SecurityWeek

GigaWiper Combines Multiple Malware for System-Level Sabotage


For over eight months, a threat actor has been using a destructive backdoor and wiper that has multiple system-level sabotage capabilities, Microsoft reports.

Dubbed GigaWiper, the malware is a sophisticated Go-based backdoor that consists of multiple malware families and robust command-and-control (C&C) capabilities.

According to Microsoft, the malware in GigaWiper was folded in the form of on-demand backdoor commands, allowing the attacker to execute a standalone wiper, a ransomware-like encryption command, and a wiping command that performs multiple erase passes.

“The consolidation of multiple destructive capabilities into a modular backdoor reflects a notable shift in wiper malware, which is typically designed purely to destroy rather than to extort and carry real-world consequences,” Microsoft notes.

First observed in October 2025, GigaWiper contains a wiper that operates at the physical disk level. It enumerates drives using Windows Management Instrumentation (WMI) to identify the Windows partition, removes partition references from non-Windows drives, wipes each drive, and then reboots the system.

The backdoor component of GigaWiper also contains the same wiping functionality, including identical code flow and function names. Additionally, it establishes persistence and C&C communication using RabbitMQ and Redis.

Advertisement. Scroll to continue reading.

Based on received commands, it can execute the wiper, trigger a Blue Screen of Death (BSOD), upload files to a remote server using MinIO Client, run an executable, run PowerShell commands, take screenshots, record the screen, collect system information, and call a command to wipe the Windows installation.

The backdoor also supports two file-encrypting commands: one is destructive, as it uses random encryption keys that are never saved, while the other targets files in bulk for encryption and decryption.

Additionally, GigaWiper can run various managers for processes, registry, RabbitMQ routes, and services, can clear Windows logs, and can start a server to provide attackers with remote control over the infected system.

The wiping commands implemented in the backdoor come from separate, older malware previously used by the threat actor, stitched together into the same implant with added backdoor capabilities.

GigaWiper appears to have been built by the Crucio ransomware developer, based on the encryption code, but also shows connections to FlockWiper, which emerged in June 2025, sharing an identical wiping function that has been ported to Go.

“GigaWiper is a backdoor with extensive operational capabilities that allow a threat actor to maintain control over infected systems, execute commands, deploy additional tooling, and ultimately trigger one of multiple destructive commands on demand. It allows the threat actor to operate with flexibility, enabling both quiet espionage activity and destructive wiping operations,” Microsoft notes.

Related: Iran-Linked Hackers Using Modular C&C Framework in Cyberattacks

Related: Blogspot-Hosted Payloads Delivered in ‘Veil#Drop’ Attacks

Related: Armored Likho APT Targeting Government, Electric Power Entities

Related: FortiBleed Campaign Linked to INC, Lynx Ransomware Attacks



Source link