Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

GigaWiper Combines Multiple Malware for System-Level Sabotage

The backdoor’s destructive capabilities include a standalone wiper, ransomware encryption, and a multi-pass wiping command.

Malware

For over eight months, a threat actor has been using a destructive backdoor and wiper that has multiple system-level sabotage capabilities, Microsoft reports.

Dubbed GigaWiper, the malware is a sophisticated Go-based backdoor that consists of multiple malware families and robust command-and-control (C&C) capabilities.

According to Microsoft, the malware in GigaWiper was folded in the form of on-demand backdoor commands, allowing the attacker to execute a standalone wiper, a ransomware-like encryption command, and a wiping command that performs multiple erase passes.

“The consolidation of multiple destructive capabilities into a modular backdoor reflects a notable shift in wiper malware, which is typically designed purely to destroy rather than to extort and carry real-world consequences,” Microsoft notes.

First observed in October 2025, GigaWiper contains a wiper that operates at the physical disk level. It enumerates drives using Windows Management Instrumentation (WMI) to identify the Windows partition, removes partition references from non-Windows drives, wipes each drive, and then reboots the system.

The backdoor component of GigaWiper also contains the same wiping functionality, including identical code flow and function names. Additionally, it establishes persistence and C&C communication using RabbitMQ and Redis.

Advertisement. Scroll to continue reading.

Based on received commands, it can execute the wiper, trigger a Blue Screen of Death (BSOD), upload files to a remote server using MinIO Client, run an executable, run PowerShell commands, take screenshots, record the screen, collect system information, and call a command to wipe the Windows installation.

The backdoor also supports two file-encrypting commands: one is destructive, as it uses random encryption keys that are never saved, while the other targets files in bulk for encryption and decryption.

Additionally, GigaWiper can run various managers for processes, registry, RabbitMQ routes, and services, can clear Windows logs, and can start a server to provide attackers with remote control over the infected system.

The wiping commands implemented in the backdoor come from separate, older malware previously used by the threat actor, stitched together into the same implant with added backdoor capabilities.

GigaWiper appears to have been built by the Crucio ransomware developer, based on the encryption code, but also shows connections to FlockWiper, which emerged in June 2025, sharing an identical wiping function that has been ported to Go.

“GigaWiper is a backdoor with extensive operational capabilities that allow a threat actor to maintain control over infected systems, execute commands, deploy additional tooling, and ultimately trigger one of multiple destructive commands on demand. It allows the threat actor to operate with flexibility, enabling both quiet espionage activity and destructive wiping operations,” Microsoft notes.

Related: Iran-Linked Hackers Using Modular C&C Framework in Cyberattacks

Related: Blogspot-Hosted Payloads Delivered in ‘Veil#Drop’ Attacks

Related: Armored Likho APT Targeting Government, Electric Power Entities

Related: FortiBleed Campaign Linked to INC, Lynx Ransomware Attacks

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more.

Register

This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments.

Register

People on the Move

BlueVoyant has appointed Ravi Subramanian as CFO and Jamie Coleman as CCO.

Solana Foundation has appointed Michael Coates as Chief Information Security Officer.

Michael Sikorski has joined Coinbase as Chief Information Security Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.