Uniquely Destructive PathWiper Payload Emerges in Ukraine Attacks


Researchers have identified a new wiper malware dubbed PathWiper, discovered during a recent attack on an unnamed organization in Ukraine. The malware is attributed to a Russia-linked APT and poses a significant threat to Ukrainian critical infrastructure.
Researchers noted that the attackers deployed PathWiper across multiple endpoints through a legitimate endpoint administration framework already present in the environment, which suggests they had prior access to, and knowledge of, the victim's internal systems, DarkReading reports.
Unlike earlier wipers such as HermeticWiper, PathWiper uses a more thorough corruption mechanism: it programmatically enumerates every connected and dismounted drive through operating system APIs, and queries registry paths to locate mapped network shares. Once the storage assets are identified, it overwrites them with random data, so there is no realistic path to recovery from the affected media short of restoring from backups kept out of its reach.
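To make the enumeration surface concrete from the defender's side, the following is an added example that is not part of the original post and not PathWiper's code. It is a read-only PowerShell inventory of what an on-host process can reach by walking the same sources the report names (volumes, whether or not they carry a drive letter, plus network drives recorded in the registry). It assumes Windows with the CIM cmdlets available and is run as the interactive user whose mapped drives you want to see; the variable names are this example's own.

```powershell
# Added example, not PathWiper code and not from the original post: a read-only
# inventory of the storage surface a wiper that enumerates "connected and
# dismounted drives" and registry-recorded network shares would reach.
# Assumes Windows with CIM cmdlets; run as the user whose mapped drives matter.
# $Report and the column names are this example's own choices.

$Report = [System.Collections.Generic.List[object]]::new()

# 1. Every volume the OS knows about, with or without a drive letter.
#    A volume with no letter is still addressable through its \\?\Volume{GUID}\
#    DeviceID, so "dismounted" does not mean out of reach.
foreach ($v in Get-CimInstance -ClassName Win32_Volume) {
    $Report.Add([pscustomobject]@{
        Kind       = if ($v.DriveLetter) { 'Volume (lettered)' } else { 'Volume (no letter)' }
        Path       = if ($v.DriveLetter) { $v.DriveLetter } else { $v.DeviceID }
        Target     = $v.DeviceID
        FileSystem = $v.FileSystem
        SizeGB     = if ($v.Capacity) { [math]::Round($v.Capacity / 1GB, 1) } else { $null }
    })
}

# 2. Network drives the user has mapped persistently. Windows records them
#    under HKCU\Network\<Letter> with a RemotePath value, so a process that
#    reads this key finds shares even before the session reconnects them.
$netKey = 'HKCU:\Network'
if (Test-Path $netKey) {
    foreach ($k in Get-ChildItem $netKey) {
        $p = Get-ItemProperty -Path $k.PSPath
        $Report.Add([pscustomobject]@{
            Kind       = 'Mapped network drive (registry)'
            Path       = "$($k.PSChildName):"
            Target     = $p.RemotePath
            FileSystem = $p.ProviderName
            SizeGB     = $null
        })
    }
}

# 3. Network connections that are live right now, persistent or not.
foreach ($n in Get-CimInstance -ClassName Win32_NetworkConnection) {
    $Report.Add([pscustomobject]@{
        Kind       = 'Connected network share'
        Path       = $n.LocalName
        Target     = $n.RemoteName
        FileSystem = $null
        SizeGB     = $null
    })
}

$Report | Sort-Object Kind, Path | Format-Table -AutoSize

# Anything in this list that holds your only copy of a backup is within reach
# of an on-host wiper using this enumeration logic; keep backups off the list.
```

Run it on a representative workstation and a backup server: the unlettered volumes and the registry-recorded shares are the entries teams most often forget when deciding what an endpoint compromise can destroy, and they are exactly what a wiper with this enumeration logic will find.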
This new malware reflects the ongoing evolution of wiper tools used by Russian actors against Ukraine. Although researchers did not comment on the effectiveness of the specific attack, the incident is part of a broader pattern of cyberattacks.
CERT-UA recorded at least three attacks on Ukrainian critical infrastructure in March, and ESET’s latest report documented another wiper, Zerolot, deployed by the Sandworm APT against Ukrainian energy firms.
Takeaway: PathWiper isn't just another wiper; it's a warning shot. We have seen this pattern play out repeatedly: payloads first appear in Ukraine, get tested against real-world infrastructure under the cover of geopolitical chaos, then resurface months later in global ransomware campaigns, rebranded, repackaged, and more dangerous than before.
Ukraine has effectively become a live-fire test range for cyberweapons, and PathWiper is the latest stress test. What makes this one different is how deliberate and targeted it is.
This isn't a blunt-force tool in the mold of NotPetya or HermeticWiper. It programmatically identifies drives, volumes, and shared network paths, then corrupts the data on each with randomly generated bytes. That is not merely disruptive; it is engineered so that nothing on the overwritten media can be recovered, leaving restoration from isolated backups as the only way back.
Here is where things get more concerning: ransomware crews are hitting a ceiling with the double extortion model, in which they exfiltrate data, encrypt it, and then threaten to leak it if the ransom is not paid.
What happens when the victim refuses to pay, which is becoming more common? The operators have to escalate to keep the pressure on, and the obvious next step is data destruction.
We are starting to see signs that financially motivated ransomware operators are borrowing from the nation-state playbook of detonating wipers. The lever is no longer just locking systems; it is threatening to obliterate them to force extortion compliance.
PathWiper may have emerged in Ukraine, but don't assume it is staying there. The payload is too effective and the strategy too appealing for ransomware crews to ignore. We are likely not far from seeing advanced, destructive wipers like this deployed in enterprise environments outside Ukraine: not for espionage, not for sabotage, but for extortion.
The line between nation-state tactics and cybercriminal operations is vanishing fast. The next wave of ransomware won't just steal your data; it will salt the earth behind it. Ready or not, that future is likely coming soon.
Halcyon.ai eliminates the business impact of ransomware. Modern enterprises rely on Halcyon to prevent ransomware attacks, eradicating cybercriminals’ ability to encrypt systems, steal data, and extort companies – talk to a Halcyon expert today to find out more, and check out our quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.