Skip to main content
Press slash or control plus K to focus the search. Use the arrow keys to navigate results and press enter to open a threat.
Reconnecting to live updates…

GigaWiper: Anatomy of a destructive backdoor assembled from multiple malware

0
Medium
Published: 07/09/2026 (07/09/2026, 17:33:04 UTC)
Source: AlienVault OTX General

Description

GigaWiper is a sophisticated Golang-based backdoor discovered in October 2025 that integrates command-and-control features with multiple destructive payloads. It combines functionality from at least three malware families, including a physical disk wiper, a fake ransomware component encrypting files with unsaved keys, and an enhanced multi-pass secure wiper. The backdoor supports 20 commands for control, system information gathering, and destructive actions such as disk wiping, screen recording, remote control, BSOD triggering, and event log clearing. Persistence is maintained via scheduled tasks, and communication occurs through RabbitMQ and Redis servers. No specific affected software versions or patches are identified, and no known exploits in the wild have been reported. The severity is assessed as medium based on the destructive capabilities described.

AI-Powered Analysis

Machine-generated threat intelligence

AILast updated: 07/10/2026, 08:02:50 UTC

Technical Analysis

GigaWiper is a multi-functional Golang backdoor combining command-and-control capabilities with destructive payloads derived from multiple malware families: a physical disk wiper, a Crucio ransomware-based fake encryption component, and a reimplemented FlockWiper with enhanced wiping. It provides 20 commands enabling threat actors to maintain persistence, execute destructive operations including disk wiping and BSOD triggers, collect system information, and remotely control compromised systems via VNC-like functionality. Persistence mechanisms include scheduled tasks, and communication channels use RabbitMQ and Redis servers. The malware's destructive features include multi-pass secure wiping and fake ransomware encryption with unsaved keys, complicating recovery efforts. No patches or remediation guidance are available, and no known exploits have been observed in the wild.

Potential Impact

The malware can cause significant data destruction through physical disk wiping and fake ransomware encryption that prevents file recovery. It enables remote control and system sabotage, including triggering blue screen errors and clearing event logs, which can disrupt operations and complicate forensic analysis. The combination of multiple destructive payloads increases the potential damage to affected systems.

Mitigation Recommendations

No official patches or remediation guidance are currently available for GigaWiper. Organizations should monitor for indicators of compromise related to this malware and apply general endpoint protection measures. Since this is a backdoor with destructive payloads, incident response should focus on containment and recovery from backups. Patch status is not yet confirmed — check vendor advisories and threat intelligence sources for updates.

Pro Console: star threats, build custom feeds, automate alerts via Slack, email & webhooks.Upgrade to Pro

Technical Details

Author
AlienVault
Tlp
white
References
["https://www.microsoft.com/en-us/security/blog/2026/07/09/gigawiper-anatomy-of-a-destructive-backdoor-assembled-from-multiple-malware/"]
Adversary
null
Pulse Id
6a4fdb50b88e8fc2bfbd26dd
Threat Score
null

Indicators of Compromise

Hash

ValueDescriptionCopy
hash440b5385d3838e3f6bc21220caa83b65cd5f3618daea676f271c3671650ce9a3
hash12c39f052f030a77c0cd531df86ad3477f46d1287b8b98b625d1dcf89385d721
hashdb41e0da7ab3305be8d9720769c6950b4dc1c1984ef857d3310eb873a0fc7674
hasha9dbe0025975e3fa764376a437043963
hashbe1082aac756fbf3ad7f41c1bc5b9eec
hash62bcb76113ea745020f5e68c8ce9f283
hashfbc2f83b75f3602a281fec095068ea34
hash7c76e51390b0d2e2759fad5ccee2bc30
hash35953ddaa42da7c71f3efd40d24cf91209c6c473
hash6f0370309e8cae19e83fbff6f08c1ece3b17b642
hash9a518770de592df858659f85d2f1a7f10362c304
hashd2815fe279a904b0f13356df58b8a06f8c6babe0
hash633d4cbd496b1094495da89a64f5e6c31a0f6d4d1488411db5b0cba1cfe42001
hash9706a192e2c1a1faaf0a521daf31c2af60ff4590e3f47bbb4abc227f42af0683
hashce9ad5f6c12019f4aae5b189bd8ddf5bb09e75b06a0a587b25a855c65948c913
hashf622ed85ef31ad4ab973f4e74524866fe1bb44f0965ad2b2ad796cd657a05bfd
hashb91be21e984407529691edb1bfe3f97dd4a1ae24
hash3c30deb6556a94cfb84ae51798f4aecfae8c7358e55fdb321c5f2376579631cd

Ip

ValueDescriptionCopy
ip212.8.248.104
CC=NL ASN=AS49981 worldstream b.v.
ip185.182.193.21
CC=NL ASN=AS49981 worldstream b.v.

Threat ID: 6a50a39468715ace433baa2c

Added to database: 07/10/2026, 07:47:32 UTC

Last enriched: 07/10/2026, 08:02:50 UTC

Last updated: 07/10/2026, 08:02:50 UTC

Views: 3

Community Reviews

0 reviews

Crowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.

Sort by
Loading community insights…

Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.

Actions

PRO

Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.

Please log in to the Console to use AI analysis features.

External Links

Need more coverage?

Upgrade to Pro Console for AI refresh and higher limits.

For incident response and remediation, OffSeq services can help resolve threats faster.

Latest Threats

Breach by OffSeqOFFSEQFRIENDS — 25% OFF

Check if your credentials are on the dark web

Instant breach scanning across billions of leaked records. Free tier available.

Scan now
OffSeq TrainingCredly Certified

Lead Pen Test Professional

Technical5-day eLearningPECB Accredited
View courses