Wiper malware is evolving, and the stakes for Critical Infrastructure and Operational Technology (OT) have never been higher.
Recently, security researchers detailed the lethality of PathWiper—a highly precise, destructive malware engineered by state-sponsored actors not to hold data for ransom, but to completely obliterate it.
While PathWiper is a highly destructive and sophisticated strain of malware, it has not been deployed in a widespread, indiscriminate manner like common ransomware. Instead, it is a highly targeted cyberwarfare tool.
Because it was only recently discovered by Cisco Talos in June 2025, the “known attacks” revolve around a specific, highly coordinated campaign rather than a long list of global breaches.
Here are the details of the known attacks and campaigns involving PathWiper:
The 2025 Ukrainian Critical Infrastructure Attack (Primary Incident)
The defining attack associated with PathWiper occurred against unnamed national energy, telecommunications, and critical infrastructure entities within Ukraine.
- The Target: Ukrainian critical infrastructure facilities.
- The Threat Actor: Cisco Talos attributed the attack with high confidence to a Russia-nexus Advanced Persistent Threat (APT) group. The campaign shares significant tactical overlap with “Sandworm” (the Russian military intelligence group responsible for previous attacks on Ukraine’s power grid).
- The Vector: The attackers did not use a traditional phishing or vulnerability exploit to deploy the wiper. Instead, they compromised a legitimate commercial endpoint administration framework. Because they already had access to the victim’s administrative console, they were able to quietly push malicious commands (mimicking routine IT tasks) to all connected endpoints simultaneously.
DCOM Abuse and Lateral Movement Campaign
Following the initial Talos discovery, further threat intelligence from Trellix NDR (Network Detection and Response) revealed specific lateral movement campaigns associated with the PathWiper deployment.
- The Technique: Attackers utilized DCOM (Distributed Component Object Model) abuse to move through the network.
- The Execution: The attackers created remote Microsoft Excel instances on target machines. They then used the ActivateMicrosoftApp method to execute a fake binary (often disguised as WINPROJ.exe or sha256sum.exe), which was actually the PathWiper payload. This allowed the malware to spread from the initial compromised administrative server to other high-value targets across the network without triggering standard antivirus alarms.
The Broader Context: The “Wiper War”
While PathWiper currently has a narrow target list, it is part of a much larger, ongoing campaign of destructive attacks against Ukraine that began in 2022.
PathWiper is considered the direct evolutionary successor to HermeticWiper (which was deployed just hours before the 2022 physical invasion of Ukraine). However, while HermeticWiper blindly corrupted drives by iterating through drive numbers 0 to 100, PathWiper is considered far more lethal because it programmatically identifies, verifies, and targets active, hidden, and historically mounted network drives to ensure maximum, irreversible destruction.
In summary, PathWiper is a surgical weapon: a cyberwar strike capability. Its known attacks are strictly confined to Russian state-sponsored sabotage against Ukrainian critical infrastructure in mid-2025. However, because it abuses standard Windows administrative tools and the DCOM architecture, the Tactics, Techniques, and Procedures (TTPs) used in this attack are being closely monitored by critical infrastructure defenders worldwide.
Unlike older, crude wipers that blindly corrupt drives, PathWiper takes a methodical approach. To defend against it, security teams must understand exactly how it operates.
Unpacking the TTPs and IoCs of PathWiper

PathWiper does not rely on zero-days; it turns the administrative environment into a weapon.
Key Tactics, Techniques, and Procedures (TTPs):
- Hijacked Execution & Lateral Movement: Attackers compromise legitimate endpoint administration consoles to push malicious batch files (init_wipe.bat). They also heavily abuse DCOM (Distributed Component Object Model), creating remote Excel instances to quietly spawn and execute their payloads across the network.
- Deep Reconnaissance: PathWiper actively queries Windows APIs and registry keys—specifically the persistent mapped-drive entries under HKEY_USERS\<SID>\Network\<drive_letter>\RemotePath—to hunt down both currently mounted and historical/hidden network drives.
- Irreversible Destruction: It programmatically dismounts volumes and systematically overwrites the Master Boot Record (MBR), the Master File Table ($MFT), and the $LogFile with randomly generated bytes. Once it executes, the data is permanently gone.
Critical Indicators of Compromise (IoCs) to hunt for:
- Malicious Scripts: Look for unexpected batch executions dropping a VBScript named uacinstall.vbs.
- Masquerading Executables: The primary wiper payload is frequently disguised under legitimate-sounding names like sha256sum.exe or WINPROJ.exe.
- Anomalous Registry Queries: Unusual querying of mapped network share paths in the registry, combined with sudden volume dismount requests (FSCTL_DISMOUNT_VOLUME).
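The TTPs and IoCs above translate naturally into a hunt over endpoint telemetry. The following script is an added example written for this article; it is not code from the original post, from Redinent, or from the Cisco Talos or Trellix reports. It runs over a handful of constructed, Sysmon-style event records (the Host, EventType, Image, ParentImage, CommandLine and TargetObject field names are assumptions about the telemetry schema, as are the allowlists of expected Excel child processes and expected registry readers) and correlates four indicators per host: a payload masquerading as sha256sum.exe or WINPROJ.exe, an unexpected child spawned by EXCEL.EXE (the DCOM ActivateMicrosoftApp pattern), a known script IoC on a command line, and a read of a persistent mapped-drive path (HKU\<SID>\Network\<letter>\RemotePath is the standard value holding a mapped drive's UNC path) by a process that has no business reading it. A host that shows both reconnaissance and a payload indicator is rated critical, because that combination means the wipe is about to run.

```python
"""Hunt for PathWiper-style TTPs in endpoint telemetry (added example).

The event records are constructed for this example; the field names and
allowlists are assumptions to be tuned per environment.
"""
from __future__ import annotations

import re

# Names the post reports the wiper payload masquerading as (lower-cased).
MASQUERADE_NAMES = {"sha256sum.exe", "winproj.exe"}
# Script and batch file names the post lists as IoCs.
SCRIPT_IOCS = ("uacinstall.vbs", "init_wipe.bat")
# Children that Excel launches legitimately; anything else spawned by
# EXCEL.EXE is treated as suspicious (assumption: extend for your estate).
EXCEL_EXPECTED_CHILDREN = {"splwow64.exe", "werfault.exe"}
# Processes expected to read persistent mapped-drive entries (assumption).
EXPECTED_DRIVE_READERS = {"explorer.exe", "svchost.exe"}
# HKU\<SID>\Network\<letter>\RemotePath stores the UNC path of a persistent
# mapped drive; the wiper reads it to find historical/hidden network drives.
MAPPED_DRIVE_RE = re.compile(r"\\Network\\[A-Z]\\RemotePath$", re.IGNORECASE)


def basename(path: str) -> str:
    """Last component of a Windows path, lower-cased ('' if empty)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_event(ev: dict) -> list[tuple[str, str]]:
    """Return (category, detail) findings for one telemetry record."""
    findings: list[tuple[str, str]] = []
    image = basename(ev.get("Image", ""))
    if ev.get("EventType") == "ProcessCreate":
        parent = basename(ev.get("ParentImage", ""))
        cmd = ev.get("CommandLine", "").lower()
        if image in MASQUERADE_NAMES:
            findings.append(("masquerade", f"{image} started from {ev.get('Image')}"))
        if parent == "excel.exe" and image not in EXCEL_EXPECTED_CHILDREN:
            findings.append(("dcom-excel-spawn", f"EXCEL.EXE launched {image}"))
        for name in SCRIPT_IOCS:
            if name in cmd:
                findings.append(("script-ioc", f"{name} referenced in command line"))
    elif ev.get("EventType") == "RegistryEvent":
        target = ev.get("TargetObject", "")
        if MAPPED_DRIVE_RE.search(target) and image not in EXPECTED_DRIVE_READERS:
            findings.append(("mapped-drive-recon", f"{image} read {target}"))
    return findings


def severity(categories: set[str]) -> str:
    """Recon plus a payload indicator on one host means a wipe is imminent."""
    payload = {"masquerade", "dcom-excel-spawn"} & categories
    if "mapped-drive-recon" in categories and payload:
        return "critical"
    if len(categories) >= 2:
        return "high"
    return "low"


def hunt(events: list[dict]) -> dict[str, dict]:
    """Group findings per host; hosts with no findings are omitted."""
    report: dict[str, dict] = {}
    for ev in events:
        for category, detail in check_event(ev):
            entry = report.setdefault(ev["Host"], {"categories": set(), "details": []})
            entry["categories"].add(category)
            entry["details"].append(detail)
    for entry in report.values():
        entry["severity"] = severity(entry["categories"])
    return report


# Constructed sample telemetry: one compromised VMS server and one clean workstation.
SAMPLE_EVENTS = [
    # vms-01: a remote Excel instance launches the masqueraded payload ...
    {"Host": "vms-01", "EventType": "ProcessCreate",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\Temp\WINPROJ.exe", "CommandLine": "WINPROJ.exe"},
    # ... the payload enumerates persistent mapped drives ...
    {"Host": "vms-01", "EventType": "RegistryEvent",
     "Image": r"C:\Windows\Temp\WINPROJ.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Network\Z\RemotePath"},
    # ... while the hijacked admin agent pushes the batch file.
    {"Host": "vms-01", "EventType": "ProcessCreate",
     "ParentImage": r"C:\Program Files\AdminAgent\agent.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c C:\Windows\Temp\init_wipe.bat"},
    # ws-07: ordinary user activity that must not alert.
    {"Host": "ws-07", "EventType": "ProcessCreate",
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "CommandLine": "EXCEL.EXE budget.xlsx"},
    {"Host": "ws-07", "EventType": "RegistryEvent",
     "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1002\Network\Z\RemotePath"},
]

if __name__ == "__main__":
    for host, entry in hunt(SAMPLE_EVENTS).items():
        print(f"{host}: {entry['severity']} {sorted(entry['categories'])}")
        for detail in entry["details"]:
            print("   ", detail)
```

Run as written, the script reports vms-01 as critical with all four categories and stays silent on ws-07, because explorer.exe reading mapped-drive entries and Excel being opened from the desktop are both normal. The allowlists are the tuning knobs: widen EXCEL_EXPECTED_CHILDREN for add-ins you actually deploy, and keep EXPECTED_DRIVE_READERS short, since very few processes besides the shell have a reason to walk those keys.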
The Real Threat: The “Trojan Horse” and the “Blindfold”
Can PathWiper directly “brick” your Linux-based CCTV cameras or access control systems? The technical answer is no—it is a Windows-killer. The operational reality? It can blind your entire facility.
Advanced Persistent Threats (APTs) use IoT in two specific ways when deploying malware like PathWiper:
- IoT as the Entry Point: Hackers scan your perimeter, find an IP camera with a default password or unpatched firmware, and compromise it. From that “harmless” camera, they pivot into your corporate network, hijack the administrative frameworks, and drop PathWiper on your core Windows machines.
- The Collateral Damage (VMS/PACS): What controls your physical security? Your Video Management System (VMS) and Physical Access Control System (PACS) servers are almost always running on Windows. When PathWiper destroys those servers, your cameras become useless glass, and your electronic doors fail. The physical security grid goes dark.
Breaking the Kill Chain with Redinent XIoT Platform

Securing your physical facility relies on the security of the servers that run it; similarly, protecting your IT environment is impossible if you ignore your IoT perimeter.
The Redinent XIoT Platform bridges this gap through continuous, automated scanning across the entire ecosystem:
- Securing the Edge (Cameras & Sensors): Redinent automatically discovers every IoT asset and actively scans them for the vulnerabilities attackers use to get inside. By identifying rogue cameras, flagging outdated firmware, and enforcing the removal of default passwords, Redinent cuts off PathWiper’s initial access vector.
- Hardening the Core (VMS & Endpoints): When Redinent scans your endpoint devices, it flags the exact misconfigurations PathWiper abuses to spread. It detects overly permissive network shares, identifies weak DCOM configurations, and ensures strict network segmentation between your IoT devices and your core servers.
- Proactive IoC Detection: By continuously mapping your XIoT attack surface, Redinent provides the early configuration warnings and behavioral insights needed to hunt down the TTPs of advanced malware before the wiper payload is ever detonated.
In an era of automated, destructive malware, treating IT security and IoT/Physical security as two separate silos is a fatal flaw.
Is your Video Management Server truly segmented from your corporate network? Are your perimeter cameras acting as open doors? Let’s secure the whole picture.