GigaWiper: Golang Backdoor Combines Disk Wiping, Fake Ransomware, and Spyware Capabilities
- Threat identified: Microsoft Threat Intelligence details GigaWiper, a Golang-based destructive backdoor it first saw in October 2025.
- Modular design: The implant merges a disk wiper, fake ransomware, and FlockWiper into on-demand commands, while also functioning as spyware.
- Malware lineage: GigaWiper is linked to the Crucio and FlockWiper malware families, with Crucio previously tied to an Iran-linked threat group by CISA.
Microsoft Threat Intelligence details the anatomy of GigaWiper, a sophisticated Go programming language (Golang)-based backdoor it identified in October 2025 that combines robust command-and-control (C2) capabilities with multiple destructive payloads targeting Windows systems.
GigaWiper is an amalgamation of at least three separate malware families stitched together, using on-demand commands and a new backdoor functionality. The backdoor includes a standalone wiper that operates at the physical disk level, overwriting raw content and removing partition metadata before rebooting.
A Backdoor Built From Multiple Malware Families
GigaWiper also carries a destructive command derived from Crucio ransomware, encrypting files with randomly generated keys that are never saved, which makes decryption impossible, and renaming them with the .candy extension.
A command reimplements the logic of FlockWiper, a C-based wiper first uploaded to VirusTotal in June 2025, recoded in Golang with added multi-pass secure wiping. Beyond destruction, GigaWiper supports 20 commands that include spyware capabilities such as:
- taking screenshots,
- recording screen activity,
- opening a hidden VNC session,
- collecting system and antivirus information.
C2 Over RabbitMQ and Redis
The backdoor uses two communication channels:
- RabbitMQ over AMQP for receiving commands from the C2 server,
- Redis for updating command status and output.
Binary Defense first saw the same files (as BLUERABBIT) in March 2026, saying it was suspected of targeting entities in Israel.
Attribution, and Malware Lineage
Microsoft tied GigaWiper to both Crucio and FlockWiper through analysis indicating the same threat actor developed all three tools; the debug-path string "GRAT" appears in both FlockWiper binaries and GigaWiper's function names.
Crucio's code was previously listed in a December 2023 CISA advisory on CyberAv3ngers [PDF], a group linked to Iran's Islamic Revolutionary Guard Corps (IRGC) tied to 2023 intrusions into U.S., Israeli, U.K., and Irish water and energy infrastructure.
Microsoft says Microsoft Defender includes detections for GigaWiper and recommends:
- Enabling tamper protection and cloud-delivered antivirus protection,
- Running endpoint detection and response in block mode,
- Restricting connections to known C2 infrastructure.
Last year, a suspected Iran-nexus password spray attack targeted Microsoft 365 users in the UAE and Israel and Iranian-backed APT42 deployed phishing campaigns in Israel.





