Security researchers have identified GigaWiper, a sophisticated backdoor written in the Go programming language that integrates several distinct destructive malware families into a single operational platform. First observed in October 2025, the malware functions as both a standalone wiper and a larger backdoor with command-and-control capabilities. GigaWiper incorporates multiple destructive modules, including a physical disk-level wiper that removes partition metadata and overwrites raw disk content, a command derived from Crucio ransomware that encrypts files with unrecoverable keys, and a multi-pass wiping command based on FlockWiper. The backdoor maintains persistence through registry keys and scheduled tasks, while utilizing RabbitMQ and Redis for communication. By consolidating these disparate tools, threat actors can choose specific destruction methods while reducing their overall deployment footprint. This modular architecture represents a shift toward increased operational efficiency in destructive cyber threats, moving beyond simple wiping to include extortion-like capabilities within a unified, versatile implant.
Why it matters
GigaWiper demonstrates a significant evolution in malware design by consolidating multiple destructive tools into a single, modular backdoor. This approach allows attackers to switch between physical disk destruction and file-level encryption, complicating incident response and increasing the potential for permanent data loss across compromised systems.
Key details
- GigaWiper is a Golang-based backdoor that combines command-and-control functionality with multiple destructive payloads.
- The malware includes a standalone wiper that operates at the physical disk level to overwrite data and remove partition metadata.
- Additional destructive commands within the backdoor utilize logic from existing malware families, including ransomware-like encryption and multi-pass wiping.
- The backdoor maintains persistence on infected systems by creating specific registry keys and scheduled tasks.
What you can do
- Review Microsoft Defender detections and mitigation recommendations provided by security researchers to defend against GigaWiper.
- Investigate systems for the presence of the registry key HKCU\SOFTWARE\OneDrive\Environment and associated scheduled tasks.
What we don't know
- The specific identity or origin of the threat actors utilizing GigaWiper remains undisclosed.
- The full extent of the malware's distribution and the number of organizations impacted by these intrusions are not specified.