[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fPV0_JJr6EzKh_d2d14TYTboNGSmz7Wb2GFl8kYbhpTQ":3},{"article":4,"iocs":52},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":34,"category":35,"article_tags":39},"c0c43d0b-53bf-4b77-ae35-649c121d6a9c","GigaWiper: Anatomy of a destructive backdoor assembled from multiple malware","gigawiper-anatomy-of-a-destructive-backdoor-assembled-from-multiple-malware-ad8cf5","GigaWiper is a destructive backdoor that combines multiple wiping and ransomware-like capabilities into a single operational platform. This blog analyzes how the malware incorporates code from several previously separate malware families and provides guidance to help defenders detect and defend against similar threats. The post GigaWiper: Anatomy of a destructive backdoor assembled from multiple malware appeared first on Microsoft Security Blog.","Microsoft Threat Intelligence uncovered GigaWiper in October 2025, a modular Golang-based backdoor that consolidates multiple destructive malware families into a single platform. The malware combines disk wiping capabilities, fake ransomware encryption derived from Crucio, and FlockWiper-based secure wiping logic into flexible on-demand commands. GigaWiper represents a shift in wiper malware toward operational efficiency, merging standalone tools to reduce deployment footprint while expanding destructive capabilities.","Microsoft identifies GigaWiper, a sophisticated Golang backdoor combining disk wiping, ransomware, and destructive","Share Link copied to clipboard! TagsMalwareThreats intelligenceCyberattacker techniques, tools, and infrastructureContent typesResearchProducts and servicesMicrosoft DefenderMicrosoft Defender for EndpointTopicsThreat intelligence In October 2025, Microsoft Threat Intelligence identified destructive wiping activity and uncovered a sophisticated Go programming language (Golang)-based backdoor we now track as GigaWiper, a versatile implant that combines robust command-and-control (C2) capabilities with multiple destructive payloads, including disk wiping, fake ransomware, and system-level sabotage. GigaWiper is particularly notable for its makeup. It’s not a single, purpose-built tool, but an amalgamation of separate malware families that were folded into GigaWiper as on-demand backdoor commands, giving threat actors the flexibility to choose their mode of destruction: A standalone wiper that operates at the physical disk level, overwriting raw disk content and removing partition metadata. A destructive command that derives from Crucio ransomware and encrypts files with randomly generated keys that are never saved, making decryption impossible. A wiping command that reimplements the logic of FlockWiper, a C-based malware reimplemented in Golang with additional multi-pass secure wiping. The consolidation of multiple destructive capabilities into a modular backdoor reflects a notable shift in wiper malware, which are typically designed purely to destroy rather than to extort and carry real-world consequences. GigaWiper exemplifies threat actors investing in operational efficiency, merging standalone tools into unified platforms that reduce their deployment footprint while expanding their destructive capabilities. In this blog, we provide a code-level analysis of GigaWiper’s architecture. We’re sharing these findings, along with Microsoft Defender detections and mitigation recommendations, to enable organizations and the security community to investigate and defend against GigaWiper and similar destructive threats. A wiper inside a backdoor Beginning in October 2025, Microsoft Threat Intelligence started observing compromised environments being wiped with destructive tooling. Looking closely at the intrusions, we observed two types of GigaWiper samples: Standalone wiper binaries Larger binaries with robust backdoor functionality Both sample types are unstripped portable executable (PE) files written in Golang. Comparing the two samples showed that the standalone wiper’s code is fully embedded inside the backdoor as one of the commands. The standalone wiper binary The standalone wiper is an unstripped PE written in Golang. Instead of deleting individual files, it wipes at the physical disk level. It identifies physical drives, determines which drive contains the Windows installation, removes partition references from other drives, overwrites raw disk content, and then reboots the system. The wiper starts by enumerating physical disks through Windows Management Instrumentation (WMI) using the following query, giving it the device identifiers and disk metadata it needs before deciding how to handle each drive: Figure 1. Query for enumerating physical disks through WMI The malware then calls main.FindWindowsDrive to determine which physical disk contains the Windows installation (for example, \\\\.\\PHYSICALDRIVE0). With that drive identified, it iterates the remaining disk list and calls main.unallocateDrive on each non-Windows drive to remove their partition references. This is achieved with DeviceIoControl and IOCTL_DISK_CREATE_DISK, which reinitializes the disk’s partitioning metadata and effectively wipes the existing partition table entries. If successful, the malware prints to the console “Partitions removed successfully.” Next, it proceeds to wipe each drive. It calls main.writeRandToDrive to overwrite each drive in chunks of size 0xA00000. The first byte of each buffer is randomized with crypto\u002Frand.Read, while the rest is filled with zeros. If random generation fails, it uses the byte value “1” instead. This pattern might be intended to avoid detections or mitigations that look for conspicuous full-disk zeroing behavior. After it finishes wiping the drives, the malware forces an immediate reboot by invoking Windows shutdown functionality with restart and zero-delay options. The wiper binary as a backdoor command Next, we analyzed the larger backdoor. The same wiper functionality is also present as one component of the backdoor. The code flow and function names in the larger backdoor are identical to those of the standalone wiper, with the wiper’s main.main routine implemented in the backdoor as the rabbit_tools_tool_wipe_main.WipeMain function. Figure 2. Left: Standalone wiper functions. Right: The same wiper functions replicated in the backdoor Backdoor capabilities With the wiper routine overlap established, this section focuses on the backdoor’s additional capabilities. Beyond destructive functionality, the backdoor sets persistence and implements C2 communication over RabbitMQ and Redis. In analyzing these backdoor capabilities, we discovered that some backdoor commands contain code from additional malware families. Persistence The backdoor creates and uses the registry key HKCU\\SOFTWARE\\OneDrive\\Environment to track its execution count. If the key is absent on the system, the malware determines that it’s running on the system for the first time and proceeds to create the key, setting it to “0”. It then creates a new scheduled task named OneDrive Update by running the following command before printing “Task created. Original process exiting.” and exiting the process. The scheduled task is configured to essentially run every minute in addition to running once on system startup. Figure 3. Command that creates scheduled task for persistence In subsequent executions, when the registry key exists and is greater than “0”, the malware increments it, determines that it is running as a scheduled task (prints “Running from Task Scheduler…”), and continues execution normally. Communication GigaWiper uses two modes of communication: RabbitMQ over AMQP for receiving commands from the C2 server Redis server for updating command status and output The malware decrypts a hard-coded configuration using AES with a hard-coded key. For example, one observed sample uses 185.182.193[.]21:5544 as a RabbitMQ C2 server, and 185.182.193[.]21:7542 for a Redis server, where it uploads results. The configuration also specifies the credentials to use to connect to the RabbitMQ and Redis servers. To receive commands from the RabbitMQ C2 server, the malware declares a queue and binds it to a fanout exchange named “All”. Because “All” is a fanout exchange, any command published to it is broadcast to every bound queue across infected clients. To enable targeted commands, the malware also declares a topic exchange named “Topic”. The backdoor binds the queue to “Topic” when the actor issues command 8 (See Commands section) and provides a routing key. Each command sent by the C2 server is a cmd.Task structure with the following fields: task_id command_code args To update the Redis server with command status and output, the malware sends it a cmd.Result struct with the following fields: error target_ip task_id target_computer_name output pwd time status work_status Commands GigaWiper logs several types of commands using specific categories: “always run command” – Commands that are meant to run continuously (like screen recording) “manage command” – Commands used to manage things on the system like services or the Registry “special command” \u002F “shell command” – Modes of command 7 Each command is represented by a numeric command code from 1 to 20: Command 1: Calls WipeMain, which is identical to the standalone wiper described in the last section Command 2: Triggers a Blue screen error (BSOD) and prevents the device from booting This is achieved by running a sequence of hard-coded destruc","https:\u002F\u002Fwww.microsoft.com\u002Fen-us\u002Fsecurity\u002Fblog\u002F2026\u002F07\u002F09\u002Fgigawiper-anatomy-of-a-destructive-backdoor-assembled-from-multiple-malware\u002F","https:\u002F\u002Fwww.microsoft.com\u002Fen-us\u002Fsecurity\u002Fblog\u002Fwp-content\u002Fuploads\u002F2026\u002F07\u002FGigaWiper-featured.png","2026-07-09T15:00:00+00:00","2026-07-09T16:00:21.569877+00:00",9,[18,21,24,26,28,31],{"name":19,"type":20},"Unknown (observed by Microsoft Threat Intelligence)","threat_actor",{"name":22,"type":23},"GigaWiper","product",{"name":25,"type":23},"Crucio",{"name":27,"type":23},"FlockWiper",{"name":29,"type":30},"Microsoft","vendor",{"name":32,"type":33},"Golang","technology","89f78b1c-3503-45a1-9fc7-e23d2ce1c6d5",{"id":34,"icon":36,"name":37,"slug":38},null,"Malware","malware",[40,45,47],{"category":41},{"id":42,"icon":36,"name":43,"slug":44},"7d8b5ab8-ea0b-4ced-ae97-ec251b86993a","Ransomware","ransomware",{"category":46},{"id":34,"icon":36,"name":37,"slug":38},{"category":48},{"id":49,"icon":36,"name":50,"slug":51},"e7b231c8-5f79-4465-8d38-1ef13aea5a14","Threat Intelligence","threat-intelligence",[53,55,57],{"type":38,"value":22,"context":54},"Golang-based destructive backdoor combining disk wiping, ransomware, and system sabotage capabilities",{"type":38,"value":25,"context":56},"Ransomware family whose encryption logic was incorporated into GigaWiper",{"type":38,"value":27,"context":58},"C-based malware reimplemented in Golang within GigaWiper with multi-pass secure wiping"]