Microsoft has recently reported the discovery of a new destructive backdoor for Windows systems, dubbed GigaWiper. This malware combines features from various malware families, offering capabilities that include ransomware-like encryption and multiple data-wiping functions.
Overview of GigaWiper
First detected in October 2025, GigaWiper is a Golang-based implant that allows attackers to execute a range of commands, effectively functioning as a modular tool for command-and-control (C2) operations. Microsoft’s threat intelligence team noted that this malware represents a significant evolution in the landscape of wiper malware, which typically focuses solely on destruction rather than extortion.
Functionality and Components
According to Microsoft, two distinct samples of GigaWiper have been found in victim environments. The first is a standalone wiper that operates at the physical disk level, overwriting raw disk content and removing partition metadata. This sample also reboots the system using Windows shutdown functionality.
The second sample incorporates the same disk-wiping capabilities but adds persistence and C2 communication features. It utilizes RabbitMQ over AMQP for command reception and Redis for updating command status. GigaWiper organizes its commands into categories, including options for continuous screen recording and system management.
Destructive Capabilities
GigaWiper includes a variety of destructive commands. One command disables Windows recovery, leading to a blue screen of death (BSOD), while another is based on Crucio ransomware, encrypting files with randomly generated keys that are not saved, making decryption impossible. Additionally, it can perform bulk encryption or decryption using AES-256 in CBC mode and upload stolen files to remote storage using MinIO Client.
The malware also executes PowerShell commands, captures screenshots and recordings, collects system information, clears Windows event logs, and allows remote control of the infected system.
Conclusion and Implications
Microsoft has confirmed that GigaWiper combines elements from at least three different malware families, including Crucio ransomware and a reimplementation of FlockWiper. This development highlights a trend toward more sophisticated and versatile malware tools that can both control and destroy infected systems.
While the full scale and impact of GigaWiper attacks remain unclear, the findings indicate a notable shift in the capabilities of wiper malware, emphasizing the need for heightened vigilance among users and organizations.
This article was produced by NeonPulse.today using human and AI-assisted editorial processes, based on publicly available information. Content may be edited for clarity and style.








