Microsoft has detailed a destructive new backdoor called GigaWiper that bundles three separate strains of wiping and fake-ransomware malware into a single tool, giving an attacker a menu of ways to destroy a compromised network on command. Microsoft Threat Intelligence first spotted the malware wiping systems in October 2025 and has now published a code-level teardown of how it works.
What makes GigaWiper unusual is its construction. Rather than one purpose-built wiper, it is an amalgamation: the operator can trigger raw disk wiping, a phony ransomware routine that encrypts files with keys that are thrown away, or a multi-pass secure wipe of the Windows drive, all as numbered commands inside one backdoor.
Why this matters
Wipers exist to destroy, not to extort, and their appearance usually signals sabotage rather than a payday. By folding several destructive tools into a modular backdoor that also handles espionage-style tasks like screen recording and keylogging, GigaWiper lets a single implant switch between quiet spying and outright destruction. Microsoft frames it as attackers investing in operational efficiency, merging standalone tools into one platform that is easier to deploy and harder to spot.
How it works
GigaWiper is written in the Go language and takes commands from a RabbitMQ server, reporting results back through a Redis server. One observed sample used 185[.]182[.]193[.]21 for both. Persistence is handled by a scheduled task disguised as OneDrive Update that runs every minute. The backdoor exposes 20 numbered commands. Command 1 wipes physical disks and reboots. Command 3 imitates ransomware, encrypting files, renaming them with a .candy extension and changing the wallpaper, but the encryption keys are random and never saved, so recovery is impossible. Command 12 performs a slower multi-pass wipe of the Windows drive. Others clear event logs, take screenshots, and open a hidden VNC-style remote-control channel.
Assembled from older malware
Microsoft tied GigaWiper's parts to at least three previously separate families used by the same actor. The fake-ransomware routine reuses code from Crucio ransomware, named in a 2023 CISA advisory, while the multi-pass wiper is a Go rewrite of a C-based wiper Microsoft tracks as FlockWiper. Shared function names referencing GRAT appear across both. Microsoft did not tie the activity to a named group or country in this report. Destructive campaigns of this kind echo earlier wiper operations we have covered, from the wiper disguised as a CrowdStrike fix to destruction dressed up as ransomware with no real decryption.
What you should do
Because GigaWiper leaves no path to recovery, prevention and isolation matter most. Microsoft recommends tightening credential hygiene and lateral-movement controls, watching for the bogus OneDrive Update scheduled task, and treating tested, offline backups as the primary safeguard. Selected defanged indicators include the C2 address 185[.]182[.]193[.]21 (ports 5544 and 7542), a secondary IP 212[.]8[.]248[.]104, and sample hash 633d4cbd496b1094495da89a64f5e6c31a0f6d4d1488411db5b0cba1cfe42001.
Read the original Microsoft analysis for the full command breakdown.
This briefing is provided by IntelFusions for informational and defensive purposes only. It is based on sources assessed to be reliable at the time of writing, and analytic judgments carry the confidence levels indicated. Indicators of compromise are defanged; re-arm them only in controlled environments. IntelFusions is not affiliated with the organizations named and makes no warranty as to completeness or accuracy.