A newly discovered piece of malware, known as GigaWiper, has been found to not only spy on data but also render entire systems unusable. This malware combines several destructive functions with a powerful backdoor for attackers, making it a significant threat to computer systems. GigaWiper was first detected in October 2025, and a recent analysis has revealed the full extent of its capabilities. The malware is also being tracked by other security researchers under the name BlueRabbit.
GigaWiper is a highly destructive malware that can wipe hard drives and irretrievably destroy data. It overwrites hard drives at a low level, directly accessing the physical drives and removing partition entries and overwriting the contents of storage media. This makes it difficult to recover data, and the computer restarts after the destructive operation is complete. The data that was once stored on the computer is then no longer accessible.
In addition to its data-wiping capabilities, GigaWiper also masquerades as ransomware, encrypting files and appending the .candy extension to them. However, this is not a classic extortion attack, as the decryption keys are generated at random and not stored, making recovery technically impossible. The malware also overwrites the Windows system drive multiple times with various data patterns, making recovery even more difficult.
GigaWiper is more than just a data wiper; it is also a backdoor that allows attackers to gain permanent access to infected systems. The malware can take screenshots, record the screen, enable remote control functions, collect system information, manage processes and Windows services, modify the Windows Registry, and delete event logs to cover their tracks. This allows attackers to gather information about a system or take control of it before triggering its destructive activity.
The malware sets up a scheduled task in the Windows Task Scheduler to ensure it remains on affected computers for as long as possible. This task is disguised as a legitimate OneDrive update, making it easy to overlook. GigaWiper also uses RabbitMQ and Redis to communicate with command-and-control servers, making the connections harder to detect in corporate networks where these services are already in use.
GigaWiper's structure is distinctive, as it combines malicious code from several malware families. The attackers have integrated functions from older malware strains, such as Crucio and FlockWiper, into a new backdoor developed in the Go programming language. This allows attackers to decide whether to take control of systems, manipulate data, and/or trigger complete destruction.
Currently, GigaWiper is primarily used for targeted attacks against organizations and corporations. There is no evidence of widespread distribution among home Windows users. However, traditional security measures remain crucial, such as keeping Windows and security software up to date and never opening unsolicited attachments or apps. Businesses should also enable protective features, deploy modern attack detection systems, and monitor suspicious activity.
Regular backups are also important, and they should be stored in a separate location from the computer. This is because only an independent data backup can help with recovery in the event of a genuine wiper attack. By taking these precautions, individuals and organizations can reduce the risk of falling victim to GigaWiper and other types of malware.





