VYPR
researchPublished Jul 9, 2026· 2 sources

GigaWiper Backdoor Merges Destructive Payloads for Enhanced Efficiency

Microsoft details GigaWiper, a sophisticated Golang backdoor that consolidates multiple destructive malware functionalities into a single implant, increasing threat actor efficiency.

Microsoft Threat Intelligence has identified a sophisticated Golang-based backdoor, dubbed GigaWiper, which represents a significant evolution in destructive malware. First observed in October 2025, GigaWiper is not a singular tool but an amalgamation of distinct malware families, integrated as on-demand commands within a robust backdoor framework. This modular approach grants threat actors the flexibility to deploy various destructive payloads, including disk wiping, ransomware-like encryption, and system sabotage, all from a single implant.

The consolidation of these capabilities into a unified platform highlights a trend among threat actors towards operational efficiency. Instead of managing and deploying multiple standalone tools, GigaWiper allows for a reduced deployment footprint while simultaneously expanding its destructive potential. This makes it a more versatile and potent threat compared to traditional, single-purpose wiper malware.

Analysis reveals that GigaWiper exists in two forms: standalone wiper binaries and larger binaries containing the backdoor functionality. Crucially, the code for the standalone wiper is fully embedded within the backdoor, accessible as a specific command. This means the backdoor can initiate destructive actions without needing to deploy a separate wiper executable.

The standalone wiper component operates at the physical disk level. It identifies and targets Windows installation drives, overwrites raw disk content, and removes partition metadata from other drives before forcing a system reboot. This method ensures data is irrecoverable by directly manipulating the disk's physical sectors and partition tables, bypassing file system-level deletions.

Beyond its wiping capabilities, the GigaWiper backdoor establishes persistence through registry keys and scheduled tasks, ensuring its continued presence on compromised systems. It communicates with command-and-control (C2) servers using RabbitMQ and Redis protocols. The backdoor also incorporates code from other malware families, including a destructive command derived from the Crucio ransomware, which encrypts files with unrecoverable keys, and a reimplementation of the FlockWiper malware for secure, multi-pass data destruction.

This integration of diverse destructive functions—disk wiping, unrecoverable file encryption, and secure data erasure—into a single, modular backdoor underscores a strategic shift by threat actors. They are prioritizing tools that offer versatility and efficiency, enabling them to adapt their attack methods and maximize impact with minimal operational overhead.

Microsoft is providing detailed code-level analysis of GigaWiper's architecture, along with specific Microsoft Defender detections and mitigation recommendations. This information is intended to help organizations and the broader security community understand and defend against GigaWiper and similar advanced destructive threats that combine backdoor functionality with potent wiping and encryption capabilities.

This new analysis from Microsoft provides further technical details on GigaWiper's origins, tracing its fake ransomware component back to the Crucio malware and its multi-pass wiper to FlockWiper, both previously linked to Iran-nexus groups. Additionally, the report highlights the discovery of a recurring tag, "GRAT," within FlockWiper's debug paths and GigaWiper's function names, suggesting a potential connection to an as-yet-undisclosed component and hinting at ongoing development of the malware platform.

Synthesized by Vypr AI