GigaWiper’s Multi-Stage Malware Attack: System Sabotage Tactics Revealed
For over eight months, a threat actor has been deploying a destructive backdoor and wiper with advanced system-level sabotage capabilities, according to Microsoft.
Technical Overview of GigaWiper
GigaWiper is a sophisticated Go-based backdoor that integrates multiple malware families and features robust command-and-control (C&C) functionality. Microsoft reports that the GigaWiper malware incorporates on-demand backdoor commands, enabling attackers to execute standalone wiper operations, ransomware-like encryption, and multi-pass wiping procedures. The integration of these destructive functions into a modular backdoor marks a significant evolution in wiper malware, which traditionally focuses solely on destruction rather than extortion or real-world impact, Microsoft highlights.
According to Microsoft, the malware incorporates on-demand backdoor commands, enabling attackers to execute standalone wiper operations, ransomware-like encryption, and multi-pass wiping procedures.
Technical Details and Capabilities
First detected in October 2025, GigaWiper includes a wiper that operates at the physical disk level. It uses Windows Management Instrumentation (WMI) to identify the Windows partition, removes references to non-Windows drives, and performs a full drive wipe before rebooting the system. The backdoor component shares identical wiping functionality, including the same code structure and function names. The backdoor leverages RabbitMQ and Redis for persistence and C&C communication. It can execute wiping commands, trigger a Blue Screen of Death (BSOD), upload files via MinIO Client, run executables, execute PowerShell commands, capture screenshots, record screen activity, gather system information, and initiate Windows installation wipes. Additionally, GigaWiper includes two file-encryption mechanisms: one that employs unrecorded random keys for destruction and another that targets bulk file encryption and decryption. The malware also supports process, registry, RabbitMQ route, and service management, along with capabilities to clear Windows logs and establish a server for remote system control.
Origins and Malware Integration
The wiping functions within the backdoor are derived from older malware used by the same threat actor, combined into a unified implant with added backdoor features. GigaWiper appears to be developed by the Crucio ransomware group, based on encryption code, but also exhibits ties to FlockWiper, which emerged in June 2025. FlockWiper’s wiping function was adapted into Go for GigaWiper.
Microsoft emphasizes that GigaWiper is a backdoor with extensive operational capabilities, allowing threat actors to maintain system control, execute commands, deploy additional tools, and trigger destructive actions on demand.
Implications and Recommendations
Microsoft’s analysis underscores the importance of monitoring for unusual system behavior, such as unauthorized drive wiping, unexpected C&C communications, and unexplained encryption activities. Organizations are advised to strengthen endpoint protections, implement network segmentation, and conduct regular security audits to detect and mitigate such threats. The emergence of GigaWiper signals a growing trend of hybrid malware that combines data destruction with operational flexibility, posing significant risks to enterprise environments.
Conclusion
The malware’s design reflects a shift toward modular, multi-functional threats that blend espionage and destruction. Its use of established techniques from prior malware families underscores the evolving tactics of threat actors. The integration of Go-based code and modern C&C infrastructure highlights the increasing sophistication of cyberattacks targeting critical systems.
