Microsoft Exposes GigaWiper, a New Malware That Spies on Victims Before Destroying Them

A newly discovered backdoor called GigaWiper quietly watches infected computers for months, then wipes or encrypts everything on command, with no way to recover the data.

ThreatVectr Newsdesk· 3 min read
Close-up, editorial news photograph, 16:9 framing, of a server rack in a dark data centre with one hard drive pulled halfway out, its surface reflecting faint r
Share

Key points

  • Microsoft published a technical breakdown of GigaWiper on Thursday, November 2025, naming it as a backdoor first seen in October 2025 intrusions.
  • GigaWiper bundles the destructive code of three separate malware families, Crucio ransomware, FlockWiper, and a raw disk-wiping tool, into one backdoor program.
  • The malware hides its persistence, meaning its ability to survive a reboot, by disguising itself as a routine "OneDrive Update" scheduled task.
  • Crucio encrypts files with keys that are never saved anywhere, making recovery impossible even if a victim pays.
  • Microsoft recommends maintaining offline backups, because no decryption tool can undo this type of destruction.

A new piece of malicious software called GigaWiper does something unusual: it waits. Most destructive malware charges in and starts deleting things immediately. GigaWiper first acts as a remote-access backdoor, giving its operators quiet, persistent control over a victim's machine. Then, when they decide the moment is right, it destroys everything.

Microsoft's threat-intelligence team published its analysis on Thursday, detailing a tool they first spotted in intrusions dating back to October 2025. The write-up, shared with CSO Online, describes GigaWiper as a modular backdoor, meaning a single program whose individual parts can be switched on independently, like channels on a remote control.

How does GigaWiper actually work?

GigaWiper arrives as one of two things: a stripped-down standalone wiper, or a larger backdoor carrying 20 separate commands. Those commands let the operators run scripts, manage software processes, take screenshots, record the screen, and even remotely control the infected machine as if they were sitting in front of it.

The malware plants itself on a Windows computer by creating a scheduled task, a built-in Windows feature that runs programs automatically at set times, disguised as a "OneDrive Update." From there it phones home using two messaging technologies called RabbitMQ and Redis, software tools normally used by businesses to pass data between servers. Here, they carry attack instructions in one direction and stolen output in the other.

The destructive side is where GigaWiper stands apart. Microsoft researchers found it borrows wiping code from three existing malware families rather than building its own from scratch. One set of commands simply overwrites the physical contents of every disk and erases the partition table, the index a computer uses to find its own files. Another set uses code from a family called Crucio, which encrypts files with randomly generated keys that are never stored anywhere. A third set reimplements a wiper called FlockWiper, performing multiple overwrite passes to make data unrecoverable.

Because the Crucio-based encryption throws away its own keys, there is nothing to decrypt later. No ransom payment helps. The data is gone.

If you are an IT or security professional at an organisation, Microsoft's guidance is direct: keep offline backups that malware cannot reach, turn on endpoint detection and response software (security tools that watch for suspicious behaviour in real time), and use your operating system's built-in attack-surface reduction controls to limit what programs can do. Microsoft has also published a list of file signatures and network addresses tied to GigaWiper to help defenders spot it.

For ordinary employees, the practical step is the same one that applies to most intrusions: be cautious with unexpected email attachments or links, because that is almost always how attackers get their first foothold before tools like GigaWiper are ever deployed.

© 2026 Threat Vectr