Securityaffairs

GigaWiper Merges Three Malware Families Into One Destructive Backdoor


GigaWiper Merges Three Malware Families Into One Destructive Backdoor

Pierluigi Paganini
July 10, 2026

Microsoft uncovered GigaWiper, a modular Go backdoor combining three malware families with espionage, remote control, and destructive wiping features.

In October 2025, Microsoft’s threat intelligence team identified destructive wiping activity inside compromised environments and traced it to a previously unknown piece of malware they’re now calling GigaWiper. The malicious code is written in Go, it combines a command-and-control backdoor with multiple built-in destruction capabilities, and it was assembled by taking code from at least three older malware families and merging them into one implant. Efficient, if attackers aim at destroying the target systems.

“The consolidation of multiple destructive capabilities into a modular backdoor reflects a notable shift in wiper malware, which are typically designed purely to destroy rather than to extort and carry real-world consequences.” reads the report published by Microsoft. “GigaWiper exemplifies threat actors investing in operational efficiency, merging standalone tools into unified platforms that reduce their deployment footprint while expanding their destructive capabilities.”

The backdoor communicates with its operators over RabbitMQ for receiving commands and Redis for sending back results. It persists through a scheduled task named “OneDrive Update” that runs every minute and at system startup, and tracks its own execution count in a registry key disguised as a OneDrive entry. The command set runs from 1 to 20 and covers an unusually wide range of capabilities for a single implant.

The destructive commands are the most interesting features. Command 1 wipes physical disks at the raw level, overwriting content in chunks and removing partition metadata from non-Windows drives before forcing a reboot. Command 2 triggers a Blue Screen of Death and prevents the machine from starting again by deleting critical boot and kernel files. Command 3 encrypts files with a randomly generated key that is never saved anywhere, renames them with a .candy extension, and drops a threatening image as the wallpaper.

The researcher pointed out that there’s no ransom note and no way to recover the files, because the actor never intended to offer decryption. Command 12 performs a more thorough multi-pass wipe of just the Windows installation drive, overwriting it with zeros, 0xFF values, and random bytes across multiple passes.

Beyond destruction, the backdoor includes a full remote-control suite. Command 20 opens a VNC-style remote desktop session over TCP with keyboard and mouse control, creating firewall rules named after legitimate Windows components to hide the traffic. Commands 9 and 10 handle screenshots and continuous screen recording when the user is active. Commands 15 through 18 manage system information collection, process control, service management, and registry navigation in a way that maintains session state between requests, essentially providing an interactive registry browser. Command 19 wipes Windows event logs, attempting to delete Security logs twice using different methods if the first fails, and for unknown reasons ends by printing the string “kharbvnmhkjbkjb” to the console.

The architectural story is what makes GigaWiper technically interesting. Microsoft identified that each of the three main destructive commands traces back to a separate, previously existing malware family developed by the same threat actor.

Command 3, the fake ransomware, is built on Crucio ransomware code. Crucio was documented in a CISA advisory in December 2023. The function BigBangExtortMain, which handles the file encryption in GigaWiper, shares its name and logic with the same function in Crucio.

“GigaWiper backdoor command 3 is heavily based on Crucio’s code, leading to the assessment that the same threat actor developed both malware families.” states Microsoft.

GigaWiper
Crucio functions. Right: GigaWiper’s ran_main functions. (Source Microsoft)

Command 12, the multi-pass secure wipe, is a Go reimplementation of FlockWiper, a C-based wiper that first appeared on VirusTotal in June 2025, several months before GigaWiper was observed. The logic and strings are nearly identical between the two, with GigaWiper’s version appearing to be a more updated iteration. FlockWiper’s compiled binaries contain program database paths referencing the string “GRAT,” and that same string appears repeatedly in GigaWiper’s function names, providing an additional thread connecting the two families.

“The name “GRAT” is also prevalent in several function names within the GigaWiper backdoor.” continues the report, “Although the FlockWiper binaries do not include “GRAT” functionality, the PDB paths provide another link between the two malware families.”

The string suggests the possible existence of a related framework or component that hasn’t been recovered yet.

Command 1, the standalone disk wiper, appears in GigaWiper as an exact replica of the standalone wiper binary Microsoft also observed being deployed separately. The function names and code flow are identical; the standalone wiper’s main routine simply reappears inside the backdoor as a callable command.

The modular structure changes what defenders need to think about. A traditional wiper gets deployed, runs, and destroys. GigaWiper sits on a system, maintains persistence, communicates back to operators, and can switch between quiet intelligence-gathering and full destruction on command, without requiring the attacker to deploy a new tool. The same implant that takes screenshots and manages processes today can wipe disks tomorrow.

The C2 infrastructure observed in samples used 185.182.193[.]21 on port 5544 for RabbitMQ command delivery and port 7542 for Redis result reporting. The RabbitMQ fanout exchange named “All” broadcasts commands to every infected host simultaneously, while a topic exchange named “Topic” enables targeted commands to specific machines.

“GigaWiper is a backdoor with extensive operational capabilities that allow a threat actor to maintain control over infected systems, execute commands, deploy additional tooling, and ultimately trigger one of multiple destructive commands on demand. It allows the threat actor to operate with flexibility, enabling both quiet espionage activity and destructive wiping operations.” concludes the report. “Overall, these findings show the evolution of the actor’s tooling over time. Functionality was merged into a single robust backdoor, granting the actor more ways to control and destroy infected systems.”

Microsoft’s recommended mitigations focus on preventing the defense-disabling steps that wipers typically rely on: enabling tamper protection to stop attackers from turning off security services, running endpoint detection and response in block mode, and enabling cloud-delivered protection to catch rapidly evolving tools. Blocking direct access to the known C2 infrastructure at 185.182.193[.]21 is the immediate network-level action available to organizations that can act on the published indicators.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, malware)







Source link