Microsoft has dismantled a destructive Windows backdoor it identifies as GigaWiper, a modular threat that combines multiple attack capabilities into a single payload. The malware stands out for its architecture: it packages three older destructive programs as interchangeable commands that an operator can selectively deploy against a compromised system.
Each module offers a distinct method of damage. One wipes the entire disk, another overwrites just the Windows system drive, and a third runs fake ransomware that scrambles files using a cryptographic key it never saves. This design ensures that even if victims pay a ransom, data recovery is impossible.
The backdoor's bundling of distinct destructive functions suggests an evolution in threat actor tradecraft, moving beyond single-purpose wipers toward multipurpose tools that adapt to an attacker's objectives. Microsoft has not disclosed the initial infection vector or specific campaigns linked to GigaWiper.
According to the company's analysis, the modular approach lowers the barrier for less skilled operators while increasing the potential damage from a single foothold. The three components were previously documented as separate threats but have now been integrated into one cohesive backdoor.
Mitigation guidance remains limited as Microsoft continues its investigation. Organizations are advised to maintain up-to-date endpoint detection and response systems, enforce application whitelisting, and segment networks to limit lateral movement. No patch or specific removal tool has been released beyond standard antivirus updates.