Microsoft: GigaWiper: Anatomy of a destructive backdoor assembled from multiple malware

Microsoft: GigaWiper: Anatomy of a destructive backdoor assembled from multiple malware

GigaWiper: A Modular Backdoor with Destructive Capabilities Emerges in 2025

In October 2025, Microsoft Threat Intelligence uncovered GigaWiper, a sophisticated Golang-based backdoor that integrates multiple destructive payloads into a single, modular implant. Unlike traditional wipers designed solely for data destruction GigaWiper combines disk wiping, fake ransomware, and system sabotage with robust command-and-control (C2) functionality, offering threat actors unprecedented flexibility in their attacks.

Key Features of GigaWiper

GigaWiper is not a standalone tool but an amalgamation of at least three distinct malware families, repurposed as on-demand commands within a unified backdoor. Its destructive capabilities include:

  1. Physical Disk Wiping

    • Operates at the raw disk level, overwriting partition metadata and disk content.
    • Uses multi-pass secure wiping (zeros, 0xFF, random bytes) to evade detection.
    • Targets all drives except the Windows installation disk (unless specified).
  2. Fake Ransomware (Crucio-Based)

    • Encrypts files with randomly generated AES keys that are never saved, making decryption impossible.
    • Drops a hard-coded wallpaper (image_danger.jpg) but no ransom note, confirming its true intent is destruction, not extortion.
    • Excludes critical system files (.exe, .dll) to ensure the system remains bootable until further sabotage.
  3. System-Level Sabotage

    • Triggers Blue Screen of Death (BSOD) by corrupting boot and kernel files.
    • Clears Windows event logs, including Security logs, to erase forensic evidence.
    • Disables recovery options, preventing system restoration.

Backdoor Functionality & Persistence

Beyond destruction, GigaWiper functions as a full-featured backdoor, enabling:

  • Persistence via Scheduled Tasks

    • Creates a task named "OneDrive Update" that runs every minute and on startup.
    • Uses a registry key (HKCU\SOFTWARE\OneDrive\Environment) to track execution count.
  • Dual C2 Communication Channels

    • RabbitMQ (AMQP) for receiving commands.
    • Redis for uploading command outputs and status updates.
    • Hard-coded C2 servers (e.g., 185.182.193[.]21:5544) with AES-encrypted configurations.
  • 20+ Command Capabilities
    GigaWiper supports a wide range of operations, including:

    • File encryption/decryption (AES-256-CBC, with optional key storage).
    • Screen capture & recording (saves to C:\ProgramData\output).
    • Process & service management (kill, suspend, resume, list).
    • Registry manipulation (interactive session-like control).
    • Remote VNC-like control (TCP-based keyboard/mouse input and screen streaming).
    • MinIO file exfiltration (uploads files to attacker-controlled storage).

Origins & Code Reuse

Microsoft’s analysis reveals GigaWiper’s modular design stems from the reimplementation of older malware families:

  • Command 3 (Fake Ransomware) derives from Crucio ransomware (CISA-documented in 2023).
  • Command 12 (Secure Wiping) is a Golang port of FlockWiper, a C-based wiper first seen in June 2025.
  • "GRAT" references in FlockWiper’s PDB paths (A:\GRAT\CWipeNew\Release\CWipeNew.pdb) and GigaWiper’s function names suggest a shared development framework.

Impact & Evolution of Wiper Malware

GigaWiper represents a significant shift in wiper malware, moving from single-purpose destruction tools to multi-functional backdoors that enable:

  • Espionage (screen recording, keylogging, data exfiltration).
  • Lateral movement (process/service manipulation, registry control).
  • On-demand destruction (wiping, BSOD, fake ransomware).

Its modular architecture reduces the attacker’s deployment footprint while expanding destructive potential, making it a highly efficient tool for both cybercrime and nation-state actors.

Indicators of Compromise (IOCs)

Microsoft has released the following SHA-256 hashes and C2 IPs for detection:

  • GigaWiper Backdoor:
    • 633d4cbd496b1094495da89a64f5e6c31a0f6d4d1488411db5b0cba1cfe42001
    • ce9ad5f6c12019f4aae5b189bd8ddf5bb09e75b06a0a587b25a855c65948c913
  • Standalone Wiper:
    • 3c30deb6556a94cfb84ae51798f4aecfae8c7358e55fdb321c5f2376579631cd
  • Crucio Ransomware:
    • 440b5385d3838e3f6bc21220caa83b65cd5f3618daea676f271c3671650ce9a3
  • FlockWiper:
    • 12c39f052f030a77c0cd531df86ad3477f46d1287b8b98b625d1dcf89385d721
  • C2 Infrastructure:
    • 185.182.193[.]21 (RabbitMQ/Redis)
    • 212.8.248[.]104

GigaWiper underscores the growing convergence of espionage and destructive malware, where backdoors are no longer just for surveillance but also for maximizing operational impact whether through data theft, system disruption, or irreversible destruction.

Source: https://www.microsoft.com/en-us/security/blog/2026/07/09/gigawiper-anatomy-of-a-destructive-backdoor-assembled-from-multiple-malware/

Microsoft TPRM report: https://www.rankiteo.com/company/microsoft-threat-intelligence

"id": "mic1783680524",
"linkid": "microsoft-threat-intelligence",
"type": "Cyber Attack",
"date": "7/2026",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'type': 'Multiple (potential targets)'}],
 'attack_vector': 'Modular backdoor with C2 communication (RabbitMQ/Redis)',
 'data_breach': {'data_encryption': True,
                 'data_exfiltration': True,
                 'file_types_exposed': ['AES-encrypted files',
                                        'System logs',
                                        'Screen recordings'],
                 'sensitivity_of_data': 'High (potential PII, operational '
                                        'data)',
                 'type_of_data_compromised': ['Screen captures',
                                              'Process/service data',
                                              'Registry data',
                                              'File exfiltration via MinIO']},
 'date_detected': '2025-10',
 'date_publicly_disclosed': '2025-10',
 'description': 'In October 2025, Microsoft Threat Intelligence uncovered '
                'GigaWiper, a sophisticated Golang-based backdoor that '
                'integrates multiple destructive payloads into a single, '
                'modular implant. GigaWiper combines disk wiping, fake '
                'ransomware, and system sabotage with robust '
                'command-and-control (C2) functionality, offering threat '
                'actors unprecedented flexibility in their attacks.',
 'impact': {'data_compromised': True,
            'downtime': 'Irreversible system disruption (BSOD, disk wiping)',
            'operational_impact': 'Permanent data loss, system inoperability',
            'systems_affected': ['Windows systems']},
 'investigation_status': 'Ongoing',
 'lessons_learned': 'GigaWiper represents a shift from single-purpose wipers '
                    'to multi-functional backdoors, enabling espionage, '
                    'lateral movement, and on-demand destruction. Its modular '
                    'architecture reduces deployment footprint while expanding '
                    'destructive potential.',
 'motivation': ['Data Destruction', 'Espionage', 'System Sabotage'],
 'post_incident_analysis': {'corrective_actions': ['Patch systems against '
                                                   'known vulnerabilities '
                                                   'exploited by similar '
                                                   'malware',
                                                   'Isolate critical systems '
                                                   'to limit lateral movement',
                                                   'Deploy endpoint detection '
                                                   'for Golang-based malware'],
                            'root_causes': 'Modular malware design repurposing '
                                           'older wiper/ransomware families '
                                           '(Crucio, FlockWiper)'},
 'ransomware': {'data_encryption': True,
                'data_exfiltration': True,
                'ransomware_strain': 'Fake ransomware (Crucio-based)'},
 'recommendations': ['Monitor for IOCs (SHA-256 hashes, C2 IPs)',
                     'Enhance detection for dual C2 communication channels '
                     '(RabbitMQ/Redis)',
                     'Implement forensic readiness for disk-wiping attacks',
                     'Review scheduled tasks and registry keys for persistence '
                     'mechanisms'],
 'references': [{'date_accessed': '2025-10',
                 'source': 'Microsoft Threat Intelligence'}],
 'response': {'third_party_assistance': 'Microsoft Threat Intelligence'},
 'title': 'GigaWiper: A Modular Backdoor with Destructive Capabilities Emerges '
          'in 2025',
 'type': ['Backdoor', 'Wiper', 'Fake Ransomware']}
Great! Next, complete checkout for full access to Rankiteo Blog.
Welcome back! You've successfully signed in.
You've successfully subscribed to Rankiteo Blog.
Success! Your account is fully activated, you now have access to all content.
Success! Your billing info has been updated.
Your billing was not updated.