New PathWiper Data Wiper Malware Hits Ukrainian Critical Infrastructure in 2025 Attack

By Admin | June 6, 2025
According to findings from Cisco Talos, critical infrastructure in Ukraine has been targeted by a previously unseen data wiper named PathWiper.

“The attack was instrumented via a legitimate endpoint administration framework, indicating that the attackers likely had access to the administrative console, which was then used to issue malicious commands and deploy PathWiper across connected endpoints,” researchers Jacob Finn, Dmytro Korzhevin and Asheer Malhotra said in an analysis published on Thursday.

The attack is assessed to be the work of a Russia-nexus advanced persistent threat (APT) actor, based on the observed tradecraft and the overlaps with destructive malware previously used in attacks against Ukraine.

Talos said the commands issued from the administrative tool's console were received by a client running on the victim endpoints and then executed as a batch (BAT) file.

The BAT file, in turn, consisted of a command to launch a malicious Visual Basic Script (VBScript) in the Windows Temp folder named “Uacinstall.vbs”, which was also pushed to the machines through the administrative console. The VBScript, for its part, dropped the wiper executable, named “Sha256sum.exe”, in the same folder and executed it.

“Throughout the attack, the file names and actions were intended to mimic those deployed by the administrative utility's console, which indicates that the attackers knew about the console and possibly its functionality within the victim's environment,” Talos said.
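The delivery chain described above (batch file, then a VBScript in the Temp folder, then an executable dropped beside it) lends itself to a simple process-lineage check. The following is an added example, not code from Talos or from the article: it runs over constructed Sysmon-style process-creation records and flags the two tell-tale steps. The record layout and the `run.bat` and agent paths are assumptions; only the file names `Uacinstall.vbs` and `Sha256sum.exe` come from the article.

```python
# Added example (not from the Talos report): flag the PathWiper delivery chain
# in Sysmon-style process-creation events. The event records are constructed.
import re

# Both the system-wide and per-user Temp folders are covered (assumption:
# the article only says "the Windows Temp folder").
TEMP_DIR = re.compile(r"\\Windows\\Temp\\|\\AppData\\Local\\Temp\\", re.IGNORECASE)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def detect_wiper_chain(events):
    """Return (rule, record_id) pairs for events matching the chain:
    cmd.exe (batch) -> script host running a .vbs from Temp -> EXE run from Temp."""
    alerts = []
    for ev in events:
        image, parent = _basename(ev["Image"]), _basename(ev["ParentImage"])
        cmdline = ev["CommandLine"]
        # Stage 1: the BAT file launches a VBScript that lives in a Temp folder.
        if (image in SCRIPT_HOSTS and parent == "cmd.exe"
                and re.search(r"\.vbs\b", cmdline, re.IGNORECASE)
                and TEMP_DIR.search(cmdline)):
            alerts.append(("vbscript_from_temp_via_batch", ev["RecordId"]))
        # Stage 2: the VBScript drops and runs an executable from a Temp folder.
        if parent in SCRIPT_HOSTS and TEMP_DIR.search(ev["Image"]):
            alerts.append(("script_host_spawned_exe_from_temp", ev["RecordId"]))
    return alerts

# Constructed sample telemetry (not real logs): two benign events, two chain events.
SAMPLE_EVENTS = [
    {"RecordId": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files\AdminAgent\agent.exe",
     "CommandLine": r"cmd.exe /c C:\Windows\Temp\run.bat"},
    {"RecordId": 2, "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"wscript.exe C:\Windows\Temp\Uacinstall.vbs"},
    {"RecordId": 3, "Image": r"C:\Windows\Temp\Sha256sum.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"C:\Windows\Temp\Sha256sum.exe"},
    {"RecordId": 4, "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"wscript.exe C:\Scripts\logon.vbs"},
]

if __name__ == "__main__":
    for rule, rid in detect_wiper_chain(SAMPLE_EVENTS):
        print(f"ALERT {rule}: record {rid}")
```

Because the attacker used a legitimate administration console, the parent of the batch file is an expected agent process, so the lineage check below that level is what carries the signal.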

Once launched, PathWiper is designed to gather a list of connected storage media, including physical drive names, volume names and paths, as well as network drive paths. The wiper then creates one thread per drive and volume for each recorded path and overwrites the contents of the artifacts with randomly generated bytes.

Specifically, it targets the Master Boot Record (MBR), $MFT, $MFTMIRR, $LogFile, $Boot, $Bitmap, $TxfLog, $Tops and $AttrDef. In addition, PathWiper irrecoverably corrupts files on disk by overwriting them with randomized bytes and attempts to dismount volumes.


PathWiper has been found to share some similarities with HermeticWiper.

While both wipers attempt to corrupt artifacts associated with the MBR and NTFS, Talos notes that HermeticWiper and PathWiper differ in how the data corruption mechanism is applied against the discovered drives and volumes.

“The evolution of wiper malware variants emphasizes the constant threat to Ukrainian critical infrastructure, despite the long duration of the Russia-Ukraine war,” the researchers said.

Silent Werewolf Targets Russia and Moldova

The discovery of the new strain of wiper malware used against Ukraine comes as the Russian cybersecurity company BI.ZONE has uncovered two new campaigns conducted by Silent Werewolf in March 2025 to infect Moldovan and Russian organizations with malware.

“The attackers used two separate loaders to retrieve a malicious payload from their C2 server,” the company said. “Unfortunately, the payload was unavailable during this study. However, a retrospective analysis of similar Silent Werewolf campaigns suggests that the threat actor used the XDigo malware.”

Some of the attacks targeted the nuclear, aircraft, instrument-making and mechanical engineering sectors in Russia. The starting point is a phishing email containing a ZIP attachment, which in turn includes an LNK file and a second ZIP archive. The second archive consists of a legitimate binary, a malicious DLL and a PDF.

Opening the Windows shortcut (LNK) file extracts the archive and ultimately causes the rogue DLL to be sideloaded by the legitimate executable (“Devicemetadatawizard.exe”). The DLL is a C# loader (“d3d9.dll”) designed to retrieve a next-stage payload from the remote server and display a decoy document to the victim.
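The sideloading step above, a legitimate executable picking up a rogue DLL that borrows the name of a well-known system library, can be spotted in image-load telemetry. The following is an added example, not BI.ZONE's code or the article's: it runs over constructed Sysmon-style image-load records and flags a `d3d9.dll` loaded from outside the Windows system directories, with extra weight when the DLL sits beside the loading executable and is unsigned. The record layout and the user-folder paths are assumptions; the file names `Devicemetadatawizard.exe` and `d3d9.dll` come from the article.

```python
# Added example (not from the BI.ZONE report): flag DLL sideloading of a
# system-library name from a non-system path. Event records are constructed.
import re

SYSTEM_DIRS = re.compile(r"^[A-Z]:\\Windows\\(System32|SysWOW64)\\", re.IGNORECASE)
# System DLL names a sideloaded payload commonly borrows; the article names d3d9.dll.
SYSTEM_DLL_NAMES = {"d3d9.dll"}

def _dirname(path):
    return path.rsplit("\\", 1)[0].lower()

def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def detect_sideload(image_loads):
    """Return (reason, record_id) pairs for loads of a system-named DLL from a
    non-system directory; the reason records whether it sits beside the EXE
    and whether it is unsigned."""
    alerts = []
    for ev in image_loads:
        loaded = ev["ImageLoaded"]
        if _basename(loaded) not in SYSTEM_DLL_NAMES or SYSTEM_DIRS.match(loaded):
            continue  # real system library, or a name we are not tracking
        if _dirname(loaded) == _dirname(ev["Image"]):
            reason = "sideload_candidate_dll_beside_exe"
        else:
            reason = "system_dll_name_outside_system_dir"
        if not ev["Signed"]:
            reason += "_unsigned"
        alerts.append((reason, ev["RecordId"]))
    return alerts

# Constructed sample telemetry (not real logs).
SAMPLE_LOADS = [
    # Benign: an application loading the genuine d3d9.dll from System32.
    {"RecordId": 10, "Image": r"C:\Games\game.exe",
     "ImageLoaded": r"C:\Windows\System32\d3d9.dll", "Signed": True},
    # Chain from the article: the legitimate wizard binary, extracted to a
    # user folder (assumed path), loads the malicious d3d9.dll next to it.
    {"RecordId": 11, "Image": r"C:\Users\victim\Downloads\docs\Devicemetadatawizard.exe",
     "ImageLoaded": r"C:\Users\victim\Downloads\docs\d3d9.dll", "Signed": False},
]

if __name__ == "__main__":
    for reason, rid in detect_sideload(SAMPLE_LOADS):
        print(f"ALERT {reason}: record {rid}")
```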

“It seems the adversaries are carrying out checks on the target systems,” BI.ZONE said. “If the target host does not meet the specific criteria, the Llama 2 large language model (LLM) in GGUF format is downloaded from hxxps://huggingface(.)co/Thebloke/Llama-2-70b-GGUF/resolve/Main/Llama-2-70b.

“This prevents a comprehensive analysis of the entire attack and allows the actor to bypass defenses such as sandboxes.”

The cybersecurity firm said it observed a second campaign in the same month, aimed at unspecified sectors in Moldova and probably Russia, using the same C# loader but with phishing lures related to official holiday schedules and recommendations for protecting corporate information infrastructure.

According to BI.ZONE, the cyber espionage group is believed to have been active since at least 2011, focusing on a wide range of organizations in Russia, Belarus, Ukraine, Moldova and Serbia. Its attacks are characterized by the use of phishing emails to deliver malware such as XDSpy, XDigo and DSDownloader.

Pro-Ukrainian Hacktivist Group BO Team Targets Russia

In recent months, Russian state-owned companies and organizations spanning technology, telecommunications and manufacturing have also been targeted by the pro-Ukrainian hacktivist group BO Team (aka Black Owl, Hoody Hyena and Zmiy).

“The BO Team poses a serious threat, aiming to inflict maximum damage on the victim and to obtain financial benefits,” Kaspersky researchers said in a report last week, which details the threat actor's ability to sabotage victim infrastructure and, in some cases, even destroy data and use encryption for extortion.

Attacks mounted by the hacktivist cluster since at least January 2024 are known to use post-exploitation frameworks, including Mythic and Cobalt Strike, as well as legitimate remote access and tunneling tools. The group also has a history of accessing confidential data and publishing information about successful attacks on its Telegram channel.

Initial access to target networks is achieved by sending phishing emails containing attachments laced with BrockenDoor and the Remcos RAT. Tools such as Mimikatz and NanoDump are also used to dump LSASS and LSASS credentials, respectively.


Armed with remote access, the BO Team has been observed destroying backup files, deleting files using the SDelete utility, and deploying a Windows version of an encryptor to demand a ransom in exchange for recovery.

Some of the other activities conducted by the actors are listed below:

  • Establishing persistence using scheduled tasks
  • Naming malicious components after system or well-known files to avoid detection
  • Extracting the Active Directory database using NTDSUTIL
  • Running various commands to collect information about Telegram, running processes, current users, remote RDP sessions and antivirus software installed on the endpoints
  • Using the RDP and SSH protocols for lateral movement across Windows and Linux infrastructure
  • Deploying legitimate remote access software such as AnyDesk for command and control

“The BO Team is a significant threat to Russian organizations because of its unconventional approach to attacks,” Kaspersky said. “Unlike most pro-Ukrainian hacktivist groups, the BO Team actively uses a wide arsenal of malicious software, including backdoors such as BrockenDoor, Remcos and DarkGate.”

“These features confirm the group's high level of autonomy and the lack of stable ties with other members of the pro-Ukrainian hacktivist cluster. There are virtually no signs of coordination or tool sharing with other groups in the team's public activity.”
