PathWiper: Russia’s Newest Cyber Weapon Designed for Pure Destruction

The conflict in Ukraine has always included a hidden front—one fought through networks, critical systems, and silent digital sabotage. Long before most people understood the scale of the cyber war, Russian-linked operators were already shaping the battlefield. Their latest tool, a highly destructive piece of malware known as PathWiper, marks a major escalation in that campaign.

Emerging in mid-2025 during coordinated strikes on Ukrainian infrastructure, PathWiper represents a new generation of state-backed cyber weapons built not to steal, extort, or spy—but to erase. Its goal is simple: take systems offline permanently, cripple operations, and force costly, time-consuming recoveries.

What PathWiper Actually Is

PathWiper belongs to a class of malware designed specifically to destroy data. Unlike ransomware, which locks files for leverage, wipers aim to make recovery impossible. Analysts first spotted PathWiper after attackers gained deep administrative control of targeted Ukrainian networks and deployed the malware across multiple systems at once.

The sophistication of its behavior and its strategic timing leave little doubt that it originates from a well-resourced actor—almost certainly one aligned with Russia’s ongoing hybrid warfare operations.

How the Attack Unfolds

PathWiper’s power lies in its subtlety and its thoroughness.

Attackers begin by obtaining administrator-level access—often through compromised credentials or remote management tools already used by IT staff. They then use legitimate system utilities to slip PathWiper into place, blending their movements with normal network activity.

Once triggered, the malware launches through a simple batch script. That script executes a VBScript, which drops and activates the primary wiper code. Using commonplace administrative tools allows the operation to remain almost invisible until it’s too late.

But the true danger comes from how PathWiper identifies its targets. It doesn’t just go after the C: drive or a handful of volumes. Instead, it scans every connected storage location: local disks, removable media, shared network drives, and even dismounted volumes that aren’t currently in use. Anything the operating system can see, PathWiper can destroy.

The malware methodically dismounts each volume, ensuring no files are locked, then launches multiple threads to overwrite critical structures—specifically the Master Boot Record, Master File Table, and a range of NTFS metadata files that Windows relies on to function. By the time it’s finished, the system cannot boot, cannot recover, and cannot be repaired. Restoration is only possible through clean reinstallations and offline backups—if those even exist.

How It Differs From Earlier Russian Wipers

Ukraine has been hit with destructive malware before—HermeticWiper, CaddyWiper, WhisperGate—but PathWiper represents a more advanced evolution. Earlier tools typically wiped drives in a predictable sequence or focused only on active disks. PathWiper actively hunts for additional storage locations, including devices that administrators may not even realize are present.

It also leans heavily on legitimate scripts and remote management systems, making it extremely difficult to detect early. What would normally look like routine IT maintenance may actually be a precursor to a network-wide wipe.

Why It Matters Strategically

PathWiper isn’t designed for financial gain or espionage. It exists purely to destroy. In the context of a wider military conflict, that makes it a strategic weapon.

Critical infrastructure—energy grids, transportation networks, communications hubs—remains a top priority for Russian cyber units. A wiper like PathWiper can disrupt wartime logistics, damage civilian resilience, and sow uncertainty or panic. It’s a form of warfare aimed at undermining confidence and complicating response operations.

The malware also serves a psychological function: showing Ukraine and its allies that Russia can still cause serious damage in cyberspace, even when conventional operations are stalled or challenged.

Defending Against a Weapon Built to Evade Detection

Stopping PathWiper before it destroys a system is extraordinarily difficult, but not impossible. Defense revolves around detecting the attacker—not just the malware.

Organizations need to:

• Watch for unusual administrative behavior or remote management usage.
• Limit privileged access to only those who absolutely need it.
• Maintain offline backups that cannot be reached by malware.
• Use endpoint detection systems that flag suspicious scripting activity.
• Patch, update, and harden critical systems continuously.
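As an added illustration (not code from the original article or from any analysis of PathWiper itself), the sketch below shows what the "suspicious scripting activity" and "unusual administrative behavior" bullets can look like as concrete detection logic: it flags the batch-to-VBScript-to-payload launch chain and a rapid burst of volume dismounts on one host. The event records are constructed sample data in a simplified shape, not real EDR telemetry.

```python
from collections import defaultdict
from datetime import datetime, timedelta

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}  # Windows VBScript hosts
SHELLS = {"cmd.exe"}  # batch script interpreter

def ev(ts, host, kind, **fields):
    return dict(ts=ts, host=host, kind=kind, **fields)

# Constructed sample telemetry in a simplified shape (not real EDR output).
EVENTS = [
    ev("2025-06-01T10:00:05", "srv1", "process", pid=120, ppid=100, image="cmd.exe"),
    ev("2025-06-01T10:00:06", "srv1", "process", pid=130, ppid=120, image="cscript.exe"),
    ev("2025-06-01T10:00:07", "srv1", "process", pid=140, ppid=130, image="upd.exe"),
    ev("2025-06-01T10:00:09", "srv1", "dismount", volume="C:"),
    ev("2025-06-01T10:00:10", "srv1", "dismount", volume="D:"),
    ev("2025-06-01T10:00:11", "srv1", "dismount", volume="\\\\fs01\\share"),
    ev("2025-06-01T11:00:01", "ws2", "process", pid=210, ppid=200, image="cmd.exe"),
    ev("2025-06-01T11:00:02", "ws2", "process", pid=220, ppid=210, image="ipconfig.exe"),
    ev("2025-06-01T11:30:00", "ws2", "dismount", volume="E:"),  # single USB removal
]

def script_chain_alerts(events):
    """Flag a process whose parent is a script host whose parent is a shell:
    the batch -> VBScript -> dropped payload launch sequence described above."""
    procs, alerts = {}, []
    for e in events:
        if e["kind"] != "process":
            continue
        procs[(e["host"], e["pid"])] = (e["ppid"], e["image"].lower())
        parent = procs.get((e["host"], e["ppid"]))
        grand = procs.get((e["host"], parent[0])) if parent else None
        if parent and grand and parent[1] in SCRIPT_HOSTS and grand[1] in SHELLS:
            alerts.append((e["host"], e["image"]))
    return alerts

def dismount_burst_alerts(events, threshold=3, window=timedelta(seconds=60)):
    """Flag hosts that dismount `threshold` or more volumes within `window`;
    a single removal is normal, a rapid sweep across volumes is not."""
    seen = defaultdict(list)
    for e in events:
        if e["kind"] == "dismount":
            seen[e["host"]].append(datetime.fromisoformat(e["ts"]))
    alerts = []
    for host, ts in seen.items():
        ts.sort()
        if any(ts[i + threshold - 1] - ts[i] <= window
               for i in range(len(ts) - threshold + 1)):
            alerts.append(host)
    return alerts
```

Real deployments would feed these functions from process-creation and volume events in the EDR or Windows event pipeline; the thresholds are assumptions to tune against each environment's baseline.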

Ultimately, PathWiper reinforces a hard truth: destructive malware is now a core component of modern conflict. As long as infrastructure remains interconnected and digitized, adversaries will continue searching for ways to weaponize it.

For Ukraine—and for any nation or organization watching closely—PathWiper is a warning. The next generation of cyber weapons isn’t coming. It’s already here. And defenders must adapt just as quickly as attackers evolve.
