GigaWiper: Anatomy of a destructive backdoor assembled from multiple malware

July 10, 2026

Microsoft Threat Intelligence has recently identified a concerning trend involving the GigaWiper malware, which has begun to emerge in compromised environments since October 2025. This malware exhibits destructive capabilities that warrant attention from organizations and the broader security community.

A wiper inside a backdoor

Upon investigation, two distinct types of GigaWiper samples have been observed:

  • Standalone wiper binaries
  • Larger binaries featuring robust backdoor functionalities

Both variants are unstripped portable executable (PE) files developed in Golang. Notably, the standalone wiper’s code is fully integrated within the backdoor, functioning as one of its commands.

The standalone wiper binary

The standalone wiper operates at the physical disk level rather than merely deleting individual files. It identifies physical drives, locates the one containing the Windows installation, removes partition references from other drives, overwrites the raw disk content, and subsequently reboots the system.

Initially, the wiper enumerates physical disks via Windows Management Instrumentation (WMI), utilizing a specific query to gather the necessary device identifiers and disk metadata. This information guides its actions regarding each drive:

Figure 1. Query for enumerating physical disks through WMI

Following this, the malware determines the Windows installation drive and iterates through the remaining disks to remove their partition references. This is achieved using DeviceIoControl and IOCTLDISKCREATE_DISK, effectively wiping existing partition table entries. Upon successful execution, the malware confirms with a console message: “Partitions removed successfully.”

Next, it overwrites each drive, utilizing main.writeRandToDrive to write random data in chunks, with a fallback to a byte value of “1” if random generation fails. This approach may be designed to elude detection mechanisms that monitor for typical full-disk zeroing behavior.

After completing the wiping process, the malware triggers an immediate reboot using Windows shutdown functionality with restart and zero-delay options.

The wiper binary as a backdoor command

Further analysis reveals that the larger backdoor incorporates the same wiper functionality as a component. The code flow and function names mirror those of the standalone wiper, with the wiper’s main.main routine implemented in the backdoor as rabbittoolstoolwipemain.WipeMain.

Figure 2. Left: Standalone wiper functions. Right: The same wiper functions replicated in the backdoor

Backdoor capabilities

With the overlap of wiper routines established, the focus shifts to the additional capabilities of the backdoor. Beyond its destructive functions, the backdoor establishes persistence and implements command and control (C2) communication via RabbitMQ and Redis. Notably, some commands within the backdoor contain code from other malware families.

Persistence

The backdoor creates a registry key at HKCUSOFTWAREOneDriveEnvironment to monitor its execution count. If the key is absent, the malware assumes it is executing for the first time, creates the key, and sets it to “0.” A scheduled task named OneDrive Update is then established to run every minute and at system startup.

Figure 3. Command that creates scheduled task for persistence

On subsequent executions, if the registry key exists and is greater than “0,” the malware increments it, recognizes it is running as a scheduled task, and continues its operations.

Communication

GigaWiper employs two modes of communication:

  • RabbitMQ over AMQP for receiving commands from the C2 server
  • Redis server for updating command status and output

The malware decrypts a hard-coded configuration using AES with a predetermined key. For instance, one observed sample connects to a RabbitMQ C2 server at 185.182.193[.]21:5544 and a Redis server at 185.182.193[.]21:7542 for result uploads. The configuration also includes credentials for connecting to these servers.

To receive commands from the RabbitMQ C2 server, the malware declares a queue and binds it to a fanout exchange named “All,” ensuring that any command published is broadcast to all bound queues across infected clients. For targeted commands, a topic exchange named “Topic” is also declared, allowing for more precise command issuance.

Each command sent by the C2 server is structured as a cmd.Task with specific fields, including taskid, commandcode, and args.

To update the Redis server with command status and output, the malware sends a cmd.Result struct containing various fields, including error, target_ip, and status.

Commands

GigaWiper logs various command types categorized as follows:

  • “always run command” – Commands intended to run continuously (e.g., screen recording)
  • “manage command” – Commands for managing system elements like services or the Registry
  • “special command” / “shell command” – Modes of command 7

Each command is represented by a numeric code ranging from 1 to 20:


Command 1: Calls WipeMain, identical to the standalone wiper described earlier.


Command 2: Triggers a Blue Screen of Death (BSOD), preventing device booting by executing a series of destructive commands that disable Windows recovery and delete critical boot files.

Figure 4. Series of commands that lead to BSOD

Command 3: Calls RanMain and BigBangExtortMain to initiate a file encryption process that mimics ransomware behavior, generating random keys and initialization vectors (IVs) without saving them.

Files are encrypted in chunks and renamed with a .candy extension, while a hard-coded image is set as the wallpaper.

Figure 5. Image dropped by backdoor and set as the wallpaper

Command 4: Utilizes MinIO Client (mc) to upload files to remote storage, with command arguments specifying connection details.


Command 5: Encrypts or decrypts files using AES-256 in CBC mode, with command arguments controlling the operation.


Command 6: Executes a PE from a specified map, suggesting wiper functionality.


Command 7: Includes two types: shell command for executing PowerShell commands and special command for specific operations like purging command queues.


Command 8: Manages RabbitMQ routes, allowing for targeted command reception.


Command 9: Takes screenshots per active monitor, saving them as PNG files.


Command 10: Records the screen during user activity, saving recordings to a designated folder.


Command 11: Executes a PE from a specified map, indicating potential keylogger functionality.


Command 12: Calls WipeCMain to securely wipe the system, focusing solely on the Windows installation drive.

  • Utilizes multiple passes for secure wiping, overwriting with various byte patterns.

Command 13: Executes another wiper binary, indicated by logging messages.


Command 14: (not implemented)


Command 15: Collects system information, with arguments controlling the detail level.

  • Includes IP address, machine GUID, CPU, OS, and network configuration.

Command 16: Manages processes with specified operations.


Command 17: Manages services similarly to process management.


Command 18: Interacts with the Registry, allowing for various operations.


Command 19: Clears Windows event logs, ensuring it runs with Administrator privileges.


Command 20: Establishes a server for remote control, allowing keyboard and mouse access.

How GigaWiper was assembled

The standalone wiper, as command 1, is just one aspect of the multifaceted GigaWiper. The backdoor integrates components from at least three distinct malware families, including the wiping functionalities and a file-encrypting ransomware mechanism that lacks decryption capabilities.

RanMain and BigBangExtortMain

Command 3, managed by rabbittoolstoolranmaincmdextort.RanMain, encrypts files and renames them with a .candy extension, functioning as a wiper disguised as ransomware. The absence of a ransom note indicates no intent to decrypt files.

Notably, the BigBangExtortMain function shares similarities with a function used in the Crucio ransomware, suggesting a common threat actor behind both malware families.

Figure 6. Left: Crucio functions. Right: GigaWiper’s ran_main functions.

WipeCMain

Command 12 represents the third wiper family incorporated into GigaWiper, closely resembling command 1 but focusing solely on the Windows installation drive and employing more secure wiping methods.

Research indicates that WipeCMain is essentially identical to the standalone wiper tracked as FlockWiper, with its logic reimplemented in Golang. The two variants share a similar execution flow and many identical strings, although GigaWiper appears to be a more updated version. FlockWiper was first detected in June 2025, prior to GigaWiper’s emergence.

Additionally, observed FlockWiper samples reference “GRAT” in their program database paths, a name also found in several GigaWiper function names, hinting at a potential connection between the two malware families.

Figure 7. References to “GRAT” in function names

Defending against destructive threats

To fortify networks against GigaWiper, organizations are encouraged to implement several mitigation strategies:

  • Enable tenant-wide tamper protection features to prevent attackers from disabling security services or using antivirus exclusions.
  • Block direct access to known C2 infrastructure based on threat intelligence sources.
  • Activate cloud-delivered protection in Microsoft Defender Antivirus or equivalent solutions to guard against rapidly evolving threats.
  • Run endpoint detection and response (EDR) in block mode to remediate malicious artifacts, even when other antivirus solutions fail to detect them.
  • Allow full automated investigation and remediation to enable immediate action on alerts.
  • For Microsoft Defender XDR customers, implement attack surface reduction rules to enhance environmental security.

Microsoft Defender detections

Microsoft Defender customers can refer to the following detections:

Tactic Observed activity Microsoft Defender coverage
Execution Execution of malware components Microsoft Defender Antivirus
– Giga
– Wiper
– FlockWiper
– CutBrooch
Microsoft Defender for Endpoint
– ‘WprFlock’ malware detected
– ‘WprCree’ malware detected
– ‘FlockWiper’ malware detected
– ‘GigaWiper’ malware detected
– Possible ransomware activity
– Ransomware behavior detected in the file system

Microsoft Security Copilot

Microsoft Security Copilot, integrated within Microsoft Defender, offers AI-powered capabilities to assist security teams in incident analysis, file scrutiny, and incident reporting.

Customers can also deploy AI agents, including Microsoft Security Copilot agents, to enhance security task efficiency. Security Copilot is available as a standalone experience for specific security-related tasks.

Threat intelligence reports

Microsoft Defender XDR customers can access threat analytics reports in the Defender portal, providing up-to-date information on threat actors, malicious activities, and recommended actions to mitigate risks.

Indicators of compromise

Indicator Type Description
633d4cbd496b1094495da89a64f5e6c31a0f6d4d1488411db5b0cba1cfe42001 SHA-256 GigaWiper backdoor
ce9ad5f6c12019f4aae5b189bd8ddf5bb09e75b06a0c587b25a855c65948c913 SHA-256 GigaWiper backdoor
f622ed85ef31ad4ab973f4e74524866fe1bb44f0965ad2b2ad796cd657a05bfd SHA-256 GigaWiper backdoor
9706a192e2c1a1faaf0a521daf31c2af60ff4590e3f47bbb4abc227f42af0683 SHA-256 GigaWiper backdoor
3c30deb6556a94cfb84ae51798f4aecfae8c7358e55fdb321c5f2376579631cd SHA-256 GigaWiper standalone wiper
440b5385d3838e3f6bc21220caa83b65cd5f3618daea676f271c3671650ce9a3 SHA-256 Crucio
12c39f052f030a77c0cd531df86ad3477f46d1287b8b98b625d1dcf89385d721 SHA-256 FlockWiper
db41e0da7ab3305be8d9720769c6950b4dc1c1984ef857d3310eb873a0fc7674 SHA-256 FlockWiper
185.182.193[.]21 IP address GigaWiper C2
212.8.248[.]104 IP address GigaWiper C2

Learn more

For the latest insights from the Microsoft Threat Intelligence community, visit the Microsoft Threat Intelligence Blog. Stay informed about new publications and engage in discussions on social media platforms like LinkedIn, X (formerly Twitter), and Bluesky. Additionally, tune into the Microsoft Threat Intelligence podcast for stories and insights regarding the evolving threat landscape.

Tech Optimizer
GigaWiper: Anatomy of a destructive backdoor assembled from multiple malware