GigaWiper: The Swiss Army Knife of Destructive Malware

A newly named piece of malicious software has been quietly spreading for over eight months, combining spying tools, file destroyers, and fake-ransomware tricks inside a single package.

ThreatVectr Newsdesk· 3 min read
A close-up overhead shot of a hard drive with its metal casing partially open, the magnetic platters reflecting a deep red light
Share

Key points

  • Microsoft first detected GigaWiper in October 2025, and it had already been active for more than eight months by the time of the report.
  • GigaWiper can wipe every drive on an infected computer, encrypt files with keys it immediately discards, and trigger a forced system crash, all from a single remote command.
  • The malware appears to share code with two earlier malicious programs: Crucio ransomware and FlockWiper, which surfaced in June 2025.
  • GigaWiper uses RabbitMQ and Redis, two legitimate software tools normally used to move data between servers, to hide its communications with attackers.

Some malware destroys files. Some spies quietly. GigaWiper, a newly documented malicious program first spotted in October 2025, does both, and switches between the two on command.

Microsoft published its analysis of GigaWiper this week, describing it as a backdoor, meaning software secretly installed on a victim's machine that lets outsiders control it remotely, with an unusually wide menu of destructive options. SecurityWeek first flagged the report.

What exactly can GigaWiper do to an infected machine?

Quite a lot, and that is the point. Most wiper malware, software designed purely to erase data and cripple systems, does one thing. GigaWiper does several. At the push of a button from whoever controls it, the software can erase every drive connected to the computer by working at the physical disk level, meaning it bypasses the operating system and scrubs the storage directly. Recovery after that kind of attack is extremely difficult.

It can also trigger a Blue Screen of Death, the familiar crash screen Windows shows when something goes catastrophically wrong, forcing the machine offline. A separate command encrypts files using randomly generated keys that are never saved anywhere, making the encryption permanent and the files unrecoverable. That mimics ransomware, which normally locks files and demands payment, except here there is no payment option and no way back.

When the attackers simply want to watch rather than destroy, GigaWiper can take screenshots, record the screen, harvest system information, and upload files to a remote server.

The malware is written in Go, a programming language popular with attackers partly because it compiles into a single self-contained file that is easier to move between machines. It hides its communications with the attackers inside RabbitMQ and Redis traffic: both are legitimate tools businesses use every day to shuttle data between servers, which makes the malicious traffic harder to spot.

Microsoft notes that GigaWiper appears to have been assembled from older code. The encryption routines match those seen in Crucio ransomware, and an identical wiping function was previously used by FlockWiper. Think of it less as a new weapon and more as several old weapons bolted into one frame.

For organisations rather than home users, the practical concern is the combination of espionage and destruction in one implant. The attackers can gather intelligence for weeks, then flip a switch and erase the evidence along with everything else.

If you run IT for any organisation, now is a good time to audit what software is communicating outward over RabbitMQ or Redis connections you did not deliberately set up.

© 2026 Threat Vectr