At a glance
| Malware family | GigaWiper (Golang backdoor; code ties to Crucio and FlockWiper) |
| Threat actor | Not publicly named by Microsoft; suspected single developer |
| Target / victims | Windows systems; victim scope not disclosed |
| Delivery vector | Post-compromise deployment after attacker access |
| Key capabilities | Disk wiping, fake ransomware, remote control, spyware |
| Source | Microsoft Threat Intelligence |
TL;DR
Microsoft has detailed a destructive Windows backdoor named GigaWiper. The tool packs three older malware families into one implant. Operators can wipe disks, fake a ransomware attack, or quietly spy before they pull the trigger.
What GigaWiper does
GigaWiper is not one tool. Instead, it bundles several destructive programs as numbered commands. As Microsoft puts it, “It’s not a single, purpose-built tool, but an amalgamation of separate malware families.” Operators then pick their method of destruction on demand.
Three of the commands break a machine in different ways. One wipes the physical disk and strips out partition data. Another overwrites the Windows drive with multiple passes. A third scrambles files and drops a ransomware disguise.
Delivery
The GigaWiper backdoor is a post-access tool. In other words, attackers run it after they already hold a foothold. So there is no patch to chase, and no single flaw to fix.
Microsoft first spotted the destructive activity in October 2025. Investigators then found two sample types: a standalone wiper and a larger backdoor. Notably, the wiper’s code sits fully inside the backdoor as one command.
Infection chain
Once running, GigaWiper hides in plain sight. It disguises persistence as a OneDrive updater task. That task runs at startup, then repeats every minute.
The malware also tracks its own run count through a registry entry themed around OneDrive. Because these names mimic Microsoft software, the activity blends into normal system noise. This descriptive pattern, rather than any exact path, is the useful tell for defenders.
Three ways to destroy a system
The raw disk wiper reboots the machine after it overwrites drive content. The Windows-drive wiper adds several passes of different byte values for deeper destruction. Meanwhile, the fake ransomware command renames files and leaves them beyond recovery.
Command-and-control and data theft
GigaWiper talks to its operators through legitimate services. According to SC Media, it routes traffic through RabbitMQ, Redis, and MinIO, which makes detection harder. Commands arrive over a message queue, and results flow back through a separate channel.
The backdoor supports 20 numbered commands. These cover screenshots, screen recording, process control, log wiping, and system profiling. One command opens a hidden VNC-style session, so attackers gain full remote control.
The fake ransomware stands out most. “The key and IV are randomly generated but not saved anywhere, and no ransom note is dropped,” Microsoft wrote. As a result, victims cannot recover their files. Microsoft flatly calls it “a wiper disguised as ransomware.”

Who built GigaWiper
Microsoft confirmed the code links through analysis. The fake ransomware command borrows from Crucio ransomware. The multi-pass wiper matches FlockWiper, recoded in Golang. Furthermore, a shared “GRAT” tag ties the tools to one developer.
Attribution to a named group stays unconfirmed. Microsoft did not name an actor. However, The Hacker News reports that the same files surface in a second study as “BLUERABBIT,” flagged by Binary Defense, with matching hashes and servers. THN also connects Crucio to a 2023 CISA advisory linked to attacks on water and energy sites. Treat that wider link as suspected, not proven.
How to defend against the GigaWiper backdoor
Clean backups matter most here. Keep offline copies, since the fake ransomware saves no key. Early detection is the other half of the fight.
Microsoft recommends tamper protection, cloud-delivered antivirus, and endpoint detection in block mode. Beyond that, watch for odd scheduled tasks, unexpected disk operations, and changes to Windows recovery settings.
Support Our Threat Intelligence
If you find our CVE report and cybersecurity news helpful, consider supporting our work.