For the past eight months, a sophisticated malware known as GigaWiper has been actively used by a threat actor to conduct system-level sabotage, as reported by Microsoft. Developed using the Go programming language, GigaWiper is a multifaceted backdoor that incorporates various malware families and advanced command-and-control capabilities. The malware's design allows attackers to execute a standalone wiper, a ransomware-like encryption command, and a comprehensive wiping command that makes multiple erase passes, all on demand. GigaWiper was first detected in October 2025. Its wiper component operates at the physical disk level, utilizing Windows Management Instrumentation to identify Windows partitions, remove partition references from non-Windows drives, and wipe each drive before rebooting the system. The malware's backdoor features include identical wiping functionalities, persistent C&C communication via RabbitMQ and Redis, and capabilities to cause a Blue Screen of Death, upload files to remote servers, execute commands, and wipe Windows installations. It also supports two file-encrypting commands: one that uses unsaved random encryption keys for destructive purposes, and another that encrypts and decrypts files in bulk. GigaWiper's development appears to involve the Crucio ransomware creator, given the similarities in encryption code, and shares connections with FlockWiper, another malware with an identical wiping function. This malware represents a significant evolution in wiper malware, as it not only destroys data but also enables espionage and extensive control over infected systems.
GigaWiper: A New Threat in System-Level Sabotage
GigaWiper backdoor includes wiper, ransomware encryption and multi-pass wiping commands for destructive sabotage and espionage.


