Microsoft has recently unveiled a sophisticated and destructive Windows backdoor known as GigaWiper, which grants its operators remote control over compromised systems, ultimately enabling them to execute various forms of irreversible damage.
Malware Families
The origins of GigaWiper were traced back to a series of destructive cyberattacks that occurred in October 2025. Researchers discovered that this malware was not a standalone wiping tool; rather, it is a composite of code derived from at least three distinct malware families, amalgamating their destructive capabilities into a single backdoor.
Once GigaWiper infiltrates a system, it maintains its presence through a scheduled task cleverly disguised as “OneDrive Update.” This task is programmed to execute at startup and every minute thereafter, ensuring the malware remains active and responsive to commands relayed via RabbitMQ servers, while also transmitting results through Redis.
According to Microsoft, the operators of GigaWiper have a range of destructive actions at their disposal, tailored to their specific objectives. One command can obliterate partition information, overwrite physical drives, and force a system restart. Another command focuses solely on the Windows installation drive, overwriting its contents multiple times.
Additionally, GigaWiper features a command that mimics ransomware behavior by encrypting files and appending the .candy extension. However, the encryption keys are generated randomly and are never stored, rendering any chance of file recovery impossible. Microsoft characterized this function as a malicious tool masquerading as ransomware, as it lacks a ransom note or any recovery mechanism.
Further analysis revealed connections between the encryption function of GigaWiper and the Crucio ransomware, which was previously documented by the US Cybersecurity and Infrastructure Security Agency (CISA) in 2023. Moreover, another wiping function within GigaWiper bears a striking resemblance to FlockWiper, an earlier program written in C. GigaWiper, however, has rewritten much of this code in the Go programming language and enhanced it with multi-pass disk wiping capabilities.
GigaWiper is equipped with 20 command codes that enable it to execute PowerShell instructions, gather information about the computer and antivirus software, manage processes and Windows services, modify the Registry, capture screenshots, and record activities on connected displays. Additionally, operators can erase Windows event logs, upload files to remote storage, and gain control over an infected computer through a remote-access function akin to VNC. This feature allows for screen streaming and input from keyboard and mouse after modifying Windows Firewall settings to permit the connection.
GigaWiper, A Persistent Threat
Microsoft’s research indicates that GigaWiper can linger on a system for surveillance and remote administration until the operator decides to activate its destructive functions. The integration of remote access, system management, and various wiping methods provides operators with a versatile toolkit within a single implant.
To combat this threat, Microsoft Defender includes detection capabilities for GigaWiper and its associated components. The company advises users to enable tamper protection, cloud-delivered antivirus solutions, and endpoint detection and response in block mode. Organizations are also encouraged to restrict connections to known command infrastructures and to monitor for unexpected scheduled tasks, disk operations, and alterations to Windows recovery settings. Most crucially, implementing mandatory cybersecurity training can empower employees to identify suspicious activities early, thereby mitigating the risk of similar threats infiltrating their systems.
The comprehensive technical analysis and indicators related to GigaWiper can be found in the latest Microsoft Security report.