GigaWiper Malware Attacking Windows Systems With Data Wipers and Fake Ransomware Notices

GigaWiper Malware Attacking Windows Systems With Data Wipers and Fake Ransomware Notices










GigaWiper is a newly identified Windows threat built to do more than steal information or lock a screen. Once activated, it can erase disks, scramble files beyond recovery, and leave organizations facing sudden outages.

Its arrival shows how destructive malware can combine several familiar attack methods in one tool package.

Microsoft first observed compromised environments being wiped in October 2025, indicating that attackers had moved from access to impact.

The campaign uses a Golang based implant that can persist, accept instructions, collect data, and then launch destructive actions when operators choose. That flexibility raises the risk for Windows networks.

Analysts at Microsoft identified the malware as GigaWiper and described it as a backdoor assembled from separate malware families.

Microsoft said in a report shared with Cyber Security News (CSN) that the design gives its operators several ways to control systems, conduct surveillance, and cause irreversible damage on demand.

GigaWiper stands apart because its damaging features are not limited to one routine. It combines physical disk wiping, a ransomware styled file encryption function that cannot restore data, and a multi pass Windows drive wiper.

Wiper functions (Source - Microsoft)
Wiper functions (Source – Microsoft)

The result is an implant that can support intrusion activity before a rapid disruptive stage.

GigaWiper Malware Attacking Windows Systems

The main wiping command locates physical drives and identifies the disk holding the Windows installation.

It removes partition references from other drives, overwrites raw content in large chunks, and forces a restart. Rather than deleting documents, this approach attacks structure that lets Windows systems and data function.

Another command encrypts files with random encryption material that is never retained, then changes names with the .candy extension.

The behavior looks like ransomware, but there is no usable recovery path and no ransom note. Victims may expect options, only to find files were rendered unrecoverable.

The backdoor can damage boot capability by deleting recovery, boot, and kernel files, and it can clear Windows event logs. These actions may make incident response harder while worsening the impact.

It additionally supports remote control, screen capture, screen recording, command execution, system discovery, and service or Registry management.

GigaWiper’s command system communicates through RabbitMQ to receive instructions and uses Redis to return status or output. Analysts observed configuration pointing to an address used for both functions.

This ability to accept broadcast or targeted tasks lets operators coordinate activity across devices while retaining the option to focus on systems.

The malware creates a OneDrive Registry key to track execution and establishes a scheduled task named OneDrive Update.

The task is set to run at startup and afterward, helping the implant remain active. These familiar Windows names can make suspicious activity less obvious, especially in an enterprise environment.

Defending Against a Modular Backdoor

Organizations should treat a suspected GigaWiper intrusion as a business continuity emergency, not only a malware cleanup case.

Teams should isolate devices, preserve evidence where practical, and check backups before destructive commands spread. Blocking known command and control infrastructure can reduce attackers’ ability to manage infected hosts.

Defenders should protect security settings from changes and keep endpoint protections enabled. Cloud based detection, automated investigation, and endpoint response tools can help identify behavior before wiping begins.

References to 'GRAT' in function names (Source - Microsoft)
References to ‘GRAT’ in function names (Source – Microsoft)

Organizations should limit local administrator access, monitor scheduled tasks and Registry changes, and rehearse recovery plans accounting for disk loss.

Regular offline or protected backups remain essential because a wiper can destroy the operating system and data stored beside it. Recovery plans should be tested under conditions including failed booting and unavailable network services.

Security teams should investigate unusual use of disk tools, event log clearing, or file encryption events.

The findings show why destructive malware cannot be viewed only through the lens of traditional ransomware. GigaWiper gives attackers a menu of options, ranging from covert monitoring to file destruction and full disk wiping.

Fast detection, separation of critical systems, protected backups, and practiced recovery procedures remain central to limiting damage from a backdoor such as GigaWiper.

Indicators of compromise (IoCs):-

Type Indicator Description
SHA-256 633d4cbd496b1094495da89a64f5e6c31a0f6d4d1488411db5b0cba1cfe42001 GigaWiper backdoor 
SHA-256 ce9ad5f6c12019f4aae5b189bd8ddf5bb09e75b06a0a587b25a855c65948c913 GigaWiper backdoor 
SHA-256 f622ed85ef31ad4ab973f4e74524866fe1bb44f0965ad2b2ad796cd657a05bfd GigaWiper backdoor 
SHA-256 9706a192e2c1a1faaf0a521daf31c2af60ff4590e3f47bbb4abc227f42af0683 GigaWiper backdoor 
SHA-256 3c30deb6556a94cfb84ae51798f4aecfae8c7358e55fdb321c5f2376579631cd GigaWiper standalone wiper 
SHA-256 440b5385d3838e3f6bc21220caa83b65cd5f3618daea676f271c3671650ce9a3 Crucio 
SHA-256 12c39f052f030a77c0cd531df86ad3477f46d1287b8b98b625d1dcf89385d721 FlockWiper 
SHA-256 db41e0da7ab3305be8d9720769c6950b4dc1c1984ef857d3310eb873a0fc7674 FlockWiper 
IP address 185.182.193[.]21 GigaWiper command and control server 
IP address 212.8.248[.]104 GigaWiper command and control server 

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Prevent critical incidents and financial loss with stronger proactive defense. Integrate a live threat feed from 15K SOC Teams.

The post GigaWiper Malware Attacking Windows Systems With Data Wipers and Fake Ransomware Notices appeared first on Cyber Security News.






Tushar Subhra Dutta





Go to cyber-security-news





Posted

in

, ,

by