GigaWiper Malware Attacking Windows Systems With Data Wipers and Fake Ransomware Notices
GigaWiper is a newly identified Windows threat built to do more than steal information or lock a screen. Once activated, it can erase disks, scramble files beyond recovery, and leave organizations facing sudden outages.
Its arrival shows how destructive malware can combine several familiar attack methods in one tool package.
Microsoft first observed compromised environments being wiped in October 2025, indicating that attackers had moved from access to impact.
The campaign uses a Golang based implant that can persist, accept instructions, collect data, and then launch destructive actions when operators choose. That flexibility raises the risk for Windows networks.
Analysts at Microsoft identified the malware as GigaWiper and described it as a backdoor assembled from separate malware families.
Microsoft said in a report shared with Cyber Security News (CSN) that the design gives its operators several ways to control systems, conduct surveillance, and cause irreversible damage on demand.
GigaWiper stands apart because its damaging features are not limited to one routine. It combines physical disk wiping, a ransomware styled file encryption function that cannot restore data, and a multi pass Windows drive wiper.

The result is an implant that can support intrusion activity before a rapid disruptive stage.
GigaWiper Malware Attacking Windows Systems
The main wiping command locates physical drives and identifies the disk holding the Windows installation.
It removes partition references from other drives, overwrites raw content in large chunks, and forces a restart. Rather than deleting documents, this approach attacks structure that lets Windows systems and data function.
Another command encrypts files with random encryption material that is never retained, then changes names with the .candy extension.
The behavior looks like ransomware, but there is no usable recovery path and no ransom note. Victims may expect options, only to find files were rendered unrecoverable.
The backdoor can damage boot capability by deleting recovery, boot, and kernel files, and it can clear Windows event logs. These actions may make incident response harder while worsening the impact.
It additionally supports remote control, screen capture, screen recording, command execution, system discovery, and service or Registry management.
GigaWiper’s command system communicates through RabbitMQ to receive instructions and uses Redis to return status or output. Analysts observed configuration pointing to an address used for both functions.
This ability to accept broadcast or targeted tasks lets operators coordinate activity across devices while retaining the option to focus on systems.
The malware creates a OneDrive Registry key to track execution and establishes a scheduled task named OneDrive Update.
The task is set to run at startup and afterward, helping the implant remain active. These familiar Windows names can make suspicious activity less obvious, especially in an enterprise environment.
Defending Against a Modular Backdoor
Organizations should treat a suspected GigaWiper intrusion as a business continuity emergency, not only a malware cleanup case.
Teams should isolate devices, preserve evidence where practical, and check backups before destructive commands spread. Blocking known command and control infrastructure can reduce attackers’ ability to manage infected hosts.
Defenders should protect security settings from changes and keep endpoint protections enabled. Cloud based detection, automated investigation, and endpoint response tools can help identify behavior before wiping begins.

Organizations should limit local administrator access, monitor scheduled tasks and Registry changes, and rehearse recovery plans accounting for disk loss.
Regular offline or protected backups remain essential because a wiper can destroy the operating system and data stored beside it. Recovery plans should be tested under conditions including failed booting and unavailable network services.
Security teams should investigate unusual use of disk tools, event log clearing, or file encryption events.
The findings show why destructive malware cannot be viewed only through the lens of traditional ransomware. GigaWiper gives attackers a menu of options, ranging from covert monitoring to file destruction and full disk wiping.
Fast detection, separation of critical systems, protected backups, and practiced recovery procedures remain central to limiting damage from a backdoor such as GigaWiper.
Indicators of compromise (IoCs):-
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
Prevent critical incidents and financial loss with stronger proactive defense. Integrate a live threat feed from 15K SOC Teams.
The post GigaWiper Malware Attacking Windows Systems With Data Wipers and Fake Ransomware Notices appeared first on Cyber Security News.
Tushar Subhra Dutta
Go to cyber-security-news