Microsoft has detailed GigaWiper, a destructive Windows backdoor that combines disk-wiping, fake ransomware, and espionage capabilities into a single operational package. The malware, analyzed by Microsoft’s Threat Intelligence team, represents a worrying evolution in modular malware design — packing multiple destructive functions that can be triggered independently or in sequence.
GigaWiper’s disk-wiping component is designed to render systems inoperable by overwriting critical system files and partition tables. Its fake ransomware module displays a ransom note and encrypts a subset of files to create the impression of a criminal operation, but no genuine decryption capability exists. The spyware module exfiltrates credentials, browser data, and documents to a remote command-and-control server.
The backdoor is delivered through phishing campaigns targeting enterprise environments. Microsoft recommends organizations ensure endpoint detection systems are updated, restrict PowerShell execution policies, and monitor for unusual disk activity. The multi-capability design suggests a state-aligned threat actor with objectives spanning espionage, sabotage, and disinformation.
