New GigaWiper Windows Backdoor Bundles Disk Wiping, Fake Ransomware, and Spyware

4 hours ago 7

Microsoft has taken apart a destructive Windows backdoor it calls GigaWiper. What stands out is how it is built: not one tool but three older destructive programs bolted into one, offered as commands the operator can choose from.

Each is a different way to break a machine: wipe the whole disk, overwrite the Windows drive, or run fake "ransomware" that scrambles files with a key it never saves.

Because this is malware and not a single flaw, there is no patch to chase; GigaWiper is what an attacker runs after they are already inside, which makes early detection and clean, offline backups the real defense.

The same malicious files show up in a second report under another name: BLUERABBIT, a backdoor Binary Defense flagged last month.

Cybersecurity

Microsoft lists four hashes for the GigaWiper backdoor; Binary Defense lists the same four for BLUERABBIT, and both command servers match. Binary Defense, citing Google's Threat Intelligence Group, ties the malware to a likely Iran-nexus group aimed at Israeli organizations. Microsoft names no country.

Three ways to destroy a machine

GigaWiper is written in Go (also called Golang) and runs on Windows. It takes orders as numbered commands, and three of them destroy the machine, each in a different way:

  • A raw disk wiper that overwrites the physical drive and wipes the partition table (the map of how the disk is laid out) before rebooting. There is no file-by-file deletion to reverse; it destroys the disk contents directly.
  • Fake ransomware built on older code called Crucio. It encrypts files, adds a .candy extension, and changes the desktop wallpaper to an alarming warning image. There is no ransom note and no saved key, so there is nothing to pay and nothing to decrypt. This is destruction wearing a ransomware costume.
  • The last targets the Windows drive, overwriting it several times with different data patterns. Microsoft says it is a Go rewrite of a wiper it tracks as FlockWiper.

None of these leaves a way back: encrypted files cannot be unlocked because the key is gone, and wiped drives can only be rebuilt from clean backups. The goal is a dead machine, not a payout.

It spies, too

Destruction is only half of it. The same backdoor can quietly watch and control an infected PC. It takes screenshots of every monitor, records the screen while someone is working, and can open a hidden VNC session that streams the display and lets the attacker type and move the mouse.

It also collects system details, manages running programs and services, edits the registry, and can wipe Windows event logs to cover its tracks. Microsoft found more commands sitting dormant in the samples it examined, including stubs for a keylogger and additional wipers.

To stay out of sight, GigaWiper pretends to be OneDrive. It creates a scheduled task named OneDrive Update that runs every minute and tracks itself in a registry key under HKCU\SOFTWARE\OneDrive\Environment. When it opens its remote-control channel, it hides behind a firewall rule named after a real Windows component, Microsoft.Windows.CloudExperienceHost.

For its command traffic, it skips ordinary web requests and rides on real business services instead: RabbitMQ for tasking, Redis for results, and MinIO for exfiltration. Because those are legitimate tools rather than a custom malware channel, the traffic looks ordinary on networks that already run them.

Where GigaWiper came from

Microsoft traces GigaWiper's fake-ransomware code back to Crucio and its multi-pass wiper back to FlockWiper, and assesses that the same developer built all three. It names no country. But Crucio is not anonymous. Its code was listed as suspected ransomware in a December 2023 CISA advisory on CyberAv3ngers, a group linked to Iran's Islamic Revolutionary Guard Corps.

That is the same crew, THN reported, that broke into water and energy sites across the US, Israel, the UK, and Ireland in 2023, logging into internet-exposed industrial controllers. In one case, they took control of a booster station at a Pennsylvania water authority. The Crucio sample Microsoft cites carries the same fingerprint listed in that advisory.

Microsoft also found a recurring tag, "GRAT", in both FlockWiper's debug paths and GigaWiper's own function names, tying the two tools together and hinting at a further component that has not surfaced yet. The timing differs by source: Microsoft dates the destructive activity to October 2025, while Binary Defense first saw the same files as BLUERABBIT in March 2026.

Part of a bigger wave

Iran-linked wiper activity against Israel has drawn repeated warnings through 2025 and 2026. Palo Alto Networks' Unit 42 has tracked a parallel surge, much of it from a separate group, Handala Hack, and in March 2026 Israel's National Cyber Directorate warned of Iranian wiper attacks on local organizations.

The tactic GigaWiper uses is old: NotPetya in 2017 also posed as ransomware while quietly destroying data. The disguise buys the attacker time: a wrecked machine first looks like a ransomware case someone might recover from, not the total loss it is.

Microsoft frames GigaWiper as operators folding separate tools into one flexible platform. For defenders, the consequence is concrete: when a single implant can watch, steal, or destroy, the tool no longer reveals the goal. You used to read intent from the malware you found; here, the operator decides after they are already inside.

Cybersecurity

One platform, two vendor names, and dormant command stubs still in the code point to a tool still being built out.

What defenders should do

Spotting it fast comes down to a few specific signals:

  • A OneDrive Update scheduled task that repeats every minute.
  • RabbitMQ or Redis traffic from ordinary desktops rather than servers.
  • Processes using takeown and icacls to take ownership of Windows boot files like bootmgr and ntoskrnl.exe outside maintenance windows.

On the product side, Microsoft recommends turning on tamper protection so attackers cannot switch off your antivirus, blocking the two known command servers (185.182.193[.]21 and 212.8.248[.]104), running endpoint detection in block mode, and enabling cloud-delivered protection and automatic remediation. The full list of file hashes, server addresses, and detection names is in Microsoft's report.

The Hacker News has reached out to Microsoft and to Binary Defense for confirmation that GigaWiper and BLUERABBIT are the same malware, and for details on victim scope and attribution, and will update this story with any response.

Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.

Read Entire Article