ProBackend
malware wiper threats
3 hours ago6 min read

GigaWiper: The Modular Malware Letting Attackers Choose Their Own Destruction Path

A sophisticated malware implant that blends persistent backdoor access with multiple destructive payloads, allowing attackers to choose when and how to wipe systems — flipping the traditional wiper model on its head.

The Wiper Inside the Backdoor

Here's something that should keep security teams up at night: GigaWiper is a modular malware family that's essentially a wiper hiding inside a backdoor. The threat actors behind it don't just blow up systems and run — they linger, reconnoiter, and pick the perfect moment to hit the delete button. It's destruction as an option rather than a default, and that shift makes GigaWiper one of the more unsettling developments in artificial intelligence cybersecurity threat research this year.

Traditional wipers are fire-and-forget weapons. You deploy them, they shred data, and that's it. No second chances for the attacker if things go sideways. GigaWiper flips that script entirely. The implant gives operators persistent remote access while carrying multiple destructive payloads in its toolkit. They can sit in your network for days, maybe weeks, gathering intelligence before deciding whether to strike at all.

The malware was first spotted in October 2025 during a wave of destructive wiper activity. Researchers initially wrote it off as just another Golang-based backdoor — until they noticed the destruction modules tacked onto what looked like a fairly standard remote access tool. That moment of misidentification tells you everything about how carefully this thing is built.

Source: Dark Reading

The Wiper Inside the Backdoor

How GigaWiper Actually Works

The command set alone is impressive from a malicious engineering standpoint. GigaWiper supports roughly 20 different commands covering remote shell execution, file management, process control, system reconnaissance, screenshot capture, and even hidden remote desktop sessions. That's not a backdoor — that's a full operational toolkit disguised as one.

What makes it particularly dangerous is the modularity. The destructive capabilities aren't hardcoded into a single payload. Instead, they're separate modules that can be loaded on demand. An operator who initially deployed GigaWiper for espionage purposes can later decide to pivot to destruction without needing a second-stage download or additional infrastructure. The wipe capability is already there, sitting in the wings.

The three destruction modules tell a story about how seriously these threat actors take their craft:

Raw disk wiper. This one goes straight for the hardware level, overwriting physical disks and obliterating partition information. You're not just losing files — you're losing the ability to even attempt recovery from the disk structure itself.

Fake ransomware based on Crucio. This is where things get genuinely cruel. The malware encrypts files using randomly generated keys that are then discarded. No ransom note asking for payment, no actual decryption key held back. It mimics ransomware behavior but offers zero path to recovery. You're paying the ransomware price — total data loss — without the (theoretical) option of buying your files back.

Multipass secure wiper derived from FlockWiper. This one repeatedly overwrites files using techniques designed specifically to defeat forensic recovery tools. It's the kind of module that says "we know you'll try to recover this, and we've already thought about that."

Each module serves a different operational need. The raw disk wiper is for when you want to make recovery impossible at the hardware level. The fake ransomware creates confusion and buys time while data disappears. The FlockWiper-based module is for when forensics teams are going to dig into the wreckage anyway.

How GigaWiper Actually Works

The RabbitMQ and Redis Command Infrastructure

Most malware command-and-control uses HTTP, DNS, or some variation of web traffic to stay hidden in plain sight. GigaWiper does something different — and honestly, it's cleverer than most C2 frameworks I've seen.

The command delivery layer runs on RabbitMQ, the AMQP message broker. Commands get pushed through message queues rather than traditional request-response patterns. Status updates and output tracking flow through Redis, the in-memory data store. Together they create a C2 infrastructure that doesn't look like malware traffic at all — it looks like legitimate enterprise messaging and caching.

This matters because most network detection tools are tuned to spot HTTP-based C2 beacons, DNS tunneling patterns, and other common command protocols. RabbitMQ and Redis traffic on non-standard ports is unusual in enterprise environments, but it doesn't trigger the same alarms as a suspicious HTTP POST to an unknown domain. You'd need to know what to look for specifically.

The choice of infrastructure also suggests threat actors with serious operational security instincts. RabbitMQ and Redis are legitimate enterprise tools. Deploying C2 on top of them means the malware blends into normal infrastructure traffic rather than standing out as anomalous.

For defenders, this creates a specific hunting challenge. You're not looking for malware signatures in web proxy logs — you're looking for RabbitMQ and Redis traffic where it shouldn't exist, on ports that don't match your documented infrastructure, communicating with systems you can't account for.

Attribution and the BlueRabbit Connection

Microsoft Threat Intelligence and Google's Threat Intelligence Group both track GigaWiper. Google actually calls it "BlueRabbit" — a name that references the RabbitMQ infrastructure underneath. Binary Defense observed BlueRabbit earlier and attributed it to an Iran-based threat actor, though Microsoft has stopped short of confirming that attribution publicly.

The naming discrepancy between organizations is worth noting. When Microsoft calls something GigaWiper and Google calls it BlueRabbit, it tells you these teams are looking at the same malware from different angles — one focused on the destructive capability, the other on the infrastructure fingerprint.

The Iran connection, if confirmed, places GigaWiper in a familiar geopolitical context. Iranian threat actors have been increasingly active with destructive wiper campaigns targeting critical infrastructure and energy sectors. GigaWiper's modular approach — espionage first, destruction when convenient — fits a pattern of state-aligned actors who want sustained access to targets while retaining the option for devastating strikes.

What's notable here is that Microsoft hasn't formally endorsed the attribution. That restraint matters in threat intelligence — it means defenders should treat the Iran connection as a strong indicator rather than established fact, while still adjusting their defensive posture accordingly.

Defending Against GigaWiper

Microsoft's recommendations for defending against this threat are practical and specific. The first line of defense is tenant-wide tamper protection to prevent attackers from disabling security services once they're inside. If GigaWiper can't turn off your defenses, it's significantly less dangerous.

The DisableLocalAdminMerge setting on Intune and Defender for Endpoint blocks GPO-based antivirus exclusions — a critical hardening step since attackers often try to exclude security tools from scanning once they've gained persistence.

Network-level controls matter too. Blocking direct access to known C2 infrastructure cuts off the command channel before operators can trigger destruction modules. And cloud-delivered protection with strict executable allowlisting means even if GigaWiper lands on a system, its modules have a harder time executing.

But the real defensive opportunity lies in pre-destruction detection. GigaWiper gives attackers time between initial access and destruction triggers. That window is where defenders can catch them. Hunt for RabbitMQ and Redis traffic on unexpected ports. Monitor for unusual process creation patterns around message brokers. Watch for systems that suddenly start behaving like C2 nodes rather than endpoints.

The artificial intelligence cybersecurity landscape keeps evolving, and GigaWiper represents exactly the kind of threat that rewards defenders who think beyond signature-based detection. This is infrastructure-aware, behavior-focused hunting — and it's the only approach that stands a chance against malware designed to look like your own systems.

More blogs