Modular Design and Capabilities
Microsoft has detailed a new Windows backdoor named GigaWiper, which has been observed in intrusions since October 2025. Written in Golang, this modular malware combines robust remote access features with multiple destructive capabilities. Researchers believe it was constructed by merging previously separate tools, including the Crucio ransomware and the FlockWiper disk wiper, into a unified operational platform.
GigaWiper executes approximately 20 distinct commands that fall into three categories: destruction, remote access and monitoring, and system management. Its destructive functions include a raw disk wiper that overwrites disk content before forcing an immediate reboot, a fake ransomware module that encrypts files and discards the encryption key, and a secure wiper targeting the Windows installation drive using multi pass overwrites.
Persistence and Monitoring
The backdoor establishes persistence by creating a scheduled task named “OneDrive Update” that runs every minute and at system startup. It also features espionage capabilities such as screen capture, continuous recording, and VNC like remote control that streams the desktop and accepts keyboard and mouse input. To enable this, GigaWiper creates its own Windows Firewall exceptions.
Known command and control servers have been identified at 185.182.193[.]21 and 212.8.248[.]104. Because GigaWiper is deployed after initial compromise, prevention focuses on blocking intrusion attempts and detecting malicious activity before destructive commands execute. Organizations should monitor for connections to these servers, the “OneDrive Update” scheduled task, and attempts to disable Windows recovery tools.
Source: Malwarebytes

