GigaWiper Malware: A New Breed of Cyber Weapon
Microsoft has sounded the alarm on a new multi-purpose backdoor that marks a worrying evolution in cyber-attack toolkits. Dubbed GigaWiper malware, this implant does not just steal data or lock files — it does both, and then wipes the system clean.
Discovered by Microsoft Threat Intelligence in October 2025, GigaWiper is written in Go (Golang). It gives attackers a single, unified platform to conduct quiet espionage, execute commands, deploy extra tools, and then trigger one of several destructive actions on demand.
This is not your average wiper. It is a modular backdoor that consolidates capabilities from at least three separate malware families: the Crucio ransomware strain, the FlockWiper wiper, and another unrecovered component. The result is a flexible, dangerous weapon.
How GigaWiper Works: Two Flavors, Three Ways to Destroy
Microsoft’s analysis, published on July 9, identified two types of GigaWiper samples in the wild.
Standalone Wiper vs. Full Backdoor
The first type is a standalone wiper binary — lean, mean, and purely destructive. The second type is a larger binary packed with full backdoor functionality. That second version is the real worry.
It gives attackers three distinct destructive modes to choose from:
- Disk-level wiping: Overwrites raw disk content and removes partition metadata. The target drive is left structurally dead.
- Fake ransomware (Crucio-derived): Encrypts files using randomly generated keys that are never saved. Decryption is mathematically impossible. This is extortion theater — the attacker never intends to unlock anything.
- FlockWiper reimplementation: A Golang version of the original C-based FlockWiper, enhanced with multi-pass secure wiping. It scrubs data so thoroughly that recovery tools are useless.
Having all these options inside a single backdoor is what makes GigaWiper malware stand out. Attackers no longer need to deploy separate tools for espionage and destruction. One implant does it all.
Why This Shift Matters
Traditional wiper malware has one job: destroy data and cause chaos. Think of the NotPetya attacks of 2017, which were pure destruction with no real extortion. GigaWiper changes that equation.
Microsoft researchers noted that this consolidation reflects “a notable shift in wiper malware, which are typically designed purely to destroy rather than to extort.” The fake ransomware component adds a layer of confusion. Victims may think they can pay and recover. They cannot.
The backdoor also reduces the attacker’s deployment footprint. One implant means fewer dropped binaries, less network chatter, and a smaller chance of being caught before the payload fires. For defenders, that is a nightmare scenario.
Microsoft assessed that GigaWiper was built by combining and reimplementing components from Crucio, FlockWiper, and an as-yet-unrecovered framework. This suggests the authors had deep code-level knowledge of those older families.
How to Defend Against GigaWiper
Microsoft published a set of mitigation recommendations for organizations worried about GigaWiper malware. They fall into two buckets: general security hygiene and Microsoft-specific settings.
General Mitigations
- Enable tenant-wide tamper protection. This prevents attackers from stopping security services or adding antivirus exclusions.
- Block direct access to known C2 infrastructure. Use threat intelligence feeds to keep command-and-control servers off your network.
- Turn on cloud-delivered protection. This helps your antivirus keep up with rapidly evolving tools and techniques.
Microsoft-Specific Recommendations
- Run EDR in block mode. Microsoft Defender for Endpoint can block malicious artifacts even when your non-Microsoft antivirus misses them or when Defender Antivirus is in passive mode.
- Enable full automated investigation and remediation. This allows Defender for Endpoint to take immediate action on alerts, reducing breach impact significantly.
- Apply attack surface reduction rules. Specifically, enable the rule that blocks executable files from running unless they meet a prevalence, age, or trusted list criterion.
These steps are not theoretical. They are the same defenses that help stop ransomware attacks and other advanced threats. Wipers like GigaWiper move fast — your defenses need to be automated and always-on.
The Bigger Picture: Wiper Malware Is Evolving
GigaWiper is not just another malware sample. It is a sign that threat actors are investing in operational efficiency. They are merging standalone tools into unified platforms. That reduces their risk and increases yours.
For defenders, the takeaway is clear: you cannot treat espionage threats and destructive threats as separate problems anymore. The same implant that steals your credentials today can wipe your servers tomorrow.
Microsoft did not disclose who was targeted or how the initial compromise occurred. But the company did share detection signatures through its security products. If you are running Microsoft Defender for Endpoint with cloud-delivered protection and EDR in block mode, you are already better positioned to spot GigaWiper before it triggers its payload.
The clock is ticking. Wipers do not negotiate. They just delete.