Microsoft Pulls Apart 'GigaWiper', a Windows Backdoor That's Really Three Old Wreckers in a Trench Coat

The malware lets its operator pick how to trash a machine: wipe the disk, kill the Windows drive, or fake a ransomware attack with a key that's thrown away.

ThreatVectr Newsdesk· 3 min read
Full-frame photoreal editorial shot of a dark server room with a single rack unit pulled forward, its indicator lights glowing red instead of green, faint smoke
Share

Key points

  • Microsoft has analysed a destructive Windows backdoor it calls GigaWiper, which bundles three older wrecking tools into a single program.
  • The malware lets its operator pick between wiping the entire disk, overwriting only the Windows drive, or running fake ransomware that scrambles files with a key it never saves.
  • Unlike normal ransomware, files hit by GigaWiper's fake-encryption mode cannot be recovered even if a victim pays.
  • The design is modular, meaning the person running the attack chooses which flavour of destruction to launch at the moment of use.

Microsoft has taken apart a nasty piece of Windows malware, malicious software built to harm computers, and given it a name: GigaWiper.

The thing that makes it interesting is not that it destroys machines. Plenty of programs do that. It's how it's put together.

GigaWiper is not one tool. It's three older destructive programs stitched into a single backdoor, which is malware that gives a remote operator a way in and a menu of commands to run once they're inside.

Think of it less as a weapon and more as a toolbox with three drawers, each holding a different way to ruin someone's day.

What can GigaWiper actually do to a computer?

It offers three destruction modes, and the attacker picks which one to fire.

The first wipes the whole disk. Every drive attached to the machine gets overwritten, so the computer will not boot and the data is gone.

The second is narrower. It overwrites only the drive that holds Windows itself. The machine dies, but any secondary storage might survive.

The third is the sneaky one. It behaves like ransomware, the kind of attack where criminals scramble your files and demand payment for the key to unscramble them. Except here, there is no key to hand back. GigaWiper generates a scrambling key, uses it, and never saves it anywhere. Paying does nothing.

This pattern has a name in the industry. It's called a wiper dressed as ransomware, and it's been seen before in attacks aimed at Ukraine, where the goal was destruction and the ransom note was cover.

Why does the design matter?

Because it points to how modern destructive malware is being written.

Older wipers did one thing. GigaWiper's author took code from several existing families, wrapped them in a common shell, and exposed each as a command. The operator, sitting somewhere else, decides on the day whether to nuke the whole disk, take out just Windows, or run the fake-ransomware routine.

For defenders, that means one sample can look like three different attacks depending on which command was sent. As reported by The Hacker News, Microsoft's writeup treats the modular structure as the notable finding, not any single wrecking technique inside it.

It's a familiar pattern from ordinary crimeware. Banking trojans and remote-access tools have shipped as toolkits with pluggable modules for years. Destructive malware is now doing the same.

Should ordinary people be worried?

Not in the sense that GigaWiper is coming for a home laptop tomorrow. Tools like this are aimed at organisations: companies, hospitals, government offices, utilities.

But the practical lesson is the same one that has been true for a decade. If your files only exist on the machine in front of you, a single bad afternoon can erase them. Backups that are kept separate from the main computer, and tested now and then to make sure they actually restore, are the difference between an inconvenience and a catastrophe.

For businesses, the specific worry with a wiper-in-ransomware-clothing is worse than normal ransomware. You cannot negotiate your way out. If GigaWiper's third mode runs on your file servers, the files are gone, full stop. Recovery means backups or nothing.

Microsoft has not, as of writing, tied GigaWiper to a specific group or a specific campaign in the wild. The public detail is about the malware itself, not the hands using it.

© 2026 Threat Vectr