Sandworm Launches Stealth Attack with PathWiper Malware Against Ukraine’s Critical Networks

Threat Group: Sandworm (APT44 / Seashell Blizzard / Iridium / Voodoo Bear)
Threat Type: Wiper Malware
Exploited Vulnerabilities: Abuse of legitimate endpoint administration frameworks (initial access suspected via phishing, credential harvesting, or exploitation of edge infrastructure)
Malware Used: PathWiper
Threat Score: 🔥 Critical (9.1/10) – Due to targeted data destruction across infrastructure, stealthy deployment, and Sandworm attribution
Last Threat Observation: June 7, 2025
Overview
PathWiper is a newly identified, highly destructive wiper malware designed solely for data obliteration without any ransom or extortion component. First seen in June 2025 targeting Ukrainian critical infrastructure, PathWiper is attributed with high confidence to Sandworm, a Russia-linked APT associated with GRU Unit 74455.
Its strategic objective is to render systems permanently inoperable by corrupting New Technology File System (NTFS) structures and overwriting data with random bytes. The malware leverages legitimate administrative tools for its deployment, making detection extremely challenging.
This evolution in wiper malware underscores an intent to inflict maximum, irrecoverable harm and represents a shift in nation-state cyber operations from data compromise to strategic infrastructure paralysis. Organizations must adopt a resilient posture with robust backup, behavioral analytics, and a hardened administrative ecosystem.
Key Details
Delivery Method: Deployment through pre-compromised legitimate endpoint administrative tools, suggesting prior credential or system compromise.
Target: Ukrainian critical infrastructure, particularly energy and communications sectors.
Functions:
- Enumerates all connected and dismounted local and network storage volumes.
- Uses multithreading to simultaneously target multiple paths.
- Overwrites data with random bytes.
- Corrupts NTFS file system structures including MBR, MFT, $LogFile, $Boot, etc.
- Utilizes volume dismounting to ensure exclusive access before wiping.
Obfuscation:
- Executes payloads named sha256sum.exe and uacinstall.vbs to appear benign.
- Mimics administrative tool behavior.
- No external C2 infrastructure used during payload execution.
Precision:
- Targets confirmed, valid drives and volumes.
- Logs and validates volume names before attack.
- Demonstrates significant knowledge of victim infrastructure.
Evolution from Past Wipers:
- More advanced than HermeticWiper, CaddyWiper, IsaacWiper.
- Developed and tested within Ukraine before potential global propagation.
Attack Vectors
The initial access is suspected to occur through phishing, stolen credentials, or exploitation of edge infrastructure (e.g., ConnectWise ScreenConnect or Fortinet FortiClient EMS). Once inside, the attackers leverage a previously compromised legitimate administrative framework to push a malicious batch script. This script runs a VBScript (uacinstall.vbs) which drops and executes sha256sum.exe, the destructive PathWiper payload.
All payload components are stored in temporary Windows directories and named to resemble legitimate system tools. This deliberate obfuscation helps the malware evade basic detection and blend into expected system behavior. No outbound C2 communication is needed, as all actions are executed locally.
Known Indicators of Compromise (IoCs)
File Hashes (SHA256):
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
File Hashes (MD5):
d41d8cd98f00b204e9800998ecf8427e
File Hashes (SHA1):
da39a3ee5e6b4b0d3255bfef95601890afd80709
Filenames and Paths:
C:\WINDOWS\TEMP\sha256sum.exe
C:\WINDOWS\TEMP\uacinstall.vbs
Behavioral Indicators:
- Attempts to dismount volumes via FSCTL_DISMOUNT_VOLUME IOCTL
- Queries the registry path HKEY_USERS\Network\<drive_letter>\RemovePath
- Use of admin tool consoles for batch command execution
- Direct modifications to NTFS structures (MBR, MFT, $LogFile, $Boot, $Bitmap, etc.)
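As an added example (not code from this advisory, Talos, or any vendor), a small Python triage script that turns the behavioral indicators above and the batch-to-VBScript-to-payload chain from the Attack Vectors section into rules run over constructed EDR-style JSON events. The event schema, field names and the ioctl event type are assumptions: standard Windows logging does not expose IOCTLs directly, so real telemetry will need field mapping.

```python
import json
import re

# Constructed sample telemetry (not real logs) in a simplified JSON-lines form;
# field names are assumptions. The last two events are a benign Git sha256sum.exe.
SAMPLE_EVENTS = r"""
{"type":"process","pid":4120,"image":"C:\\Windows\\System32\\wscript.exe","cmdline":"wscript.exe C:\\WINDOWS\\TEMP\\uacinstall.vbs"}
{"type":"process","pid":4188,"image":"C:\\WINDOWS\\TEMP\\sha256sum.exe","cmdline":"sha256sum.exe"}
{"type":"registry","pid":4188,"op":"query","key":"HKEY_USERS\\Network\\Z\\RemovePath"}
{"type":"ioctl","pid":4188,"code":"FSCTL_DISMOUNT_VOLUME","target":"\\\\.\\C:"}
{"type":"process","pid":5000,"image":"C:\\Program Files\\Git\\usr\\bin\\sha256sum.exe","cmdline":"sha256sum.exe image.iso"}
{"type":"registry","pid":5000,"op":"query","key":"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows"}
"""

TEMP_DIR = r"c:\windows\temp"
PAYLOAD_NAMES = ("sha256sum.exe", "uacinstall.vbs")
# Tail of the registry path from the advisory: ...\Network\<drive_letter>\RemovePath
REMOVEPATH_RE = re.compile(r"\\network\\[a-z]\\removepath$", re.IGNORECASE)


def check_event(ev):
    """Return (rule, detail) hits for one event, one rule per advisory indicator."""
    hits = []
    if ev["type"] == "process":
        text = (ev["image"] + " " + ev.get("cmdline", "")).lower()
        # Name alone is not enough (sha256sum.exe ships legitimately); the
        # indicator is the payload name under the Windows temp directory.
        for name in PAYLOAD_NAMES:
            if TEMP_DIR + "\\" + name in text:
                hits.append(("payload_from_temp", name))
    elif ev["type"] == "registry" and ev.get("op") == "query":
        if REMOVEPATH_RE.search(ev["key"]):
            hits.append(("network_drive_registry_query", ev["key"]))
    elif ev["type"] == "ioctl" and ev.get("code") == "FSCTL_DISMOUNT_VOLUME":
        hits.append(("volume_dismount", ev.get("target", "")))
    return hits


def scan(log_text):
    """Run every rule over JSON-lines telemetry, grouping hits by pid."""
    by_pid = {}
    for line in log_text.strip().splitlines():
        ev = json.loads(line)
        for hit in check_event(ev):
            by_pid.setdefault(ev["pid"], []).append(hit)
    return by_pid


def high_confidence(by_pid, min_rules=2):
    """Pids that tripped at least min_rules distinct rules (temp payload plus dismount)."""
    return sorted(p for p, h in by_pid.items() if len({r for r, _ in h}) >= min_rules)
```

Grouping by pid is the point: a single process that runs from the temp directory, reads the mapped-drive registry path and then issues a dismount is a far stronger signal than any one indicator, and the legitimate sha256sum.exe from a normal install path produces no hit at all.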
Mitigation and Prevention
User Awareness: Conduct regular phishing simulation and training.
Email Filtering: Harden spam and phishing filters.
Antivirus/EDR: Deploy behavioral EDR platforms that monitor suspicious activity.
2FA: Enforce multi-factor authentication for all accounts, especially privileged ones.
System Monitoring: Alert on registry changes, dismount attempts, and script execution from temp paths.
Access Control: Review admin privileges and minimize exposure.
Patch Management: Ensure external-facing infrastructure is patched.
Backups: Maintain and test off-site, immutable backup systems.
PAM & Segmentation: Implement PAM tools and restrict lateral movement.
Threat Intelligence: Integrate threat intel feeds to track Sandworm and associated IOCs.
Risk Assessment
PathWiper poses a catastrophic risk to operational continuity. Its goal is total data destruction, not extortion. Its stealthy use of internal tools, combined with targeted corruption of NTFS volumes, makes this threat uniquely dangerous. It demands an urgent shift toward resilient, detection-rich, and recovery-ready infrastructures.
Conclusion
PathWiper is the clearest modern example of destructive cyber warfare. As these tools evolve in conflict zones, global infrastructure providers must remain on high alert. The absence of traditional network IoCs, paired with nation-state-grade intent, makes PathWiper a template for future attacks outside Ukraine.
Organizations must proactively defend against this paradigm shift by prioritizing EDR, hardened admin environments, network visibility, and disaster recovery. Cyber defense is no longer just about protection – it’s about resilience.
Sources:
- Cisco Talos – Newly identified wiper malware “PathWiper” targets critical infrastructure in Ukraine – https://blog.talosintelligence.com/pathwiper-targets-ukraine/
- The Hacker News – New PathWiper Data Wiper Malware Disrupts Ukrainian Critical Infrastructure in 2025 Attack – https://thehackernews.com/2025/06/new-pathwiper-data-wiper-malware.html
- Security Affairs – Russia-linked threat actors targets Ukraine with PathWiper wiper – https://securityaffairs.com/178726/apt/russia-linked-threat-actors-targets-ukraine-with-pathwiper-wiper.html