GigaWiper: Golang Backdoor Combines Disk Wiping, Fake Ransomware, and Spyware Capabilities

Published
Written by:
Lore Apostol
Lore Apostol
Cybersecurity Writer
Key Takeaways
  • Threat identified: Microsoft Threat Intelligence details GigaWiper, a Golang-based destructive backdoor it first saw in October 2025.
  • Modular design: The implant merges a disk wiper, fake ransomware, and FlockWiper into on-demand commands, while also functioning as spyware.
  • Malware lineage: GigaWiper is linked to the Crucio and FlockWiper malware families, with Crucio previously tied to an Iran-linked threat group by CISA.

Microsoft Threat Intelligence details the anatomy of GigaWiper, a sophisticated Go programming language (Golang)-based backdoor it identified in October 2025 that combines robust command-and-control (C2) capabilities with multiple destructive payloads targeting Windows systems. 

GigaWiper is an amalgamation of at least three separate malware families stitched together, using on-demand commands and a new backdoor functionality. The backdoor includes a standalone wiper that operates at the physical disk level, overwriting raw content and removing partition metadata before rebooting.

A Backdoor Built From Multiple Malware Families

GigaWiper also carries a destructive command derived from Crucio ransomware, encrypting files with randomly generated keys that are never saved, which makes decryption impossible, and renaming them with the .candy extension. 

Left: Crucio functions. Right: GigaWiper’s ran_main functions | Source:Microsoft
Left: Crucio functions. Right: GigaWiper’s ran_main functions | Source:Microsoft

A command reimplements the logic of FlockWiper, a C-based wiper first uploaded to VirusTotal in June 2025, recoded in Golang with added multi-pass secure wiping. Beyond destruction, GigaWiper supports 20 commands that include spyware capabilities such as:

C2 Over RabbitMQ and Redis

The backdoor uses two communication channels: 

Binary Defense first saw the same files (as BLUERABBIT) in March 2026, saying it was suspected of targeting entities in Israel.

Attribution, and Malware Lineage

Microsoft tied GigaWiper to both Crucio and FlockWiper through analysis indicating the same threat actor developed all three tools; the debug-path string "GRAT" appears in both FlockWiper binaries and GigaWiper's function names. 

Crucio's code was previously listed in a December 2023 CISA advisory on CyberAv3ngers [PDF], a group linked to Iran's Islamic Revolutionary Guard Corps (IRGC) tied to 2023 intrusions into U.S., Israeli, U.K., and Irish water and energy infrastructure. 

Microsoft says Microsoft Defender includes detections for GigaWiper and recommends:

Last year, a suspected Iran-nexus password spray attack targeted Microsoft 365 users in the UAE and Israel and Iranian-backed APT42 deployed phishing campaigns in Israel.


For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: