Microsoft uncovers GigaWiper, a backdoor designed for destruction on demand

Tags:

Microsoft is warning defenders about a new backdoor that blurs the line between espionage malware and wipers.

In a technical analysis published on Thursday, Microsoft Threat Intelligence detailed GigaWiper, a Golang-based implant first observed in October 2025 intrusions that combines remote administration capabilities with multiple disk-wiping and ransomware routines.

Rather than building a new destructive tool from scratch, the operators assembled GigaWiper from several existing malware families, embedding them as modular commands inside a single backdoor.

“GigaWiper is particularly notable for its makeup,” Microsoft researchers said. “The consolidation of multiple destructive capabilities into a modular backdoor reflects a notable shift in wiper malware, which are typically designed purely to destroy rather than to extort and carry real-world consequences.”

Malware capabilities of the backdoor included multiple disk wiping logics, an irreversible Crucio ransomware encryption, persistence, and RabbitMQ and Redis-based communication.

A backdoor for destruction on demand

According to Microsoft, GigaWiper exists in two forms. A standalone wiper and a larger backdoor whose command set embeds the standalone wiping functionality alongside numerous administrative features.

Written in Go, the malware supports 20 command codes that enable operators to execute PowerShell commands, manage Windows services and processes, manipulate the registry, capture screenshots, record displays, clear event logs, and remotely control infected systems through a Virtual Network Computing (VNC)-like capability.

Persistence is established through a scheduled task posing as a “OneDrive Update,” while command-and-control (C2) relies on RabbitMQ for receiving instructions and Redis for returning command output. This architecture allows attackers to quietly maintain access and selectively activate destructive functionality when an objective has been achieved, the researchers added.

The backdoor combines three malware families

Microsoft researchers found that GigaWiper integrates destructive code from multiple malware families instead of relying on a single wiping mechanism.

These integrations show up in the form of separate commands that the backdoor supports.

One command performs raw physical disk wiping by overwriting drives and removing partition metadata. Another borrows from the Crucio ransomware family, encrypting files with randomly generated keys that are intentionally never stored, making recovery impossible despite presenting itself like ransomware.

A third command recreates the functionality of FlockWiper, implementing secure multi-pass wiping in Go to permanently erase data on Windows systems.

“We tied GigaWiper to both Crucio and FlockWiper based on code analysis, shared execution flow, function naming, and unique strings,” the researchers said. “Crucio’s code was the base for GigaWiper command 3, and FlockWiper was re-coded in Golang and updated for GigaWiper command 12,” they noted, referring to the 20 listed commands the backdoor supports.

The standalone wiper was implemented as command 1 from the list.

Microsoft recommended hardening endpoints and identities, enabling behavioral detection and endpoint detection and response (EDR) capabilities, and using attack surface reduction controls to limit compromise risks.

The company also urged defenders to maintain offline or otherwise resilient backups, as destructive malware like GigaWiper is designed to irreversibly wipe or encrypt data. To support detection, the researchers shared a list of indicators of compromise (IOCs), which included FlockWiper and Crucio file hashes and a couple of C2 IP addresses.

Categories

No Responses

Leave a Reply

Your email address will not be published. Required fields are marked *