Microsoft has published a detailed analysis of a new, highly destructive Windows backdoor named GigaWiper. The malware is designed for pure sabotage, incorporating three distinct destructive modules into a single tool. Operators can choose to wipe entire disks, overwrite the operating system drive, or deploy a pseudo-ransomware component that irreversibly scrambles files. This 'fake ransomware' does not store or exfiltrate the encryption key, making data recovery impossible and confirming the intent is destruction, not financial gain. Security firms Binary Defense and Google's Threat Analysis Group have linked GigaWiper to an Iranian-backed advanced persistent threat (APT) group, underscoring the ongoing use of wiper malware as a tool of geopolitical conflict.
GigaWiper is a versatile backdoor designed for maximum damage. Its modular nature provides attackers with flexibility in how they achieve their destructive objectives. The malware is delivered to already-compromised systems, acting as a final-stage payload in a broader attack chain. The initial access and lateral movement techniques used to deploy GigaWiper were not detailed in the reports.
The three primary functions of GigaWiper are:
The link to an Iranian state-sponsored actor suggests GigaWiper is being used in targeted attacks against specific organizations for political or strategic purposes, rather than widespread, financially motivated campaigns.
GigaWiper is the payload that executes the Impact phase of an attack. Its internal functions map directly to several MITRE ATT&CK techniques for impact:
T1561 - Disk Wipe. Specifically, it uses both T1561.001 - Disk Content Wipe and T1561.002 - Disk Structure Wipe.T1486 - Data Encrypted for Impact to scramble the files, but because the key is discarded, the true intent is T1485 - Data Destruction. This dual nature is a form of masquerading, intended to mislead defenders.The use of a fake ransomware module is a sophisticated psychological tactic. It can delay correct incident response, as teams may waste time and resources pursuing a financial extortion scenario when they are actually dealing with a destructive state-sponsored attack.
The impact of a GigaWiper attack is catastrophic and permanent data loss. Unlike ransomware, there is no option for recovery through payment. Organizations hit by GigaWiper will face severe business disruption, requiring a full rebuild of affected systems from bare metal. The primary goal is to disrupt operations, destroy information, and inflict economic damage on the target. The association with a nation-state actor implies that victims are likely in sectors of strategic interest, such as government, critical infrastructure, or defense. The psychological impact of the fake ransomware module adds to the chaos and confusion during an incident, potentially prolonging the recovery process.
No specific file hashes, IP addresses, or domains were provided in the source articles.
Security teams can hunt for wiper activity with the following observables:
wiper.exe (hypothetical)DeviceIoControl with IOCTL_DISK_ERASE_DATA*.locked (hypothetical)4688vssadmin) before wiping, or the rapid file modification activity itself. This aligns with D3FEND's Process Analysis (D3-PA).M1030 - Network Segmentation.M1038 - Execution Prevention.Proper network segmentation can contain the impact of a wiper, preventing it from spreading from a workstation to critical servers or backup systems.
Enforcing least privilege ensures that if a user account is compromised, the wiper's destructive capability is limited to that user's access level.
Use application control to block the execution of the GigaWiper payload, which is likely to be an unsigned or untrusted executable.
The most effective way to gain early warning of a destructive attack like GigaWiper is to deploy decoy objects, also known as canary files. Place enticingly named files (e.g., passwords.xlsx, prod_db_credentials.txt) in various locations on servers and file shares. These files should never be touched during normal operations. Use a File Integrity Monitoring (FIM) solution to generate an immediate, critical-severity alert the moment any of these decoy files are accessed, modified, or encrypted. This provides a high-fidelity signal that a ransomware or wiper attack is in its initial stages, allowing for automated response actions (like isolating the host) before widespread damage occurs.
To survive a destructive attack, backup infrastructure must be rigorously isolated. Implement a tiered backup architecture where primary backups are stored on a separate, hardened network segment. Critical data should be replicated to an immutable storage location (e.g., cloud object storage with object lock/immutability enabled) or to physically air-gapped media. The credentials used to access the backup systems must be completely separate from the production domain credentials. This ensures that even if the primary network is compromised and wiped by GigaWiper, the organization has a viable, untouched copy of its data for recovery.

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.
Help others stay informed about cybersecurity threats
Every tactic, technique, and sub-technique used in this threat has been identified and mapped to the MITRE ATT&CK framework for consistent, actionable threat language.
Observables and indicators of compromise (IOCs) have been extracted and cataloged. Risk has been assessed and correlated with known threat actors and historical campaigns.
Detection rules, incident response steps, and D3FEND-aligned mitigation strategies are included so your team can act on this intelligence immediately.
Structured threat data is packaged as a STIX 2.1 bundle and can be visualized as an interactive graph — relationships between actors, malware, techniques, and indicators.
Sigma detection rules are derived from the threat techniques in this article and can be converted for deployment across any major SIEM or EDR platform.