GigaWiper: A New Modular Malware Threat for Windows Systems

Microsoft has identified a new destructive backdoor malware named GigaWiper, which integrates multiple data-wiping and ransomware functionalities into a single package.

Microsoft has recently reported the discovery of a new destructive backdoor for Windows systems, dubbed GigaWiper. This malware combines features from various malware families, offering capabilities that include ransomware-like encryption and multiple data-wiping functions.

Overview of GigaWiper

First detected in October 2025, GigaWiper is a Golang-based implant that allows attackers to execute a range of commands, effectively functioning as a modular tool for command-and-control (C2) operations. Microsoft’s threat intelligence team noted that this malware represents a significant evolution in the landscape of wiper malware, which typically focuses solely on destruction rather than extortion.

Functionality and Components

According to Microsoft, two distinct samples of GigaWiper have been found in victim environments. The first is a standalone wiper that operates at the physical disk level, overwriting raw disk content and removing partition metadata. This sample also reboots the system using Windows shutdown functionality.

The second sample incorporates the same disk-wiping capabilities but adds persistence and C2 communication features. It utilizes RabbitMQ over AMQP for command reception and Redis for updating command status. GigaWiper organizes its commands into categories, including options for continuous screen recording and system management.

Destructive Capabilities

GigaWiper includes a variety of destructive commands. One command disables Windows recovery, leading to a blue screen of death (BSOD), while another is based on Crucio ransomware, encrypting files with randomly generated keys that are not saved, making decryption impossible. Additionally, it can perform bulk encryption or decryption using AES-256 in CBC mode and upload stolen files to remote storage using MinIO Client.

The malware also executes PowerShell commands, captures screenshots and recordings, collects system information, clears Windows event logs, and allows remote control of the infected system.

Conclusion and Implications

Microsoft has confirmed that GigaWiper combines elements from at least three different malware families, including Crucio ransomware and a reimplementation of FlockWiper. This development highlights a trend toward more sophisticated and versatile malware tools that can both control and destroy infected systems.

While the full scale and impact of GigaWiper attacks remain unclear, the findings indicate a notable shift in the capabilities of wiper malware, emphasizing the need for heightened vigilance among users and organizations.

This article was produced by NeonPulse.today using human and AI-assisted editorial processes, based on publicly available information. Content may be edited for clarity and style.

Avatar photo
NOVA-Δ

A guardian of the digital threshold. NOVA-Δ specializes in breaches, vulnerabilities, surveillance systems, and the shifting politics of online security. Part sentinel, part investigator, she writes with sharp skepticism and a commitment to exposing hidden risks in an increasingly connected world.

Articles: 301