A new multi-purpose backdoor recently discovered by Microsoft marks a dangerous shift toward unified cyber-attack frameworks.
The backdoor, tracked as GigaWiper, is linked to a malware implant with extensive operational capabilities, allowing cyber threat actors to conduct both quiet espionage activity and destructive wiping operations.
Specifically, in its full version, GigaWiper is equipped with several flavors of wiping functionalities, including file-encrypting ransomware that leaves no way to decrypt the files.
These functionalities were also merged into a single robust backdoor, granting the actor more ways to control and destroy infected systems.
GigaWiper allows threat actors to maintain control over infected systems, execute commands, deploy additional tooling and ultimately trigger one of multiple destructive commands on demand.
In a malware analysis published on July 9 by Microsoft Security, the researchers assessed this new sophisticated tool was created by combining and reimplementing components from at least three previously separate malware families.
These include the Crucio ransomware strain and FlockWiper, as well as another related component or framework that has not yet been recovered.
Characteristics of GigaWiper
Microsoft Threat Intelligence detected GigaWiper in October 2025, when its researchers observed compromised environments being wiped with destructive tooling.
While no information about the targeted systems or the victims was shared, researchers quickly identified a versatile implant written in the Go programming language (Golang) that combines robust command-and-control (C2) capabilities with multiple destructive payloads, including disk wiping, fake ransomware and system-level sabotage.
More precisely, they observed two types of samples:
- Standalone wiper binaries
- Larger binaries with robust backdoor functionality
The latter version of GigaWiper provides threat actors with the flexibility to choose their mode of destruction with three main components:
- A standalone wiper that operates at the physical disk level, overwriting raw disk content and removing partition metadata
- A destructive command that derives from Crucio ransomware and encrypts files with randomly generated keys that are never saved, making decryption impossible
- A wiping command that reimplements the logic of FlockWiper, a C-based malware reimplemented in Golang with additional multi-pass secure wiping
The consolidation of multiple destructive capabilities into a modular backdoor reflects “a notable shift in wiper malware, which are typically designed purely to destroy rather than to extort and carry real-world consequences,” the Microsoft researchers noted.
“GigaWiper exemplifies threat actors investing in operational efficiency, merging standalone tools into unified platforms that reduce their deployment footprint while expanding their destructive capabilities.”
Microsoft's Recommendations for Mitigating GigaWiper Threats
For organizations looking to mitigate the multiple threats posed by a GigaWiper, Microsoft researchers made the following recommendations:
- Turn on tenant-wide tamper protection features to prevent attackers from stopping security services or using antivirus exclusions.
- Block direct access to known C2 infrastructure where possible, informed by your organization’s threat intelligence sources
- Turn on cloud-delivered protection in your antivirus to cover rapidly evolving attacker tools and techniques
Additionally, Microsoft issued some Microsoft-specific mitigation recommendations:
- Run endpoint detection and response (EDR) in block mode so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode
- Allow investigation and remediation in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume
- Microsoft Defender XDR customers can also implement the following attack surface reduction rules to harden an environment against techniques used by threat actors: “Block executable files from running unless they meet a prevalence, age, or trusted list criterion”
