216.73.217.64

GigaWiper: Anatomy of a destructive backdoor assembled from multiple malware

· Published 09/07/2026 19:33

Export JSON

Essential information

Published
09/07/2026 19:33
Modified
Source / Author
AlienVault
Confidence
100/100
Report type(s)
threat-report
Labels / Tags
crucio cutbrooch destructive wiper disk wiping fake ransomware flockwiper gigawiper golang backdoor multi-stage intrusion rabbitmq wprcree wprflock
Related entities
10 indicators, 2 observables, 20 techniques (mitre), 6 malware

Description

In October 2025, Microsoft Threat Intelligence discovered GigaWiper, a sophisticated Golang-based backdoor that combines command-and-control capabilities with multiple destructive payloads. This versatile implant consolidates functionality from at least three separate malware families: a standalone wiper operating at physical disk level, a destructive component derived from Crucio ransomware that encrypts files with randomly generated unsaved keys, and a reimplemented version of FlockWiper with enhanced multi-pass secure wiping. The backdoor provides 20 different commands enabling threat actors to maintain control, execute operations, collect system information, and trigger destructive actions on demand. GigaWiper establishes persistence through scheduled tasks, communicates via RabbitMQ and Redis servers, and can perform , fake ransomware encryption, screen recording, VNC-like remote control, and system-level sabotage including BSOD triggers and event log clearing.

External references