GigaWiper Merges Three Malware Families Into One Destructive Backdoor


GigaWiper Merges Three Malware Families Into One Destructive Backdoor

Pierluigi Paganini
July 10, 2026

Microsoft uncovered GigaWiper, a modular Go backdoor combining three malware families with espionage, remote control, and destructive wiping features.

In October 2025, Microsoft’s threat intelligence team identified destructive wiping activity inside compromised environments and traced it to a previously unknown piece of malware they’re now calling GigaWiper. The malicious code is written in Go, it combines a command-and-control backdoor with multiple built-in destruction capabilities, and it was assembled by taking code from at least three older malware families and merging them into one implant. Efficient, if attackers aim at destroying the target systems.

“The consolidation of multiple destructive capabilities into a modular backdoor reflects a notable shift in wiper malware, which are typically designed purely to destroy rather than to extort and carry real-world consequences.” reads the report published by Microsoft. “GigaWiper exemplifies threat actors investing in operational efficiency, merging standalone tools into unified platforms that reduce their deployment footprint while expanding their destructive capabilities.”

The backdoor communicates with its operators over RabbitMQ for receiving commands and Redis for sending back results. It persists through a scheduled task named “OneDrive Update” that runs every minute and at system startup, and tracks its own execution count in a registry key disguised as a OneDrive entry. The command set runs from 1 to 20 and covers an unusually wide range of capabilities for a single implant.

The destructive commands are the most interesting features. Command 1 wipes physical disks at the raw level, overwriting content in chunks and removing partition metadata from non-Windows drives before forcing a reboot. Command 2 triggers a Blue Screen of Death and prevents the machine from starting again by deleting critical boot and kernel files. Command 3 encrypts files with a randomly generated key that is never saved anywhere, renames them with a .candy extension, and drops a threatening image as the wallpaper.

The researcher pointed out that there’s no ransom note and no way to recover the files, because the actor never intended to offer decryption. Command 12 performs a more thorough multi-pass wipe of just the Windows installation drive, overwriting it with zeros, 0xFF values, and random bytes across multiple passes.

Beyond destruction, the backdoor includes a full remote-control suite. Command 20 opens a VNC-style remote desktop session over TCP with keyboard and mouse control, creating firewall rules named after legitimate Windows components to hide the traffic. Commands 9 and 10 handle screenshots and continuous screen recording when the user is active. Commands 15 through 18 manage system information collection, process control, service management, and registry navigation in a way that maintains session state between requests, essentially providing an interactive registry browser. Command 19 wipes Windows event logs, attempting to delete Security logs twice using different methods if the first fails, and for unknown reasons ends by printing the string “kharbvnmhkjbkjb” to the console.

The architectural story is what makes GigaWiper technically interesting. Microsoft identified that each of the three main destructive commands traces back to a separate, previously existing malware family developed by the same threat actor.

Command 3, the fake ransomware, is built on Crucio ransomware code. Crucio was documented in a CISA advisory in December 2023. The function BigBangExtortMain, which handles the file encryption in GigaWiper, shares its name and logic with the same function in Crucio.

“GigaWiper backdoor command 3 is heavily based on Crucio’s code, leading to the assessment that the same threat actor developed both malware families.” states Microsoft.

GigaWiper
Crucio functions. Right: GigaWiper’s ran_main functions. (Source Microsoft)

Command 12, the multi-pass secure wipe, is a Go reimplementation of FlockWiper, a C-based wiper that first appeared on VirusTotal in June 2025, several months before GigaWiper was observed. The logic and strings are nearly identical between the two, with GigaWiper’s version appearing to be a more updated iteration. FlockWiper’s compiled binaries contain program database paths referencing the string “GRAT,” and that same string appears repeatedly in GigaWiper’s function names, providing an additional thread connecting the two families.

“The name “GRAT” is also prevalent in several function names within the GigaWiper backdoor.” continues the report, “Although the FlockWiper binaries do not include “GRAT” functionality, the PDB paths provide another link between the two malware families.”

The string suggests the possible existence of a related framework or component that hasn’t been recovered yet.

Command 1, the standalone disk wiper, appears in GigaWiper as an exact replica of the standalone wiper binary Microsoft also observed being deployed separately. The function names and code flow are identical; the standalone wiper’s main routine simply reappears inside the backdoor as a callable command.

The modular structure changes what defenders need to think about. A traditional wiper gets deployed, runs, and destroys. GigaWiper sits on a system, maintains persistence, communicates back to operators, and can switch between quiet intelligence-gathering and full destruction on command, without requiring the attacker to deploy a new tool. The same implant that takes screenshots and manages processes today can wipe disks tomorrow.

The C2 infrastructure observed in samples used 185.182.193[.]21 on port 5544 for RabbitMQ command delivery and port 7542 for Redis result reporting. The RabbitMQ fanout exchange named “All” broadcasts commands to every infected host simultaneously, while a topic exchange named “Topic” enables targeted commands to specific machines.

“GigaWiper is a backdoor with extensive operational capabilities that allow a threat actor to maintain control over infected systems, execute commands, deploy additional tooling, and ultimately trigger one of multiple destructive commands on demand. It allows the threat actor to operate with flexibility, enabling both quiet espionage activity and destructive wiping operations.” concludes the report. “Overall, these findings show the evolution of the actor’s tooling over time. Functionality was merged into a single robust backdoor, granting the actor more ways to control and destroy infected systems.”

Microsoft’s recommended mitigations focus on preventing the defense-disabling steps that wipers typically rely on: enabling tamper protection to stop attackers from turning off security services, running endpoint detection and response in block mode, and enabling cloud-delivered protection to catch rapidly evolving tools. Blocking direct access to the known C2 infrastructure at 185.182.193[.]21 is the immediate network-level action available to organizations that can act on the published indicators.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, malware)







Source link

Leave a Reply

Subscribe to Our Newsletter

Get our latest articles delivered straight to your inbox. No spam, we promise.

Recent Reviews


TL;DR

Meta stripped NameTag facial recognition code from its AI app one day after WIRED exposed it on 50 million phones. Meta says no decision has been made.

Meta removed nearly all traces of an unreleased facial recognition system from its smart glasses companion app on Friday, one day after WIRED reported that the software had been quietly embedded in an app installed on more than 50 million phones. The feature, which Meta internally called NameTag, was designed to convert faces captured by the company’s Ray-Ban smart glasses into unique biometric signatures and compare them against a database stored on the user’s device. WIRED also found that faces the system failed to recognise were cropped, indexed, and stored locally for future processing.

Andy Stone, Meta’s vice president of communications, told WIRED on Monday that the feature is “purely exploratory,” adding that no final decision has been made on what to do with it. That characterisation sits uneasily with the evidence WIRED documented. The version of Meta AI published the day of WIRED’s Thursday report contained several code libraries explicitly named for face recognition, a process for running the NameTag recognition pipeline, and a “Person recognised” alert the app would have shown if someone were identified.

Friday’s release stripped all of it out, along with a folder where the app would have stored the cropped images and biometric signatures of unrecognised faces. Meta did not answer WIRED’s questions about why the code was removed or whether the changes were planned before the story was published. A few fragments remain in the latest version, including an internal debug menu label and a dormant link meant to open a recognised person’s profile, pointing to parts of the system that are no longer there.

The 💜 of EU tech

The latest rumblings from the EU tech scene, a story from our wise ol’ founder Boris, and some questionable AI art. It’s free, every week, in your inbox. Sign up now!

The gap between Meta’s public statements and the code WIRED found is the central tension. Before the Thursday report, Stone dismissed the findings by writing that the company could not answer questions about how the system would work because “the feature does not exist.” Andrew Bosworth, Meta’s chief technology officer, called the reporting “incredibly misleading” and “absolutely dishonest.” Yet the code was functional enough to include three AI models, one to detect faces, another to crop them, and a third to encode them as biometric data, all embedded in the companion app for a product already at the centre of a mounting privacy crisis.

Meta declined to answer ten questions WIRED posed before publishing, including whether it had already created the database of face profiles NameTag uses, how long the app retains photographs and biometric data of unrecognised people, and whether that data would ever be sent back to Meta’s servers. The company also did not respond to questions about whether it was building NameTag for blind or low-vision users, or to criticism from privacy advocates who warned the system could let stalkers and abusers identify strangers in public.

NameTag first surfaced in February, when The New York Times, citing internal Meta documents, reported that the company was developing face recognition for its smart glasses and considering a launch as early as this year. One internal memo reportedly described releasing the feature during a “dynamic political environment” when privacy and civil liberties advocates would be distracted by other concerns. WIRED subsequently found that much of NameTag’s machinery had been built into the Meta AI app as early as January, months before any public acknowledgement, adding another layer to the company’s pattern of shipping first and disclosing later when it comes to its smart glasses.

Kade Crockford, director of the technology for liberty programme at the American Civil Liberties Union of Massachusetts, said the removal does not undo the original decision to ship the code and pointed to it as evidence that consumer privacy needs stronger legal protection than Congress has been willing to provide. The Massachusetts House of Representatives last week unanimously passed a consumer privacy bill that, if enacted as written, would impose strong enforcement provisions including a private right of action allowing aggrieved users to sue. “State lawmakers need to do their job and step up to protect consumer privacy,” Crockford said.

Meta’s sneaky tactics in slipping the face-recognition code into its smart glasses show exactly why data privacy bills need the teeth of strong enforcement,” Crockford added. “Companies like Meta prioritise their bottom line, so lawmakers need to speak in the only language its C-suite understands.” Whether a code removal prompted by investigative reporting constitutes a victory or merely a tactical retreat depends on what Meta does next, and on whether the regulatory pressure building on both sides of the Atlantic produces enforceable consequences before the feature quietly returns under a different name.



Source link