Today's cybersecurity headlines are brought to you by ThreatPerspective


Ethical Hacking News

GigaWiper: A Modular Backdoor Malware Merging Three Families into One Destructive Threat



GigaWiper is a cutting-edge malware that has combined the destructive features of three existing families into one single implant. It offers flexibility in executing both quiet espionage activities and full-scale destruction on command. Microsoft's discovery and analysis provide essential insights into this modular backdoor threat, underscoring the importance of cybersecurity measures and constant vigilance against emerging threats.

  • GigaWiper is a malicious backdoor malware identified by Microsoft as a significant threat to computer systems and networks.
  • The malware combines the capabilities of three existing families – FlockWiper, Crucio, and standalone disk wiper – into a single, highly destructive implant.
  • GigaWiper was first observed in October 2025 by Microsoft's threat intelligence team.
  • The malware features a command-and-control backdoor with multiple built-in destruction capabilities.
  • It includes an extensive full remote-control suite with commands for screenshots, system information collection, and registry navigation.
  • GigaWiper's modular structure allows it to maintain persistence, communicate with operators, and switch between intelligence-gathering and full destruction on command.
  • The malware employs fanout exchanges for simultaneous broadcasting of commands to infected hosts.
  • Mitigations recommended by Microsoft include enabling tamper protection, running endpoint detection in block mode, and utilizing cloud-delivered protection.



  • GigaWiper, a malicious backdoor malware, has been identified by Microsoft as a significant threat to computer systems and networks. This malware combines the capabilities of three existing families – FlockWiper, Crucio, and the standalone disk wiper – into a single, highly destructive implant.

    According to Microsoft's report, GigaWiper was first observed in October 2025, when the company's threat intelligence team detected destructive wiping activity inside compromised environments. The malware is written in Go programming language and features a command-and-control backdoor with multiple built-in destruction capabilities.

    The malware's construction reveals an interesting architectural story. Each of its three main destructive commands – Command 1, Command 2, and Command 3 – can be traced back to a separate, previously existing malware family developed by the same threat actor. This demonstrates how threat actors have evolved their tooling over time by merging standalone tools into unified platforms that reduce deployment footprint while expanding destructive capabilities.

    The destructive commands themselves are of particular interest, showcasing GigaWiper's versatility and flexibility. Command 1 wipes physical disks at the raw level, Command 2 triggers a Blue Screen of Death, Command 3 encrypts files with a randomly generated key, renames them with a .candy extension, and drops a threatening image as the wallpaper.

    Beyond destruction, GigaWiper includes an extensive full remote-control suite. Commands 9 and 10 handle screenshots and continuous screen recording when the user is active, commands 15 through 18 manage system information collection, process control, service management, and registry navigation in a way that maintains session state between requests, essentially providing an interactive registry browser.

    The malware's modular structure changes what defenders need to think about. Traditional wipers get deployed, run, and destroy. GigaWiper sits on a system, maintains persistence, communicates back to operators, and can switch between quiet intelligence-gathering and full destruction on command, without requiring the attacker to deploy a new tool.

    GigaWiper's C2 infrastructure observed in samples used 185.182.193[.]21 on port 5544 for RabbitMQ command delivery and port 7542 for Redis result reporting. The malware employs fanout exchanges, both named "All" and "Topic," which allow for simultaneous broadcasting of commands to every infected host as well as targeted commands to specific machines.

    The impact of GigaWiper is evident in its ability to maintain control over infected systems, execute commands, deploy additional tooling, and ultimately trigger one of multiple destructive commands on demand. This flexibility enables the threat actor to operate with effectiveness, enabling both quiet espionage activity and destructive wiping operations.

    Microsoft recommends mitigations that focus on preventing defense-disabling steps by organizations: enabling tamper protection, running endpoint detection in block mode, and utilizing cloud-delivered protection to catch rapidly evolving tools. Blocking direct access to GigaWiper's known C2 infrastructure at 185.182.193[.]21 is also a recommended immediate network-level action for affected organizations.

    The discovery of GigaWiper highlights the ever-evolving nature of malware families and their ability to merge capabilities into single backdoor implants that are highly destructive yet stealthy in operation. This serves as a reminder for organizations to stay vigilant, prioritize cybersecurity measures, and adhere to regular software updates and patching procedures.


    GigaWiper is a cutting-edge malware that has combined the destructive features of three existing families into one single implant. It offers flexibility in executing both quiet espionage activities and full-scale destruction on command. Microsoft's discovery and analysis provide essential insights into this modular backdoor threat, underscoring the importance of cybersecurity measures and constant vigilance against emerging threats.




    Related Information:
  • https://www.ethicalhackingnews.com/articles/GigaWiper-A-Modular-Backdoor-Malware-Merging-Three-Families-into-One-Destructive-Threat-ehn.shtml

  • https://securityaffairs.com/195068/malware/gigawiper-merges-three-malware-families-into-one-destructive-backdoor.html


  • Published: Fri Jul 10 04:55:41 2026 by llama3.2 3B Q4_K_M













    © Ethical Hacking News . All rights reserved.

    Privacy | Terms of Use | Contact Us