Advertisement
Security

GigaWiper: The Modular Threat Merging Espionage With Total Destruction

Microsoft identifies a sophisticated new backdoor, GigaWiper, which stitches together existing malware to facilitate targeted data destruction.

·4 hours ago·2 min read
red padlock on black computer keyboard
Photo by FlyD on Unsplash
Advertisement

Security researchers at Microsoft have unmasked a concerning evolution in threat actor methodology with the discovery of GigaWiper. This sophisticated backdoor, first identified in intrusions dating back to October 2025, demonstrates a strategic shift toward modularity by integrating remote administration tools with irreversible destructive routines.

A Hybrid Architecture for Persistence

Rather than relying on bespoke development, the architects behind GigaWiper have synthesized various existing malicious components into a single, cohesive Golang-based package. The tool functions as both a stealthy administrative backdoor and a lethal wiper, allowing threat actors to maintain long-term access before triggering system-level data eradication on command.

Persistence is maintained by masking a scheduled task as a legitimate OneDrive Update. For communication, the malware utilizes RabbitMQ for inbound instructions and Redis for relaying command outputs back to the adversary. The backdoor exposes 20 command codes, granting attackers the ability to manipulate the registry, manage processes, or execute PowerShell commands remotely.

Aggregating Destructive Malware Families

The operational power of GigaWiper lies in its ability to call upon multiple distinct wiping mechanisms. By embedding functionality from known threats, the malware can bypass standard detection while ensuring that recovery remains impossible for the victim.

“GigaWiper is particularly notable for its makeup,” Microsoft researchers said. “The consolidation of multiple destructive capabilities into a modular backdoor reflects a notable shift in wiper malware, which are typically designed purely to destroy rather than to extort and carry real-world consequences.”

The technical investigation revealed clear lineage between GigaWiper and other known malicious entities. The integration process includes:

  • Command 1: A standalone wiper module for comprehensive disk erasure.
  • Command 3: A module derived from the Crucio ransomware family that uses non-recoverable encryption keys.
  • Command 12: A Golang-based implementation of FlockWiper designed for secure, multi-pass data destruction.

Defining the Operational Scope

The depth of this threat is evidenced by the specific data points uncovered during the forensic analysis conducted by the Microsoft team:

  • Detection of the initial intrusions began in October 2025.
  • The backdoor supports a total of 20 distinct command codes for system manipulation.
  • Functionality includes a VNC-like remote control capability for direct user interaction.

Implications for Enterprise Resilience

The emergence of GigaWiper highlights an urgent need for organizations to revisit their incident response and recovery strategies. Because the malware is designed to render data unrecoverable, reliance on standard backups is insufficient; defenders must ensure that backups are kept strictly offline or otherwise isolated from the production network. To mitigate the risk of such modular backdoors, security teams should focus on aggressive hardening of endpoints, implementing behavioral detection protocols, and deploying attack surface reduction controls to intercept the malicious commands before they can achieve their destructive objectives.

#ransomware#malware#cybercrime#security
← Back to all stories
Advertisement