// Security Guides
GigaWiper, OpenPLC, and Grid Relay Flaws: Defending Against July's Destructive Threat Wave
By NeoShield Security Team · Published 2026-07-10 · 5 min read
A new multi-stage Windows backdoor capable of irreversible disk destruction is making rounds alongside critical ICS vulnerabilities in OpenPLC and Schneider Electric power relays — here is what defenders need to prioritize today.
The most alarming development is the emergence of GigaWiper, a sophisticated Windows backdoor that blends full disk wiping, OS drive overwriting, and a fake ransomware facade into a single destructive package. What makes GigaWiper particularly dangerous is its deception layer — it presents itself as ransomware, complete with ransom messaging, but deliberately destroys files without ever saving decryption keys. There is no paying your way out. Any organization that treats a GigaWiper infection as a standard ransomware negotiation will lose critical recovery time. Defenders must immediately update their incident classification playbooks to flag any ransomware-presenting infection for destructive malware triage first. Indicators to watch for include rapid, sequential disk write activity across the OS volume, processes spawning with elevated privileges that touch raw disk handles, and ransom notes appearing alongside catastrophic file system changes. Endpoint detection rules should be tuned to alert on volume shadow copy deletion combined with low-level disk I/O from non-system processes.
GigaWiper also makes the case for backup integrity more urgent than ever. Offline or immutable backups are the single most effective control against a wiper. If your backup solution is network-attached and accessible from a compromised endpoint, GigaWiper can reach it. Organizations should audit backup reachability from standard user and admin contexts right now, enforce immutability policies on backup targets, and — critically — run a restoration drill before an incident forces the issue. A backup that has never been tested is a liability, not an asset.
Shifting to operational technology environments, CISA has flagged a critical vulnerability in OpenPLC v3, the widely used open-source programmable logic controller runtime. The flaw allows an authenticated attacker to write arbitrary files to the underlying filesystem and then leverage the platform's own program compilation process to escalate to arbitrary native code execution. Because OpenPLC runs in industrial and research environments that may bridge IT and OT networks, exploitation could provide a foothold into process control systems. Defenders running OpenPLC v3 should apply available patches immediately, restrict authentication to the smallest possible set of trusted accounts, and place the runtime behind network segmentation that prevents direct access from general enterprise networks. If patching cannot happen immediately, disabling remote access to the OpenPLC web interface and enforcing strict allowlisting of who can submit programs for compilation are meaningful interim controls.
Also flagged by CISA is a vulnerability in Schneider Electric Easergy MiCOM Px40 Series protection relays, devices deployed in medium, high, and extra-high voltage grid protection applications. Exploitation of this flaw could allow adversaries to disrupt or manipulate the protective relay functions that safeguard power transmission infrastructure. In practical terms, a compromised relay could fail to trip during a fault, or could be made to trip falsely, with consequences ranging from equipment damage to widespread outages. Organizations operating these devices should contact Schneider Electric for patch availability, isolate relay management interfaces from routable networks, and review access logs for any unexpected authentication attempts against relay management ports. Given the physical consequences of relay manipulation, this should be treated as a safety-critical issue, not just a cybersecurity one.
Underpinning all three of today's threats is the persistent reality that credential theft remains the most common initial access vector. GigaWiper infections, OpenPLC exploitation, and relay management access all become dramatically harder for attackers when strong authentication is enforced. Multi-factor authentication should be mandatory on every internet-facing management interface, every VPN, and every OT management console. Privileged accounts should be audited for password age and reuse, and session monitoring should be in place to detect anomalous login patterns.
Defensive priorities for today:
- Update incident response playbooks to classify wiper-presenting malware as destructive incidents immediately, bypassing standard ransomware negotiation workflows
- Verify that backup targets are immutable or offline and inaccessible from compromised endpoint contexts, then run a restoration test
- Patch or isolate OpenPLC v3 instances, restrict compilation access, and segment OT networks from enterprise IT
- Engage Schneider Electric support for MiCOM Px40 Series guidance and isolate relay management interfaces from routable networks
- Enforce MFA on all privileged and internet-facing access points and audit credential hygiene across OT and IT environments
- Tune EDR and SIEM rules to detect mass disk write activity, shadow copy deletion, and low-level disk handle access by non-system processes
This briefing is informational and intended to support your team's awareness — always consult official vendor advisories and CISA guidance for authoritative patch and mitigation details specific to your environment.
Related NeoShield tools
Related articles
SOC Console for Small Teams: How to Centralize Alerts, Logs, Incidents, and Response Without Enterprise Complexity
A SOC console helps teams organize security signals, investigate incidents, and respond faster. Learn what small teams actually…
Security GuidesPost-Quantum Cryptography Migration: What Small Teams Should Do Before Quantum Risk Becomes Urgent
Quantum computing may threaten today’s public-key cryptography in the future. Learn how small teams can start crypto inventory…
Security GuidesDevSecOps Security Gates: How to Stop Risky Code Before It Reaches Production
DevSecOps security gates help teams catch vulnerable dependencies, weak code, secrets, and misconfigurations earlier in the…
NeoShield Security publishes defensive cybersecurity guides for developers, small teams, SOC learners, and MSPs. AI-assisted content is reviewed for safety, defensive purpose, and practical security value.