A newly identified Windows backdoor, tracked as GigaWiper, has emerged as a modular threat that consolidates ransomware-like encryption with high-level data-wiping capabilities. Microsoft Threat Intelligence reported that the Golang-based implant was first observed in October, functioning as a “Swiss Army knife” for attackers by bundling multiple destructive tools into a single, highly flexible package. The malware’s design marks a departure from traditional wiper threats, which typically focus solely on system destruction, by instead providing operators with an array of on-demand commands for both extortion and permanent data loss.
According to Microsoft Threat Intelligence, the backdoor is distributed as an unstripped portable executable file. The software is designed to establish command-and-control (C2) communication using RabbitMQ over AMQP, while utilizing Redis to manage command status and output. This architecture allows attackers to maintain persistent control over infected environments, executing a variety of harmful tasks ranging from continuous screen recording to full system destruction.
Operational Capabilities and Modular Design
GigaWiper organizes its functionality into distinct command categories, allowing attackers to manage infected systems with granular control. The malware supports “always run” tasks, including silent screen recording and system information collection, alongside “manage command” functions for broader administrative control. Attackers can also deploy “special” and “shell” commands to trigger highly destructive actions, such as disabling Windows recovery tools or forcing a “blue screen of death” (BSOD) that renders the device unbootable.

The malware’s destructive suite incorporates components from at least three previously known malware families. This includes a standalone wiper that operates at the physical disk level—overwriting raw disk content and removing partition metadata—and a ransomware module based on the Crucio family. In cases where the ransomware command is deployed, files are encrypted with randomly generated keys that are not saved, effectively ensuring that data recovery is impossible for the victim. Another command enables bulk encryption or decryption of files using AES-256 in Cipher Block Chaining (CBC) mode.
Persistence and Data Exfiltration
Beyond its destructive features, GigaWiper is equipped with tools for active surveillance and data theft. The malware can execute PowerShell commands, capture screenshots, and facilitate remote control of the compromised system, including direct mouse and keyboard input. It also includes functionality to clear Windows event logs, a common tactic used to hide the presence of unauthorized activity and delay forensic investigation.

For exfiltration, the backdoor employs the MinIO Client (mc) to upload stolen files to remote storage providers. By consolidating these capabilities—ranging from persistent surveillance to permanent data destruction—the developers have created a toolset that allows for diverse attack strategies. Microsoft noted that the modular nature of the backdoor reflects an evolution in the actor’s tooling, granting them the ability to adapt their methods based on the specific environment or objectives within a target network.
Industry Implications and Security Guidance
The rise of modular backdoors like GigaWiper highlights the increasing complexity of modern wiper malware. While traditional wipers were often designed for immediate, irreversible destruction, the integration of ransomware and C2 management suggests that attackers are seeking more versatile tools that can be repurposed for different stages of an intrusion. Microsoft’s analysis emphasizes that these findings represent an ongoing evolution of threat actor capabilities, where disparate malware families are merged into single, robust platforms.

As of late February 2025, security professionals and IT administrators are encouraged to review their endpoint detection and response (EDR) configurations to identify signs of unauthorized Golang-based processes and unusual RabbitMQ or Redis traffic. Organizations should prioritize the implementation of robust backup strategies, as the permanent encryption and physical disk-wiping features of GigaWiper bypass standard decryption recovery methods. Users and administrators can monitor for official security advisories and threat intelligence updates through the Microsoft Security Blog to stay informed on emerging indicators of compromise related to this campaign.