Microsoft Details 'GigaWiper,' a Destructive Multi-Tool Windows Backdoor Linked to Iranian APT

Microsoft Uncovers 'GigaWiper,' a Destructive Backdoor with Wiping and Fake Ransomware Modules

CRITICAL
July 10, 2026
6m read
MalwareThreat ActorCyberattack

Related Entities

Organizations

Other

GigaWiperBinary Defense

Full Report

Executive Summary

Microsoft has published a detailed analysis of a new, highly destructive Windows backdoor named GigaWiper. The malware is designed for pure sabotage, incorporating three distinct destructive modules into a single tool. Operators can choose to wipe entire disks, overwrite the operating system drive, or deploy a pseudo-ransomware component that irreversibly scrambles files. This 'fake ransomware' does not store or exfiltrate the encryption key, making data recovery impossible and confirming the intent is destruction, not financial gain. Security firms Binary Defense and Google's Threat Analysis Group have linked GigaWiper to an Iranian-backed advanced persistent threat (APT) group, underscoring the ongoing use of wiper malware as a tool of geopolitical conflict.


Threat Overview

GigaWiper is a versatile backdoor designed for maximum damage. Its modular nature provides attackers with flexibility in how they achieve their destructive objectives. The malware is delivered to already-compromised systems, acting as a final-stage payload in a broader attack chain. The initial access and lateral movement techniques used to deploy GigaWiper were not detailed in the reports.

The three primary functions of GigaWiper are:

  1. Full Disk Wipe: This module systematically overwrites data across all connected drives, rendering the data unrecoverable and the system unbootable.
  2. Windows Drive Overwrite: A more targeted function that focuses on overwriting the critical files of the Windows operating system, effectively bricking the OS while potentially leaving data on other partitions intact.
  3. Fake Ransomware: This module mimics the behavior of ransomware by encrypting files. However, it is designed as a destructive tool. The encryption key used to scramble the files is generated locally and immediately discarded, ensuring that there is no way to decrypt the files. This tactic serves to deceive incident responders, who may initially treat the event as a standard ransomware attack, wasting valuable time trying to find a non-existent payment or decryption solution.

The link to an Iranian state-sponsored actor suggests GigaWiper is being used in targeted attacks against specific organizations for political or strategic purposes, rather than widespread, financially motivated campaigns.


Technical Analysis

GigaWiper is the payload that executes the Impact phase of an attack. Its internal functions map directly to several MITRE ATT&CK techniques for impact:

  • The full disk wipe and Windows drive overwrite capabilities are a clear implementation of T1561 - Disk Wipe. Specifically, it uses both T1561.001 - Disk Content Wipe and T1561.002 - Disk Structure Wipe.
  • The 'fake ransomware' module is a combination of two techniques. It uses T1486 - Data Encrypted for Impact to scramble the files, but because the key is discarded, the true intent is T1485 - Data Destruction. This dual nature is a form of masquerading, intended to mislead defenders.

The use of a fake ransomware module is a sophisticated psychological tactic. It can delay correct incident response, as teams may waste time and resources pursuing a financial extortion scenario when they are actually dealing with a destructive state-sponsored attack.


Impact Assessment

The impact of a GigaWiper attack is catastrophic and permanent data loss. Unlike ransomware, there is no option for recovery through payment. Organizations hit by GigaWiper will face severe business disruption, requiring a full rebuild of affected systems from bare metal. The primary goal is to disrupt operations, destroy information, and inflict economic damage on the target. The association with a nation-state actor implies that victims are likely in sectors of strategic interest, such as government, critical infrastructure, or defense. The psychological impact of the fake ransomware module adds to the chaos and confusion during an incident, potentially prolonging the recovery process.

IOCs — Directly from Articles

No specific file hashes, IP addresses, or domains were provided in the source articles.

Cyber Observables — Hunting Hints

Security teams can hunt for wiper activity with the following observables:

Type
Process Name
Value
wiper.exe (hypothetical)
Description
Monitor for the execution of unsigned or suspicious executables that perform high-volume disk I/O operations.
Type
API Endpoint
Value
DeviceIoControl with IOCTL_DISK_ERASE_DATA
Description
Monitoring for processes calling low-level disk APIs associated with data erasure.
Type
File Name
Value
*.locked (hypothetical)
Description
The fake ransomware may append a specific extension. Monitor for mass file renaming events across the filesystem.
Type
Event ID
Value
4688
Description
Look for suspicious processes being spawned by legitimate services, which could be the trigger for the wiper payload.

Detection & Response

  1. Behavioral Analysis: Detection of wipers relies heavily on behavioral analytics. Monitor for processes that perform unusually high rates of file I/O (reads and writes) or file renaming operations across a large number of files in a short period. This is a core component of D3FEND's File Analysis (D3-FA).
  2. Honeypots and Canaries: Place decoy files (canaries) on file shares and critical servers. Configure alerts to trigger immediately if these files are modified or encrypted. This can provide a high-fidelity, early warning of a wiper or ransomware attack in progress.
  3. Endpoint Detection and Response (EDR): An EDR solution can detect the malicious process behavior, such as attempts to delete volume shadow copies (vssadmin) before wiping, or the rapid file modification activity itself. This aligns with D3FEND's Process Analysis (D3-PA).

Mitigation

  1. Backup and Recovery: This is the single most critical mitigation for destructive attacks. Maintain multiple, isolated, and immutable backups of critical data and system images. Regularly test the recovery process to ensure it is viable. This is a form of D3FEND's File Restoration (hypothetical).
  2. Network Segmentation: Implement robust network segmentation to contain a potential wiper attack. A compromise in one network segment should not be able to spread to critical backup infrastructure or other business units. This aligns with M1030 - Network Segmentation.
  3. Privilege Reduction: Enforce the principle of least privilege. A wiper can only destroy what the compromised account has access to. Limiting user and service account permissions can significantly reduce the blast radius of an attack.
  4. Application Control: Use application control solutions to prevent the execution of unauthorized and unsigned executables, which can block the GigaWiper payload from running in the first place. This is a form of M1038 - Execution Prevention.

Timeline of Events

1
July 10, 2026
This article was published

MITRE ATT&CK Mitigations

Proper network segmentation can contain the impact of a wiper, preventing it from spreading from a workstation to critical servers or backup systems.

Enforcing least privilege ensures that if a user account is compromised, the wiper's destructive capability is limited to that user's access level.

Use application control to block the execution of the GigaWiper payload, which is likely to be an unsigned or untrusted executable.

D3FEND Defensive Countermeasures

The most effective way to gain early warning of a destructive attack like GigaWiper is to deploy decoy objects, also known as canary files. Place enticingly named files (e.g., passwords.xlsx, prod_db_credentials.txt) in various locations on servers and file shares. These files should never be touched during normal operations. Use a File Integrity Monitoring (FIM) solution to generate an immediate, critical-severity alert the moment any of these decoy files are accessed, modified, or encrypted. This provides a high-fidelity signal that a ransomware or wiper attack is in its initial stages, allowing for automated response actions (like isolating the host) before widespread damage occurs.

To survive a destructive attack, backup infrastructure must be rigorously isolated. Implement a tiered backup architecture where primary backups are stored on a separate, hardened network segment. Critical data should be replicated to an immutable storage location (e.g., cloud object storage with object lock/immutability enabled) or to physically air-gapped media. The credentials used to access the backup systems must be completely separate from the production domain credentials. This ensures that even if the primary network is compromised and wiped by GigaWiper, the organization has a viable, untouched copy of its data for recovery.

Article Author

Jason Gomes

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & AnalysisSecurity Orchestration (SOAR/XSOAR)Incident Response & Digital ForensicsSecurity Operations Center (SOC)SIEM & Security AnalyticsCyber Fusion & Threat SharingSecurity Automation & IntegrationManaged Detection & Response (MDR)

Tags

GigaWiperWiper MalwareMicrosoftIranAPTData DestructionSabotage

📢 Share This Article

Help others stay informed about cybersecurity threats

🎯 MITRE ATT&CK Mapped

Every tactic, technique, and sub-technique used in this threat has been identified and mapped to the MITRE ATT&CK framework for consistent, actionable threat language.

🧠 Enriched & Analyzed

Observables and indicators of compromise (IOCs) have been extracted and cataloged. Risk has been assessed and correlated with known threat actors and historical campaigns.

🛡️ Actionable Guidance

Detection rules, incident response steps, and D3FEND-aligned mitigation strategies are included so your team can act on this intelligence immediately.

🔗 STIX Visualizer

Structured threat data is packaged as a STIX 2.1 bundle and can be visualized as an interactive graph — relationships between actors, malware, techniques, and indicators.

Sigma Generator

Sigma detection rules are derived from the threat techniques in this article and can be converted for deployment across any major SIEM or EDR platform.