Take a Product Tour Request a Demo Cybersecurity Assessment Contact Us

Blogs

The latest cybersecurity trends, best practices, security vulnerabilities, and more

Exposing PathWiper: A Deep Dive into DCOM Abuse and Network Erasure With Trellix NDR

Executive summary

Ukraine’s national energy and telecommunications infrastructure was the primary targets of the PathWiper attack in 2025. The attack was orchestrated via commercial endpoint administration framework, implying that the attackers had pre-existing access to the administrative console. Once initial access had been established, the attacker executed malicious commands to spread PathWiper across connected endpoints, which resulted in the deletion of vital data from key storage volumes.

This blog explores how attackers could use Distributed Component Object Model (DCOM) as a lateral movement technique to distribute PathWiper, and how Trellix Network Detection and Response (NDR) detects and visualizes such activities. The insights provided here are especially relevant for SOC analysts and cybersecurity professionals who aim to understand and defend against similar threats.

Understanding lateral movement

Lateral movement is a technique used by attackers to navigate within a compromised network. Instead of immediately compromising the first system, malicious actors methodically explore the network to identify high-value targets, escalate privileges, and establish persistence. This phase is crucial for adversaries aiming to maximize impact.

Detecting lateral movement in near real-time is essential for limiting the scope of a breach. Products like Trellix NDR play a pivotal role in identifying unusual internal activity and helping defenders visualize the attack path before serious damage occurs.

Understanding DCOM

DCOM is a programming construct that enables a computer to run programs on a remote computer over a network as if they were running locally. DCOM is a proprietary Microsoft software component that enables COM objects to communicate with one another over a network.

DCOM configuration information is stored in the Windows Registry under three identifiers:

  • CLSID: The Class Identifier (CLSID) is a Global Unique Identifier (GUID). Windows stores a CLSID for each installed class in a program. When you need to run a class, you must enter the correct CLSID so that Windows can locate the program.
  • ProgID: A programmatic identifier (ProgID) is a registry entry that can be associated with a CLSID. Like the CLSID, the ProgID identifies a class but with less precision because it is not guaranteed to be globally unique.
  • APPID: An APPID is a GUID (Globally Unique Identifier) that acts as a central point for defining permissions and other DCOM settings for a group of related COM objects. 

When an application attempts to activate a COM object remotely via DCOM, it typically uses the ProgID or CLSID to identify the specific object it wants to call. The associated APPID then provides the security settings, such as permissions and authentication levels, for that remote activation and subsequent communication.

Inside PathWiper: Capabilities of a modern wiper malware

PathWiper is a destructive wiper malware designed to cause irreparable damage to an organization's systems by overwriting all data and targeting the master boot record (MBR) and NTFS-related artifacts. Unlike ransomware, which encrypts data for a ransom, wiper malware aims to completely take systems offline by destroying data and making recovery impossible.

PathWiper begins by identifying all possible storage devices that are connected to the endpoint. This involves:

  • Physical hard drive names
  • Mounted volume names
  • Network shared and unshared drive paths

The malware gathers information through standard system APIs and queries specific Windows registry keys, such as 'HKEY_USERS\Network\<drive_letter>| RemovePath', to identify historical or hidden network shares that may not be currently mounted.

PathWiper starts a separate thread for each drive and volume after it has compiled a list of targets. Each thread starts overwriting data with randomly generated bytes, making forensic recovery extremely difficult.

It primarily targets core NTFS file system structures, including:

  • Master Boot Record (MBR)
  • $MFT (Master File Table)
  • $LogFile (Hidden system file within the NTFS)

Before overwriting the artifacts, the wiper attempts to dismount volumes by assigning the 'FSCTL_DISMOUNT_VOLUME IOCTL' to the MountPointManager device object. PathWiper also deletes files on disk by replacing them with randomized bytes.

Attack flow: Drop PathWiper using DCOM lateral movement (Excel Application)

The DCOM communication attack flow between client and server, as well as the PathWiper drop on the compromised machine, are shown in Figure 1.

Figure 1: PathWiper Deployment via DCOM:
  Excel-Based Remote Execution Flow
Figure 1: PathWiper Deployment via DCOM: Excel-Based Remote Execution Flow

An attacker would need to be able to write to the system PATH and have Microsoft Excel installed on the target system in order to launch a DCOM attack. The steps to a successful attack are as follows:

  • The adversary uploads an arbitrary malicious file to the target system with a specifically selected file name (such as "WINPROJ.EXE") inside a specifically  chosen PATH.
  • The adversary creates an Excel instance on a remote system using DCOM.
  • Adversary executes ActivateMicrosoftApp method, to achieve execution of fake WINPROJ.EXE.
  • On successful attack, Excel.exe would spawn a fake WINPROJ.EXE at the target system

Microsoft still permits the activation of some end-of-life products, such as FoxPro, Schedule Plus, and Office Project. Shell access can be obtained using the ActivateMicrosoftApp() method. While it is unlikely that any of these out-of-date programs will find their way into modern systems, an attacker could take advantage of this vulnerability to implement persistence and lateral movement strategies.

As shown in Figure 2, the ActivateMicrosoftApp() method activates the currently running application or, if the application is not running, launches a new instance of the application as the starting user or the currently logged in user, depending on how DCOM was configured.

Figure 2: Available DCOM Interfaces Exposed by
  Excel COM Object
Figure 2: Available DCOM Interfaces Exposed by Excel COM Object

Figure 3: ActivateMicrosoftApp() Method:
  Parameters and Execution Logic
Figure 3: ActivateMicrosoftApp() Method: Parameters and Execution Logic

This method looks for the associated binary in the SYSTEM path. Since the program isn't installed, the Excel.exe process returned an error instead of finding the WINPROJ.exe binary file in the system PATH. To take advantage of this, we must first locate write permissions within the system path. The most common location on the PATH where users have write permission is:

C:\users\*\AppData\Local\Microsoft\WindowsApps\

Since January 2010, the Microsoft Project application has been discontinued, and it is less likely that it can be found in modern environments.

Thus, we can upload a binary named "WINPROJ.exe", which, in our case (Figure 4) is the malicious PathWiper sample.

Figure 4: Copying PathWiper as WINPROJ.exe to
  Writable PATH Directory
Figure 4: Copying PathWiper as WINPROJ.exe to Writable PATH Directory

Figure 5: Create an object on the remote
  computer, the client provides a request with the CLSID, PROGID or
  APPID.
Figure 5: Create an object on the remote computer, the client provides a request with the CLSID, PROGID or APPID.

Figure 6: Remote Launch of PathWiper via Excel
  COM Interface
Figure 6: Remote Launch of PathWiper via Excel COM Interface

This technique could be used for persistence once access is established.  Attackers can use PowerShell to automate and persist their control. For example, they could create a scheduled task that leverages DCOM to run the Excel instance regularly, invoking ActivateMicrosoftApp() to launch their payload (Figure 7). This mechanism can sustain access even after a reboot or session end.

Figure 7: Establishing Persistence: Scheduled
  Task to Reinvoke Excel DCOM Call
Figure 7: Establishing Persistence: Scheduled Task to Reinvoke Excel DCOM Call

Pathwiper.exe renamed to WINPROJ.exe, was successfully executed on the compromised machine in both persistent and non-persistent execution. Check Figure 8 for more details.   

Figure 8: Malicious WINPROJ.exe Spawned via
  Excel – Process Tree in Task Manager
Figure 8: Malicious WINPROJ.exe Spawned via Excel – Process Tree in Task Manager

Detection: Trellix Network Detection and Response (NDR)

Trellix NDR detected the attack in three major stages, each with its own set of alerts.  Figure 9, contains all the alerts related to this attack that assist analysts in understanding how the attack progressed from its initial deployment to lateral movement.

  1. Malware Object Alerts on NDR (PathWiper.exe aka WINPROJ.exe Sample Dynamic Analysis)
  2. Suspicious PE File Creation Attempt (Copy PathWiper.exe and rename it WINPROJ.exe on the target machine).
  3. Lateral Movement: DCOM Execution through Excel (the PathWiper.exe aka WINPROJ.exe payload is launched by calling ActivateMicrosoftApp()
igure 9: An overview of Trellix NDR alerts
  generated during the PathWiper attack, which captured each stage of the
  intrusion.
Figure 9: An overview of Trellix NDR alerts generated during the PathWiper attack, which captured each stage of the intrusion.

  1. Malware Object Alerts on NDR (PathWiper.exe aka WINPROJ.exe Sample Analysis)

The first alert targeted the malware object itself: WINPROJ.exe, the renamed PathWiper executable. It contained key threat indicators such as MITRE ATT&CK mappings, information about events, network paths, and associated IP addresses. These details provided a clear picture of how the malware interacted with the system and across the network. Please refer to Figure 10 for more information.

Figure 10: Detailed threat insight from Trellix
  NDR, including MITRE mapping, communication flow, and events
  information
Figure 10: Detailed threat insight from Trellix NDR, including MITRE mapping, communication flow, and events information

Trellix NDR with Trellix Wise

Trellix NDR utilizes Trellix Wise, the AI-powered foundation of our broader Trellix Security Platform, to enhance threat detection and response capabilities. Trellix Wise automates many aspects of alert investigation, reducing false positives and accelerating the time to resolution for security teams. This integration allows organizations to gain greater threat detection accuracy, automate complex tasks, and focus on strategic defenses.

Trellix Wise can provide a user with comprehensive details, such as additional information on the alert, remediation steps, MITRE information, etc. (Figure 11)

Figure 11: Trellix Wise Dashboard: Context-Rich
  Threat Investigation
Figure 11: Trellix Wise Dashboard: Context-Rich Threat Investigation

Summarize this alert

This feature summarizes the entire alert into Key Points making it easier for analysts to understand the “What” and “How” aspects of the alert. Refer to Figure 12 for a detailed update.

Figure 12: Summarize this Alert: PathWiper.exe
  aka Winproj.exe
Figure 12: Summarize this Alert: PathWiper.exe aka Winproj.exe

Asset details

Provides more information about the assets or endpoints involved in the alert.

Figure 13: Asset Details: PathWiper.exe aka
  Winproj.exe
Figure 13: Asset Details: PathWiper.exe aka Winproj.exe

MITRE findings

The MITRE findings provide comprehensive details about the MITRE ID, Category, and associated tactics in addition to detailed information about the generated alerts. See Figure 14 for detailed findings.

Figure 14: MITRE Finding: PathWiper.exe aka
  Winproj.exe
Figure 14: MITRE Finding: PathWiper.exe aka Winproj.exe

Remediation steps

Advanced analysis modules generate actionable recommendations for remediation and mitigation, correlate threats and vulnerabilities to identify potential attack paths, assess risk levels, and provide prioritized recommendations and remediation. Refer to Figure 15 for a detailed view.

Figure 15: Recommended mitigation steps based
  on analysis of the PathWiper executable
Figure 15: Recommended mitigation steps based on analysis of the PathWiper executable

Knowledge graph

The Knowledge graph can transform data from multiple sources into a graph-based model of entities, their attributes, and how they relate. Here, the entire process is connected, including the attacker's IP address, the nature of their activity, and the type of alerting that the Trellix Network Security product generates. Refer to Figure 16 for a detailed update.

Figure 16: Knowledge graph : Mapping Attacker
  Activity and Alert Relationships
Figure 16: Knowledge graph : Mapping Attacker Activity and Alert Relationships

  1. Suspicious PE File Creation Attempt (Copy PathWiper.exe and rename it WINPROJ.exe on the target machine)

The second alert was generated when the attacker copied PathWiper.exe to the target system and renamed it WINPROJ.exe. This renaming enabled the attacker to use Excel's DCOM behavior to launch the malware under a seemingly legitimate filename.

Trellix Wise provided a summary alert, associated MITRE techniques, mitigation steps, and a graphical overview of how this action fits into the overall attack sequence. This sequence is clearly described in Figures (17-20).

Summarize this alert

Figure 17: Summary of the suspicious file
  creation alert when PathWiper.exe was copied and renamed
Figure 17: Summary of the suspicious file creation alert when PathWiper.exe was copied and renamed

MITRE findings

Figure 18: Suspicious PE File Creation Attempt : MITRE Finding
Figure 18: Suspicious PE File Creation Attempt : MITRE Finding

Remediation steps

Figure 19: Suspicious PE File Creation Attempt
  : Remediation Steps
Figure 19: Suspicious PE File Creation Attempt : Remediation Steps

Knowledge graph

Figure 20: Suspicious PE File Creation Attempt
  : Knowledge graph
Figure 20: Suspicious PE File Creation Attempt : Knowledge graph

  1. Lateral movement: DCOM execution through Excel (the PathWiper.exe aka WINPROJ.exe payload is launched by calling ActivateMicrosoftApp())

The final alert coincided with the lateral movement phase. Once the renamed file was in the correct system path, the attacker used DCOM to remotely execute it via Excel's ActivateMicrosoftApp() method. This enabled the malware to run without human intervention, thereby spreading the attack to other systems.

Trellix Wise provided a summarized alert, associated MITRE techniques, mitigation steps, and a graphical overview of how this action fit into the larger attack sequence (see Figures 21-24).

Summarize this alert

Figure 21: Lateral Movement: DCOM Execution
  through Excel (Summarize this alert)
Figure 21: Lateral Movement: DCOM Execution through Excel (Summarize this alert)

MITRE findings

Figure 22: Lateral Movement: DCOM Execution through Excel (MITRE Findings)

Remediation steps

Figure 23: Lateral Movement: DCOM Execution
  through Excel (Remediation Steps)
Figure 23: Lateral Movement: DCOM Execution through Excel (Remediation Steps)

Knowledge graph

Figure 24: Visualizing Lateral Movement:
  Knowledge Graph of Excel DCOM Activity
Figure 24: Visualizing Lateral Movement: Knowledge Graph of Excel DCOM Activity

Conclusion

PathWiper is not just another piece of malware; it is a well-crafted tool that uses legitimate mechanisms such as volume dismounting and registry lookups to quietly infiltrate and wipe out systems. It avoids detection by imitating normal administrative activity until the ultimate damage has been done.

This emphasizes the importance of early visibility, which is where Trellix NDR comes in. Rather than relying on traditional alerts, it monitors your network for unusual behavior, such as remote Excel launches or malicious file copies. When these subtle signals are combined, they create a clear picture of an ongoing attack.

Trellix NDR not only identifies when an attack has occurred, but it also explains how and where it's happening, giving teams the time and insight they need to act before the attack becomes irreversible. That level of clarity is not only useful but also required when dealing with threats like PathWiper.

To learn more about the Trellix NDR platform, take our product tour to see it in action or read more by visiting this page.

Ref:- https://specterops.io/blog/2023/10/30/lateral-movement-abuse-the-power-of-dcom-excel-application/
https://blog.talosintelligence.com/pathwiper-targets-ukraine/

1https://specterops.io/blog/2023/10/30/lateral-movement-abuse-the-power-of-dcom-excel-application/ https://blog.talosintelligence.com/pathwiper-targets-ukraine/

Discover the latest cybersecurity research from the Trellix Advanced Research Center: https://www.trellix.com/advanced-research-center/

This document and the information contained herein describes computer security research for educational purposes only and the convenience of Trellix customers.

Get the latest

Stay up to date with the latest cybersecurity trends, best practices, security vulnerabilities, and so much more.
Please enter a valid email address.

Zero spam. Unsubscribe at any time.