{"id":8711,"date":"2026-07-10T08:56:31","date_gmt":"2026-07-10T08:56:31","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=8711"},"modified":"2026-07-10T08:56:31","modified_gmt":"2026-07-10T08:56:31","slug":"microsoft-uncovers-gigawiper-a-backdoor-designed-for-destruction-on-demand","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=8711","title":{"rendered":"Microsoft uncovers GigaWiper, a backdoor designed for destruction on demand"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Microsoft is warning defenders about a new backdoor that blurs the line between espionage malware and wipers.<\/p>\n<p>In a technical analysis published on Thursday, Microsoft Threat Intelligence detailed GigaWiper, a Golang-based implant first observed in October 2025 intrusions that combines remote administration capabilities with multiple disk-wiping and ransomware routines.<\/p>\n<p>Rather than building a new destructive tool from scratch, the operators assembled GigaWiper from several existing malware families, embedding them as modular commands inside a single backdoor.<\/p>\n<p>\u201cGigaWiper is particularly notable for its makeup,\u201d Microsoft researchers <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2026\/07\/09\/gigawiper-anatomy-of-a-destructive-backdoor-assembled-from-multiple-malware\/\" target=\"_blank\" rel=\"noopener\">said<\/a>. \u201cThe consolidation of multiple destructive capabilities into a modular backdoor reflects a notable shift in wiper malware, which are typically designed purely to destroy rather than to extort and carry real-world consequences.\u201d<\/p>\n<p>Malware capabilities of the backdoor included multiple disk wiping logics, an irreversible Crucio ransomware encryption, persistence, and RabbitMQ and Redis-based communication.<\/p>\n<h2 class=\"wp-block-heading\"><a><\/a>A backdoor for destruction on demand<\/h2>\n<p>According to Microsoft, GigaWiper exists in two forms. A standalone wiper and a larger backdoor whose command set embeds the standalone wiping functionality alongside numerous administrative features.<\/p>\n<p>Written in Go, the malware supports 20 command codes that enable operators to execute <a href=\"https:\/\/www.csoonline.com\/article\/4006326\/how-to-log-and-monitor-powershell-activity-for-suspicious-scripts-and-commands.html\">PowerShell <\/a>commands, manage Windows services and processes, manipulate the registry, capture screenshots, record displays, clear event logs, and remotely control infected systems through a Virtual Network Computing (<a href=\"https:\/\/www.csoonline.com\/article\/573427\/exposed-vnc-threatens-critical-infrastructure-as-attacks-spike.html\">VNC<\/a>)-like capability.<\/p>\n<p>Persistence is established through a scheduled task posing as a \u201cOneDrive Update,\u201d while command-and-control (C2) relies on <a href=\"https:\/\/www.csoonline.com\/article\/572033\/fbis-warning-about-iranian-firm-highlights-common-cyberattack-tactics.html?utm=hybrid_search#:~:text=RabbitMQ%20service%20on%20SolarWinds\">RabbitMQ<\/a> for receiving instructions and <a href=\"https:\/\/www.csoonline.com\/article\/1308535\/new-redis-attack-campaign-weakens-systems-before-deploying-cryptominer.html\">Redis <\/a>for returning command output. This architecture allows attackers to quietly maintain access and selectively activate destructive functionality when an objective has been achieved, the researchers added.<\/p>\n<h2 class=\"wp-block-heading\"><a><\/a>The backdoor combines three malware families<\/h2>\n<p>Microsoft researchers found that GigaWiper integrates destructive code from multiple malware families instead of relying on a single wiping mechanism.<\/p>\n<p>These integrations show up in the form of separate commands that the backdoor supports.<\/p>\n<p>One command performs raw physical disk wiping by overwriting drives and removing partition metadata. Another borrows from the Crucio ransomware family, encrypting files with randomly generated keys that are intentionally never stored, making recovery impossible despite presenting itself like ransomware.<\/p>\n<p>A third command recreates the functionality of FlockWiper, implementing secure multi-pass wiping in Go to permanently erase data on Windows systems.<\/p>\n<p>\u201cWe tied GigaWiper to both Crucio and FlockWiper based on code analysis, shared execution flow, function naming, and unique strings,\u201d the researchers said. \u201cCrucio\u2019s code was the base for GigaWiper command 3, and FlockWiper was re-coded in Golang and updated for GigaWiper command 12,\u201d they noted, referring to the 20 listed commands the backdoor supports.<\/p>\n<p>The standalone wiper was implemented as command 1 from the list.<\/p>\n<p>Microsoft recommended hardening endpoints and identities, enabling behavioral detection and endpoint detection and response (EDR) capabilities, and using attack surface reduction controls to limit compromise risks. <\/p>\n<p>The company also urged defenders to maintain offline or otherwise resilient backups, as destructive malware like GigaWiper is designed to irreversibly wipe or encrypt data. To support detection, the researchers shared a list of indicators of compromise (IOCs), which included FlockWiper and Crucio file hashes and a couple of C2 IP addresses.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Microsoft is warning defenders about a new backdoor that blurs the line between espionage malware and wipers. In a technical analysis published on Thursday, Microsoft Threat Intelligence detailed GigaWiper, a Golang-based implant first observed in October 2025 intrusions that combines remote administration capabilities with multiple disk-wiping and ransomware routines. Rather than building a new destructive [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":8712,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-8711","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/8711"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=8711"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/8711\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/8712"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=8711"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=8711"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=8711"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}