
Summary created by Smart Answers AI
In summary:
- Microsoft discovered GigaWiper malware that overwrites hard drives multiple times and renders entire systems unusable by deleting partition entries and storage contents.
- PCWorld reports this sophisticated threat primarily targets organizations rather than home users, combining surveillance capabilities with irreversible data destruction.
- The malware integrates components from older threats like Crucio ransomware and includes a Go-based backdoor for remote system control and stealth operations.
Microsoft has discovered a new piece of malware that not only spies on data but also renders entire systems unusable. The malware, known as GigaWiper, combines several destructive functions with a powerful backdoor for attackers.
Security researchers at Microsoft Threat Intelligence first detected the activity back in October 2025. The recently published analysis reveals the full extent of the malware’s capabilities.
According to the report, GigaWiper isn’t a traditional wiper malware with a single purpose—it’s far worse. Other security researchers are also tracking the malware under the name BlueRabbit.
GigaWiper can wipe hard drives and irretrievably destroy data
One of the most dangerous aspects of GigaWiper is its ability to overwrite hard drives at a low level. Unlike ordinary malware, it doesn’t simply delete individual files but directly accesses the physical drives.
In doing so, GigaWiper can remove partition entries and overwrite the contents of storage media. Once the destructive operation is complete, the computer restarts and the data that was once stored on it is made no longer accessible in the usual way.
Another function masquerades as ransomware. GigaWiper encrypts files and appends the .candy extension to them. However, this isn’t a classic extortion attack—the decryption keys are generated at random and not stored, so recovery is technically impossible.
Another destructive function of GigaWiper overwrites the Windows system drive multiple times with various data patterns, making recovery even more difficult.
GigaWiper is more than just a data wiper
However, this malware isn’t limited to destruction of data. Microsoft describes GigaWiper as a backdoor through which attackers can gain permanent access to infected systems.
Among other things, the malware can:
- Take screenshots
- Record the screen
- Enable remote control functions
- Collect system information
- Manage processes and Windows services
- Modify the Windows Registry
- Delete event logs to cover their tracks
This allows attackers to first gather information about a system or take control of it before triggering its destructive activity.
Disguised as a OneDrive task
According to Microsoft, GigaWiper sets up a scheduled task in the Windows Task Scheduler to ensure it remains on affected computers for as long as possible. This task is named “OneDrive Update” and runs regularly—easy to overlook if you aren’t paying attention.
The malware also uses RabbitMQ and Redis to communicate with command-and-control servers, making the connections harder to detect in corporate networks where these services are already in use.
Malicious code from several malware families combined
A distinctive feature of GigaWiper is its structure. Microsoft found that several older malware components were integrated into it.
Some of the functions originate from Crucio, a ransomware strain previously analyzed. Another component is based on FlockWiper, an older wiper malware strain. The attackers have integrated these functions into a new backdoor developed in the Go programming language.
This allows attackers to decide whether to take control of systems, manipulate data, and/or trigger complete destruction.
Should you be concerned?
Based on current findings, GigaWiper is primarily used for targeted attacks against organizations and corporations. There’s currently no evidence of widespread distribution among home Windows users.
The malware works by first gaining access to a system, which is then controlled by attackers. So, for home users, traditional security measures remain crucial: Windows and security software should be kept up to date, and unsolicited attachments and apps should never be opened.
According to Microsoft, businesses should enable protective features such as tamper protection for security software, deploy modern attack detection systems, and monitor suspicious activity like unusual tasks in the Windows Task Scheduler or unexpected network connections.
Regular backups are important, too. These should be stored in a separate location from the PC, as only an independent data backup can help with recovery in the event of a genuine wiper attack.
By the way: If you’re using Windows 11 Home, you’re missing out on the many benefits of Windows 11 Pro. To learn more, see our comparison of Windows 11 Home and Pro. If you want to upgrade, snag it for cheap in the PCWorld Software Store: now just $59 instead of $99.
This article originally appeared on our sister publication PC-WELT and was translated and localized from German.