GigaWiper Raises the Stakes With Modular Destructive Malware
What happened
Microsoft Threat Intelligence (MTI) has uncovered a new malware strain called GigaWiper, a modular implant that combines backdoor functionality with multiple destructive capabilities. Initially identified during destructive activity in October 2025, researchers first believed it was a Golang-based backdoor. Further analysis revealed it was far more sophisticated, allowing attackers to maintain access to compromised environments before deciding how to disrupt them.
Unlike traditional wiper malware, GigaWiper gives threat actors the flexibility to execute destructive actions only when they choose. The malware supports around 20 commands, including remote shell execution, file management, reconnaissance, screenshot capture, and hidden remote desktop sessions. Once attackers have gathered enough intelligence, they can deploy one of several destructive modules.
Microsoft identified three primary payloads: a raw disk wiper that destroys partition data, a fake ransomware module derived from the Crucio ransomware family that encrypts files with unrecoverable keys, and a secure file wiper based on FlockWiper that repeatedly overwrites files to prevent forensic recovery. Microsoft noted that Google Threat Intelligence Group tracks the malware as BlueRabbit, while Binary Defense previously linked BlueRabbit to an Iran-based threat actor. Microsoft has not attributed GigaWiper to any specific group.
Who is affected
Any organization targeted by advanced threat actors could be at risk, particularly those operating critical infrastructure or other high-value environments. Because GigaWiper allows attackers to remain inside networks for extended periods before launching destructive actions, organizations with weak monitoring or insufficient endpoint visibility may be especially vulnerable.
The malware’s use of RabbitMQ and Redis for command-and-control communications also highlights how attackers are adopting less conventional techniques to evade detection.
Why CISOs should care
Security experts warn that GigaWiper represents a shift in destructive malware. Rather than immediately wiping systems, attackers can quietly perform reconnaissance, move laterally, and prepare their attack before activating destructive payloads.
Denis Calderone, CTO at Suzu Labs, described traditional wipers as “fire-and-forget,” while GigaWiper makes destruction optional until the attacker decides the timing is right. Boris Cipot, Principal Security Engineer at Black Duck, noted that defenders must focus on identifying early signs of compromise instead of waiting for the destructive phase.
For CISOs, this reinforces the importance of detecting attacker activity well before business-critical systems are impacted.
3 practical actions
Monitor for unusual RabbitMQ and Redis communications, especially on unexpected ports.
Enable tamper protection, cloud-delivered security features, and application control to reduce attacker persistence.
Hunt proactively for reconnaissance and lateral movement activity instead of focusing only on destructive malware execution.


