New PathWiper Data Wiper Malware Disrupts Ukrainian Critical Infrastructure in 2025 Attack

The Hacker News by The Hacker News
June 6, 2025


A critical infrastructure entity within Ukraine was targeted by a previously unseen data wiper malware named PathWiper, according to new findings from Cisco Talos.

“The attack was instrumented via a legitimate endpoint administration framework, indicating that the attackers likely had access to the administrative console, that was then used to issue malicious commands and deploy PathWiper across connected endpoints,” researchers Jacob Finn, Dmytro Korzhevin, and Asheer Malhotra said in an analysis published Thursday.

The attack is assessed to be the work of a Russia-nexus advanced persistent threat (APT) actor based on the tradecraft observed and the overlapping capabilities with destructive malware used in attacks against Ukraine.

Talos said the commands issued by the administrative tool’s console were received by its client running on the victim endpoints and then executed as a batch (BAT) file.

The BAT file, in turn, consisted of a command to run a malicious Visual Basic Script (VBScript) file in the Windows TEMP folder called “uacinstall.vbs,” which was also pushed to the machines via the administrative console. The VBScript, for its part, dropped the wiper binary under the name “sha256sum.exe” in the same folder and executed it.

“Throughout the course of the attack, filenames and actions used were intended to mimic those deployed by the administrative utility’s console, indicating that the attackers had prior knowledge of the console and possibly its functionality within the victim enterprise’s environment,” Talos said.

Once launched, PathWiper is designed to gather a list of connected storage media, including physical drive names, volume names and paths, and network drive paths. The wiper then proceeds to create one thread per drive and volume for every path recorded and overwrites the contents of the artifacts with randomly generated bytes.

Specifically, it targets: Master Boot Record (MBR), $MFT, $MFTMirr, $LogFile, $Boot, $Bitmap, $TxfLog, $Tops, and $AttrDef. In addition, PathWiper irrevocably destroys files on disk by overwriting them with randomized bytes and attempts to dismount volumes.
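As an added example (not from the Talos report or the article), the following Python sketch correlates constructed Sysmon-style process-creation events to flag the deployment chain described above: a BAT file run via cmd.exe spawning a script host that executes a .vbs from the TEMP folder, followed by an executable launched from that same folder. The event fields, the admin-agent path and the BAT file name are assumptions; only the two file names come from the report.

```python
import ntpath
from dataclasses import dataclass
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
REPORTED_NAMES = {"uacinstall.vbs", "sha256sum.exe"}  # file names given in the Talos report

@dataclass
class ProcEvent:            # minimal Sysmon Event ID 1 shape; PIDs stand in for process GUIDs
    pid: int
    ppid: int
    image: str              # full path of the started process
    cmdline: str            # its command line

def _name(path):
    return ntpath.basename(path).lower()

def _in_temp(path):         # matches C:\Windows\TEMP\ and per-user ...\AppData\Local\Temp\
    return "\\temp\\" in path.lower()

def _script_arg(cmdline):   # first .vbs path on a script-host command line, or ""
    return next((t for t in cmdline.replace('"', " ").split() if t.lower().endswith(".vbs")), "")

def detect_pathwiper_chain(events):
    """Flag the BAT -> VBScript-in-TEMP -> executable-in-TEMP deployment pattern."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is None:
            continue
        # Stage 1: cmd.exe running a .bat spawns a script host with a .vbs located in TEMP
        vbs = _script_arg(e.cmdline)
        if (_name(e.image) in SCRIPT_HOSTS and vbs and _in_temp(vbs)
                and _name(parent.image) == "cmd.exe" and ".bat" in parent.cmdline.lower()):
            alerts.append(("vbs_from_temp_via_bat", e.pid, _name(vbs)))
        # Stage 2: the script host launches a binary dropped in TEMP; the reported name
        # sha256sum.exe (chosen to mimic a legitimate utility) raises the severity
        if _name(parent.image) in SCRIPT_HOSTS and _in_temp(e.image):
            sev = "high" if _name(e.image) in REPORTED_NAMES else "medium"
            alerts.append(("exe_from_temp_via_script_host", e.pid, sev))
    return alerts

# Constructed sample telemetry (not real logs); agent path and run.bat are placeholders
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Program Files\AdminAgent\agent.exe", "agent.exe"),
    ProcEvent(200, 100, r"C:\Windows\System32\cmd.exe", r"cmd.exe /c C:\Windows\TEMP\run.bat"),
    ProcEvent(300, 200, r"C:\Windows\System32\wscript.exe", r'wscript.exe "C:\Windows\TEMP\uacinstall.vbs"'),
    ProcEvent(400, 300, r"C:\Windows\TEMP\sha256sum.exe", "sha256sum.exe"),
    ProcEvent(500, 1, r"C:\Windows\System32\wscript.exe", r"wscript.exe C:\Scripts\inventory.vbs"),  # benign
]
```

Run against real Sysmon exports, the same two stages should be joined on ProcessGuid/ParentProcessGuid rather than PIDs, which are reused.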


PathWiper has been found to share some level of similarity with HermeticWiper (aka FoxBlade, KillDisk, or NEARMISS), which was detected coinciding with Russia’s full-scale military invasion of Ukraine in February 2024. The HermeticWiper malware is attributed to the Russia-linked Sandworm group.

While both wipers attempt to corrupt the MBR and NTFS-related artifacts, it bears noting that HermeticWiper and PathWiper differ in the manner the data corruption mechanism is used against identified drives and volumes.

“The continued evolution of wiper malware variants highlights the ongoing threat to Ukrainian critical infrastructure despite the longevity of the Russia-Ukraine war,” the researchers said.

Silent Werewolf Targets Russia and Moldova

The discovery of a new breed of wiper malware against Ukraine comes as Russian cybersecurity company BI.ZONE uncovered two new campaigns undertaken by Silent Werewolf in March 2025 to infect Moldovan and Russian companies with malware.

“The attackers employed two separate loader instances to retrieve the malicious payload from their C2 server,” the company said. “Unfortunately, the payload itself was not available at the time of this research. However, a retrospective analysis of similar Silent Werewolf campaigns suggests that the threat actor used XDigo malware.”

Some of the targets of the attacks include nuclear, aircraft, instrumentation, and mechanical engineering sectors in Russia. The starting point is a phishing email containing a ZIP file attachment that, in turn, includes an LNK file and a nested ZIP archive. The second ZIP file consists of a legitimate binary, a malicious DLL, and a decoy PDF.

Unpacking and launching the Windows shortcut file triggers the extraction of the nested archive and ultimately causes the rogue DLL to be sideloaded via the legitimate executable (“DeviceMetadataWizard.exe”). The DLL is a C# loader (“d3d9.dll”) that’s designed to retrieve the next-stage payload from a remote server and display the lure document to the victim.

“The adversaries appear to run checks on target systems,” BI.ZONE said. “If a target host does not meet certain criteria, the Llama 2 large language model (LLM) in GGUF format is downloaded from hxxps://huggingface[.]co/TheBloke/Llama-2-70B-GGUF/resolve/main/llama-2-70b.Q5_K_M.gguf.”

“This hinders the comprehensive analysis of the entire attack and allows the threat actor to bypass defenses such as sandboxes.”

The cybersecurity firm said it observed a second campaign that same month targeting unknown sectors in Moldova and, likely, Russia using the same C# loader, but via phishing lures related to official vacation schedules and recommendations for protecting corporate information infrastructure against ransomware attacks.

The cyber espionage group, per BI.ZONE, is believed to be active at least since 2011, targeting a wide range of companies in Russia, Belarus, Ukraine, Moldova and Serbia. The attacks are characterized by the use of phishing lures to deliver malware such as XDSpy, XDigo, and DSDownloader.

Pro-Ukrainian Hacktivist Group BO Team Targets Russia

In recent months, Russian state-owned companies and organizations spanning technology, telecommunications, and production verticals are also said to have come under cyber assaults from a pro-Ukrainian hacktivist group codenamed BO Team (aka Black Owl, Hoody Hyena, and Lifting Zmiy).

“BO Team is a serious threat aimed both at causing maximum damage to the victim and at extracting financial benefits,” Kaspersky researchers said in a report last week, detailing the threat actor’s ability to sabotage victims’ infrastructure and, in some instances, its resort to data encryption and extortion.

The hacktivist cluster has been active since at least January 2024, and its attacks are known to leverage post-exploitation frameworks, including Mythic and Cobalt Strike, as well as legitimate remote access and tunneling tools. The group also has a history of accessing confidential data and publishing information about successful attacks in its Telegram channel BO Team.

Initial access to target networks is accomplished by sending phishing emails containing booby-trapped attachments that, when opened, activate an infection chain designed to deploy known commodity malware families like DarkGate, BrockenDoor, and Remcos RAT. Also used are tools such as HandleKatz and NanoDump, both of which are used to obtain memory dumps of the LSASS process.


Armed with the remote access, BO Team has been observed destroying file backups, deleting files using the SDelete utility, and additionally dropping the Windows version of the Babuk encryptor to demand a ransom in exchange for regaining access.

Some of the other activities carried out by the threat actor are listed below –

  • Setting up persistence using scheduled tasks
  • Assigning malicious component names similar to system or well-known executable files to evade detection
  • Extracting the Active Directory database using ntdsutil
  • Running various commands to collect information about Telegram, running processes, current users, remote RDP sessions, and antivirus software installed on the endpoints
  • Using RDP and SSH protocols to perform lateral movement within Windows and Linux infrastructures
  • Dropping legitimate remote access software like AnyDesk for command-and-control

“The BO Team group poses a significant threat to Russian organizations due to its unconventional approach to conducting attacks,” Kaspersky said. “Unlike most pro-Ukrainian hacktivist groups, BO Team actively uses a wide arsenal of malware, including backdoors such as BrockenDoor, Remcos, and DarkGate.”

“These features confirm the high level of autonomy of the group and the absence of stable connections with other representatives of the pro-Ukrainian hacktivist cluster. In the public activity of BO Team, there are practically no signs of interaction, coordination or exchange of tools with other groups. This once again emphasizes its unique profile within the current hacktivist landscape in Russia.”
