Microsoft has disclosed information regarding a newly identified malicious program known as “GigaWiper”, which enables threat actors to remotely control computers running the Windows operating system and irreversibly destroy data stored on affected systems.
Once installed, the malware establishes persistence by creating a scheduled task disguised as “OneDrive Update”. The task is executed when the system starts and subsequently runs once every minute. “GigaWiper” receives commands from its operators through RabbitMQ servers and transmits the results of executed operations via Redis infrastructure.
According to Microsoft, the malware incorporates several destructive capabilities. One of these functions removes disk partition information, overwrites data stored on physical drives, and forces the affected computer to restart. Another function specifically targets the drive on which the Windows operating system is installed and irreversibly erases its contents.
The malware can also encrypt files and append the “.candy” extension to their filenames. However, because the encryption keys are generated randomly and are not stored, recovery of the affected data is not possible.
“GigaWiper” supports a total of 20 distinct command codes. These commands allow its operators to execute PowerShell instructions, collect information about the computer and installed antivirus solutions and manage running processes and Windows services.
The malware is also capable of modifying the Windows Registry, capturing screenshots, recording activity displayed on connected monitors, clearing Windows event logs and uploading files to remote servers. In addition, a remote-access capability similar to VNC allows operators to monitor the screen of an infected computer and control the system using keyboard and mouse input. To establish this connection, the malware modifies Windows Firewall rules to permit remote access.
Microsoft stated that “GigaWiper” may remain active on a compromised computer for an extended period and be used for surveillance and remote administration before its destructive functions are activated.
Microsoft Defender includes detection capabilities for “GigaWiper” and its associated components. The company recommends that organizations enable Tamper Protection, cloud-delivered antivirus protection and endpoint detection and response capabilities in block mode.
© 2011-2026 All rights reserved