A new multi-method malware called GigaWiper can obliterate a machine's data entirely — and it disguises itself as an OneDrive update to stay hidden.
Microsoft published an analysis of GigaWiper, which it links to components previously attributed to CyberAv3ngers, an Iranian group connected to the Islamic Revolutionary Guard Corps. The malware operates in three modes: it can overwrite the physical drive and erase the partition table, repeatedly overwrite the Windows partition with different data patterns, or encrypt files and slap a .candy extension on them while swapping the desktop wallpaper for a warning message. That third mode looks like ransomware but isn't — there is no ransom note and no decryption key, so paying would accomplish nothing. Files encrypted this way are simply gone. On top of destruction, GigaWiper spies: it grabs screenshots, records screens, opens VNC sessions for remote control, and harvests system data.
The fake-ransomware angle is worth noting separately from the destruction itself. It suggests the goal isn't money — it's confusion and delay. Victims who think they're dealing with ransomware may waste time negotiating or searching for a decryptor while the actual damage compounds. That psychological layer, layered on top of three independent wipe methods, points to an operator more interested in reliable destruction than a clean exit.
CyberAv3ngers has targeted industrial control systems before, most notably in attacks on water utilities in 2023. GigaWiper's espionage capabilities alongside its wipe functions suggest this campaign may focus on intelligence gathering first, with destruction available as a finishing move — a pattern more consistent with state-sponsored sabotage than opportunistic cybercrime.