Microsoft Flags GigaWiper, a Destructive Backdoor Merging Three Malware Families

Microsoft has detailed GigaWiper, a modular backdoor that combines a physical disk wiper, ransomware style file encryption, and a secure Windows drive wiping routine into a single implant capable of quiet surveillance before destructive action.

Omar Al-Hakeem
Senior Cyber Threat Analyst | MENA Region4 min read
Server room with a red warning light illuminating a rack, representing a destructive malware incident

Server room with a red warning light illuminating a rack, representing a destructive malware incident

Microsoft has published new detail on GigaWiper, a Golang based backdoor that gives attackers persistent access to a compromised network while quietly holding several destructive options in reserve. Unlike a standalone wiper, GigaWiper is built as a full featured implant that supports reconnaissance, remote control, and data collection, with disk destruction available as one command among many rather than the tool's sole purpose.

Microsoft's threat intelligence team first observed GigaWiper activity in October 2025 while investigating environments that had already been wiped using separate destructive tools. Further analysis found that the standalone wiper samples and the larger backdoor shared code, and that the disk wiping capability had since been folded directly into the backdoor as an on demand function.

What makes GigaWiper notable is its composite design. The implant combines a physical disk wiping routine, a file encryption module built on code shared with the previously documented Crucio ransomware, and a secure Windows drive wiping function that reimplements the logic of an earlier tool known as FlockWiper. Bundling these three capabilities into one modular backdoor gives an operator the flexibility to maintain quiet, long term access for surveillance purposes and then pivot to destructive action, whether that means encrypting files without any recovery path, corrupting disks directly, or forcing a system into an unbootable state, all from the same foothold.

The malware communicates with its operators over RabbitMQ and Redis rather than more commonly monitored web based channels, supporting both broadcast commands sent to every infected host at once and targeted instructions sent to specific machines. Its command set covers screen capture, PowerShell execution, registry manipulation, log clearing, and VNC style remote access, in addition to the destructive functions that give the malware its name.

For organisations running critical infrastructure or regulated environments, the risk profile here differs meaningfully from conventional ransomware. Because the file encryption routine does not retain any decryption material, victims cannot recover encrypted data regardless of whether a ransom is paid, which places GigaWiper firmly in the same destructive category as earlier state linked wiper campaigns rather than a financially motivated extortion tool. Security teams that model ransomware and wiper attacks as separate risk categories with separate response plans should treat this convergence as a reason to revisit that assumption.

This kind of destructive, infrastructure focused threat sits alongside a broader set of stealth and evasion techniques MENA Cyber Wire has tracked in recent weeks, including TrojPix, a covert channel attack capable of exfiltrating data from air gapped networks using nothing more than a standard video cable, and Januscape, a sixteen year old Linux KVM flaw that allows a guest virtual machine to escape to its host. Both cases point to the same underlying trend, attackers investing in techniques that establish deep, quiet access to infrastructure well before any destructive or extortion focused action takes place.

Gulf enterprises are not immune to this shift. As Saudi Arabia's Vision 2030 giga projects and Dubai's financial and logistics sectors continue to expand their digital footprint, the operational technology and cloud environments underpinning that growth present exactly the kind of high value, high impact targets that justify an attacker's investment in a tool as versatile as GigaWiper. Regional threat modelling already flags this shift, as outlined in recent analysis of AI driven cyberattacks against GCC enterprises.

Security teams should treat any unexplained RabbitMQ or Redis traffic to unfamiliar external hosts as worth investigating, review backup and recovery procedures against a scenario where files are destroyed rather than merely encrypted, and ensure incident response plans account for destructive outcomes rather than assuming a ransom negotiation will always be on the table. This is a quietly escalating threat, and tracking these underlying infrastructural shifts early is essential for infrastructure operators to maintain operational resilience well before immediate breach headlines emerge.

Omar Al-Hakeem

Senior Cyber Threat Analyst | MENA Region

Omar Al-Hakeem is a cybersecurity researcher specializing in threat intelligence, ransomware trends, and nation-state activity across the Middle East and North Africa. With over 12 years of experience in SOC operations and incident response, he provides deep technical breakdowns of emerging attacks and regional cyber risks. At MENA Cyber Wire, Omar focuses on real-world threat analysis and actionable defense strategies for enterprises and startups.

Intelligence Focus Areas

Destructive Malware ThreatsCritical Infrastructure ProtectionEnterprise Incident Response