Trellix disclosed PathWiper, a destructive malware operation that abuses DCOM to move across Windows environments and trigger large-scale disk wiping. The activity was presented as a network erasure campaign rather than conventional ransomware, with the malware designed to render systems inoperable by corrupting or destroying data across affected hosts.
The report highlights the use of legitimate Windows remote management mechanisms to propagate the wiper, underscoring how trusted administrative features can be turned into destructive tradecraft. For defenders, the findings point to the need for tighter controls on DCOM usage, stronger monitoring of lateral movement through native Windows components, and rapid containment of suspicious remote execution activity before wiping actions spread across the network.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
1 event from the most recent confirmed update back to the earliest known activity.
Trellix published research describing PathWiper, including its abuse of DCOM and use for network-wide destructive wiping. The publication marks the public disclosure of the malware and its technical behavior.
1 reference tracked. Mallory keeps watching after this page renders.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.