Skip to main content
TechnologyJul 14, 2026· 3 min read

GigaWiper: the malware that destroys disks and turns PCs into unusable systems

Microsoft Threat Intelligence has published a detailed analysis of GigaWiper, a particularly sophisticated malware that combines remote access, information gathering, and irreversible data destruction functionalities. First identified in October 2025, this threat represents an evolution compared to traditional wipers, as it concentrates capabilities normally distributed among different malware into a single tool. The same code is also monitored by Google Threat Intelligence Group and Binary Defense under the name BlueRabbit.

According to Microsoft, GigaWiper does not originate as a simple program aimed at deleting data, but as a modular platform capable of adapting to the attacker's objectives. The malware is developed in Go (Golang) and incorporates functionalities from at least three previous malicious families: the original GigaWiper, the ransomware Crucio, and FlockWiper. All these components have been integrated into a unique backdoor that allows operators to choose, through specific commands, which attack mode to use.

The most critical aspect concerns the ability to operate directly on physical disks. Instead of merely deleting files, GigaWiper identifies installed drives, eliminates partition information, and overwrites the contents of storage media at a low level. At the end of the operation, it forces a system reboot, leaving the data virtually unrecoverable.

Microsoft also describes a second destructive mode that simulates the behavior of ransomware. Files are encrypted and renamed with a .candy extension, but the encryption keys are generated randomly and are never saved. Consequently, there is no technical possibility of decrypting the data, making this function a wiper disguised as ransomware rather than a classic extortion-focused attack.

An even more aggressive variant exclusively targets the unit containing Windows, performing multiple overwrite passes with different data patterns, including random values, zeros, and 0xFF bytes. This procedure makes the potential recovery of information even more complex.

However, the capabilities of the backdoor go far beyond data destruction. GigaWiper can take screenshots, continuously record screen content, gather detailed information about hardware and the operating system, manage Windows processes and services, modify the system registry, erase event logs, and initiate complete remote control of the infected machine through a VNC-like mode, allowing attackers to use the keyboard and mouse remotely.

To ensure persistence, the malware creates a scheduled task named "OneDrive Update," configured to run at system startup and subsequently at intervals of about one minute. The chosen name can easily be confused with legitimate operating system activities. Communications with the command and control infrastructure also occur via RabbitMQ and Redis, two technologies often present in corporate environments, a feature that can help obscure the network traffic generated by the malware.

Code analysis has also established connections with already known malware. The encryption functionalities indeed derive from Crucio, documented by CISA in 2023, while the logic for multiple disk deletions borrows from FlockWiper, rewritten in Golang and updated with additional secure overwrite mechanisms. According to Microsoft, this evolution demonstrates how the authors have progressively consolidated separate tools into a single operational platform, reducing the number of components to deploy during attacks while increasing the flexibility of operations.

Currently, Microsoft has not detected any large-scale dissemination campaigns targeting home users. GigaWiper is primarily employed in targeted attacks against companies, where attackers initially compromise infrastructure, maintain control over the network, gather information, and only later activate the destructive mechanisms.

To mitigate the risk, Microsoft recommends that companies keep tamper protection features active, use EDR systems with automatic blocking capabilities, monitor the creation of suspicious scheduled tasks, check connections to command and control infrastructures, and maintain backup copies fully isolated from the corporate network. For private users, the usual security practices remain valid, such as keeping Windows and protection tools updated and avoiding the execution of attachments or software from untrusted sources.