Serving tech enthusiasts for over 25 years.
TechSpot means tech analysis and advice you can trust.
TL;DR: Malicious programs designed to wipe hard disk drives clean are dangerous enough, but they become a systemic risk when that same capability gets built into a remote-controlled backdoor. Microsoft has now documented one such tool, a multi-faceted platform equipped with an unusually wide range of destruction capabilities.
Security analysts at Microsoft Threat Intelligence recently uncovered GigaWiper, a destructive backdoor assembled by combining several different malware families into one package.
GigaWiper is technically a backdoor, in that it's designed to spy on a victim's machine and receive commands remotely. But it's also an incredibly dangerous "wiper," since it packs multiple payloads capable of erasing both files and partition or volume logic from local storage drives.
Microsoft Threat Intelligence first spotted GigaWiper in October 2025. The malware is written in Go, and it includes three main data-wiping capabilities. First, a "standalone" wiper overwrites data on a disk in raw mode, operating at the physical disk level rather than checking file or partition metadata.
Second, a "fake" ransomware module derived from the Crucio malware family encrypts files but never saves the encryption key anywhere, so there's no way to recover them. Finally, the third wiper reimplements the logic of FlockWiper malware and can erase the Windows system drive using a multi-pass "secure" wiping process.
This AI-generated image is dropped on an infected system and set as the wallpaper after files are encrypted.
Data destruction commands are only part of the wider capabilities the backdoor can deploy when instructed from a command-and-control (C2) server. In total, GigaWiper supports 20 different remotely-issued commands, several of which carry serious security implications for both individual users and organizations.
The backdoor's surveillance functionality is just as extensive as its destructive side, starting with screenshot capture and even video recording. When instructed to do so, GigaWiper can stream a "live" feed of the user's screen with support for remote keyboard and mouse input. The malware implements TCP-based streaming that conceals itself by deploying custom exceptions in the Windows Firewall.
GigaWiper also includes additional, albeit not-so destructive capabilities for monitoring and managing a Windows system. The malware can collect extensive information about the machine and its software environment, while offering broad management capabilities over software processes, Windows event logs, and the system registry.

Microsoft says GigaWiper was assembled from at least three previously separate malware families, and it directly ties the backdoor's code to both Crucio and FlockWiper through shared execution flow, function naming, and matching strings. (Microsoft's own detection signatures also reference a third component it calls CutBrooch, likely corresponding to the standalone wiper module.)
Whoever is operating GigaWiper's C2 infrastructure can maintain extensive control over infected systems and trigger a destructive command whenever they choose.
Redmond has provided a few mitigating measures organizations can take to blunt an infection like GigaWiper before it causes lasting damage. Turning on tamper protection in Microsoft Defender is one of them, and enabling the antimalware service's cloud-based protection to catch rapidly evolving threats before local virus signatures are updated.










English (US) ·