win.pathwiper

PathWiper


According to Cisco Talos, this wiper replaces the contents of file-system artifacts with random data generated on the fly. It enumerates connected storage media, creates one thread per drive and volume for every path recorded, and overwrites those artifacts with randomly generated bytes. The wiper also reads multiple NTFS file-system attributes and overwrites them as well. In addition, PathWiper destroys files on disk by overwriting them with randomized bytes.

References
2025-06-05 — Cisco Talos — Asheer Malhotra, Dmytro Korzhevin, Jacob Finn
Newly identified wiper malware “PathWiper” targets critical infrastructure in Ukraine
PathWiper
Yara Rules
[TLP:WHITE] win_pathwiper_auto (20260504 | Detects win.pathwiper.)
rule win_pathwiper_auto {
    /*
     * Code-sequence signature for the PathWiper wiper (Malpedia family win.pathwiper).
     * Each $sequence_N is a short run of 32-bit x86 instruction bytes (ebp-relative
     * stack accesses, push/lea argument setup) lifted from an unpacked sample or memory
     * dump, see DISCLAIMER below. The `??` wildcards replace the rel32 operand of
     * `e8` (call) and the imm32 operand of `68` (push), presumably because those values
     * depend on code layout and would not survive relinking; the opcode byte is still
     * matched. The rule therefore targets decoded code: a packed or encrypted
     * on-disk sample is not expected to match until it is unpacked or scanned in memory.
     */

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.pathwiper."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.pathwiper"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        // CC BY-SA 4.0 / TLP:WHITE: the rule may be redistributed with attribution.
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Stores a 32-bit immediate on the stack, then xors a loaded value into a
        // 16-bit slot — looks like an inline constant being assembled; verify in the sample.
        $sequence_0 = { c745e0ebccb158 668975e4 e8???????? 8b8d52ebffff 33c8 66894de6 b98fbc0000 }
            // n = 7, score = 100
            //   c745e0ebccb158       | mov                 dword ptr [ebp - 0x20], 0x58b1cceb
            //   668975e4             | mov                 word ptr [ebp - 0x1c], si
            //   e8????????           |                     
            //   8b8d52ebffff         | mov                 ecx, dword ptr [ebp - 0x14ae]
            //   33c8                 | xor                 ecx, eax
            //   66894de6             | mov                 word ptr [ebp - 0x1a], cx
            //   b98fbc0000           | mov                 ecx, 0xbc8f

        // Loop tail: advances a pointer in [ebp-0x10] by 0x18 and compares it with an
        // end value in [ebp-0x14], i.e. iteration over 0x18-byte elements.
        $sequence_1 = { c645fc00 85c0 0f859a000000 8b45f0 83c018 8945f0 3b45ec }
            // n = 7, score = 100
            //   c645fc00             | mov                 byte ptr [ebp - 4], 0
            //   85c0                 | test                eax, eax
            //   0f859a000000         | jne                 0xa0
            //   8b45f0               | mov                 eax, dword ptr [ebp - 0x10]
            //   83c018               | add                 eax, 0x18
            //   8945f0               | mov                 dword ptr [ebp - 0x10], eax
            //   3b45ec               | cmp                 eax, dword ptr [ebp - 0x14]

        // Call setup with ecx = esi+0x54 (thiscall-style receiver) followed by a
        // wildcarded call and a wildcarded push imm32.
        $sequence_2 = { c645fc2d 8d8d24fcffff 50 51 8d4e54 e8???????? 68???????? }
            // n = 7, score = 100
            //   c645fc2d             | mov                 byte ptr [ebp - 4], 0x2d
            //   8d8d24fcffff         | lea                 ecx, [ebp - 0x3dc]
            //   50                   | push                eax
            //   51                   | push                ecx
            //   8d4e54               | lea                 ecx, [esi + 0x54]
            //   e8????????           |                     
            //   68????????           |                     

        $sequence_3 = { 8b85fcfeffff 8b00 50 83c008 50 8d8558ffffff 50 }
            // n = 7, score = 100
            //   8b85fcfeffff         | mov                 eax, dword ptr [ebp - 0x104]
            //   8b00                 | mov                 eax, dword ptr [eax]
            //   50                   | push                eax
            //   83c008               | add                 eax, 8
            //   50                   | push                eax
            //   8d8558ffffff         | lea                 eax, [ebp - 0xa8]
            //   50                   | push                eax

        // Large stack frame (offsets beyond -0x1500); useful as a locality hint when
        // tracing which function the match landed in.
        $sequence_4 = { 898534ebffff 8b4804 51 898d38ebffff 8d8dd8eaffff 50 }
            // n = 6, score = 100
            //   898534ebffff         | mov                 dword ptr [ebp - 0x14cc], eax
            //   8b4804               | mov                 ecx, dword ptr [eax + 4]
            //   51                   | push                ecx
            //   898d38ebffff         | mov                 dword ptr [ebp - 0x14c8], ecx
            //   8d8dd8eaffff         | lea                 ecx, [ebp - 0x1528]
            //   50                   | push                eax

        $sequence_5 = { c645fc2f 50 8d8578ffffff 8d7e74 50 8bcf e8???????? }
            // n = 7, score = 100
            //   c645fc2f             | mov                 byte ptr [ebp - 4], 0x2f
            //   50                   | push                eax
            //   8d8578ffffff         | lea                 eax, [ebp - 0x88]
            //   8d7e74               | lea                 edi, [esi + 0x74]
            //   50                   | push                eax
            //   8bcf                 | mov                 ecx, edi
            //   e8????????           |                     

        // $sequence_6 and $sequence_7 share the same prologue (lea eax,[ebp-0x20];
        // mov [ebp-0x14],esi; push eax) and differ only in the 32-bit constants
        // written to the stack before the call — two instances of one code pattern.
        $sequence_6 = { 8d45e0 8975ec 50 c745f037347af3 c745f41d4ae42d c745f89b1e0000 e8???????? }
            // n = 7, score = 100
            //   8d45e0               | lea                 eax, [ebp - 0x20]
            //   8975ec               | mov                 dword ptr [ebp - 0x14], esi
            //   50                   | push                eax
            //   c745f037347af3       | mov                 dword ptr [ebp - 0x10], 0xf37a3437
            //   c745f41d4ae42d       | mov                 dword ptr [ebp - 0xc], 0x2de44a1d
            //   c745f89b1e0000       | mov                 dword ptr [ebp - 8], 0x1e9b
            //   e8????????           |                     

        $sequence_7 = { 50 8d45e0 8975ec 50 c745f03734baf3 c745f41deccda2 }
            // n = 6, score = 100
            //   50                   | push                eax
            //   8d45e0               | lea                 eax, [ebp - 0x20]
            //   8975ec               | mov                 dword ptr [ebp - 0x14], esi
            //   50                   | push                eax
            //   c745f03734baf3       | mov                 dword ptr [ebp - 0x10], 0xf3ba3437
            //   c745f41deccda2       | mov                 dword ptr [ebp - 0xc], 0xa2cdec1d

        $sequence_8 = { 8d45f3 8945ec 8d45e0 50 c645f300 c645e800 e8???????? }
            // n = 7, score = 100
            //   8d45f3               | lea                 eax, [ebp - 0xd]
            //   8945ec               | mov                 dword ptr [ebp - 0x14], eax
            //   8d45e0               | lea                 eax, [ebp - 0x20]
            //   50                   | push                eax
            //   c645f300             | mov                 byte ptr [ebp - 0xd], 0
            //   c645e800             | mov                 byte ptr [ebp - 0x18], 0
            //   e8????????           |                     

        // Two zero-initialised stack buffers guarded by je branches; the jump
        // displacements (0xb2, 0x1f7) are matched literally, so a recompile that
        // shifts basic-block sizes would break this sequence first.
        $sequence_9 = { c68578ffffff00 0f84b2000000 c6851cfeffff00 85c9 0f84f7010000 8b01 8d951cfeffff }
            // n = 7, score = 100
            //   c68578ffffff00       | mov                 byte ptr [ebp - 0x88], 0
            //   0f84b2000000         | je                  0xb8
            //   c6851cfeffff00       | mov                 byte ptr [ebp - 0x1e4], 0
            //   85c9                 | test                ecx, ecx
            //   0f84f7010000         | je                  0x1fd
            //   8b01                 | mov                 eax, dword ptr [ecx]
            //   8d951cfeffff         | lea                 edx, [ebp - 0x1e4]

    condition:
        // Any 7 of the 10 sequences must be present, so up to 3 may be missing
        // (compiler or version drift) before the match is lost. The size bound
        // (1047552 = 0xFFC00, just under 1 MiB) limits the candidate set.
        // NOTE(review): filesize refers to the scanned object; confirm how your YARA
        // version evaluates it for process-memory scans, since the sequences above were
        // taken from memory dumps and unpacked files and may only appear there.
        7 of them and filesize < 1047552
}