GigaWiper: Anatomy of a destructive backdoor assembled from multiple malware


In October 2025, Microsoft Threat Intelligence identified destructive wiping activity and uncovered a sophisticated Go programming language (Golang)-based backdoor we now track as GigaWiper, a versatile implant that combines robust command-and-control (C2) capabilities with multiple destructive payloads, including disk wiping, fake ransomware, and system-level sabotage.

GigaWiper is particularly notable for its makeup. It’s not a single, purpose-built tool, but an amalgamation of separate malware families that were folded into GigaWiper as on-demand backdoor commands, giving threat actors the flexibility to choose their mode of destruction.

Read more…
Source:  Microsoft


Sign up for the Cyber Security Review Newsletter
The latest cyber security news and insights delivered right to your inbox


Related:

  • Europol, Microsoft, TrendAI and Collaborators Halt Tycoon 2FA Operations

    March 4, 2026

    Researchers from TrendAI have been tracking the infrastructure, as well as the campaigns and operator behaviors that can be linked to Tycoon 2FA to build a clearer picture of how its services was being used at scale. By November 2025, TrendAI had collected enough data to link the operation to an actor using the monikers “SaaadFridi” ...

  • Google patches 129 Android security flaws — including a potentially dangerous Qualcomm zero-day

    March 3, 2026

    Google has released a new security update which fixed 129 vulnerabilities in the Android ecosystem, including 10 critical-severity bugs, and one high-severity issue apparently being exploited in the wild. In a security advisory, Google said that it fixed a buffer over-read vulnerability in the Graphics component (an open-source Qualcomm module). The bug, tracked as CVE-2026-21385, was ...

  • Coruna: The Mysterious Journey of a Powerful iOS Exploit Kit

    March 3, 2026

    Google Threat Intelligence Group (GTIG) has identified a new and powerful exploit kit targeting Apple iPhone models running iOS version 13.0 (released in September 2019) up to version 17.2.1 (released in December 2023). The exploit kit, named “Coruna” by its developers, contained five full iOS exploit chains and a total of 23 exploits. The core technical ...

  • Microsoft OAuth scams abuse redirects for malware delivery

    March 3, 2026

    Microsoft has warned organizations about ongoing OAuth abuse scams that use phishing emails and URL redirects to infect victims’ machines with malware and take over their devices. The phishing expedition targets government and public-sector organizations, according to a Monday report from Redmond’s security researchers. And while Microsoft Entra disabled the malicious OAuth applications, Microsoft’s infosec squad ...

  • Hacktivists may have just cracked open ICE and exposed over 6,000 companies working with the DHS

    March 3, 2026

    A hacktivist group has claimed to have broken into systems belonging to the US Department of Homeland Security (DHS) and exposed sensitive files online. The group, with the self-awarded name “The Department of Peace”, stole data from the Office of Industry Partnership that contained contracts between DHS, Immigration and Customs Enforcement (ICE), and over 6,000 private ...

  • Hacked traffic cams and hijacked TVs: How cyber operations supported the war against Iran

    March 3, 2026

    On Saturday, U.S. and Israeli jets began a bombing campaign against Iran, killing its supreme leader Ali Khamenei and several senior government officials. The attacks also hit military and civilian targets all across the country, including a girls’ school, where at least 168 children and adults were killed. After a few days of conflict, multiple reports, ...