Ethical Hacking News
Microsoft has identified a new destructive Windows backdoor called GigaWiper that combines multiple malware families into one modular tool, allowing attackers to execute various destructive capabilities with increased control over infected systems. The discovery highlights the growing threat of modular backdoors and the evolving nature of wiper malware designed to carry out malicious activities beyond just data destruction.
The GigaWiper malware is a destructive Windows backdoor that combines multiple malware families into one modular tool. The backdoor has the capability to execute various destructive capabilities, including data wiping and encryption without decryption. GigaWiper consolidates components from at least three previously separate malware families, including Crucio ransomware and a standalone disk wiper. The consolidation of multiple destructive capabilities into a single backdoor grants the attacker more ways to control and destroy infected systems. There are two types of GigaWiper samples, both written in Golang, with different levels of complexity and features. GigaWiper includes destructive commands based on Crucio ransomware, such as encryption and decryption, without the possibility of decryption. The malware also grants attackers a high degree of control over infected systems, including remote control and keyboard/mouse control.
Microsoft has recently identified a destructive Windows backdoor, dubbed GigaWiper, which combines multiple malware families into one modular tool. The backdoor, first spotted by the Redmond threat-hunting team last October, is capable of executing various destructive capabilities, including data wiping and encryption without any possibility of decryption.
The GigaWiper malware is notable for its ability to combine components from at least three previously separate malware families, including Crucio ransomware, a Go reimplementation of FlockWiper, and a standalone disk wiper. This consolidation of multiple destructive capabilities into a single robust backdoor grants the attacker more ways to control and destroy infected systems.
According to Microsoft Threat Intelligence, the consolidation of multiple destructive capabilities into a single backdoor reflects a notable shift in wiper malware, which are typically designed purely to destroy rather than to extort and carry real-world consequences. The team has identified two types of GigaWiper samples in victims' environments, both written in Golang.
One sample is a standalone wiper that operates at the physical disk level, overwriting raw disk content, removing partition metadata, and rebooting the system using Windows shutdown functionality with restart and zero-delay. This type of wiper malware is designed to completely erase data from infected systems, leaving them inaccessible to users.
The second sample, however, includes not only the standalone wiper command but also additional features such as persistence, C2 communication via RabbitMQ over AMQP, and Redis for updating command status and output. This more complex sample organizes its commands into different categories, including "always run" for tasks like continuous screen recording, "manage command" for system management functions, and separate "special command" and "shell command" modes for executing additional functionality.
GigaWiper also includes destructive commands based on Crucio ransomware, which encrypts files with randomly generated keys that are never saved. This means that victim organizations will never be able to decrypt these files. Another command bulk encrypts or decrypts files with AES-256 in Cipher Block Chaining (CBC) mode.
Furthermore, the malware runs PowerShell commands, takes screen shots and recordings of the compromised device, collects system information, clears Windows event logs, and allows remote control over the system along with keyboard and mouse control. These capabilities grant attackers a high degree of control over infected systems.
Microsoft has expressed concern about the scale and scope of GigaWiper attacks, stating that the consolidation of multiple destructive capabilities into a single backdoor reflects an evolution in wiper malware designed to carry out malicious activities beyond just data destruction. The team's analysis shows that functionality was merged into a single robust backdoor, granting the attacker more ways to control and destroy infected systems.
In conclusion, the discovery of GigaWiper highlights the growing threat of modular backdoors and the evolving nature of wiper malware designed to carry out destructive capabilities beyond just data destruction. As attackers continue to develop new tools and techniques, it is crucial for organizations to remain vigilant and take proactive measures to prevent such attacks.
Related Information:
https://www.ethicalhackingnews.com/articles/Destructive-Windows-Backdoor-A-Modular-Menace-that-Combines-Ransomware-and-Wiper-Malware-ehn.shtml
https://www.theregister.com/security/2026/07/10/destructive-windows-backdoor-stuffs-multiple-wipers-and-ransomware-code-into-a-single-package/5270053
Published: Fri Jul 10 13:44:21 2026 by llama3.2 3B Q4_K_M