Mallory
Malware, used by 1 actor

PathWiper

PathWiper is a destructive Windows wiper identified by Cisco Talos in a June 2025 attack against a critical infrastructure entity in Ukraine. Talos reported that it was deployed through a legitimate endpoint administration framework, indicating the attackers likely had access to the victim's administrative console and understood how that tool was used in the environment. The intrusion used filenames and actions intended to mimic legitimate administrative activity: the framework's client ran a batch file, the batch file launched C:\WINDOWS\TEMP\uacinstall.vbs via WScript.exe, and the VBScript wrote the wiper binary to C:\WINDOWS\TEMP\sha256sum.exe and then executed it.
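The delivery chain above (admin-tool client runs a BAT file, the BAT file runs WScript.exe on a .vbs in C:\WINDOWS\TEMP, the VBScript drops and runs an EXE from the same directory) is specific enough to hunt for in process-creation telemetry. The following is an added example, not code from Cisco Talos or Mallory: it correlates the script-host stage with the dropped-binary stage over Sysmon Event ID 1-style records. The events are constructed, and the names mgmt-agent.exe and deploy.bat are hypothetical stand-ins for the unnamed administration framework's client and the unnamed batch file.

```python
r"""Hunt for the PathWiper delivery chain Talos described: the admin-tool client
runs a BAT file, the BAT file launches WScript.exe on a .vbs in C:\WINDOWS\TEMP,
and the VBScript drops an EXE in the same directory and runs it.

Added example for this page, not Cisco Talos or Mallory code. Event fields use
Sysmon Event ID 1 (process creation) names; the events themselves are
constructed, and 'mgmt-agent.exe' and 'deploy.bat' are hypothetical names
standing in for the unnamed administration framework's client and batch file.
"""
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# an image that lives directly in C:\WINDOWS\TEMP
IMAGE_IN_TEMP = re.compile(r"^c:\\windows\\temp\\[^\\]+$", re.IGNORECASE)
# a .vbs path under C:\WINDOWS\TEMP anywhere in a command line
VBS_IN_TEMP = re.compile(r'c:\\windows\\temp\\[^\s"]+\.vbs', re.IGNORECASE)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def hunt_wiper_delivery_chain(events):
    r"""Return one alert per suspicious script-host activity in C:\WINDOWS\TEMP.

    Stage 1: wscript/cscript executing a .vbs from C:\WINDOWS\TEMP.
    Stage 2: a child of a script host whose image is in C:\WINDOWS\TEMP.
    Both stages linked by ProcessGuid -> 'high'; either alone -> 'medium'.
    """
    stage1 = {ev["ProcessGuid"]: ev for ev in events
              if basename(ev["Image"]) in SCRIPT_HOSTS
              and VBS_IN_TEMP.search(ev["CommandLine"])}
    alerts, correlated = [], set()
    for ev in events:
        if basename(ev["ParentImage"]) in SCRIPT_HOSTS and IMAGE_IN_TEMP.match(ev["Image"]):
            parent = stage1.get(ev["ParentProcessGuid"])
            if parent is not None:
                correlated.add(parent["ProcessGuid"])
            alerts.append({
                "host": ev["Computer"],
                "severity": "high" if parent else "medium",
                "chain_complete": parent is not None,
                # the BAT stage shows up as cmd.exe parenting the script host
                "launched_by_batch": parent is not None and basename(parent["ParentImage"]) == "cmd.exe",
                "vbs": VBS_IN_TEMP.search(parent["CommandLine"]).group(0) if parent else None,
                "dropped_binary": basename(ev["Image"]),
            })
    # script ran from TEMP but no dropped child seen (yet): still worth a look
    for guid, ev in stage1.items():
        if guid not in correlated:
            alerts.append({
                "host": ev["Computer"],
                "severity": "medium",
                "chain_complete": False,
                "launched_by_batch": basename(ev["ParentImage"]) == "cmd.exe",
                "vbs": VBS_IN_TEMP.search(ev["CommandLine"]).group(0),
                "dropped_binary": None,
            })
    return alerts


SAMPLE_EVENTS = [  # constructed Sysmon-style process-creation events
    {"Computer": "ws01", "ProcessGuid": "g1", "ParentProcessGuid": "g0",
     "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files\MgmtTool\mgmt-agent.exe",   # hypothetical client
     "CommandLine": r'cmd.exe /c "C:\WINDOWS\TEMP\deploy.bat"'},   # hypothetical BAT name
    {"Computer": "ws01", "ProcessGuid": "g2", "ParentProcessGuid": "g1",
     "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"C:\WINDOWS\System32\WScript.exe C:\WINDOWS\TEMP\uacinstall.vbs"},
    {"Computer": "ws01", "ProcessGuid": "g3", "ParentProcessGuid": "g2",
     "Image": r"C:\WINDOWS\TEMP\sha256sum.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"C:\WINDOWS\TEMP\sha256sum.exe"},
    # benign noise: a vendor logon script outside TEMP that starts a vendor binary
    {"Computer": "ws02", "ProcessGuid": "g4", "ParentProcessGuid": "g0",
     "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"wscript.exe C:\ProgramData\Vendor\logon.vbs"},
    {"Computer": "ws02", "ProcessGuid": "g5", "ParentProcessGuid": "g4",
     "Image": r"C:\Program Files\Vendor\tool.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'"C:\Program Files\Vendor\tool.exe" /quiet'},
]

if __name__ == "__main__":
    for alert in hunt_wiper_delivery_chain(SAMPLE_EVENTS):
        print(alert)
```

Run on the constructed events it raises a single high-severity alert for ws01 (script host on C:\WINDOWS\TEMP\uacinstall.vbs, parented by cmd.exe, dropping sha256sum.exe) and nothing for the vendor logon script on ws02. Tightening the path patterns to other staging directories the administration framework uses in your environment is the obvious local tuning.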

PathWiper enumerates connected storage media before destroying anything: physical drive names, volume names and paths, and network drive paths, including shares that have since been removed. It also queries HKEY_USERS\Network\<drive_letter> | RemovePath to recover the paths of shared network drives. The malware spawns one thread per discovered drive or volume, attempts to dismount volumes with FSCTL_DISMOUNT_VOLUME via the MountPointManager device object, reads NTFS-related attributes, and overwrites critical disk and file system structures with random data generated on the fly. Reported targets are the MBR, $MFT, $MFTMirr, $LogFile, $Boot, $Bitmap, $TxfLog, $Tops, and $AttrDef. It also overwrites the contents of files on disk with randomized bytes, leaving systems unbootable and data effectively unrecoverable.
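Because the structures listed above (and under the Impact techniques below) sit at fixed, documented offsets, a responder can triage a raw disk image for this kind of damage without a full forensic suite. The following is an added example, not code from Cisco Talos or Mallory: it checks the MBR signature and partition table, then parses the NTFS boot sector ($Boot) and uses its BPB to locate and check the first record of $MFT and $MFTMirr. The image layout, cluster numbers and verdict strings are assumptions chosen so that it runs offline against a constructed image; point the same functions at a dd image of a real volume to use them on an incident.

```python
"""Triage a raw image for the on-disk structures PathWiper is reported to
overwrite: the MBR, the NTFS boot sector ($Boot) and the first records of
$MFT and $MFTMirr.

Added example for this page, not code from Cisco Talos or Mallory. The image
layout (cluster numbers, sizes) and the verdict strings are assumptions chosen
so the example runs offline against a constructed image.
"""
import random
import struct

SECTOR = 512
BOOT_SIGNATURE = b"\x55\xAA"   # last two bytes of both an MBR and an NTFS boot sector
NTFS_OEM_ID = b"NTFS    "      # bytes 3..10 of an NTFS boot sector
FILE_RECORD_MAGIC = b"FILE"    # header of every $MFT record


def build_mbr():
    """Constructed MBR: one active NTFS (type 0x07) partition starting at LBA 2048."""
    mbr = bytearray(SECTOR)
    struct.pack_into("<B3sB3sII", mbr, 446, 0x80, b"\0\0\0", 0x07, b"\0\0\0", 2048, 1024)
    mbr[510:512] = BOOT_SIGNATURE
    return bytes(mbr)


def build_ntfs_image(total_sectors=1024, sectors_per_cluster=8,
                     mft_cluster=4, mftmirr_cluster=2):
    """Constructed minimal NTFS volume: a valid boot sector plus the first
    FILE record of $MFT and $MFTMirr at the clusters the boot sector names."""
    cluster = SECTOR * sectors_per_cluster
    img = bytearray(total_sectors * SECTOR)
    img[0:3] = b"\xEB\x52\x90"                        # x86 jump over the BPB
    img[3:11] = NTFS_OEM_ID
    struct.pack_into("<H", img, 11, SECTOR)           # bytes per sector
    img[13] = sectors_per_cluster
    img[21] = 0xF8                                    # media descriptor: fixed disk
    struct.pack_into("<Q", img, 40, total_sectors)
    struct.pack_into("<Q", img, 48, mft_cluster)      # $MFT start cluster
    struct.pack_into("<Q", img, 56, mftmirr_cluster)  # $MFTMirr start cluster
    img[64] = 0xF6                                    # file record size 2^(256-0xF6) = 1024 bytes
    img[510:512] = BOOT_SIGNATURE
    for c in (mft_cluster, mftmirr_cluster):
        off = c * cluster
        img[off:off + 4] = FILE_RECORD_MAGIC
        struct.pack_into("<H", img, off + 22, 0x0001)  # record flags: in use
    return bytes(img)


def wipe(img, offset, length, seed=7):
    """Overwrite a region with pseudo-random bytes the way the wiper does
    (seeded so the example is reproducible)."""
    out = bytearray(img)
    out[offset:offset + length] = random.Random(seed).randbytes(length)
    return bytes(out)


def mbr_intact(sector):
    """Signature present and the partition table still parses."""
    if sector[510:512] != BOOT_SIGNATURE:
        return False
    entries = [sector[446 + 16 * i: 462 + 16 * i] for i in range(4)]
    if any(e[0] not in (0x00, 0x80) for e in entries):   # status byte must be 0x00/0x80
        return False
    return any(e[4] != 0 for e in entries)              # at least one partition type set


def triage_ntfs_volume(img):
    """Check $Boot, then use its BPB to locate and check $MFT and $MFTMirr."""
    boot = img[:SECTOR]
    bps = struct.unpack_from("<H", boot, 11)[0]
    spc = boot[13]
    f = {
        "boot_signature": boot[510:512] == BOOT_SIGNATURE,
        "ntfs_oem_id": boot[3:11] == NTFS_OEM_ID,
        "geometry_sane": bps in (512, 1024, 2048, 4096) and 1 <= spc <= 128,
        "mft_record": None,
        "mftmirr_record": None,
    }
    if f["boot_signature"] and f["ntfs_oem_id"] and f["geometry_sane"]:
        cluster = bps * spc
        mft_off = struct.unpack_from("<Q", boot, 48)[0] * cluster
        mirr_off = struct.unpack_from("<Q", boot, 56)[0] * cluster
        f["mft_record"] = img[mft_off:mft_off + 4] == FILE_RECORD_MAGIC
        f["mftmirr_record"] = img[mirr_off:mirr_off + 4] == FILE_RECORD_MAGIC
        if f["mft_record"] and f["mftmirr_record"]:
            f["verdict"] = "intact"
        elif f["mftmirr_record"]:
            f["verdict"] = "$MFT wiped ($MFTMirr intact)"   # mirror may allow partial recovery
        elif f["mft_record"]:
            f["verdict"] = "$MFTMirr wiped"
        else:
            f["verdict"] = "$MFT and $MFTMirr wiped"
    else:
        f["verdict"] = "boot sector wiped"  # BPB unusable, so $MFT cannot even be located
    return f


if __name__ == "__main__":
    img = build_ntfs_image()
    print(triage_ntfs_volume(img)["verdict"])
    print(triage_ntfs_volume(wipe(img, 0, SECTOR))["verdict"])
    print(triage_ntfs_volume(wipe(img, 4 * 4096, 1024))["verdict"])
    print(mbr_intact(build_mbr()), mbr_intact(wipe(build_mbr(), 0, SECTOR)))
```

The ordering matters: once $Boot is gone the BPB cannot be trusted to locate $MFT, which is why a wiper that hits all of these structures (rather than, say, only the MBR) leaves nothing for a repair tool to pivot from. When $Boot survives but $MFT does not, checking $MFTMirr separately is worthwhile, since the mirror holds copies of the first few metadata records.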

Cisco Talos attributed the attack and the malware with high confidence to a Russia-nexus APT actor, based on overlapping tactics, techniques and procedures and on wiper functionality seen in earlier attacks on Ukrainian organizations. Multiple sources note semantic and functional similarities to HermeticWiper, another wiper used against Ukraine and widely attributed by third parties to Sandworm. Dragos later linked PathWiper to ELECTRUM with moderate confidence, and broader reporting placed it among several wiper families used in destructive operations against Ukrainian organizations in 2025. Targeting reflected in public reporting is Ukrainian critical infrastructure and other organizations in Ukraine.

A reported indicator of compromise for PathWiper is SHA-256: 7C792A2B005B240D30A6E22EF98B991744856F9AB55C74DF220F32FE0D00B6B3.


THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers.
Sandworm

"researchers identified a destructive malware family called PathWiper, linked by Dragos to ELECTRUM with moderate confidence."

via Help Net Security (helpnetsecurity.com)
MITRE ATT&CK

Techniques & procedures

12 distinct techniques documented for this family, organized by ATT&CK tactic.

Execution

2 techniques
T1059.003 Windows Command Shell (evidence: 1)

Any commands issued by the administrative tool’s console were received by its client running on the endpoints. The client then executed the command as a batch (BAT) file...

T1059.005 Visual Basic (evidence: 2)

The BAT file consisted of a command to execute a malicious VBScript file called ‘uacinstall.vbs’, also pushed to the endpoint by the administrative console: C:\WINDOWS\System32\WScript.exe C:\WINDOWS\TEMP\uacinstall.vbs

Defense Evasion

1 technique
T1036 Masquerading (evidence: 1)

Throughout the course of the attack, filenames and actions used were intended to mimic those deployed by the administrative utility’s console... Upon execution, the VBScript wrote the PathWiper executable, named ‘sha256sum.exe’, to disk...

Discovery

3 techniques
T1082 System Information Discovery (evidence: 1)

It first gathers a list of connected storage media on the endpoint, including: physical drive names; volume names and paths; network shared and unshared (removed) drive paths.

T1083 File and Directory Discovery (evidence: 1)

Once active, PathWiper enumerates local drives, volumes, and even disconnected network shares.

T1135 Network Share Discovery (evidence: 2)

the wiper also queries ‘HKEY_USERS\Network\<drive_letter>| RemovePath’ to obtain the path of shared network drives for destruction.

Lateral Movement

1 technique
T1021 Remote Services (evidence: 1)

The operation begins quietly, leveraging a legitimate remote administration tool to deliver a malicious script (uacinstall.vbs).

Command and Control

2 techniques
T1105 Ingress Tool Transfer (evidence: 1)

The BAT file consisted of a command to execute a malicious VBScript file called ‘uacinstall.vbs’, also pushed to the endpoint by the administrative console... Upon execution, the VBScript wrote the PathWiper executable, named ‘sha256sum.exe’, to disk and executed it.

T1219 Remote Access Tools (evidence: 1)

The attack was instrumented via a legitimate endpoint administration framework, indicating that the attackers likely had access to the administrative console, that was then used to issue malicious commands and deploy PathWiper across connected endpoints.

Impact

3 techniques
T1485 Data Destruction (evidence: 5)

On execution, PathWiper replaces the contents of artifacts related to the file system with random data generated on the fly... PathWiper then overwrites the contents/data related to these artifacts directly on disk with random data... PathWiper also destroys files on disk by overwriting them with randomized bytes.

T1561.001 Disk Content Wipe (evidence: 2)

Both wipers attempt to corrupt the master boot record (MBR) and NTFS-related artifacts.

T1561.002 Disk Structure Wipe (evidence: 1)

The following analytic detects suspicious raw access reads to the drive containing the Master Boot Record (MBR)... adversaries often target the MBR to wipe, encrypt, or overwrite it as part of their impact payload.

INDICATORS OF COMPROMISE

IOCs tracked for this family

1 indicator attributed across vendor reports, sandbox runs, and researcher write-ups.

Hashes (1 tracked)

File hashes (MD5, SHA-1, SHA-256) from samples and reports.

Type: hash.sha256
Value: 7C792A2B005B240D30A6E22EF98B991744856F9AB55C74DF220F32FE0D00B6B3 (the SHA-256 listed above)
Latest sighting: 1 year ago