Malik Haidar is a veteran of the cybersecurity trenches, known for bridging the gap between high-level business risk and the granular details of malware analysis. Having navigated the complex security landscapes of several multinational corporations, he brings a unique perspective on how modern threats evolve from simple tools into multi-functional weapons. Today, he discusses the emergence of GigaWiper, a sophisticated threat that signals a dangerous shift in the philosophy of cyber-sabotage, blending quiet espionage with total system-level destruction.
We are seeing a significant shift in how malware is constructed, particularly with GigaWiper’s modular approach. How does combining espionage backdoors with destructive wipers change the threat landscape for large organizations?
This modularity is a total game-changer because it strips away the predictability that security teams used to rely on when categorizing threats. Since it was first observed in October 2025, GigaWiper has shown that it is no longer just about simple data destruction; it offers a full suite of operational tools that allow an attacker to stay inside a network for over eight months. The consolidation of these capabilities means a threat actor can sit quietly using RabbitMQ and Redis for communication while they record screens or exfiltrate sensitive files. When they finally decide to pull the trigger, they have multiple paths to choose from, ranging from a simple Blue Screen of Death to a multi-pass wipe that clears every partition identified by the system.
The technical specifics of GigaWiper’s wiping process seem particularly aggressive, targeting physical disks rather than just files. Could you walk us through why this “physical level” approach is so devastating for an IT department?
When a piece of malware starts enumerating drives at the physical disk level using Windows Management Instrumentation, it is essentially going for the jugular of the organization’s infrastructure. GigaWiper specifically sniffs out the Windows partition, but its most destructive act is removing partition references from non-Windows drives and initiating multiple erase passes. For an IT team, this isn’t just a standard “restore from backup” situation; it is a nightmare scenario where the entire hardware configuration is effectively dissolved. The sheer finality of a multi-pass wipe leaves almost no room for forensic recovery, making the aftermath feel like a digital scorched-earth scenario where the system is forced into a reboot with nothing left to load.
GigaWiper includes capabilities for everything from screen recording to ransomware-style encryption. Why would a threat actor want a tool that can do both quiet espionage and loud destruction?
Flexibility is the ultimate weapon in a modern hacker’s arsenal, allowing them to adapt their mission as they learn more about the target’s environment. By integrating code from older malware families like FlockWiper—which we saw emerge in June 2025—the developers have created a Swiss Army knife for digital sabotage. One moment, they are silently taking screenshots and monitoring registry processes to gather corporate intelligence; the next, they can deploy random encryption keys that are never saved, making data recovery impossible even if the victim wants to pay. It allows the attacker to pivot based on the value of the datif the information is worth money, they steal it using the MinIO Client, and if they want to cause pure chaos, they trigger the wiper commands.
The connection between GigaWiper and previous strains like Crucio and FlockWiper suggests an evolving ecosystem of malware development. What does this “stitching together” of older code tell us about the current state of threat actors?
It shows us that threat actors are becoming master recyclers, porting successful functions into more modern languages like Go to enhance their performance and bypass older detection signatures. We noticed that the wiping function in GigaWiper is actually an identical port of the code used in FlockWiper back in June 2025. This isn’t a sign of laziness, but rather an efficient engineering strategy that lets them focus on adding sophisticated new features like remote control servers and automated log clearing. When you see code from the Crucio ransomware developer being folded into a destructive backdoor, you realize we are dealing with a professionalized development cycle where the “best-of” features are aggregated to maximize real-world consequences.
What is your forecast for the future of modular destructive malware?
I expect we will see a rapid proliferation of these “all-in-one” payloads that blur the lines between state-sponsored espionage and financially motivated extortion. As long as frameworks like RabbitMQ provide such stable command-and-control channels, attackers will continue to build deeper, more persistent backdoors that can pivot to total destruction in a matter of seconds. We are moving toward an era where the “wiper” isn’t the whole story, but rather the final act of a long-term breach that began months earlier. Organizations will need to move away from reactive security and focus on detecting these modular tools during their “quiet” phase before those final destructive commands are ever issued.

