Microsoft Warns of GigaWiper Backdoor Built to Destroy Windows PCs
Microsoft details GigaWiper, a destructive Windows backdoor that can wipe disks, encrypt files and give attackers
Summary
Microsoft has identified GigaWiper, a destructive Windows backdoor that combines code from older malware families to offer remote access and system destruction capabilities. First seen in October 2025, GigaWiper can wipe disks, encrypt files with the .candy extension (without recovery options), and maintain persistence through a disguised scheduled task. It also supports extensive command codes for system management, data exfiltration, and remote control.
Full text
Security Malware MicrosoftMicrosoft Warns of GigaWiper Backdoor Built to Destroy Windows PCs Microsoft details GigaWiper, a destructive Windows backdoor that can wipe disks, encrypt files and give attackers remote access to compromised systems globally. byWaqasJuly 9, 20262 minute read Listen to this article 0:00 — ← 10s ▶ Play 10s → Speed 0.75× 1× 1.25× 1.5× 2× Voice Loading voices… Press play to start listening Microsoft has discovered a destructive Windows backdoor called GigaWiper that gives its operators remote control over infected computers before allowing them to trigger several forms of permanent system damage. Malware Families Researchers first identified the malware during destructive attacks in October 2025. Their analysis found that GigaWiper was not developed as one dedicated wiping tool. Its operators combined code from at least three older malware families and placed their destructive functions inside a single backdoor. Once installed, GigaWiper can maintain access through a scheduled task disguised as “OneDrive Update.” The task runs at startup and every minute, allowing the malware to remain active while receiving commands through RabbitMQ servers and returning results through Redis. According to Microsoft, operators can choose between several destructive actions depending on their objective. One command removes partition information, overwrites physical drives, and forces the computer to restart. Another targets only the Windows installation drive and overwrites its contents several times. A separate command behaves like ransomware by encrypting files and adding the .candy extension. However, the encryption keys are randomly generated and never saved, leaving no method for restoring the affected files. Microsoft described the function as a destructive tool presented as ransomware because it does not provide a ransom note or a recovery process. Furthermore, the code analysis carried out by researchers connected the encryption function to Crucio ransomware, which was documented (PDF) by the US Cybersecurity and Infrastructure Security Agency (CISA) in 2023. Microsoft also found that another wiping function closely matches FlockWiper, an older program written in C. However, GigaWiper recreates much of that code in the Go programming language and adds multi-pass disk wiping. GigaWiper also supports 20 command codes that can run PowerShell instructions, collect computer and antivirus information, manage processes and Windows services, modify the Registry, take screenshots and record activity on connected displays. Operators can also clear Windows event logs, upload files to remote storage, and control an infected computer through a remote-access function similar to VNC. That function can stream the screen and accept keyboard and mouse input after changing Windows Firewall rules to permit the connection. Understand the GigaWiper backdoor threat (Credit: Hackread.com) GigaWiper, A Persistent Threat Microsoft’s findings show that GigaWiper can remain on a computer for surveillance and remote administration before an operator activates its destructive functions. Combining remote access, system management and several wiping methods gives the operator multiple options within one implant. Microsoft Defender includes detections for GigaWiper and related components. Microsoft recommends enabling tamper protection, cloud-delivered antivirus protection and endpoint detection and response in block mode. On the other hand, organisations should restrict connections to known command infrastructure and monitor unexpected scheduled tasks, disk operations and changes to Windows recovery settings. Most importantly, compulsory cybersecurity training can help employees recognise suspicious activity early and reduce the risk of similar threats gaining a foothold. The full technical analysis and indicators are available in the Microsoft Security report on GigaWiper. Waqas I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cybersecurity and tech world. I am also into gaming, reading and investigative journalism. View Posts backdoorCrucioCybersecurityFlockWiperGigaWiperMalwareMicrosoftWindows Leave a Reply Cancel reply View Comments (0) Related Posts Read More Malware Security WordPress Captcha Plugin Contains Backdoor- 300,000 Websites at Risk A warning has been issued by researchers disclosing the identification of a backdoor in yet another WordPress plugin… byWaqas Read More Cyber Attacks Security SoundCloud Hit by Cyberattack, Breach Affects 20% of its Users SoundCloud confirms a breach affecting an estimated 20% of users, resulting in stolen email addresses. The company is dealing with follow-up DoS attacks by unnamed attackers while media reports allege involvement of ShinyHunters. byDeeba Ahmed Read More Security FBI accessing computers across US to remove malicious web shells FBI is Accessing Computers Across the Us to Prevent Hafnium from Exploiting MS Exchange Server Vulnerabilities - All without telling owners. byDeeba Ahmed Read More Security Malware NPM Package Disguised as an Ethereum Tool Deploys Quasar RAT Researchers discovered a malicious package on the npm package registry that resembles a library for Ethereum smart contract vulnerabilities but actually drops an open-source remote access trojan called Quasar RAT onto developer systems. byDeeba Ahmed
Indicators of Compromise
- malware — GigaWiper
- malware — Crucio ransomware
- malware — FlockWiper