VYPR
breachPublished Jul 10, 2026· 2 sources

GigaWiper Malware Blends Data Wiping with Ransomware-Like Tactics on Windows

A new Golang-based backdoor, GigaWiper, observed since October 2025, combines destructive disk wiping capabilities with deceptive file encryption, posing a significant threat to Windows systems.

A sophisticated new malware strain dubbed GigaWiper has emerged, targeting Windows systems with a potent combination of destructive capabilities that mimic ransomware while also functioning as a stealthy backdoor. First observed by Microsoft in October 2025, this Golang-based implant is designed to move beyond simple data theft, aiming to cause irreversible damage and significant operational disruption.

GigaWiper's primary threat lies in its multifaceted approach to destruction. It features a multi-pass disk wiper that targets physical drives, including the one hosting the Windows installation, by overwriting data in large chunks and removing partition references. This method attacks the fundamental structure required for systems and data to function, leading to potential unrecoverable loss. Beyond complete disk wiping, the malware also employs a file encryption routine that scrambles data beyond recovery, appending a '.candy' extension. While this behavior resembles ransomware, there is no usable decryption key or ransom note provided, leaving victims with permanently inaccessible files.

Adding to its destructive arsenal, GigaWiper can also damage the boot capabilities of infected systems by deleting critical boot, recovery, and kernel files. Furthermore, it possesses the ability to clear Windows event logs, a tactic often used to hinder incident response and forensic analysis, thereby complicating recovery efforts and potentially masking the extent of the compromise.

Beyond its destructive functions, GigaWiper operates as a versatile backdoor, enabling its operators to maintain persistent access and control over compromised systems. It supports a range of remote access functionalities, including screen capture, screen recording, command execution, system discovery, and management of services and registry keys. This allows attackers to conduct surveillance, gather intelligence, and prepare for further stages of an attack at their leisure.

The malware's command and control (C2) infrastructure utilizes RabbitMQ for receiving instructions and Redis for returning status updates or collected data. Analysts have identified configurations pointing to specific addresses used for both functions, suggesting a coordinated approach to managing multiple infected devices. To ensure persistence, GigaWiper creates a OneDrive Registry key and establishes a scheduled task named 'OneDrive Update,' configured to run at startup, making its presence less conspicuous within enterprise environments.

Microsoft's analysis indicates that GigaWiper is assembled from components of separate malware families, highlighting a trend towards modularity and adaptability in modern threat development. This modular design grants its operators significant flexibility, allowing them to choose between covert monitoring, data destruction, or complete system wiping based on their objectives.

Defending against GigaWiper requires a comprehensive strategy that treats intrusions as business continuity emergencies. Organizations should prioritize isolating affected devices, preserving evidence, and verifying the integrity of backups before destructive commands can propagate. Blocking known C2 infrastructure, maintaining endpoint protection, and implementing cloud-based detection and response tools are crucial. Furthermore, limiting local administrator privileges, monitoring scheduled tasks and registry changes, and regularly rehearsing recovery plans that account for disk loss and boot failures are essential proactive measures.

This new report from Microsoft details GigaWiper's sophisticated Go-based architecture, which consolidates multiple malware families and robust command-and-control capabilities. It highlights the malware's ability to execute a standalone wiper, a ransomware-like encryption command, and a multi-pass wiping command, reflecting a notable shift in wiper malware design towards combined destructive and extortionary tactics.

Synthesized by Vypr AI