GigaWiper: A Modular Backdoor and Wiper Threatening Critical Infrastructure
A sophisticated new Windows backdoor, dubbed **GigaWiper** by **Microsoft** and **BLUERABBIT** by **Binary Defense**, has emerged as a significant threat. This Go-based malware combines multiple destructive capabilities, including disk wiping and fake ransomware, with extensive surveillance features. Its modular design and use of legitimate services for command and control make detection challenging for IT security professionals.

**Microsoft** recently dissected **GigaWiper**, a destructive Windows backdoor notable for its unique construction. Instead of a single tool, it integrates three older destructive programs, offering operators a choice of commands to inflict damage.
These options include wiping entire disks, overwriting the Windows drive, or deploying a deceptive "ransomware" module that encrypts files without saving a decryption key.
As **GigaWiper** is a form of malware, rather than a vulnerability, patching is not a defense. Effective protection relies on early detection and robust, offline backups, as the malware is deployed *after* an attacker has already breached a system.
### The Dual Identity of a Destructive Tool
Curiously, the same malicious files are referenced in a separate report under the name **BLUERABBIT**, a backdoor flagged by **Binary Defense** last month. Both **Microsoft** and **Binary Defense** list the same four hashes for the malware, and their command servers match.
**Binary Defense**, citing **Google's Threat Intelligence Group**, links the malware to an Iran-nexus group targeting Israeli organizations. **Microsoft** has not publicly attributed the attacks to a specific nation-state.
### Three Paths to System Annihilation
**GigaWiper**, written in Go (also known as **Golang**), operates on Windows and executes commands via numbered inputs. Three of these commands are designed for system destruction:
* **Raw Disk Wiper**: This module directly overwrites the physical drive and erases the partition table, making data recovery impossible. It bypasses file-by-file deletion, ensuring complete destruction.
* **Fake Ransomware (Crucio)**: Built upon older **Crucio** code, this module encrypts files, appends a `.candy` extension, and alters the desktop wallpaper with an alarming warning. Crucially, it provides no ransom note and no saved key, rendering decryption impossible. Its purpose is purely destructive, disguised as ransomware.
* **Windows Drive Overwrite (FlockWiper)**: This command targets the Windows drive, overwriting it multiple times with various data patterns. **Microsoft** identifies it as a Go rewrite of a wiper it tracks as **FlockWiper**.
None of these destructive methods offer a path to recovery. Encrypted files are permanently locked, and wiped drives can only be restored from clean, offline backups. The ultimate goal is system incapacitation, not financial gain.
### Beyond Destruction: Stealthy Surveillance Capabilities
Destruction is only one facet of **GigaWiper**. The backdoor also possesses extensive surveillance and control functionalities, allowing it to silently monitor infected PCs. Its capabilities include:
* Taking screenshots of all connected monitors.
* Recording screen activity.
* Opening a hidden **VNC** session for remote control, enabling attackers to interact with the display, keyboard, and mouse.
* Collecting system details.
* Managing running programs and services.
* Editing the registry.
* Wiping Windows event logs to conceal its presence.
**Microsoft** also discovered dormant commands in analyzed samples, including stubs for a keylogger and additional wiper modules, indicating ongoing development.
To maintain stealth, **GigaWiper** impersonates **OneDrive**. It creates a scheduled task named `OneDrive Update` that runs every minute and tracks its activity in a registry key under `HKCU\SOFTWARE\OneDrive\Environment`. Its remote-control channel is hidden behind a firewall rule named after a legitimate Windows component: `Microsoft.Windows.CloudExperienceHost`.
For command and control (C2) traffic, the malware bypasses standard web requests, leveraging legitimate business services such as **RabbitMQ** for tasking, **Redis** for results, and **MinIO** for data exfiltration. This tactic makes its network traffic appear legitimate on networks already utilizing these services, complicating detection.
### Tracing GigaWiper's Origins
**Microsoft** links **GigaWiper's** fake-ransomware code to **Crucio** and its multi-pass wiper to **FlockWiper**, suggesting a common developer for all three. While **Microsoft** refrains from naming a country, **Crucio's** code was previously identified in a December 2023 **CISA** advisory regarding **CyberAv3ngers**, a group associated with Iran's **Islamic Revolutionary Guard Corps (IRGC)**.
This is the same group reported to have breached water and energy sites across the US, Israel, the UK, and Ireland in 2023, exploiting internet-exposed industrial controllers. The **Crucio** sample cited by **Microsoft** bears the same fingerprint as those mentioned in the **CISA** advisory.
**Microsoft** also identified a recurring tag, "GRAT," in both **FlockWiper's** debug paths and **GigaWiper's** function names, further connecting the tools and hinting at an as-yet-undiscovered component. The timeline varies, with **Microsoft** dating destructive activity to October 2025, while **Binary Defense** first observed **BLUERABBIT** in March 2026.
### Part of a Broader Wave of Attacks
Iran-linked wiper activity targeting Israel has been a persistent concern throughout 2025 and 2026. **Palo Alto Networks' Unit 42** has tracked a parallel surge, largely attributed to a separate group, **Handala Hack**. In March 2026, Israel's **National Cyber Directorate** issued warnings about Iranian wiper attacks against local organizations.
**GigaWiper** employs a tactic reminiscent of **NotPetya** (2017), which also posed as ransomware while covertly destroying data. This disguise buys attackers time, as victims may initially perceive a wrecked machine as a recoverable ransomware incident rather than a total data loss.
**Microsoft** characterizes **GigaWiper** as a platform where operators integrate disparate tools into a flexible, multi-purpose implant. For defenders, this means the malware itself no longer definitively reveals the attacker's intent; the operator's decision is made *after* infiltration. The existence of one platform, two vendor names, and dormant command stubs suggests a tool still under active development.
### Recommendations for Defenders
Rapid detection of **GigaWiper** relies on identifying specific indicators:
* A `OneDrive Update` scheduled task configured to repeat every minute.
* **RabbitMQ** or **Redis** traffic originating from ordinary desktop machines rather than servers.
* Processes using `takeown` and `icacls` to modify ownership of Windows boot files like `bootmgr` and `ntoskrnl.exe` outside of legitimate maintenance windows.
From a product perspective, **Microsoft** advises enabling tamper protection to prevent attackers from disabling antivirus software, blocking the known command servers (185.182.193[.]21 and 212.8.248[.]104), running endpoint detection in block mode, and activating cloud-delivered protection and automatic remediation. A comprehensive list of file hashes, server addresses, and detection names is available in **Microsoft's** official report.