Microsoft has detailed GigaWiper malware, a destructive Windows backdoor that gives an intruder remote control first and destructive options later. The company says its threat intelligence team identified the activity while investigating wiping attacks in October 2025, then found a Go-based implant that combines command-and-control features with disk wiping, fake ransomware, and system sabotage.[1]
The practical point is simple: this is not a vulnerability with one patch to install. GigaWiper is a post-compromise tool. If it appears on a Windows endpoint, the attacker may already be close enough to spy, stage files, exfiltrate data, erase logs, or destroy the machine. That makes early detection, endpoint containment, and tested offline backups more important than waiting for a ransom note that may never lead to recovery.
Microsoft describes three destructive paths inside the toolset. One component overwrites raw disk content and the partition table before rebooting. Another borrows from Crucio-style fake ransomware, encrypting files and adding a .candy extension without preserving a usable recovery key. A third is a Go rewrite of FlockWiper that targets the Windows drive with repeated overwrite passes.[1] That fake-ransomware angle should sound familiar to defenders: HowToFix has previously covered fake ransomware used as a distraction, and older wiper incidents such as the Meteor attack on Iranian railway systems.
GigaWiper also includes spying and operator-control functions. Microsoft says samples can capture screenshots across monitors, record the screen, open a hidden VNC session, run shell commands, manage services and processes, change registry keys, and clear Windows event logs.[1] In other words, the same implant can support reconnaissance, data theft, and destructive impact depending on what the operator chooses after access is established.
The stealth details are useful for triage. Microsoft says GigaWiper masquerades as OneDrive by creating a scheduled task named OneDrive Update that repeats every minute and by storing state under HKCUSOFTWAREOneDriveEnvironment. It also uses a firewall rule named Microsoft.Windows.CloudExperienceHost. For command traffic, Microsoft observed legitimate-looking infrastructure patterns: RabbitMQ for tasking, Redis for task status, and MinIO for exfiltration storage.[1]
What Windows defenders should check now
Start with exposed endpoints and servers where a destructive tool would have the most impact: domain-joined workstations used by administrators, file servers, backup consoles, jump boxes, and systems with broad network shares. Hunt for the OneDrive Update scheduled task, the OneDrive registry path above, unusual RabbitMQ or Redis connections from desktop machines, and suspicious use of takeown or icacls against boot-related files such as bootmgr or ntoskrnl.exe.
Network teams should block or at least alert on the two C2 IP indicators Microsoft published: 185.182.193[.]21 and 212.8.248[.]104. Endpoint teams should compare suspicious binaries against Microsoft’s published SHA-256 list, including 633d4cbd496b1094495da89a64f5e6c31a0f6d4d1488411db5b0cba1cfe42001, ce9ad5f6c12019f4aae5b189bd8ddf5bb09e75b06a0a587b25a855c65948c913, f622ed85ef31ad4ab973f4e74524866fe1bb44f0965ad2b2ad796cd657a05bfd, and 9706a192e2c1a1faaf0a521daf31c2af60ff4590e3f47bbb4abc227f42af0683 for the backdoor itself.[1]
Microsoft recommends enabling tamper protection, cloud-delivered protection, endpoint detection and response in block mode, and full automated investigation and remediation where available.[1] Organizations that rely on Microsoft Defender should also review current engine coverage and recent Defender incidents. That advice lines up with the broader lesson from recent Windows security stories, including the site’s earlier coverage of RoguePlanet in Microsoft Defender: keep the protection stack updated, but verify the defensive controls are actually enforcing policy on the endpoints that matter.
Because GigaWiper can behave like a backdoor before it behaves like a wiper, response should not stop at removing one binary. Treat any hit as a possible intrusion. Preserve volatile evidence where possible, isolate the host, rotate credentials used on that machine, inspect lateral movement paths, and confirm that backups are offline, clean, and restorable. If the fake-ransomware branch runs, the absence of a ransom demand is itself a warning sign: the goal may be irreversible disruption, not payment.
References
- Microsoft Security Blog. GigaWiper: Anatomy of a destructive backdoor assembled from multiple malware. Published July 9, 2026.
- The Hacker News. New GigaWiper Windows Backdoor Bundles Disk Wiping, Fake Ransomware, and Spyware. Published July 9, 2026.
- CISA. IRGC-Affiliated Cyber Actors Exploit PLCs in Multiple Sectors. Published December 2023.
Leave a Comment