GigaWiper: Anatomy of a destructive backdoor assembled from multiple malware
Essential information
- Published
- 09/07/2026 19:33
- Modified
- —
- Source / Author
- AlienVault
- Confidence
- 100/100
- Report type(s)
- threat-report
- Labels / Tags
- crucio cutbrooch destructive wiper disk wiping fake ransomware flockwiper gigawiper golang backdoor multi-stage intrusion rabbitmq wprcree wprflock
- Related entities
- 10 indicators, 2 observables, 20 techniques (mitre), 6 malware
Description
In October 2025, Microsoft Threat Intelligence discovered GigaWiper, a sophisticated Golang-based backdoor that combines command-and-control capabilities with multiple destructive payloads. This versatile implant consolidates functionality from at least three separate malware families: a standalone wiper operating at physical disk level, a destructive component derived from Crucio ransomware that encrypts files with randomly generated unsaved keys, and a reimplemented version of FlockWiper with enhanced multi-pass secure wiping. The backdoor provides 20 different commands enabling threat actors to maintain control, execute operations, collect system information, and trigger destructive actions on demand. GigaWiper establishes persistence through scheduled tasks, communicates via RabbitMQ and Redis servers, and can perform disk wiping, fake ransomware encryption, screen recording, VNC-like remote control, and system-level sabotage including BSOD triggers and event log clearing.