GigaWiper: The Malware That Destroys on Demand
A newly uncovered piece of malicious software lets criminals break into a system, wait quietly, then choose exactly how they want to erase everything. Microsoft researchers say it is unlike anything they have tracked before.

Key points
- Microsoft Threat Intelligence researchers first spotted GigaWiper in October 2025 during a wave of destructive attacks on targeted organisations.
- The malware combines a backdoor, which is a hidden remote-control channel, with three separate destruction modules that criminals can trigger at will.
- Google's threat research team is tracking the same malware under the name BlueRabbit; security firm Binary Defense has linked it to an Iran-based group.
- GigaWiper can wipe disks, fake a ransomware attack using unrecoverable encryption keys, and repeatedly overwrite files to stop forensic investigators finding anything useful.
- Microsoft has published a set of concrete steps organisations can take right now to reduce their exposure.
Most destructive malware is a one-way door. Criminals get in, detonate it, and the damage is done. GigaWiper works differently, and that difference matters.
Researchers at Microsoft Threat Intelligence discovered the malware, which they named GigaWiper, while investigating a string of destructive incidents in October 2025. They initially thought they were looking at a simple backdoor, meaning hidden software that lets outsiders control a machine remotely. Then they looked closer.
How does GigaWiper actually work?
GigaWiper sits quietly inside a network, giving the criminals who deployed it full remote control, and waits for instructions. It supports around 20 commands covering everything from taking screenshots to managing files to opening hidden remote-desktop sessions. Destruction is entirely optional, and it is chosen after the attackers have already settled in.
When the criminals do decide to destroy, they have three tools to pick from. The first overwrites the physical disk itself, wiping partition information so the operating system cannot even start. The second mimics ransomware, software that normally locks files until a ransom is paid, but with a cruel twist: the encryption keys are thrown away immediately, so no payment could ever unlock the files. The third repeatedly overwrites files to stop forensic investigators recovering any trace of what was stored.
Dark Reading first reported the Binary Defense research linking the malware to an Iran-based group. Microsoft has not formally attributed GigaWiper to any specific country.
One detail that stands out to defenders is how the malware phones home for instructions. Most malicious software uses standard web traffic to communicate with its operators. GigaWiper uses RabbitMQ, a specialist message-queuing system normally found in software development environments, not corporate networks. Denis Calderone, chief technology officer at security firm Suzu Labs, says that unusual traffic pattern is actually where defenders have their best chance: spotting the RabbitMQ and Redis data flows before any destruction begins.
"The destruction is optional," Calderone told Dark Reading. That single sentence is why this malware represents a real shift.
Microsoft recommends that organisations turn on tamper-protection settings that stop attackers disabling antivirus tools, enable cloud-delivered protection so security software can respond to new variants quickly, and block unknown executable files from running unless they are already trusted. Blocking known command-and-control server addresses at the network perimeter also helps.
For ordinary employees, GigaWiper is not something you install accidentally. It targets organisations, not home computers. If you work in energy, government, or critical infrastructure, now is a good time to ask your IT team whether tamper protection and endpoint monitoring are switched on.



