Skip to main content
Emerging ThreatsMalware & Ransomware

Microsoft Uncovers GigaWiper Backdoor with Ransomware, Wiping Capabilities

System administrator working in server room with laptop displaying system interface.

“The consolidation of multiple destructive capabilities into a modular backdoor reflects a notable shift in wiper malware, which are typically designed purely to destroy rather than to extort and carry real-world consequences,” Microsoft Threat Intelligence wrote in a Thursday blog.

Microsoft Threat Intelligence and the discovery of GigaWiper

Redmond’s threat-hunting team first spotted the Golang-based implant last October and has since labeled it GigaWiper. Microsoft’s analysts describe two distinct GigaWiper sample types recovered from victim environments; both are unstripped portable executable files written in Go. Microsoft declined to answer The Register’s questions about the scale and scope of GigaWiper attacks.

Two sample types: raw disk overwrite versus modular backdoor

One sample is a standalone disk wiper that operates at the physical disk level. According to Microsoft, it overwrites raw disk content, removes partition metadata, and then forces a reboot using Windows shutdown functionality with restart and zero-delay—actions that render normal recovery paths ineffective.

The second sample retains the same low-level disk-wiping capability but packages it inside a broader backdoor with persistence and remote-control features. That combination converts a single binary into a toolkit that can both spy on and irreparably destroy hosts.

Command-and-control, persistence and modular commands

GigaWiper establishes command-and-control using RabbitMQ over AMQP to receive instructions and uses Redis to update command status and output. Microsoft’s write-up describes a command taxonomy within the backdoor: an "always run" category (used for continuous screen recording), "manage command" for system management, and distinct "special command" and "shell command" modes for other functions.

Those functions are broad and deliberate. GigaWiper can disable Windows recovery, trigger a blue screen of death and leave a device unable to boot; it can run PowerShell commands; take screenshots and screen recordings; collect system information; clear Windows event logs; and grant remote keyboard and mouse control. It can also use MinIO Client (mc) to exfiltrate stolen files to remote storage.

Destructive payloads: Crucio-derived encryption and irreversible wiping

Among the most consequential capabilities is a destructive command based largely on Crucio ransomware. Microsoft reports that this encryption routine uses randomly generated keys that are never saved, meaning encrypted files cannot be recovered. Separately, GigaWiper includes a bulk encrypt/decrypt command using AES-256 in Cipher Block Chaining (CBC) mode and a disk-level wipe that removes partition metadata—actions that, combined, sharply reduce standard recovery options.

Code lineage: merging at least three malware families

Microsoft’s analysts attribute GigaWiper’s composition to at least three previously separate malware families: Crucio ransomware, a Go reimplementation of FlockWiper, and a standalone disk wiper. As Redmond’s malware analysts put it, “Overall, these findings show the evolution of the actor’s tooling over time. Functionality was merged into a single robust backdoor, granting the actor more ways to control and destroy infected systems.”

What this means for technologists, affected enterprises, and adversaries

  • Technologists and security teams: watch for RabbitMQ/AMQP and Redis artifacts on compromised networks and recognize that a single binary may contain both remote-control telemetry and irreversible disk-overwrite routines.
  • Affected enterprises and procurement leaders: the combination of raw-disk overwrites, disabled Windows recovery, and unsavable encryption keys makes traditional post-incident recovery and decryption approaches ineffective unless offline backups and recovery infrastructure are already isolated and intact.
  • Adversaries and threat actors: the consolidation of separate malware capabilities into a modular backdoor demonstrates a toolset that can be flexibly applied for espionage, extortion-like encryption, or outright destruction—depending on the commands issued.

GigaWiper’s arrival, as Microsoft describes it, is notable not because it introduces a single novel trick but because it bundles multiple irreversible tricks into one remotely controlled package. The result, according to Redmond’s analysts, is a platform that expands the actor’s options for both control and destruction. Microsoft’s refusal to provide details on scale and scope leaves the question of how widely GigaWiper has been deployed open for now.

Read the original report: https://www.theregister.com/security/2026/07/10/destructive-windows-backdoor-stuffs-multiple-wipers-and-ransomware-code-into-a-single-package/5270053