Threat Briefing

GigaWiper: Modular Destructive Malware Lets Attackers Freely Choose How to Destroy

Microsoft Threat Intelligence has discovered a new modular malware called GigaWiper that combines backdoors with multiple wiper payloads, allowing attackers to flexibly choose destructive methods according to their needs, posing a serious threat to enterprise data security.

Event Overview

In October 2025, Microsoft Threat Intelligence discovered a new type of malware during a destructive wiping operation, initially misidentified as a Golang-based backdoor. After in-depth analysis, researchers confirmed the malware to be a modular implant, naming it GigaWiper. The core feature of GigaWiper is that it is not a single wiper, but a "backdoor with an embedded wiper"—combining backdoor capabilities with multiple destructive payloads, allowing attackers to flexibly choose the method of destruction via commands after controlling the victim's network.

Technical and Risk Analysis

Attack Method GigaWiper is a modular malware that borrows code snippets from multiple known malware families to form a multi-functional tool. Its main functions include: - Backdoor Capability: Supports command and control (C2) communication, allowing attackers to execute commands remotely. - Disk Wiping: Can overwrite the target system's disk, rendering data unrecoverable. - File Destruction: Can selectively delete or corrupt specific files. - Other Destructive Payloads: Attackers can load additional wiping modules as needed.

Exploitation Chain Attackers first gain network entry through initial access methods (e.g., phishing, exploits), then deploy the GigaWiper backdoor. Once a C2 connection is established, attackers can issue custom commands to trigger different wiping behaviors. This design allows attackers to tailor the scope of destruction based on the target environment, avoiding premature detection.

Affected Assets - Endpoint Devices: Windows systems (possibly also Linux, but current reports focus on Golang-compiled binaries) - Data Storage: Local disks, shared storage - Backup Systems: If not isolated, wiping operations may also affect backups

Enterprise Impact Analysis

  • Operational Risk: Destruction of critical data leads to business interruption and high recovery costs.
  • Financial Risk: Data loss may result in fines (e.g., GDPR), lawsuits, and productivity loss.
  • Compliance Risk: Regulated industries (e.g., finance, healthcare) risk penalties if unable to meet data retention requirements.
  • Brand Risk: Public disclosure of security incidents erodes customer trust.
  • Data Risk: Permanent data loss, even backups may be invalidated if synchronously wiped.

Industry Trend ObservationThe emergence of GigaWiper is not an isolated incident, but represents a trend of destructive malware evolving towards modularity and customizability. Traditional wipers (e.g., NotPetya, Shamoon) typically serve as single-purpose destructive payloads, while GigaWiper merges a backdoor with a wiper, allowing attackers to adjust attack strategies in real time based on intelligence after intrusion. This trend implies: - Increased detection difficulty:Static signatures for single functions are no longer effective, as malicious behaviors are triggered on demand. - Higher attacker efficiency:One implant replaces multiple tools, reducing deployment costs and exposure risk. - Supply chain risk:GigaWiper's modular design could propagate through the supply chain, making it more stealthy.

Defense and Response Recommendations

Enterprise Level - Identity Security:Implement multi-factor authentication (MFA) and follow the principle of least privilege to limit lateral movement. - Zero Trust Architecture:Verify all access requests; do not trust the internal network. - Vulnerability Management:Promptly patch known vulnerabilities to reduce the initial attack surface.

Technical Level - Endpoint Detection and Response (EDR):Deploy EDR solutions with behavioral analysis to monitor abnormal process creation and disk write operations. - XDR:Correlate logs across layers to identify early signs of backdoor and wiping activities. - Threat Intelligence:Subscribe to mainstream threat intelligence feeds to obtain IoCs related to GigaWiper. - Backup Strategy:Follow the 3-2-1 rule, store backups in isolated locations, and regularly test recovery.

Management Level - Incident Response Plan:Develop emergency procedures for wiper attacks, including isolating compromised systems, forensic analysis, and backup recovery. - Security Governance:Incorporate modular malware into risk assessment models. - Third-Party Risk Management:Review vendor security practices to prevent threats from being introduced through the supply chain.

SecurityPost Insight

The discovery of GigaWiper marks the entry of destructive attacks into an "as-a-service" model. Although it has not yet been attributed to a specific APT group, its modular architecture lowers the barrier for attackers—even non-state-backed hackers can leverage ready-made combinations to launch devastating attacks. For enterprises, traditional backup strategies focused on ransomware are no longer sufficient, as wipers directly destroy data and do not demand ransoms. Future defense priorities must shift from "preventing encryption" to "preventing destruction", including enhancing behavioral detection, implementing immutable backups, and increasing sensitivity to backdoor activities. We anticipate that such modular destructive tools will become one of the major threats from the second half of 2026 to 2027, and enterprises should adjust their security architectures promptly.

Evidence route · securitypost

securitypost frames this note through Security Post publishes defensive cybersecurity intelligence for enterprise security leaders, covering thre.... Threat Briefing / Enterprise Security / AI & Cybersecurity explains the local editorial angle: Source links should be opened before the summary is reused. dates, names and status changes still need checking.

Source URL

  1. https://www.darkreading.com/cyberattacks-data-breaches/gigawiper-threat-actors-choose-their-own-destructive-attackPrimary

Related articles

Back to channel