All incidents

Microsoft discovers GigaWiper Go backdoor with espionage and wiping capabilities

malwareopenJul 9, 2026 — Jul 10, 2026
Microsoft discovers GigaWiper Go backdoor with espionage and wiping capabilities

MICROSOFT has identified a new Go‑based backdoor called GigaWiper that blends espionage functions with destructive wiping capabilities Microsoft blog.

The malware is written in Go and combines code from three earlier families, giving it a repertoire of about twenty distinct commands SecurityAffairs. It can wipe disks at the physical layer, encrypt files with unrecoverable keys and trigger system crashes to erase evidence. Command and control is handled through RabbitMQ and Redis, allowing the operator to switch between surveillance and destruction without redeploying the implant.

First seen in October 2025, GigaWiper has been observed taking screenshots, harvesting documents and opening reverse shells SecurityWeek. The implant contains no known CVE identifiers and relies on a modular design that lets attackers pick functions on the fly. This flexibility lets the same binary serve as a spy tool or a wiper depending on the attacker’s goals.

In July 2026 the Microsoft Threat Intelligence team spotted the backdoor active in the wild, where it was used both to gather intelligence and to destroy data on compromised machines. Although no threat actor has been publicly named, the combination of espionage and wiping matches the tactics seen in recent state‑sponsored wiper operations.

Defenders should hunt for unusual Go binaries that make outbound connections to RabbitMQ or Redis ports, especially from systems that do not normally use those services. Blocking the IP addresses and domains listed in the Microsoft advisory can stop the beaconing, while enabling detailed audit logs for raw disk access helps spot wiping attempts. Limiting administrator privileges and enforcing application control reduce the chance that the malware can gain the rights it needs for low‑level disk operations.

Maintaining offline, immutable backups and testing restore procedures regularly is essential to recover from a wiper event. Network segmentation that separates critical servers from user workstations limits the lateral movement of the implant. Sharing indicators of compromise with ISACs and other trusted groups helps the broader community block the threat faster.

Intelligence briefing updated Jul 10, 2026

Root sourcewww.microsoft.com
Timeline Coverage

Swipe to explore timeline