search

LEMON BLOG

Microsoft Uncovers GigaWiper Malware Combining Espionage, Fake Ransomware and Destructive Wiping

Microsoft has uncovered a dangerous new malware framework known as GigaWiper, a Golang-based backdoor designed to do far more than simply steal information or lock files. The malware combines remote access, surveillance, system management, fake ransomware and destructive disk-wiping capabilities within a single modular platform. This gives attackers the flexibility to observe a victim's environment quietly before deciding whether to steal information, maintain access or permanently destroy affected systems. 

Microsoft has linked components of the malware to CyberAv3ngers, an Iranian state-sponsored threat group previously associated with disruptive cyber operations. The discovery reflects a broader shift in advanced attacks, where espionage tools and destructive payloads are increasingly packaged together instead of being deployed as separate malware families.

More Than a Traditional Wiper

Traditional wiper malware is usually designed with one main goal: destroy data and make affected systems unusable.

GigaWiper takes a more flexible approach. Before launching a destructive attack, operators can use the malware as a persistent backdoor to explore the environment, monitor users, execute commands and remotely control compromised machines.

This allows attackers to remain inside a network while deciding which action best supports their campaign. They may collect intelligence quietly, deploy fake ransomware to create confusion or activate wiping commands when they want to cause maximum operational damage.

That combination makes GigaWiper particularly concerning. A system that appears to be suffering from ransomware may actually have been deliberately destroyed, with no genuine recovery mechanism available.

How GigaWiper Communicates With Its Operators

GigaWiper is written in Go, also known as Golang, a programming language increasingly used by both legitimate software developers and malware authors.

Go allows applications to be compiled into portable executables and makes it easier to develop modular tools that can operate across different environments. Malware written in Go can also become relatively large and complex, which may complicate analysis and detection.

The malware uses two different technologies for command-and-control communication:

This architecture allows the malware to receive commands and return collected information through separate communication channels. It also reflects a more structured design than a basic one-purpose malware implant.

Disguising Itself as a OneDrive Update

Once deployed, GigaWiper attempts to remain active by creating a scheduled task called "OneDrive Update."

The name is deliberately chosen to resemble a legitimate Microsoft service. In a busy Windows environment, a scheduled task referring to OneDrive may not immediately attract attention unless administrators inspect its executable path and behaviour.

The malware also stores execution-related information inside a registry location disguised as OneDrive\Environment. These techniques help it blend into normal Windows activity and reduce the likelihood that an administrator will recognise the persistence mechanism at first glance.

This highlights why defenders should not judge a scheduled task or registry entry only by its name. Attackers frequently copy familiar product names to make malicious components appear legitimate.

A Wide Range of Remote-Control Capabilities

GigaWiper gives its operators extensive control over compromised Windows systems.

Its supported functions include:

An integrated VNC component can provide the attacker with interactive remote access to the victim's desktop. This allows the operator to view and control the system much like a legitimate remote-support technician.

The ability to manage processes, services and registry entries also means the malware can be used for ongoing system administration from the attacker's perspective. Operators may stop security tools, change configurations or prepare the environment for additional payloads.

Screen Monitoring Creates an Espionage Risk

GigaWiper is not limited to destructive activity. Its screen-capture and recording functions can support prolonged surveillance.

Attackers may use these capabilities to observe:

Continuous screen recording can expose information that may not be stored in an easily accessible file. For example, an attacker could observe confidential data displayed inside a business application or watch an administrator enter commands during a support session.

This makes the malware suitable for intelligence collection before any destructive phase begins.

Fake Ransomware With No Real Recovery Option

One of GigaWiper's most troubling functions behaves like ransomware but does not appear to be designed for genuine recovery.

The malware can encrypt files using randomly generated encryption keys that are never stored. Because the keys are discarded, the affected files cannot realistically be decrypted later, even if a ransom demand is displayed.

This is better understood as destructive encryption rather than conventional ransomware.

Traditional financially motivated ransomware groups usually preserve a decryption key because they want victims to pay. In contrast, fake ransomware may use the appearance of financial extortion to conceal the true objective: permanently destroying data and disrupting operations.

A ransom note can also mislead incident responders, delaying recognition that the event is actually a wiper attack.

Multiple Methods of Permanently Destroying Systems

GigaWiper contains several destructive options.

Depending on the command issued by the operator, it may: 

Removing partition metadata can prevent the operating system from locating files and volumes correctly. Directly overwriting physical disks can destroy both the data and the structures needed to recover it.

Repeated overwriting further reduces the possibility of forensic recovery. Once these commands are executed successfully, rebuilding from trusted backups may be the only practical restoration method.

A Modular Combination of Earlier Malware Components

Microsoft found that GigaWiper combines capabilities associated with previously identified malware families, including Crucio ransomware and FlockWiper.

Instead of requiring attackers to deploy separate tools for surveillance, remote control and destruction, the framework brings these functions together inside one implant.

This modular design allows operators to activate only the capabilities needed for a particular campaign.

For example, an attacker may initially use the malware for reconnaissance and screen monitoring. Destructive commands could remain inactive until the operator decides that intelligence collection is complete or that disruption has become the primary objective.

How a GigaWiper Attack May Unfold

The observed attack sequence begins after the attacker has already compromised the target environment.

GigaWiper is then deployed and establishes persistence through scheduled tasks and registry changes. It connects to attacker-controlled infrastructure to receive further instructions.

From there, operators may perform reconnaissance, monitor screens, remotely control systems and collect credentials. The final stage depends on the campaign's goal. The attacker may continue espionage activity or trigger wiping and fake-ransomware functions to destroy the environment.

A simplified attack sequence may look like this:

The malware's flexibility means defenders may not immediately know whether an intrusion is intended for espionage, disruption or both.

Why GigaWiper Is Particularly Dangerous

Several characteristics make the malware especially serious.

It combines multiple destructive techniques within a single framework, including disk wiping, unrecoverable encryption and system sabotage. At the same time, it supports surveillance, remote access and reconnaissance.

Its modular design allows operators to choose commands based on changing objectives, while legitimate-looking persistence names help it remain hidden.

The suspected connection to a state-sponsored group also raises the possibility that attacks may be driven by strategic or disruptive objectives rather than financial gain alone.

This distinction matters because paying a ransom may not be relevant when the attacker's actual purpose is permanent destruction.

Which Systems Are at Risk?

GigaWiper targets Microsoft Windows systems.

Any organisation whose environment is compromised by the associated attackers may be exposed, particularly enterprises where threat actors can deploy the malware across multiple servers or workstations.

The risk becomes more serious when attackers obtain administrative privileges, because these permissions may allow them to disable security controls, create scheduled tasks and execute destructive commands across important systems.

Environments with flat networks, excessive administrative access or weak endpoint monitoring may face greater difficulty containing the malware before it spreads.

Endpoint Detection Must Look for Destructive Behaviour

Organisations should deploy and maintain Endpoint Detection and Response solutions capable of identifying unusual system behaviour.

Detection should not depend solely on recognising a known GigaWiper file. Security teams should monitor for suspicious actions such as:

These behaviours may reveal an attack even when the malware sample has been modified or its filename has changed.

Restrict Administrative Privileges

GigaWiper's most damaging capabilities are easier to execute when the attacker has administrative access.

Organisations should therefore apply the principle of least privilege, ensuring users and service accounts receive only the permissions required for their roles.

Administrative accounts should not be used for everyday activities such as email, web browsing or routine document work. Privileged access should be separated, monitored and protected with multi-factor authentication.

Reducing unnecessary administrative rights can limit an attacker's ability to deploy malware widely or issue destructive commands across the environment.

Protect Backups From the Compromised Network

Regular backups remain one of the most important defences against destructive malware, but ordinary connected backups may not be enough.

If backup storage is continuously accessible from the production network, an attacker with administrative privileges may delete or encrypt it before activating the wiper.

Organisations should maintain:

Microsoft's guidance emphasises offline and immutable backups because they provide a recovery path even when production systems have been permanently damaged.

A backup should not be considered reliable merely because the job completed successfully. Organisations must also prove that the data can be restored within an acceptable period.

Block Known Indicators but Do Not Rely on Them Alone

The advisory includes known command-and-control addresses and malware hashes associated with the campaign.

These indicators can be added to perimeter firewalls, web proxies, DNS filters, EDR platforms and threat-monitoring systems. The indicator table appears on page four of the advisory and includes two command-and-control IP addresses together with several SHA-256 malware hashes.

Blocking known indicators can help prevent communication with identified attacker infrastructure. However, threat actors may change servers, domains or malware samples at any time.

For that reason, indicators of compromise should support—not replace—behavioural monitoring and incident investigation.

Deleting Event Logs Should Trigger Immediate Attention

GigaWiper can delete Windows event logs to remove forensic evidence.

Log deletion is often a strong warning sign because legitimate applications rarely need to erase security records unexpectedly. Alerts should be generated when event logs are cleared, especially on servers or administrative workstations.

Where possible, important logs should be forwarded in real time to a central platform. This prevents attackers from removing every copy by deleting records from the compromised endpoint.

Centralised logging can also help investigators reconstruct the sequence of activity after a destructive incident.

Organisations Need a Destructive-Malware Response Plan

A conventional malware response may focus on isolating an infected computer and removing the malicious file.

A wiper incident requires a broader business-continuity response because affected systems may be permanently lost.

The response plan should address:

Incident-response teams should also be prepared for mixed behaviour. An attacker may conduct espionage for weeks before launching the destructive stage.

Final Thoughts

GigaWiper represents a serious evolution in destructive malware because it combines intelligence gathering, remote access, surveillance, fake ransomware and permanent wiping inside a single modular backdoor.

The malware can quietly monitor an organisation before switching to destructive operations, giving attackers significant control over when and how damage occurs. Its ransomware-like behaviour may also create false expectations that encrypted files can be recovered through payment, even though the encryption keys are never retained.

Organisations should respond by strengthening endpoint monitoring, restricting administrative access, protecting backups and watching for suspicious persistence, remote-control and log-deletion activity.

Most importantly, destructive malware must be treated as both a cybersecurity incident and a business-continuity crisis. When attackers can erase systems rather than merely encrypt them, tested recovery procedures become just as important as prevention.

ServiceNow Fixes Security Flaw Exploited to Access...
AI-Generated PowerShell Scripts Are Making Active ...

Related Posts

 

Comments

No comments made yet. Be the first to submit a comment
Thursday, 16 July 2026

Captcha Image

LEMON VIDEO CHANNELS

Step into a world where web design & development, gaming & retro gaming, and guitar covers & shredding collide! Whether you're looking for expert web development insights, nostalgic arcade action, or electrifying guitar solos, this is the place for you. Now also featuring content on TikTok, we’re bringing creativity, music, and tech straight to your screen. Subscribe and join the ride—because the future is bold, fun, and full of possibilities!

My TikTok Video Collection