A critical infrastructure entity within Ukraine was targeted by a previously unseen data wiper malware named PathWiper, according to new findings from Cisco Talos.
"The attack was instrumented via a legitimate endpoint administration framework, indicating that the attackers likely had access to the administrative console, that was then used to issue malicious commands and deploy PathWiper across connected endpoints," researchers Jacob Finn, Dmytro Korzhevin, and Asheer Malhotra said in an analysis published Thursday.
The attack is assessed to be the work of a Russia-nexus advanced persistent threat (APT) actor based on the tradecraft observed and the overlapping capabilities with destructive malware used in attacks against Ukraine.
Talos said the commands issued by the administrative tool's console were received by its client running on the victim endpoints and then executed as a batch (BAT) file.
The BAT file, in turn, consisted of a command to run a malicious Visual Basic Script (VBScript) file in the Windows TEMP folder called "uacinstall.vbs," which was also pushed to the machines via the administrative console. The VBScript, for its part, dropped the wiper binary under the name "sha256sum.exe" in the same folder and executed it.
"Throughout the course of the attack, filenames and actions used were intended to mimic those deployed by the administrative utility's console, indicating that the attackers had prior knowledge of the console and possibly its functionality within the victim enterprise's environment," Talos said.
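The delivery chain above (admin console → BAT → VBScript in TEMP → a binary named like a hashing utility dropped to TEMP) is exactly what process-creation telemetry is good at catching. The following is an added hunting example, not Cisco Talos code: it scans Sysmon Event ID 1 style records, flattened to Python dicts, for a script host executing a .vbs out of a TEMP folder and for a masquerading binary launched from TEMP by a script host. The sample events, the management-agent path and the extra utility names beyond "sha256sum.exe" are constructed for illustration.

```python
"""Hunt for a PathWiper-style delivery chain in process-creation telemetry.

Added example, not Cisco Talos code. Events are Sysmon Event ID 1 style
records flattened to dicts; the sample events, the agent path and the
timestamps are constructed for illustration.
"""
import re
from typing import Dict, List

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# Binary names an intruder might reuse to blend in with admin tooling.
# "sha256sum.exe" is the name reported for PathWiper; the others are assumed.
MIMICKED_UTILITIES = {"sha256sum.exe", "md5sum.exe", "certutil.exe"}

TEMP_DIR_RE = re.compile(r"[\\/](temp|tmp)[\\/]", re.IGNORECASE)
VBS_IN_TEMP_RE = re.compile(r'[\\/](temp|tmp)[\\/][^\s"]+\.vbs\b', re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX style path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one alert per event that matches a stage of the chain."""
    alerts = []
    for ev in events:
        image = ev.get("Image", "")
        parent = ev.get("ParentImage", "")
        cmdline = ev.get("CommandLine", "")
        name = basename(image)

        # Stage 1: a script host executing a .vbs that lives in a TEMP folder
        # (the report names uacinstall.vbs in the Windows TEMP folder).
        if name in SCRIPT_HOSTS and VBS_IN_TEMP_RE.search(cmdline):
            alerts.append({"rule": "vbs_from_temp", "time": ev["UtcTime"],
                           "detail": cmdline})

        # Stage 2: a binary masquerading as a known utility, running out of
        # TEMP with a script host as its parent.
        if (name in MIMICKED_UTILITIES and TEMP_DIR_RE.search(image)
                and basename(parent) in SCRIPT_HOSTS):
            alerts.append({"rule": "masquerading_binary_from_temp",
                           "time": ev["UtcTime"], "detail": image})
    return alerts


# Constructed sample telemetry: three events modelling the chain, two benign.
SAMPLE_EVENTS = [
    {"UtcTime": "2025-06-05 10:00:01", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files\ExampleMgmt\agent.exe",   # assumed agent path
     "CommandLine": r"cmd.exe /c C:\Windows\Temp\run.bat"},
    {"UtcTime": "2025-06-05 10:00:02", "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"wscript.exe C:\Windows\Temp\uacinstall.vbs"},
    {"UtcTime": "2025-06-05 10:00:03", "Image": r"C:\Windows\Temp\sha256sum.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"C:\Windows\Temp\sha256sum.exe"},
    # Benign: a logon script run from a non-TEMP location.
    {"UtcTime": "2025-06-05 10:05:00", "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"wscript.exe C:\Scripts\inventory.vbs"},
    # Benign: a real sha256sum shipped with a developer toolchain.
    {"UtcTime": "2025-06-05 10:06:00",
     "Image": r"C:\Program Files\Git\usr\bin\sha256sum.exe",
     "ParentImage": r"C:\Program Files\Git\usr\bin\bash.exe",
     "CommandLine": r"sha256sum release.zip"},
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(alert["time"], alert["rule"], alert["detail"])
```

Both rules key on location and parentage rather than on the file name alone, which is why the genuine sha256sum in a developer toolchain and the logon script outside TEMP stay quiet. In a real deployment the parent of the cmd.exe stage would be the management agent itself, and pivoting on that parent is the quickest way to scope which endpoints received the same console command.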
Once launched, PathWiper is designed to gather a list of connected storage media, including physical drive names, volume names and paths, and network drive paths. The wiper then proceeds to create one thread per drive and volume for every path recorded and overwrites the contents of the artifacts with randomly generated bytes.
Specifically, it targets: Master Boot Record (MBR), $MFT, $MFTMirr, $LogFile, $Boot, $Bitmap, $TxfLog, $Tops, and $AttrDef. In addition, PathWiper irrevocably destroys files on disk by overwriting them with randomized bytes and attempts to dismount volumes.
PathWiper has been found to share some level of similarity with HermeticWiper (aka FoxBlade, KillDisk, or NEARMISS), which was detected coinciding with Russia's full-scale military invasion of Ukraine in February 2022. The HermeticWiper malware is attributed to the Russia-linked Sandworm group.
While both wipers attempt to corrupt the MBR and NTFS-related artifacts, it bears noting that HermeticWiper and PathWiper differ in the manner the data corruption mechanism is used against identified drives and volumes.
"The continued evolution of wiper malware variants highlights the ongoing threat to Ukrainian critical infrastructure despite the longevity of the Russia-Ukraine war," the researchers said.
Silent Werewolf Targets Russia and Moldova
The discovery of a new breed of wiper malware against Ukraine comes as Russian cybersecurity company BI.ZONE uncovered two new campaigns undertaken by Silent Werewolf in March 2025 to infect Moldovan and Russian companies with malware.
"The attackers employed two separate loader instances to retrieve the malicious payload from their C2 server," the company said. "Unfortunately, the payload itself was not available at the time of this research. However, a retrospective analysis of similar Silent Werewolf campaigns suggests that the threat actor used XDigo malware."
Some of the targets of the attacks include nuclear, aircraft, instrumentation, and mechanical engineering sectors in Russia. The starting point is a phishing email containing a ZIP file attachment that, in turn, includes an LNK file and a nested ZIP archive. The second ZIP file consists of a legitimate binary, a malicious DLL, and a decoy PDF.
Unpacking and launching the Windows shortcut file triggers the extraction of the nested archive and ultimately causes the rogue DLL to be sideloaded via the legitimate executable ("DeviceMetadataWizard.exe"). The DLL is a C# loader ("d3d9.dll") that is designed to retrieve the next-stage payload from a remote server and display the lure document to the victim.
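The attachment layout described above (a ZIP holding an LNK plus a nested ZIP, which in turn holds a legitimate EXE, a DLL carrying a system-DLL name, and a decoy PDF) can be triaged statically before anything is opened. The following is an added example, not BI.ZONE code: it walks a ZIP and its nested archives and flags the shortcut-plus-archive pairing and any DLL with a commonly sideloaded name sitting in the same directory as an executable. The sample attachment is built in memory from placeholder bytes so the script runs offline, and the DLL names other than "d3d9.dll" are an assumption about which system DLL names are typically abused this way.

```python
"""Triage a mail attachment for the nested-archive DLL sideloading pattern.

Added example, not BI.ZONE code. The archive is built in memory from
placeholder bytes so the script runs offline; the DLL name list beyond
d3d9.dll is an assumption about commonly sideloaded names.
"""
import io
import zipfile
from typing import Dict, List

# DLL names a legitimate executable resolves from its own directory before
# System32, which makes them sideloading candidates. d3d9.dll is the name in
# the report; the others are assumed.
SIDELOAD_DLL_NAMES = {"d3d9.dll", "version.dll", "dwmapi.dll", "userenv.dll", "wininet.dll"}


def _dirname(name: str) -> str:
    return name.rsplit("/", 1)[0] if "/" in name else ""


def _basename(name: str) -> str:
    return name.rsplit("/", 1)[-1]


def inspect_archive(data: bytes, depth: int = 0, max_depth: int = 3) -> List[Dict[str, object]]:
    """Walk a ZIP (and the ZIPs nested inside it) and return findings."""
    findings: List[Dict[str, object]] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = [n for n in zf.namelist() if not n.endswith("/")]
        lower = {n.lower(): n for n in names}          # case-insensitive view
        lnks = [n for n in lower if n.endswith(".lnk")]
        nested = [n for n in lower if n.endswith(".zip")]
        exes = [n for n in lower if n.endswith(".exe")]
        dlls = [n for n in lower if n.endswith(".dll")]

        # Stage 1 pattern: a shortcut delivered alongside a nested archive.
        if lnks and nested:
            findings.append({"rule": "lnk_with_nested_archive", "depth": depth,
                             "detail": sorted(lower[n] for n in lnks + nested)})

        # Stage 2 pattern: a DLL with a system-DLL name beside an executable in
        # the same directory, so that executable loads it instead of the real one.
        for dll in dlls:
            if _basename(dll) not in SIDELOAD_DLL_NAMES:
                continue
            siblings = [e for e in exes if _dirname(e) == _dirname(dll)]
            if siblings:
                findings.append({"rule": "sideload_candidate", "depth": depth,
                                 "detail": {"dll": lower[dll],
                                            "exe": [lower[e] for e in siblings]}})

        # Recurse into nested archives, bounded so deeply nested junk cannot
        # pin the triage script.
        if depth < max_depth:
            for n in nested:
                try:
                    findings.extend(inspect_archive(zf.read(lower[n]), depth + 1, max_depth))
                except zipfile.BadZipFile:
                    findings.append({"rule": "unreadable_nested_archive",
                                     "depth": depth + 1, "detail": lower[n]})
    return findings


def build_sample_attachment() -> bytes:
    """Constructed lookalike of the reported attachment layout (placeholder bytes)."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("DeviceMetadataWizard.exe", b"MZ placeholder, not a real PE")
        z.writestr("d3d9.dll", b"MZ placeholder, not a real PE")
        z.writestr("decoy.pdf", b"%PDF-1.4 placeholder")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("document.lnk", b"L\x00\x00\x00 placeholder shortcut")
        z.writestr("document.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for f in inspect_archive(build_sample_attachment()):
        print(f"depth={f['depth']} {f['rule']}: {f['detail']}")
```

The sideload rule deliberately requires an executable in the same directory as the DLL; a stray d3d9.dll on its own is noise, while the EXE-plus-DLL pairing is the precondition for search-order hijacking. Findings carry their nesting depth so an analyst can see that the lure is one archive deep, which is itself a signal that the sender is trying to get past single-layer attachment scanning.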
"The adversaries appear to run checks on target systems," BI.ZONE said. "If a target host does not meet certain criteria, the Llama 2 large language model (LLM) in GGUF format is downloaded from hxxps://huggingface[.]co/TheBloke/Llama-2-70B-GGUF/resolve/main/llama-2-70b.Q5_K_M.gguf."
"This hinders the comprehensive analysis of the entire attack and allows the threat actor to bypass defenses such as sandboxes."
The cybersecurity firm said it observed a second campaign that same month targeting unknown sectors in Moldova and, likely, Russia using the same C# loader, but via phishing lures related to official vacation schedules and recommendations for protecting corporate information infrastructure against ransomware attacks.
The cyber espionage group, per BI.ZONE, is believed to be active at least since 2011, targeting a wide range of companies in Russia, Belarus, Ukraine, Moldova and Serbia. The attacks are characterized by the use of phishing lures to deliver malware such as XDSpy, XDigo, and DSDownloader.
Pro-Ukrainian Hacktivist Group BO Team Targets Russia
In recent months, Russian state-owned companies and organizations spanning technology, telecommunications, and manufacturing verticals are also said to have come under cyber attacks from a pro-Ukrainian hacktivist group codenamed BO Team (aka Black Owl, Hoody Hyena, and Lifting Zmiy).
"BO Team is a serious threat aimed both at inflicting maximum damage to the victim and at extracting financial benefits," Kaspersky researchers said in a report last week, detailing the threat actor's ability to sabotage victims' infrastructure and, in some instances, even resort to data encryption and extortion.
Active since at least January 2024, attacks mounted by the hacktivist cluster are known to leverage post-exploitation frameworks, including Mythic and Cobalt Strike, as well as legitimate remote access and tunneling tools. The group also has a history of accessing confidential data and publishing information about successful attacks in its Telegram channel BO Team.
Initial access to target networks is accomplished by sending phishing emails containing booby-trapped attachments that, when opened, activate an infection chain designed to deploy known commodity malware families like DarkGate, BrockenDoor, and Remcos RAT. Also used are tools such as HandleKatz and NanoDump for dumping LSASS process memory.
Armed with the remote access, BO Team has been observed destroying file backups, deleting files using the SDelete utility, and additionally dropping the Windows version of the Babuk encryptor to demand a ransom in exchange for regaining access.
Some of the other actions carried out by the threat actor are listed below –
Establishing persistence using scheduled tasks
Assigning malicious component names similar to system or well-known executable files to evade detection
Extracting the Active Directory database using ntdsutil
Running various commands to gather information about Telegram, running processes, current users, remote RDP sessions, and antivirus software installed on the endpoints
Using RDP and SSH protocols to perform lateral movement within Windows and Linux infrastructures
Dropping legitimate remote access software like AnyDesk for command-and-control
"The BO Team group poses a significant threat to Russian organizations due to its unconventional approach to conducting attacks," Kaspersky said. "Unlike most pro-Ukrainian hacktivist groups, BO Team actively uses a wide arsenal of malware, including backdoors such as BrockenDoor, Remcos, and DarkGate."
"These features confirm the high level of autonomy of the group and the absence of stable connections with other representatives of the pro-Ukrainian hacktivist cluster. In the public activity of BO Team, there are practically no signs of interaction, coordination or exchange of tools with other groups. This once again emphasizes its unique profile within the current hacktivist landscape in Russia."