Microsoft has detailed a destructive Go-based backdoor called GigaWiper that has been active for more than eight months, combining wiper functionality, ransomware-like encryption, and extensive remote control features into a single modular implant.

According to Microsoft, GigaWiper folds several destructive capabilities into on-demand backdoor commands, letting an attacker execute a standalone wiper, trigger a ransomware-style encryption routine, or run a wiping command that performs multiple erase passes. Microsoft notes that this consolidation marks a shift for wiper malware, which is typically built solely for destruction rather than for extortion with real-world consequences.

Disk-Level Destruction

First observed in October 2025, GigaWiper’s wiper operates at the physical disk level. It uses Windows Management Instrumentation (WMI) to enumerate drives and identify the Windows partition, strips partition references from non-Windows drives, wipes each drive, and then forces a reboot. The backdoor component carries identical wiping code, function names, and flow, indicating shared authorship between the two pieces.

Persistence and Remote Control

GigaWiper establishes persistence and command-and-control communication using RabbitMQ and Redis. Depending on the commands it receives, the backdoor can:

  • Execute the wiper or trigger a Blue Screen of Death
  • Upload files to a remote server via MinIO Client
  • Run executables or PowerShell commands
  • Take screenshots and record the screen
  • Collect system information
  • Wipe the Windows installation

The malware also supports two file-encrypting commands, one destructive (using random keys that are never saved) and one designed for bulk encryption and decryption. It further includes managers for processes, the registry, RabbitMQ routes, and services, can clear Windows event logs, and can spin up a server for full remote control of infected systems.

Links to Other Malware Families

Microsoft found that the wiping commands in GigaWiper originate from separate, older malware previously used by the same threat actor, now stitched into a single implant with added backdoor capabilities. The encryption code suggests GigaWiper was built by the developer behind Crucio ransomware, while an identical wiping function, ported to Go, links it to FlockWiper, a wiper that emerged in June 2025.

Microsoft describes GigaWiper as giving the threat actor flexibility to maintain persistent control, deploy additional tooling, and switch between quiet espionage activity and destructive wiping operations on demand.