that is reachable from a managed endpoint will be wiped along with it; test full bare-metal restores, since the MBR and NTFS metadata are destroyed and a file-level restore is not enough.
4. Harden network shares and volumes with least-privilege access and monitor for unauthorized access or bulk modifications.
5. Deploy EDR that can detect wiper behaviour rather than just the hash: write-capable handles to \\.\PhysicalDriveN and volume devices from processes that have no business opening them, bulk overwrites of file system metadata, and volume dismounts. Since the same framework can be used to disable the EDR agent, make sure agent tampering is logged centrally.
6. Hunt regularly for PathWiper indicators, combining the published hash with the behavioural signals above, because a rebuilt sample will not match the hash.
7. Develop and regularly exercise incident response plans for destructive malware, including isolating the administration framework itself and rebuilding hosts from known-good media.
8. Collaborate with national cybersecurity agencies and information sharing organizations to stay informed about emerging indicators related to PathWiper.
9. Restrict lateral movement by enforcing multi-factor authentication and maintaining credential hygiene, since valid administrative credentials are what make the framework usable as a delivery channel.
10. Keep all systems patched to reduce exposure to other vulnerabilities that could provide initial access, even though no patch applies to PathWiper itself.
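The following is an added example written for this page, not code from Talos or AlienVault, showing the two hunts recommended in items 5 and 6: a SHA-256 sweep against the pulse hash and a behavioural correlation that pairs the deployment path described above (management agent spawning a command interpreter) with write-capable raw handles to drives and volumes. The agent name (admin_agent.exe), the event schema and all sample records are constructed; a real deployment would feed it EDR telemetry in whatever schema that product emits.

```python
"""Hunts for PathWiper-style activity: SHA-256 sweep against the pulse IOC plus a
behavioural correlation over endpoint telemetry. Added example, not Talos or
AlienVault code; agent name, event schema and sample records are constructed."""
import hashlib
import tempfile
from collections import defaultdict
from pathlib import Path

# The only indicator published with the pulse.
PATHWIPER_SHA256 = {"7c792a2b005b240d30a6e22ef98b991744856f9ab55c74df220f32fe0d00b6b3"}

# Assumed names: the agent of the (unnamed) endpoint administration framework and
# the interpreters behind T1059.003 (Windows Command Shell) and T1059.005 (VBScript).
MGMT_AGENTS = {"admin_agent.exe"}
INTERPRETERS = {"cmd.exe", "wscript.exe", "cscript.exe"}
DEVICE_PREFIX = "\\\\.\\"  # the literal \\.\ namespace used for raw drive/volume handles


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries are not read whole."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def hunt_hashes(root: Path, iocs: set[str] = PATHWIPER_SHA256) -> list[Path]:
    """Files under root whose SHA-256 is in the IOC set. A rebuilt sample gets a
    new hash, so this is a first pass, not the detection."""
    hits = []
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        try:
            if sha256_file(p) in iocs:
                hits.append(p)
        except OSError:
            continue  # unreadable file: skip it rather than abort the sweep
    return hits


def is_raw_device(target: str) -> bool:
    """True for \\.\PhysicalDriveN, \\.\Volume{GUID} and \\.\X: handle targets,
    i.e. access that bypasses the file system and hits the drive or volume directly."""
    t = target.lower()
    if not t.startswith(DEVICE_PREFIX):
        return False
    rest = t[len(DEVICE_PREFIX):]
    return (rest.startswith("physicaldrive") or rest.startswith("volume{")
            or (len(rest) == 2 and rest[1] == ":"))


def correlate(events: list[dict]) -> list[dict]:
    """One alert per host where the management agent spawned an interpreter and a
    write-capable raw device handle followed. Either signal alone is noisy (admins
    run scripts; defrag opens volumes); together they look like a pushed wiper."""
    staged = defaultdict(list)  # host -> interpreter launches by the agent
    alerted = set()
    alerts = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        host = e["host"]
        if (e["type"] == "process_create"
                and e["parent"].lower() in MGMT_AGENTS
                and e["image"].lower() in INTERPRETERS):
            staged[host].append(e)
        elif (e["type"] == "raw_access"
                and "write" in e.get("access", "").lower()
                and is_raw_device(e["target"])
                and staged[host] and host not in alerted):
            alerted.add(host)
            alerts.append({"host": host, "launch": staged[host][0]["cmdline"],
                           "device": e["target"], "writer": e["image"],
                           "attack": ["T1059.003/T1059.005", "T1490"]})
    return alerts


# Constructed telemetry: ws-01 shows the chain, ws-02 shows benign admin activity.
SAMPLE_EVENTS = [
    {"ts": 1, "host": "ws-01", "type": "process_create", "parent": "admin_agent.exe",
     "image": "cmd.exe", "cmdline": "cmd.exe /c C:\\Temp\\deploy.bat"},
    {"ts": 2, "host": "ws-01", "type": "process_create", "parent": "cmd.exe",
     "image": "wscript.exe", "cmdline": "wscript.exe C:\\Temp\\stage.vbs"},
    {"ts": 3, "host": "ws-01", "type": "raw_access", "image": "dropped.exe",
     "target": "\\\\.\\PhysicalDrive0", "access": "GENERIC_WRITE"},
    {"ts": 4, "host": "ws-01", "type": "raw_access", "image": "dropped.exe",
     "target": "\\\\.\\C:", "access": "GENERIC_WRITE"},
    {"ts": 5, "host": "ws-02", "type": "process_create", "parent": "admin_agent.exe",
     "image": "msiexec.exe", "cmdline": "msiexec.exe /i agent-update.msi /qn"},
    {"ts": 6, "host": "ws-02", "type": "raw_access", "image": "defrag.exe",
     "target": "\\\\.\\C:", "access": "GENERIC_READ"},
]


def run_demo() -> dict:
    """Run both hunts offline. The hash sweep uses an empty file and the SHA-256
    of empty input as a stand-in IOC, since the real sample is not on disk here."""
    alerts = correlate(SAMPLE_EVENTS)
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "empty.bin").write_bytes(b"")
        (root / "benign.txt").write_text("hello")
        hits = hunt_hashes(root, {hashlib.sha256(b"").hexdigest()})
        names = sorted(p.name for p in hits)
    return {"alerts": alerts, "hash_hits": names}


if __name__ == "__main__":
    print(run_demo())
```

The correlation keys on the parent process of the interpreter, not on the script contents, so it still fires when the batch and VBScript stagers are renamed; what it cannot see is a wiper pushed as a plain executable with no interpreter in between, which is why the raw device write on its own should still be reviewed when the writer is an unsigned binary.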
Affected Countries
Ukraine (observed target). The following are assessed as exposed on the basis of proximity and infrastructure ties, not as observed victims: Poland, Germany, France, Italy, Romania, Hungary, Slovakia, Czech Republic, Estonia, Latvia, Lithuania
Indicators of Compromise
- hash: 7c792a2b005b240d30a6e22ef98b991744856f9ab55c74df220f32fe0d00b6b3
Technical Details
- Author: AlienVault
- TLP: white
- References: https://blog.talosintelligence.com/pathwiper-targets-ukraine/
- Adversary: Russia-nexus APT
- Pulse Id: 6841b92b694f10dda07d9db8
Threat ID: 6841d3cd182aa0cae2e9072d
Added to database: 6/5/2025, 5:28:45 PM
Last enriched: 7/7/2025, 4:26:32 PM
Last updated: 7/30/2025, 4:13:21 PM