- Microsoft warns of “GigaWiper,” a destructive malware attributed to the Iranian group CyberAv3ngers that combines several variants into one
- It can erase drives, encrypt files with a fake ransomware extension or overwrite Windows partitions, while also spying via screenshots, VNC sessions and system data theft
- The malware hides under fake OneDrive tasks and registry keys and displays both spying and sabotage capabilities with no recovery path for victims’ data
Microsoft is warning about a new piece of malware called GigaWiper, which can spy on people’s computers and then completely destroy them in various ways.
It was built by mixing different malware variants into one, and appears to be the work of Iranian state-sponsored threat actors called CyberAv3ngers. The hackers also took a cheeky dig at Microsoft through the malware’s obfuscation mechanism.
As Microsoft explained, GigaWiper can overwrite the physical drive and erase the partition table, destroying the contents of the disk directly. It can also encrypt all files on the drive, add a .candy extension and change the desktop background to display a warning. This ransomware approach doesn’t share a ransom note or generate a decryption key, so there’s nothing to pay and no way to decrypt the files – they’re gone forever, just giving victims false hope.
Spying on the victims
Finally, the third method goes directly to the Windows drive and overwrites it several times with different data patterns.
Besides bricking the disk, GigaWiper can also spy on its victims by taking screenshots, recording the screen or opening a VNC session to either stream someone else’s work or allow the attackers to use the mouse and keyboard. The malware can also extract system data, manage programs and services, modify the registry and more.
But the cheekiest feature is how it hides. It schedules a task called OneDrive Update and tracks itself in a registry key called OneDriveEnvironment. Perhaps the attackers assumed that no one was really paying attention to OneDrive, and thus the malware could remain out of sight for longer.
Speaking of the attackers, Microsoft isn’t naming them, but most of the components meshed together to form GigaWiper were previously attributed to the CyberAv3ngers, a group linked to Iran’s Islamic Revolutionary Guard Corps.

The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews and opinions in your feeds.



