Press play to start listening
Microsoft has discovered a destructive Windows backdoor called GigaWiper that gives its operators remote control over infected computers before allowing them to trigger several forms of permanent system damage.
Malware Families
Researchers first identified the malware during destructive attacks in October 2025. Their analysis found that GigaWiper was not developed as one dedicated wiping tool. Its operators combined code from at least three older malware families and placed their destructive functions inside a single backdoor.
Once installed, GigaWiper can maintain access through a scheduled task disguised as “OneDrive Update.” The task runs at startup and every minute, allowing the malware to remain active while receiving commands through RabbitMQ servers and returning results through Redis.
According to Microsoft, operators can choose between several destructive actions depending on their objective. One command removes partition information, overwrites physical drives, and forces the computer to restart. Another targets only the Windows installation drive and overwrites its contents several times.
A separate command behaves like ransomware by encrypting files and adding the .candy extension. However, the encryption keys are randomly generated and never saved, leaving no method for restoring the affected files. Microsoft described the function as a destructive tool presented as ransomware because it does not provide a ransom note or a recovery process.
Furthermore, the code analysis carried out by researchers connected the encryption function to Crucio ransomware, which was documented (PDF) by the US Cybersecurity and Infrastructure Security Agency (CISA) in 2023.
Microsoft also found that another wiping function closely matches FlockWiper, an older program written in C. However, GigaWiper recreates much of that code in the Go programming language and adds multi-pass disk wiping.
GigaWiper also supports 20 command codes that can run PowerShell instructions, collect computer and antivirus information, manage processes and Windows services, modify the Registry, take screenshots and record activity on connected displays.
Operators can also clear Windows event logs, upload files to remote storage, and control an infected computer through a remote-access function similar to VNC. That function can stream the screen and accept keyboard and mouse input after changing Windows Firewall rules to permit the connection.
GigaWiper, A Persistent Threat
Microsoft’s findings show that GigaWiper can remain on a computer for surveillance and remote administration before an operator activates its destructive functions. Combining remote access, system management and several wiping methods gives the operator multiple options within one implant.
Microsoft Defender includes detections for GigaWiper and related components. Microsoft recommends enabling tamper protection, cloud-delivered antivirus protection and endpoint detection and response in block mode.
On the other hand, organisations should restrict connections to known command infrastructure and monitor unexpected scheduled tasks, disk operations and changes to Windows recovery settings. Most importantly, compulsory cybersecurity training can help employees recognise suspicious activity early and reduce the risk of similar threats gaining a foothold.
The full technical analysis and indicators are available in the Microsoft Security report on GigaWiper.
