Mastodon Mastodon Mastodon Mastodon

How the GigaWiper Backdoor Enables Espionage and Data Wiping

Photo of author

CyberSecureFox Editorial Team

Published:

Microsoft has published a detailed analysis of the destructive backdoor GigaWiper — a Windows malware written in Go that merges three previously independent data-wiping tools into a single modular platform. The backdoor does not exploit a specific vulnerability; it is deployed after the attacker has already gained access to the system. The operator chooses the method of destruction via numbered commands: full disk wipe, multi-pass overwrite of the system partition, or pseudo-encryption of files without storing the key. Since there is no patch — this is not a vulnerability but a post-exploitation tool — the only real defenses are early detection and clean offline backups.

Destruction architecture: three modules — one outcome

GigaWiper provides the operator with three interchangeable destructive modules, each of which makes data recovery impossible without backups:

  • Physical disk wiper — overwrites disk contents at the raw-access level, destroys the partition table, and triggers a reboot. The file system is not removed file by file — the disk structure as a whole is destroyed.
  • Crucio-based pseudo-ransomware — encrypts files, appends the .candy extension, and changes the desktop wallpaper to a warning image. According to Microsoft, the encryption key is not stored: there is neither a ransom note nor any option for decryption. This is destruction disguised as ransomware.
  • System partition wiper — multi-pass overwrite of the Windows partition with various data patterns. Microsoft identifies it as a Go-rewritten version of the tool tracked under the name FlockWiper.

The tactic of disguising destruction as ransomware is not new — NotPetya used the same trick back in 2017. The disguise buys the attacker time: the incident initially appears to be an encryption case with a potential recovery path, rather than irreversible destruction.

Espionage and remote control

Destruction is only part of the functionality. According to Microsoft, the same backdoor also provides full-fledged monitoring of the compromised system:

  • Screenshots from all monitors and real-time screen recording
  • Hidden VNC session with mouse and keyboard control
  • Collection of system information, process and service management
  • Registry editing and clearing of Windows event logs

In the examined samples, Microsoft found inactive stub commands, including a keylogger module and additional wipers, indicating ongoing development of the platform.

Masquerading and communications

GigaWiper uses multi-layered obfuscation. To maintain persistence, it creates a scheduled task named OneDrive Update with a one-minute run interval. Its configuration is stored in the registry key HKCU\SOFTWARE\OneDrive\Environment. When opening a remote-control channel, the backdoor creates a firewall rule named after a legitimate Windows component — Microsoft.Windows.CloudExperienceHost.

The command-and-control infrastructure is particularly noteworthy. Instead of typical HTTP requests to dedicated servers, GigaWiper leverages legitimate business tools: RabbitMQ to receive tasks, Redis to transmit results, and MinIO for data exfiltration. In organizations where these services are already in use, such traffic looks routine.

Attribution and links to known campaigns

Microsoft does not name a specific country in its report. However, the company traces the pseudo-ransomware code back to the Crucio tool, and the multi-pass wiper back to FlockWiper, assessing that all three components were created by the same developer. Both tools contain a recurring “GRAT” tag — in FlockWiper debug paths and in GigaWiper function names.

Crucio appears in a December 2023 CISA advisory dedicated to the CyberAv3ngers group, which the agency associates with Iran’s Islamic Revolutionary Guard Corps (IRGC). It was this group that in 2023 attacked water and energy facilities in the US, Israel, the UK, and Ireland, gaining access to industrial controllers over the internet. The Crucio sample referenced by Microsoft carries the same identifier as the one listed in the CISA advisory.

The company Binary Defense has described the same malware under the name BLUERABBIT. According to the source material, both reports include the same four file hashes and matching command-and-control server addresses. Binary Defense, citing Google Threat Intelligence Group, tentatively associates the malware with an Iran-based group targeting Israeli organizations. It should be emphasized: direct attribution of GigaWiper to a specific state actor is not confirmed by Microsoft, and the link via Crucio’s codebase is circumstantial evidence rather than operational attribution.

Discrepancies in the timeline between sources also deserve attention: Microsoft dates the destructive activity to October 2025, while Binary Defense first observed the same files in March 2026. These data points do not necessarily contradict each other but may indicate different phases of the campaign.

The context extends beyond a single tool. Unit 42 at Palo Alto Networks reports a surge in Iran-linked wiper activity against Israeli targets throughout 2025–2026, including by a separate group known as Handala Hack.

Indicators of compromise

Known command-and-control server addresses:

  • 185.182.193[.]21
  • 212.8.248[.]104

The full list of file hashes and detection names is available in the Microsoft report.

Detection and protection recommendations

Key signals for detection:

  • A scheduled task named OneDrive Update with a one-minute execution interval
  • RabbitMQ or Redis traffic originating from workstations rather than servers
  • Use of the takeown and icacls commands to seize permissions on boot files (bootmgr, ntoskrnl.exe) outside of scheduled maintenance windows

Protective measures recommended by Microsoft:

  • Enable tamper protection to prevent unauthorized disabling of antivirus
  • Block the listed command-and-control server addresses at the network perimeter
  • Set endpoint detection and response tools to blocking mode
  • Enable cloud protection and automatic remediation
  • Ensure the availability and regular testing of offline backups — for all three destructive modules, this is the only recovery path

GigaWiper demonstrates a fundamental shift in the architecture of destructive tooling: a single implant with a modular feature set — from espionage to irreversible destruction — deprives defenders of the ability to infer the attacker’s intent from the type of malware detected. The decision to destroy is made by the operator only after compromise. Priority actions are to check infrastructure for the listed indicators, verify the viability of offline backups, and set up monitoring for anomalous RabbitMQ and Redis traffic originating from workstations.


CyberSecureFox Editorial Team

The CyberSecureFox Editorial Team covers cybersecurity news, vulnerabilities, malware campaigns, ransomware activity, AI security, cloud security, and vendor security advisories. Articles are prepared using official advisories, CVE/NVD data, CISA alerts, vendor publications, and public research reports. Content is reviewed before publication and updated when new information becomes available.

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.