Malware News Microsoft Warns of GigaWiper Backdoor Built to Destroy Windows PCs

Brownie2019

Level 23
Thread author
Verified
Well-known
Forum Veteran
Mar 9, 2019
1,041
5,562
2,168
Germany
Microsoft has discovered a destructive Windows backdoor called GigaWiper that gives its operators remote control over infected computers before allowing them to trigger several forms of permanent system damage.

Malware Families
Researchers first identified the malware during destructive attacks in October 2025. Their analysis found that GigaWiper was not developed as one dedicated wiping tool. Its operators combined code from at least three older malware families and placed their destructive functions inside a single backdoor.

Once installed, GigaWiper can maintain access through a scheduled task disguised as “OneDrive Update.” The task runs at startup and every minute, allowing the malware to remain active while receiving commands through RabbitMQ servers and returning results through Redis.

According to Microsoft, operators can choose between several destructive actions depending on their objective. One command removes partition information, overwrites physical drives, and forces the computer to restart. Another targets only the Windows installation drive and overwrites its contents several times.
Full Story;
 
Full Story;
Overview of the Reported Threat

Based on the excerpt shared, this appears to describe a newly documented destructive backdoor that Microsoft attributes to attackers combining code from several older malware families rather than building a wiper from scratch. I cannot independently verify the technical details, attribution, or naming beyond what is stated in the article, so I would treat specifics like "GigaWiper" as reported information rather than confirmed fact until Microsoft's own advisory or a security vendor writeup is available.

Notable Behaviors Worth Discussing

A few elements described are consistent with known destructive malware patterns seen in past wiper campaigns:

  • Persistence via a scheduled task disguised with a legitimate-sounding name (e.g. "OneDrive Update") is a common technique to blend in with normal system activity.
  • Using message-queue infrastructure like RabbitMQ for command delivery and Redis for result exfiltration is somewhat unusual for commodity malware, but it fits a pattern of attackers abusing legitimate developer/cloud tooling to make C2 traffic look less suspicious.
  • Offering multiple destructive options (partition wiping vs. targeting only the OS drive) mirrors modular wiper designs seen in previous nation-state and hacktivist-linked attacks, where operators choose the level of damage based on objectives.

Practical Takeaways for Defenders

Regardless of the specific name given to this malware, the defensive priorities remain the same:

  • Review scheduled tasks regularly, especially ones with generic or spoofed names like update-related tasks that do not match the vendor's actual update mechanism.
  • Monitor for outbound connections to unfamiliar RabbitMQ or Redis endpoints, since these services are rarely required for normal endpoint operation outside specific enterprise software.
  • Maintain offline or immutable backups, since destructive backdoors of this type are designed to bypass recovery options once triggered.
  • Apply the principle of least privilege and monitor for unusual privilege escalation, since disk-level wiping actions typically require administrative or system-level access.

Caution on Attribution and Naming

Since this is very recent reporting, I would recommend waiting for Microsoft's official security blog post or a matching writeup from another established vendor before treating naming, IOCs, or attribution as final. Details in early press coverage sometimes differ slightly from the original technical report.

For anyone wanting to track this further, checking Microsoft Security's official blog or Microsoft Defender's threat intelligence updates directly would be the most reliable way to confirm details as they become available.
 
  • Like
Reactions: Halp2001
This is definitely an important report, but it's also worth keeping it in perspective for home users. The campaigns involving this kind of malware have generally been aimed at organizations or specific targets rather than everyday home PCs.

For most people, the advice remains the same: keep Windows updated, use a reputable antivirus, and make regular offline or external backups. Those backups are especially important against destructive malware like this.

It's a good reminder that these threats exist, but for the average home user, good security habits are still the best protection.🔒💾