In October 2025, Microsoft’s threat intelligence team identified destructive wiping activity inside compromised environments and traced it to a previously unknown piece of malware they’re now calling GigaWiper. The malicious code is written in Go, it combines a command-and-control backdoor with multiple built-in destruction capabilities, and it was assembled by taking code from at least three older malware families and merging them into one implant. Efficient, if attackers aim at destroying the target systems.

“The consolidation of multiple destructive capabilities into a modular backdoor reflects a notable shift in wiper malware, which are typically designed purely to destroy rather than to extort and carry real-world consequences.” reads the report published by Microsoft. “GigaWiper exemplifies threat actors investing in operational efficiency, merging standalone tools into unified platforms that reduce their deployment footprint while expanding their destructive capabilities.”

The backdoor communicates with its operators over RabbitMQ for receiving commands and Redis for sending back results. It persists through a scheduled task named “OneDrive Update” that runs every minute and at system startup, and tracks its own execution count in a registry key disguised as a OneDrive entry. The command set runs from 1 to 20 and covers an unusually wide range of capabilities for a single implant.