Back to Feed
MalwareJul 10, 2026

GigaWiper Combines Multiple Malware for System-Level Sabotage

GigaWiper malware combines wiper, ransomware, and backdoor for system sabotage.

Summary

GigaWiper is a sophisticated Go-based backdoor observed since October 2025, capable of system-level sabotage. It integrates a standalone wiper, ransomware-like encryption, and multi-pass wiping commands. This modular approach allows for both espionage and destructive operations, reflecting a shift in wiper malware design.

Full text

For over eight months, a threat actor has been using a destructive backdoor and wiper that has multiple system-level sabotage capabilities, Microsoft reports. Dubbed GigaWiper, the malware is a sophisticated Go-based backdoor that consists of multiple malware families and robust command-and-control (C&C) capabilities. According to Microsoft, the malware in GigaWiper was folded in the form of on-demand backdoor commands, allowing the attacker to execute a standalone wiper, a ransomware-like encryption command, and a wiping command that performs multiple erase passes. “The consolidation of multiple destructive capabilities into a modular backdoor reflects a notable shift in wiper malware, which is typically designed purely to destroy rather than to extort and carry real-world consequences,” Microsoft notes. First observed in October 2025, GigaWiper contains a wiper that operates at the physical disk level. It enumerates drives using Windows Management Instrumentation (WMI) to identify the Windows partition, removes partition references from non-Windows drives, wipes each drive, and then reboots the system. The backdoor component of GigaWiper also contains the same wiping functionality, including identical code flow and function names. Additionally, it establishes persistence and C&C communication using RabbitMQ and Redis.Advertisement. Scroll to continue reading. Based on received commands, it can execute the wiper, trigger a Blue Screen of Death (BSOD), upload files to a remote server using MinIO Client, run an executable, run PowerShell commands, take screenshots, record the screen, collect system information, and call a command to wipe the Windows installation. The backdoor also supports two file-encrypting commands: one is destructive, as it uses random encryption keys that are never saved, while the other targets files in bulk for encryption and decryption. Additionally, GigaWiper can run various managers for processes, registry, RabbitMQ routes, and services, can clear Windows logs, and can start a server to provide attackers with remote control over the infected system. The wiping commands implemented in the backdoor come from separate, older malware previously used by the threat actor, stitched together into the same implant with added backdoor capabilities. GigaWiper appears to have been built by the Crucio ransomware developer, based on the encryption code, but also shows connections to FlockWiper, which emerged in June 2025, sharing an identical wiping function that has been ported to Go. “GigaWiper is a backdoor with extensive operational capabilities that allow a threat actor to maintain control over infected systems, execute commands, deploy additional tooling, and ultimately trigger one of multiple destructive commands on demand. It allows the threat actor to operate with flexibility, enabling both quiet espionage activity and destructive wiping operations,” Microsoft notes. Related: Iran-Linked Hackers Using Modular C&C Framework in Cyberattacks Related: Blogspot-Hosted Payloads Delivered in ‘Veil#Drop’ Attacks Related: Armored Likho APT Targeting Government, Electric Power Entities Related: FortiBleed Campaign Linked to INC, Lynx Ransomware Attacks Written By Ionut Arghire Ionut Arghire is an international correspondent for SecurityWeek. Daily Briefing Newsletter Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights. More from Ionut Arghire Mount Royal University Confirms Data Stolen in Ransomware AttackChrome 150 Update Patches 27 Vulnerabilities8Layers Raises $2.9 Million for Identity Security PlatformUnpatched Backdoor in Tenda Firmware Grants Admin Access to DevicesAccenture Confirms Data Breach After Hacker Claims Source Code TheftChina-Linked APT Expands Arsenal With New ‘Leash’ BackdoorsGoogle Dialogflow CX Bug Allowed Attackers to Hijack AI ConversationsCISA Urges Immediate Patching of Exploited ColdFusion, Langflow, Joomla Flaws Latest News ‘HalluSquatting’ Turns AI Hallucinations Into Botnet Delivery MechanismNetwork of 200 GitHub Repositories Used for Malware InfectionQIZ Security Raises $17 Million for Cryptographic Governance PlatformUK Government Rolls Out Agentic AI Defense Plan Alongside Industry PledgePalo Alto Networks Patches 13 Vulnerabilities12 Million Impacted by Data Breach at Japanese Telco KDDI15-Year-Old Linux Vulnerability ‘GhostLock’ Earns Researchers $92k From GoogleMicrosoft Patches Defender ‘RoguePlanet’ Vulnerability Trending Daily Briefing NewsletterSubscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts. Webinar: Why Email Security Keeps Failing (And What Has to Change) July 8, 2026 Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more. Register Virtual Event: 2026 Cloud Security Summit July 16, 2026 This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments. Register People on the MoveBlueVoyant has appointed Ravi Subramanian as CFO and Jamie Coleman as CCO.Solana Foundation has appointed Michael Coates as Chief Information Security Officer.Michael Sikorski has joined Coinbase as Chief Information Security Officer.More People On The MoveExpert Insights The Shift Toward Business-Aligned Risk Management Moving from isolated, technical data to a continuous risk lifecycle can help organizations align security controls with actual business consequences. (Steve Durbin) How to Conduct a Successful Audit of AI-Driven Software Development As AI-generated code becomes commonplace, CISOs need new audit strategies to measure developer practices, govern AI tool usage, and identify software risks before they reach production. (Matias Madou) Frontier AI: Six Questions Every Enterprise Should Ask Security Vendors From model selection and automation to validation and measurable results, the right questions can help enterprises separate genuine AI capabilities from marketing hype. (Joshua Goldfarb) The AI Token Costs That Can Break Cybersecurity As cybersecurity platforms embrace agentic AI, organizations must balance detection performance against the escalating costs of token consumption, deployment architecture, and AI credits. (Danelle Au) When Information Becomes the Attack Surface – Understanding AI Agent Traps From hidden content injections to cognitive state poisoning, attackers are turning trusted data sources into traps for autonomous AI. (Etay Maor) Flipboard Reddit Whatsapp Whatsapp Email

Entities

Microsoft (vendor)WMI (technology)RabbitMQ (technology)Redis (technology)