GigaWiper: Anatomy of a destructive backdoor assembled from multiple malware
GigaWiper is a sophisticated Golang-based backdoor discovered in October 2025 that integrates command-and-control features with multiple destructive payloads. It combines functionality from at least three malware families, including a physical disk wiper, a fake ransomware component encrypting files with unsaved keys, and an enhanced multi-pass secure wiper. The backdoor supports 20 commands for control, system information gathering, and destructive actions such as disk wiping, screen recording, remote control, BSOD triggering, and event log clearing. Persistence is maintained via scheduled tasks, and communication occurs through RabbitMQ and Redis servers. No specific affected software versions or patches are identified, and no known exploits in the wild have been reported. The severity is assessed as medium based on the destructive capabilities described.
AI Analysis
Technical Summary
GigaWiper is a multi-functional Golang backdoor combining command-and-control capabilities with destructive payloads derived from multiple malware families: a physical disk wiper, a Crucio ransomware-based fake encryption component, and a reimplemented FlockWiper with enhanced wiping. It provides 20 commands enabling threat actors to maintain persistence, execute destructive operations including disk wiping and BSOD triggers, collect system information, and remotely control compromised systems via VNC-like functionality. Persistence mechanisms include scheduled tasks, and communication channels use RabbitMQ and Redis servers. The malware's destructive features include multi-pass secure wiping and fake ransomware encryption with unsaved keys, complicating recovery efforts. No patches or remediation guidance are available, and no known exploits have been observed in the wild.
Potential Impact
The malware can cause significant data destruction through physical disk wiping and fake ransomware encryption that prevents file recovery. It enables remote control and system sabotage, including triggering blue screen errors and clearing event logs, which can disrupt operations and complicate forensic analysis. The combination of multiple destructive payloads increases the potential damage to affected systems.
Mitigation Recommendations
No official patches or remediation guidance are currently available for GigaWiper. Organizations should monitor for indicators of compromise related to this malware and apply general endpoint protection measures. Since this is a backdoor with destructive payloads, incident response should focus on containment and recovery from backups. Patch status is not yet confirmed — check vendor advisories and threat intelligence sources for updates.
Indicators of Compromise
- hash: 440b5385d3838e3f6bc21220caa83b65cd5f3618daea676f271c3671650ce9a3
- hash: 12c39f052f030a77c0cd531df86ad3477f46d1287b8b98b625d1dcf89385d721
- ip: 212.8.248.104
- ip: 185.182.193.21
- hash: db41e0da7ab3305be8d9720769c6950b4dc1c1984ef857d3310eb873a0fc7674
- hash: a9dbe0025975e3fa764376a437043963
- hash: be1082aac756fbf3ad7f41c1bc5b9eec
- hash: 62bcb76113ea745020f5e68c8ce9f283
- hash: fbc2f83b75f3602a281fec095068ea34
- hash: 7c76e51390b0d2e2759fad5ccee2bc30
- hash: 35953ddaa42da7c71f3efd40d24cf91209c6c473
- hash: 6f0370309e8cae19e83fbff6f08c1ece3b17b642
- hash: 9a518770de592df858659f85d2f1a7f10362c304
- hash: d2815fe279a904b0f13356df58b8a06f8c6babe0
- hash: 633d4cbd496b1094495da89a64f5e6c31a0f6d4d1488411db5b0cba1cfe42001
- hash: 9706a192e2c1a1faaf0a521daf31c2af60ff4590e3f47bbb4abc227f42af0683
- hash: ce9ad5f6c12019f4aae5b189bd8ddf5bb09e75b06a0a587b25a855c65948c913
- hash: f622ed85ef31ad4ab973f4e74524866fe1bb44f0965ad2b2ad796cd657a05bfd
- hash: b91be21e984407529691edb1bfe3f97dd4a1ae24
- hash: 3c30deb6556a94cfb84ae51798f4aecfae8c7358e55fdb321c5f2376579631cd
GigaWiper: Anatomy of a destructive backdoor assembled from multiple malware
Description
GigaWiper is a sophisticated Golang-based backdoor discovered in October 2025 that integrates command-and-control features with multiple destructive payloads. It combines functionality from at least three malware families, including a physical disk wiper, a fake ransomware component encrypting files with unsaved keys, and an enhanced multi-pass secure wiper. The backdoor supports 20 commands for control, system information gathering, and destructive actions such as disk wiping, screen recording, remote control, BSOD triggering, and event log clearing. Persistence is maintained via scheduled tasks, and communication occurs through RabbitMQ and Redis servers. No specific affected software versions or patches are identified, and no known exploits in the wild have been reported. The severity is assessed as medium based on the destructive capabilities described.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
GigaWiper is a multi-functional Golang backdoor combining command-and-control capabilities with destructive payloads derived from multiple malware families: a physical disk wiper, a Crucio ransomware-based fake encryption component, and a reimplemented FlockWiper with enhanced wiping. It provides 20 commands enabling threat actors to maintain persistence, execute destructive operations including disk wiping and BSOD triggers, collect system information, and remotely control compromised systems via VNC-like functionality. Persistence mechanisms include scheduled tasks, and communication channels use RabbitMQ and Redis servers. The malware's destructive features include multi-pass secure wiping and fake ransomware encryption with unsaved keys, complicating recovery efforts. No patches or remediation guidance are available, and no known exploits have been observed in the wild.
Potential Impact
The malware can cause significant data destruction through physical disk wiping and fake ransomware encryption that prevents file recovery. It enables remote control and system sabotage, including triggering blue screen errors and clearing event logs, which can disrupt operations and complicate forensic analysis. The combination of multiple destructive payloads increases the potential damage to affected systems.
Mitigation Recommendations
No official patches or remediation guidance are currently available for GigaWiper. Organizations should monitor for indicators of compromise related to this malware and apply general endpoint protection measures. Since this is a backdoor with destructive payloads, incident response should focus on containment and recovery from backups. Patch status is not yet confirmed — check vendor advisories and threat intelligence sources for updates.
Technical Details
- Author
- AlienVault
- Tlp
- white
- References
- ["https://www.microsoft.com/en-us/security/blog/2026/07/09/gigawiper-anatomy-of-a-destructive-backdoor-assembled-from-multiple-malware/"]
- Adversary
- null
- Pulse Id
- 6a4fdb50b88e8fc2bfbd26dd
- Threat Score
- null
Indicators of Compromise
Hash
| Value | Description | Copy |
|---|---|---|
hash440b5385d3838e3f6bc21220caa83b65cd5f3618daea676f271c3671650ce9a3 | — | |
hash12c39f052f030a77c0cd531df86ad3477f46d1287b8b98b625d1dcf89385d721 | — | |
hashdb41e0da7ab3305be8d9720769c6950b4dc1c1984ef857d3310eb873a0fc7674 | — | |
hasha9dbe0025975e3fa764376a437043963 | — | |
hashbe1082aac756fbf3ad7f41c1bc5b9eec | — | |
hash62bcb76113ea745020f5e68c8ce9f283 | — | |
hashfbc2f83b75f3602a281fec095068ea34 | — | |
hash7c76e51390b0d2e2759fad5ccee2bc30 | — | |
hash35953ddaa42da7c71f3efd40d24cf91209c6c473 | — | |
hash6f0370309e8cae19e83fbff6f08c1ece3b17b642 | — | |
hash9a518770de592df858659f85d2f1a7f10362c304 | — | |
hashd2815fe279a904b0f13356df58b8a06f8c6babe0 | — | |
hash633d4cbd496b1094495da89a64f5e6c31a0f6d4d1488411db5b0cba1cfe42001 | — | |
hash9706a192e2c1a1faaf0a521daf31c2af60ff4590e3f47bbb4abc227f42af0683 | — | |
hashce9ad5f6c12019f4aae5b189bd8ddf5bb09e75b06a0a587b25a855c65948c913 | — | |
hashf622ed85ef31ad4ab973f4e74524866fe1bb44f0965ad2b2ad796cd657a05bfd | — | |
hashb91be21e984407529691edb1bfe3f97dd4a1ae24 | — | |
hash3c30deb6556a94cfb84ae51798f4aecfae8c7358e55fdb321c5f2376579631cd | — |
Ip
| Value | Description | Copy |
|---|---|---|
ip212.8.248.104 | CC=NL ASN=AS49981 worldstream b.v. | |
ip185.182.193.21 | CC=NL ASN=AS49981 worldstream b.v. |
Threat ID: 6a50a39468715ace433baa2c
Added to database: 07/10/2026, 07:47:32 UTC
Last enriched: 07/10/2026, 08:02:50 UTC
Last updated: 07/10/2026, 08:02:50 UTC
Views: 3
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.