News Trooper

New Pathwiper Data Wiper Malware Destroys Ukraine’s Critical Infrastructure in 2025 Attack

June 7, 2025 9 Min Read
Table of Contents

  • Silent Werewolf targets Russia and Moldova
  • Pro-Ukrainian hacktivist group BO Team targeting Russia

According to new Cisco Talos research, critical infrastructure entities within Ukraine have been targeted by a previously unseen data wiper malware named Pathwiper.

“The attack was carried out through a legitimate endpoint management framework, indicating that the attacker likely had access to the management console, which was then used to issue malicious commands and deploy Pathwiper across connected endpoints.”

The attack is attributed to a Russia-nexus Advanced Persistent Threat (APT) actor based on the observed tradecraft and overlapping capabilities with destructive malware previously used in attacks against Ukraine.

Talos said that the command issued from the administration tool’s console was received by a client running on the victim endpoint and executed as a batch (BAT) file.

The BAT file consists of a command that runs a malicious Visual Basic Script (VBScript) file named “uacinstall.vbs” in the Windows Temp folder; the script itself was also pushed to the machine via the admin console. The VBScript dropped the wiper binary, named “sha256sum.exe”, in the same folder and ran it.

“Through the course of the attack, the filenames and actions used were intended to mimic those deployed by the management utility console, indicating that the attacker had prior knowledge of the console and its functionality within the victim company’s environment,” Talos said.

Once launched, Pathwiper collects a list of connected storage media, including physical drive names, volume names and paths, and network drive paths. The wiper then creates one thread per drive and volume and, for each recorded path, overwrites the artifact contents with randomly generated bytes.

Specifically, it targets the Master Boot Record (MBR) and the NTFS metadata files $MFT, $MFTMirr, $LogFile, $Boot, $Bitmap, $TxfLog, $Tops and $AttrDef. Additionally, Pathwiper irreparably destroys files on disk by overwriting them with random bytes and attempts to dismount the volumes.

Pathwiper has been found to share some similarity with HermeticWiper (aka FoxBlade, KillDisk, or NEARMISS), which was detected in February 2024 coinciding with the full-scale military invasion of Ukraine.

Both wipers attempt to destroy the MBR and NTFS-related artifacts, but Talos notes that HermeticWiper and Pathwiper differ in the data-corruption mechanisms they use against the identified drives and volumes.

“The continuous evolution of wiper malware variations underscores the ongoing threat to Ukraine’s critical infrastructure despite the longevity of the Russia-Ukraine war,” the researchers said.

Silent Werewolf targets Russia and Moldova

The discovery of a new wiper aimed at Ukraine comes as Russian cybersecurity company BI.ZONE disclosed two new campaigns by Silent Werewolf in March 2025 to infect Moldovan and Russian companies with malware.

“The attacker adopted two separate loader instances to retrieve malicious payloads from the C2 server,” the company said. “Unfortunately, the payload itself was not available at the time of this study. However, a retrospective analysis of a similar Silent Werewolf campaign suggests that the threat actors used XDigo malware.”

The targets of the attack include Russia’s nuclear, aircraft, instrumentation and mechanical-engineering sectors. The starting point is a phishing email with a ZIP attachment that contains an LNK file and a nested ZIP archive. The second ZIP file consists of a legitimate binary, a malicious DLL, and a decoy PDF.

Unpacking and launching the Windows shortcut file triggers extraction of the nested archive and ultimately sideloads the malicious DLL via a legitimate executable (“DeviceMetadataWizard.exe”). The DLL is a C# loader (“d3d9.dll”) designed to retrieve the next-stage payload from a remote server and display the lure document to the victim.
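The attachment structure described above (LNK plus nested ZIP, with the inner archive pairing a legitimate executable and a DLL it would load from its own directory) is something a mail gateway or sandbox can triage statically before anything is opened. The following is an added example, not BI.ZONE’s or the article’s code: it builds a constructed lure archive in memory (file contents are placeholders; only the names and nesting matter), walks it recursively, and flags shortcuts, nested archives and executable/DLL co-location as a sideload candidate. The file names reuse those quoted on the page; the decoy name and the depth limit are assumptions.

```python
"""Static triage of a ZIP attachment for the LNK -> nested ZIP -> DLL sideload chain.

Added example (not BI.ZONE's or the article's code). The sample archive is
constructed in memory; file bodies are placeholders.
"""
import io
import zipfile

ARCHIVE_EXTS = {".zip"}
SHORTCUT_EXTS = {".lnk"}
EXEC_EXTS = {".exe"}
LIB_EXTS = {".dll"}


def _ext(name: str) -> str:
    dot = name.rfind(".")
    return name[dot:].lower() if dot >= 0 else ""


def triage_zip(data: bytes, prefix: str = "", depth: int = 0, max_depth: int = 3) -> list:
    """Return a list of findings for the archive bytes, recursing into nested ZIPs."""
    findings = []
    if depth > max_depth:
        findings.append(f"{prefix}: nesting deeper than {max_depth}, not expanded")
        return findings
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [f"{prefix or '<root>'}: not a valid ZIP"]

    names = [i.filename for i in zf.infolist() if not i.is_dir()]
    by_dir = {}
    for n in names:
        d = n.rsplit("/", 1)[0] if "/" in n else ""
        by_dir.setdefault(d, []).append(n)
        ext = _ext(n)
        full = f"{prefix}{n}"
        if ext in SHORTCUT_EXTS:
            findings.append(f"{full}: Windows shortcut (LNK) inside archive")
        if ext in ARCHIVE_EXTS:
            findings.append(f"{full}: nested archive (depth {depth + 1})")
            findings.extend(triage_zip(zf.read(n), f"{full}!/", depth + 1, max_depth))

    # An EXE next to a DLL in the same directory is the sideloading setup:
    # Windows searches the application directory before the system directory.
    for members in by_dir.values():
        exes = [m for m in members if _ext(m) in EXEC_EXTS]
        dlls = [m for m in members if _ext(m) in LIB_EXTS]
        for e in exes:
            for lib in dlls:
                findings.append(
                    f"{prefix}{e} + {prefix}{lib}: executable co-located with DLL (sideload candidate)"
                )
    return findings


def build_sample_attachment() -> bytes:
    """Constructed lure: outer ZIP with an LNK and an inner ZIP holding exe + dll + decoy PDF."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("DeviceMetadataWizard.exe", b"MZ placeholder")   # legitimate host binary (name from the page)
        z.writestr("d3d9.dll", b"MZ placeholder")                   # loader DLL (name from the page)
        z.writestr("schedule.pdf", b"%PDF placeholder")             # decoy; name is an assumption
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("Open_me.lnk", b"L\x00\x00\x00 placeholder")     # shortcut; name is an assumption
        z.writestr("docs.zip", inner.getvalue())
    return outer.getvalue()


def verdict(findings) -> str:
    """Block when a shortcut and a sideload candidate appear together; otherwise review or allow."""
    has_lnk = any("(LNK)" in f for f in findings)
    has_sideload = any("sideload candidate" in f for f in findings)
    if has_lnk and has_sideload:
        return "block"
    return "review" if findings else "allow"


if __name__ == "__main__":
    fs = triage_zip(build_sample_attachment())
    for f in fs:
        print(f)
    print("verdict:", verdict(fs))
```

The check deliberately does not parse the LNK or the PE files; the point is that the combination of a shortcut and an executable/DLL pair inside nested archives is suspicious on its own, regardless of what the binaries do.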

“It looks like the adversary is performing checks on the target system,” says BI.ZONE. “If the target host does not meet certain criteria, the LLaMA 2 large language model (LLM) in GGUF format is downloaded instead from hxxps://huggingface(.)co/thebloke/llama-2-70b-gguf/resolve/main/llama-2-70b.q5_k_k_k_m.guf.

“This will hinder a comprehensive analysis of the entire attack and allow threat actors to bypass defenses such as sandboxes.”

The cybersecurity company said the Moldovan campaign targeted unidentified sectors and likely used the same C# loader as the one aimed at Russia, and that it observed a second campaign in the same month using phishing lures about official vacation schedules and recommendations for protecting the company’s information infrastructure against ransomware attacks.

The cyber-espionage group, per BI.ZONE, is believed to have targeted a wide range of companies in Russia, Belarus, Ukraine, Moldova and Serbia since at least 2011. Its attacks are characterized by phishing emails delivering malware such as XDSpy, XDigo, and DSDownloader.

Pro-Ukrainian hacktivist group BO Team targeting Russia

In recent months, Russian state-owned companies and organizations spanning the technology, telecommunications and manufacturing industries have allegedly been attacked by a group codenamed BO Team (aka Black Owl, Hoody Hyena, Lifting Zmiy).

“BO Team is a serious threat aimed at causing the greatest possible damage to victims and deriving financial benefit,” Kaspersky researchers said in a report last week detailing the threat actor’s ability to disrupt victim infrastructure, in some cases even resorting to data encryption and extortion.

Active since at least January 2024, the hacktivist cluster’s attacks are known to use post-exploitation frameworks including Mythic and Cobalt Strike, as well as legitimate remote access and tunneling tools. The group also publishes information about its successful attacks on the BO Team Telegram channel.

Initial access to the target network is achieved by sending a phishing email with a booby-trapped attachment that, when opened, starts an infection chain designed to deploy known commodity malware families such as DarkGate, BrockenDoor, and Remcos RAT. Tools like HandleKatz and Nanodump are also used to dump LSASS memory.

BO Team operators, once armed with remote access, have been observed destroying file backups, using the SDelete utility to wipe files, and even deploying the Windows version of the Babuk encryptor in order to demand a ransom in exchange for restoring access.

Some of the other activities carried out by the threat actors are listed below:

  • Establish persistence using scheduled tasks
  • Give malicious components names similar to system or well-known executables to avoid detection
  • Extract the Active Directory database using ntdsutil
  • Run various commands to gather information about Telegram, running processes, current users, remote RDP sessions, and antivirus software installed on the endpoint
  • Perform lateral movement within Windows and Linux infrastructure using the RDP and SSH protocols
  • Use legitimate remote access software like AnyDesk for command and control
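Two of the behaviours this article describes leave clear traces in process-creation telemetry: the Pathwiper delivery chain (a management-agent client runs a BAT file, which runs a VBScript from the Windows Temp folder, which launches an executable dropped in that same folder) and the BO Team post-exploitation steps just listed (ntdsutil against the AD database, SDelete, scheduled-task persistence, AnyDesk run from a user-writable path). The following is an added example, not Cisco Talos’s, Kaspersky’s or the article’s code, showing how both can be expressed as rules over Sysmon-style process events. The event schema, the management-agent name “mgmtagent.exe”, the host names and every event below are constructed for the example; the file names “uacinstall.vbs” and “sha256sum.exe” come from the page.

```python
"""Process-event rules for the Pathwiper delivery chain and BO Team tradecraft.

Added example (not Talos's, Kaspersky's or the article's code). Event schema,
agent name and all sample events are constructed.
"""
from dataclasses import dataclass


@dataclass
class ProcEvent:
    host: str
    pid: int
    ppid: int
    image: str      # full path of the new process
    cmdline: str


TEMP_DIRS = ("c:\\windows\\temp\\", "\\appdata\\local\\temp\\")


def in_temp(text: str) -> bool:
    t = text.lower()
    return any(d in t for d in TEMP_DIRS)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


# Single-event rules for the BO Team activities listed on the page.
SINGLE_RULES = [
    ("ntdsutil AD database extraction",
     lambda e: basename(e.image) == "ntdsutil.exe" and "ntds" in e.cmdline.lower()),
    ("SDelete secure wipe",
     lambda e: basename(e.image) in ("sdelete.exe", "sdelete64.exe")),
    ("scheduled task persistence",
     lambda e: basename(e.image) == "schtasks.exe" and "/create" in e.cmdline.lower()),
    ("AnyDesk launched from non-standard path",
     lambda e: basename(e.image) == "anydesk.exe" and "program files" not in e.image.lower()),
]

CHAIN_RULE = "Temp VBScript -> Temp executable chain (Pathwiper-style delivery)"


def detect(events):
    """Return (rule_name, host, pid) for every matching event."""
    by_pid = {(e.host, e.pid): e for e in events}
    hits = []
    for e in events:
        for name, pred in SINGLE_RULES:
            if pred(e):
                hits.append((name, e.host, e.pid))
        # Chain rule walks the parent links: exe in Temp <- wscript/cscript .vbs in Temp <- cmd .bat
        if e.image.lower().endswith(".exe") and in_temp(e.image):
            parent = by_pid.get((e.host, e.ppid))
            if (parent and basename(parent.image) in ("wscript.exe", "cscript.exe")
                    and ".vbs" in parent.cmdline.lower() and in_temp(parent.cmdline)):
                grand = by_pid.get((parent.host, parent.ppid))
                if grand and basename(grand.image) == "cmd.exe" and ".bat" in grand.cmdline.lower():
                    hits.append((CHAIN_RULE, e.host, e.pid))
    return hits


# Constructed telemetry: one host showing the wiper delivery chain, one showing BO Team steps,
# plus two benign events that must not fire.
SAMPLE_EVENTS = [
    ProcEvent("srv01", 100, 1, r"C:\Program Files\MgmtAgent\mgmtagent.exe", "mgmtagent.exe"),
    ProcEvent("srv01", 200, 100, r"C:\Windows\System32\cmd.exe", r"cmd.exe /c C:\Windows\Temp\task.bat"),
    ProcEvent("srv01", 300, 200, r"C:\Windows\System32\wscript.exe", r"wscript.exe C:\Windows\Temp\uacinstall.vbs"),
    ProcEvent("srv01", 400, 300, r"C:\Windows\Temp\sha256sum.exe", "sha256sum.exe"),
    ProcEvent("dc01", 500, 1, r"C:\Windows\System32\ntdsutil.exe",
              r'ntdsutil "ac i ntds" "ifm" "create full C:\temp\ifm" q q'),
    ProcEvent("dc01", 510, 1, r"C:\Windows\Temp\sdelete64.exe", r"sdelete64.exe -p 3 C:\backups"),
    ProcEvent("dc01", 520, 1, r"C:\Windows\System32\schtasks.exe", r"schtasks.exe /create /tn Updater /tr C:\x.exe"),
    ProcEvent("dc01", 530, 1, r"C:\Users\svc\AppData\Local\Temp\anydesk.exe", "anydesk.exe"),
    ProcEvent("dc01", 600, 1, r"C:\Windows\System32\notepad.exe", "notepad.exe"),
    ProcEvent("dc01", 610, 1, r"C:\Windows\System32\schtasks.exe", "schtasks.exe /query"),
]

if __name__ == "__main__":
    for rule, host, pid in detect(SAMPLE_EVENTS):
        print(f"{host} pid={pid}: {rule}")
```

The chain rule is the more useful of the two kinds here: each step of the Pathwiper delivery (a management agent spawning cmd, a script in Temp, a binary in Temp) can look legitimate in isolation, which is exactly what the attacker relied on by mimicking the console’s own file names, so correlation across the parent links is what separates it from routine administration.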

“BO Team poses a major threat to Russian organizations with its unconventional approach to conducting attacks,” Kaspersky said. “Unlike most pro-Ukrainian hacktivist groups, BO Team actively uses a wide range of malware, including backdoors such as BrockenDoor, Remcos and DarkGate.”

“These characteristics point to a high level of autonomy within the group and the lack of stable relationships with other representatives of the pro-Ukrainian hacktivist cluster. There is virtually no indication of interaction, coordination, or exchange with other groups in BO Team’s public activity.”
