A previously undocumented malware strain named PathWiper has been deployed against a critical infrastructure entity in Ukraine, according to a report by Cisco Talos. The attack leveraged a legitimate endpoint administration framework, suggesting that the threat actor had direct access to the internal management console.
Researchers Jacob Finn, Dmytro Korzhevin, and Asheer Malhotra revealed that the malicious campaign executed commands through the legitimate administration console. These commands pushed a malicious batch (BAT) file to victim machines, which then ran a VBScript file (uacinstall.vbs) from the Windows TEMP directory. This script deployed the wiper binary under the name sha256sum.exe.
“The filenames and actions used mimicked legitimate administrative activity, pointing to the attackers’ deep familiarity with the victim’s environment,” Talos reported.
How PathWiper Works
Once executed, PathWiper identifies all connected storage media and spawns a dedicated thread for each volume, overwriting critical filesystem components such as:
- Master Boot Record (MBR)
- NTFS metadata files: $MFT, $MFTMirr, $LogFile, $Boot, $Bitmap, $TxfLog, $Tops, $AttrDef
The malware uses randomly generated data to overwrite files, rendering them unrecoverable. PathWiper shares traits with HermeticWiper (also known as FoxBlade, KillDisk), used during Russia’s 2024 invasion of Ukraine and attributed to the Sandworm group.
While both wipers corrupt MBR and NTFS data, they use different mechanisms for file destruction.
“The emergence of PathWiper illustrates the evolving threat landscape faced by Ukraine’s digital infrastructure,” Talos concluded.
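The structures listed above ($Boot, $MFT, $MFTMirr and the rest) are exactly what an incident responder checks first when a wiper is suspected. The following is an added example, not code from the Talos report: it parses the $Boot sector of a volume image, follows its pointer to the first $MFT record, and reports whether the signatures NTFS requires are still present or have been replaced by random bytes. Both sample images are constructed inline; the field offsets are the standard NTFS boot-sector layout, and the 1024-byte record size and 8-sectors-per-cluster geometry are assumptions for the sample.

```python
"""Integrity check for the NTFS structures PathWiper overwrites.

Added example, not Cisco Talos code. It reads the $Boot sector and the first
$MFT record from a volume image and reports whether the signatures NTFS
requires are still present. The two images are constructed inline; a real
run would read the first sectors of the affected volume instead.
"""
import random
import struct

SECTOR = 512
CLUSTER = 8 * SECTOR      # assumed geometry for the sample: 8 sectors per cluster
MFT_RECORD = 1024         # default $MFT record size on most volumes


def build_intact_volume() -> bytes:
    """Constructed minimal image: a $Boot sector, padding, then one $MFT record
    at cluster 1. Only the fields this check reads are filled in."""
    boot = bytearray(SECTOR)
    boot[0:3] = b"\xEB\x52\x90"                    # x86 jump over the BPB
    boot[3:11] = b"NTFS    "                       # OEM ID, 8 bytes
    struct.pack_into("<H", boot, 0x0B, SECTOR)     # bytes per sector
    boot[0x0D] = CLUSTER // SECTOR                 # sectors per cluster
    struct.pack_into("<Q", boot, 0x30, 1)          # logical cluster number of $MFT
    boot[510:512] = b"\x55\xAA"                    # end-of-sector signature
    record = bytearray(MFT_RECORD)
    record[0:4] = b"FILE"                          # $MFT record signature
    return bytes(boot) + bytes(CLUSTER - SECTOR) + bytes(record)


def build_wiped_volume(seed: int = 1) -> bytes:
    """Same layout after a PathWiper-style pass: $Boot and the $MFT record are
    replaced with random bytes (seeded so the sample is reproducible)."""
    rng = random.Random(seed)
    img = bytearray(build_intact_volume())
    img[0:SECTOR] = bytes(rng.getrandbits(8) for _ in range(SECTOR))
    img[CLUSTER:CLUSTER + MFT_RECORD] = bytes(rng.getrandbits(8) for _ in range(MFT_RECORD))
    return bytes(img)


def check_boot_sector(image: bytes) -> dict:
    """Validate the fields a wiped $Boot sector would no longer satisfy."""
    boot = image[:SECTOR]
    bps = struct.unpack_from("<H", boot, 0x0B)[0]
    spc = boot[0x0D]
    mft_lcn = struct.unpack_from("<Q", boot, 0x30)[0]
    result = {
        "oem_id_ok": boot[3:11] == b"NTFS    ",
        "signature_ok": boot[510:512] == b"\x55\xAA",
        # Only the common small-cluster encoding is accepted; byte values above
        # 0x80 encode very large clusters differently and are out of scope here.
        "geometry_ok": bps in (512, 1024, 2048, 4096)
        and spc in (1, 2, 4, 8, 16, 32, 64, 128),
    }
    result["mft_offset"] = mft_lcn * spc * bps if result["geometry_ok"] else None
    return result


def check_mft_record(image: bytes, offset) -> bool:
    """True if the record at `offset` still starts with the 'FILE' signature."""
    if offset is None or offset + 4 > len(image):
        return False
    return image[offset:offset + 4] == b"FILE"


def triage(image: bytes) -> dict:
    """Combine the checks into a single verdict for the IR timeline."""
    boot = check_boot_sector(image)
    mft_ok = check_mft_record(image, boot["mft_offset"])
    intact = boot["oem_id_ok"] and boot["signature_ok"] and boot["geometry_ok"] and mft_ok
    return {"boot": boot, "mft_ok": mft_ok, "verdict": "intact" if intact else "damaged"}


if __name__ == "__main__":
    for label, img in (("intact", build_intact_volume()), ("wiped", build_wiped_volume())):
        print(label, triage(img))
```

On a real volume the check would also read the backup boot sector NTFS keeps in the last sector of the partition and the copies of the first records held in $MFTMirr; since the page lists $Boot and $MFTMirr among the files PathWiper overwrites, a "damaged" verdict from both primary and backup copies is what distinguishes a wiper from ordinary corruption.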
Silent Werewolf Targets Russia and Moldova
Meanwhile, cybersecurity firm BI.ZONE uncovered two March 2025 malware campaigns attributed to the Silent Werewolf threat group. These operations targeted organizations in Russia and Moldova, specifically in sectors like nuclear energy, aerospace, and mechanical engineering.
Attackers used phishing emails with nested ZIP files containing a malicious DLL sideloaded via a legitimate binary (DeviceMetadataWizard.exe). The C# loader DLL (d3d9.dll) fetched additional malware from a command-and-control (C2) server and opened a decoy PDF.
In an unusual move, if the target system didn’t meet specific criteria, attackers downloaded a Llama 2 large language model in GGUF format from a disguised Hugging Face URL. This likely helped evade sandbox analysis tools.
A second campaign that same month used phishing lures mimicking government vacation notices and corporate ransomware protection guides, delivering the same loader.
BI.ZONE linked these attacks to previous campaigns using XDSpy, XDigo, and DSDownloader.
Pro-Ukrainian Hacktivist Group BO Team Hits Russian Targets
Russian organizations are also being targeted by a pro-Ukrainian hacktivist group known as BO Team (aka Black Owl, Hoody Hyena, Lifting Zmiy), which has escalated its campaigns since early 2024.
According to a recent Kaspersky report, BO Team employs a wide range of tools and malware, including DarkGate, Remcos RAT, and BrockenDoor. Infection typically begins with phishing emails and leads to full infrastructure compromise.
Observed tactics include:
- Destroying file backups with SDelete
- Deploying ransomware via Babuk
- Using scheduled tasks for persistence
- Extracting Active Directory data with ntdsutil
- Harvesting LSASS credentials with HandleKatz and NanoDump
- Remote access via RDP and SSH
- Installing AnyDesk for long-term control
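Both the PathWiper delivery chain (BAT file, then a VBScript run from TEMP, then a binary named sha256sum.exe) and the BO Team tool list above reduce to process-creation patterns a SOC can hunt for. The following is an added example, not code from Talos, BI.ZONE or Kaspersky: it runs a small set of rules over constructed Sysmon-style process-creation rows. The CSV layout and field names are an assumption; the tool and file names come from this page. The chain rule deliberately requires the parent relationship, so a legitimate sha256sum.exe (a benign row is included) is not flagged.

```python
"""Process-creation triage for the behaviours described on this page.

Added example, not Talos, BI.ZONE or Kaspersky code. The rows are constructed
Sysmon-style process-creation records (timestamp, pid, ppid, image, command
line); the field names and CSV layout are an assumption for the sample.
"""
import csv
import io

SAMPLE_EVENTS = r"""ts,pid,ppid,image,cmdline
10:00:01,400,120,C:\Windows\System32\cmd.exe,cmd.exe /c C:\Windows\Temp\deploy.bat
10:00:02,412,400,C:\Windows\System32\wscript.exe,wscript.exe C:\Windows\Temp\uacinstall.vbs
10:00:03,420,412,C:\Windows\Temp\sha256sum.exe,sha256sum.exe
10:00:04,430,300,C:\Program Files\Git\usr\bin\sha256sum.exe,sha256sum.exe release.zip
10:05:00,500,300,C:\Windows\System32\ntdsutil.exe,ntdsutil.exe
10:05:30,510,300,C:\Users\Public\sdelete64.exe,sdelete64.exe D:\Backups
10:06:00,520,300,C:\Windows\System32\schtasks.exe,schtasks.exe /create /tn Updater /tr C:\Users\Public\svc.exe
10:06:10,530,300,C:\Users\Public\nanodump.exe,nanodump.exe
10:07:00,540,300,C:\Users\Public\AnyDesk.exe,AnyDesk.exe --install
10:08:00,550,300,C:\Windows\System32\notepad.exe,notepad.exe notes.txt
"""


def load_events(text: str) -> list[dict]:
    """Parse the CSV rows into dicts with integer pid/ppid."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["pid"] = int(row["pid"])
        row["ppid"] = int(row["ppid"])
    return rows


def basename(path: str) -> str:
    """Lower-cased file name component of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


# Tool names taken from the BO Team tactics list on this page.
TOOL_RULES = {
    "backup-destruction:sdelete": {"sdelete.exe", "sdelete64.exe"},
    "ad-database-access:ntdsutil": {"ntdsutil.exe"},
    "lsass-dump:handlekatz-nanodump": {"handlekatz.exe", "nanodump.exe"},
    "remote-control:anydesk": {"anydesk.exe"},
}


def match_tool_rules(ev: dict) -> list[str]:
    """Rules that fire on a single event, by image name (plus schtasks /create)."""
    name = basename(ev["image"])
    hits = [rule for rule, names in TOOL_RULES.items() if name in names]
    if name == "schtasks.exe" and "/create" in ev["cmdline"].lower():
        hits.append("persistence:scheduled-task")
    return hits


def match_pathwiper_chain(events: list[dict]) -> list[int]:
    """Pids of sha256sum.exe processes whose parent is a script host running a
    .vbs from a TEMP directory, i.e. the delivery chain Talos described."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for ev in events:
        if basename(ev["image"]) != "sha256sum.exe":
            continue
        parent = by_pid.get(ev["ppid"])
        if parent is None:
            continue
        cmd = parent["cmdline"].lower()
        if (basename(parent["image"]) in {"wscript.exe", "cscript.exe"}
                and "\\temp\\" in cmd and ".vbs" in cmd):
            hits.append(ev["pid"])
    return hits


def triage(text: str) -> dict[str, list[int]]:
    """Map each rule name to the pids that triggered it."""
    events = load_events(text)
    out: dict[str, list[int]] = {}
    for ev in events:
        for rule in match_tool_rules(ev):
            out.setdefault(rule, []).append(ev["pid"])
    chain = match_pathwiper_chain(events)
    if chain:
        out["wiper-delivery:vbs-from-temp-spawns-sha256sum"] = chain
    return out


if __name__ == "__main__":
    for rule, pids in sorted(triage(SAMPLE_EVENTS).items()):
        print(f"{rule}: pids {pids}")
```

Image-name rules are cheap but brittle, since an operator can rename a binary; the chain rule is the more durable of the two because it keys on the relationship between a script host started from TEMP and its child, which is what the Talos description of the intrusion turns on.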
Notably, BO Team operates independently, showing little coordination with other pro-Ukrainian cyber groups. Its use of both espionage and ransomware tactics marks it as an unusually sophisticated and aggressive actor in the hacktivist arena.
“These features confirm the high level of autonomy of the group and the absence of stable connections with other representatives of the pro-Ukrainian hacktivist cluster,” Kaspersky noted. “This once again emphasizes its unique profile within the current hacktivist landscape in Russia.”