Destructive Windows backdoor stuffs multiple wipers and ransomware code into a single package

Jul 10, 2026 - 22:05
0 0
Destructive Windows backdoor stuffs multiple wipers and ransomware code into a single package

security

Microsoft says GigaWiper combines at least 3 malware families into one modular tool

A newly identified destructive Windows backdoor combines ransomware-like encryption with multiple data-wiping features, according to Microsoft.

Last October, the Redmond threat-hunting team first spotted attacks using the Golang-based implant they've named GigaWiper. 

Its developers stuffed multiple malware families into the software as on-demand commands, giving criminals a Swiss Army knife of command-and-control (C2) and destructive capabilities, including multiple wiping commands and file encryption without any possibility of decryption.

“The consolidation of multiple destructive capabilities into a modular backdoor reflects a notable shift in wiper malware, which are typically designed purely to destroy rather than to extort and carry real-world consequences,” Microsoft Threat Intelligence wrote in a Thursday blog.

Microsoft declined to answer The Register's questions about the scale and scope of GigaWiper attacks.

In the blog, Redmond’s malware analysts said they uncovered two types of GigaWiper samples in victims’ environments, and both are unstripped portable executable files written in Golang. 

One is a standalone wiper that operates at the physical disk level, as opposed to deleting individual files. It overwrites raw disk content, removes partition metadata, and then reboots the system using Windows shutdown functionality with restart and zero-delay.

The second sample is the more interesting one. It includes the same disk-wiping functionality, but that’s just one component of the backdoor. This malware also establishes persistence and sets up C2 communication using RabbitMQ over AMQP for receiving commands from the C2 server, and Redis for updating command status and output.

GigaWiper also organizes its commands into different categories, including "always run" for tasks such as continuous screen recording, "manage command" for system management functions, and separate "special command" and "shell command" modes for executing additional functionality.

These include the standalone wiper command, along with another command that disables Windows recovery, triggers a blue screen of death (BSOD), and leaves the device unable to boot.

It also has a destructive command based largely on Crucio ransomware. It encrypts files with randomly generated keys that are never saved, which means victim organizations will never be able to decrypt these files.

Another command bulk encrypts or decrypts files with AES-256 in Cipher Block Chaining (CBC) mode, while a different command uses MinIO Client (mc) to upload stolen files to remote storage.

The malware also runs PowerShell commands, takes screen shots and recordings of the compromised device, collects system info, clears Windows event logs, and allows remote control over the system along with keyboard and mouse control - among other capabilities that attackers can use at will.

According to Redmond, GigaWiper combines components from at least three previously separate malware families, including Crucio ransomware, a Go reimplementation of FlockWiper, and a standalone disk wiper.

“Overall, these findings show the evolution of the actor’s tooling over time,” the security sleuths wrote. “Functionality was merged into a single robust backdoor, granting the actor more ways to control and destroy infected systems.” ®

What's Your Reaction?

Like Like 0
Dislike Dislike 0
Love Love 0
Funny Funny 0
Wow Wow 0
Sad Sad 0
Angry Angry 0

Comments (0)

User