Microsoft disclosed a destructive Go-based Windows backdoor dubbed GigaWiper that has been observed in compromised environments since October 2025, combining espionage, remote access, and sabotage functions in a single modular implant. The malware supports about 20 command codes and can wipe physical disks, overwrite the Windows drive, trigger BSOD-based disruption, clear event logs, manipulate processes, services, and the registry, capture screenshots, record screens, and provide hidden VNC-like remote control. It also masquerades as OneDrive and uses RabbitMQ, Redis, and in some reporting MinIO for command, result handling, and data exfiltration.
Microsoft said GigaWiper appears to be assembled from at least three malware families, with code overlaps linking it to Crucio and FlockWiper and references to a broader framework labeled GRAT. One destructive component mimics ransomware by encrypting files without preserving a recovery key, making restoration impossible except from clean backups, while another performs multi-pass secure wiping. Separate reporting said the same hashes and command-and-control infrastructure matched Binary Defense's earlier BLUERABBIT findings, and cited broader research associating related tooling with likely Iran-linked operations targeting Israeli organizations, though Microsoft did not publicly attribute the activity to a country.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
2 events from the most recent confirmed update back to the earliest known activity.
Microsoft published a technical analysis of GigaWiper, describing code links to Crucio and FlockWiper, its use of RabbitMQ and Redis infrastructure, and capabilities including disk wiping, fake ransomware-style irreversible encryption, log clearing, screenshots, screen recording, and VNC-like remote control. The company also released indicators of compromise, including SHA-256 hashes, command-and-control IP addresses, Defender detections, and mitigation guidance.
Microsoft Threat Intelligence said it first observed the destructive Golang-based backdoor GigaWiper in compromised environments beginning in October 2025. The malware combined command-and-control, persistence, espionage-style functions, and multiple destructive payloads in a single modular implant.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
9 references tracked. Mallory keeps watching after this page renders.
malwarebytes.com
Open sourcesecurityweek.com
Open sourcecybersecuritynews.com
Open sourcesecurityaffairs.com
Open sourcescworld.com
Open sourcehackread.com
Open sourcetrojan-killer.net
Open sourcethehackernews.com
Open sourcemicrosoft.com
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.