Microsoft details GigaWiper, a destructive backdoor built from multiple malware families

Microsoft details GigaWiper, a destructive backdoor built from multiple malware families

Microsoft says GigaWiper combines remote-control features with disk wiping, sabotage and unrecoverable file encryption.

Format News Brief
Read Time 2 min
Category Cyber Security
Updated Jul 11, 2026

Microsoft Threat Intelligence has published a technical analysis of GigaWiper, a destructive malware implant it says was first identified during wiping activity in October 2025. The July 9 report is notable because Microsoft describes the tool not as a one-off wiper, but as a modular backdoor that folds several destructive payloads into a single command platform.

According to Microsoft, GigaWiper is written in Go and can operate both as a standalone disk wiper and as a larger backdoor with command-and-control features. Its destructive options include overwriting raw disk content, removing partition metadata, forcing reboots, sabotaging boot files, and encrypting files with randomly generated keys that are not saved. That last behavior makes the ransomware-like component effectively unrecoverable rather than a conventional extortion tool.

Why it matters

The analysis points to a broader shift in destructive malware: attackers can now combine espionage, remote control, and multiple wiping modes in one implant. Microsoft says the backdoor communicates through RabbitMQ for commands and Redis for status updates, supports targeted command routing, and includes administrative functions such as process, service, registry, screenshot, screen-recording, and event-log-clearing capabilities.

Microsoft also links parts of GigaWiper to earlier malware families. One file-encryption command is assessed as heavily based on Crucio ransomware code, while another wiping command is described as a Go reimplementation of FlockWiper. Google Threat Intelligence Group and Binary Defense track the same activity as BLUERABBIT, Microsoft said.

Defensive takeaways

For defenders, the report is useful because it includes behavior details, indicators, and Microsoft Defender detection names. Microsoft recommends hardening endpoints against post-compromise destructive activity by enabling tamper protection, keeping cloud-delivered antivirus protection active, using endpoint detection and response in block mode, blocking known command-and-control infrastructure where possible, and enabling automated investigation and remediation. The central warning is that organizations should treat wipers as flexible platforms, not just final-stage tools that appear after an intrusion has already become obvious.

Sources

Cover photo by Tima Miroshnichenko on Pexels, used under the Pexels License.

Comments (0)

Leave a Comment

Loading comments...