Skip to main content

Command Palette

Search for a command to run...

GigaWiper: When One Backdoor Stitches Three Malware Families Into a Destruction-on-Demand Machine

Updated
13 min readView as Markdown
GigaWiper: When One Backdoor Stitches Three Malware Families Into a Destruction-on-Demand Machine

Overview

On July 9, 2026, Microsoft Threat Intelligence published a code-level analysis of GigaWiper — a Go (Golang)-based backdoor capable of sabotaging systems at the physical disk level. What makes GigaWiper remarkable is not a single technique, but its architecture: this is not a pure wiper, but a "stitched-together" product built from at least three separate malware families — a physical disk wiper, an encryption module derived from the Crucio ransomware, and a multi-pass secure wiper that reimplements the logic of FlockWiper — all folded into a single implant as on-demand backdoor commands.

The core risk of this model is its dual flexibility: an attacker can quietly maintain control and conduct surveillance for months, then — with a single command — instantly shift into destruction mode: wiping disks, encrypting data beyond recovery, triggering a Blue Screen of Death (BSOD), and erasing evidence. Microsoft emphasizes this represents a notable shift in wiper malware, which has traditionally been designed purely to destroy rather than combining espionage and extortion.

The destructive activity was first observed by Microsoft in October 2025 and has continued for over eight months. GigaWiper is also tracked by Google Threat Intelligence Group (GTIG) and Binary Defense under the designation BLUERABBIT; Binary Defense first observed the corresponding files in March 2026.


About the Threat Actor

Identity and Attribution

Microsoft did not make a formal nation-state attribution in its analysis. Instead, it linked GigaWiper to the same developer behind Crucio and FlockWiper, based on code-level evidence (detailed below). However, the thread connecting it to Crucio opens up a noteworthy attribution avenue.

Attribute Detail
Tool name GigaWiper (Microsoft) / BLUERABBIT (GTIG, Binary Defense)
Development language Go (Golang) — samples are unstripped PE files
Time of observation Destructive activity: October 2025 (Microsoft); BLUERABBIT files: March 2026 (Binary Defense)
Component malware families Standalone physical disk wiper + Crucio (ransomware) + FlockWiper (secure wiper)
Attribution basis Same developer as Crucio and FlockWiper [based on Microsoft code analysis]
Motivation Destruction combined with espionage and fake-ransomware disguise

The Thread to Crucio and CyberAv3ngers

GigaWiper's encryption module (Command 3) shares a function named BigBangExtortMain with the Crucio ransomware. Crucio was documented by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) in advisory AA23-335A in December 2023.


Technical Analysis

Microsoft observed two sample types of GigaWiper in compromised environments, both unstripped Golang PE files:

  1. Standalone wiper binary

  2. Full-featured backdoor — in which the entire standalone wiper's code is embedded as one command.

Component 1: Standalone Physical Disk Wiper

Rather than deleting individual files, this wiper operates at the physical disk level. Its behavioral chain:

  1. Enumerates disks via WMI: Uses a Windows Management Instrumentation query to obtain device identifiers and metadata for each drive.

  2. Identifies the Windows drive: Calls main.FindWindowsDrive to find the drive containing the Windows installation (e.g., \\.\PHYSICALDRIVE0).

  3. Destroys other drives' partition tables: For each non-Windows drive, calls main.unallocateDrive — using DeviceIoControl with IOCTL_DISK_CREATE_DISK to reinitialize partition metadata and wipe partition-table entries. On success, it prints Partitions removed successfully. to the console.

  4. Overwrites data: Calls main.writeRandToDrive to overwrite each drive in chunks of 0xA00000. Notable technical detail: the first byte of each buffer is randomized via crypto/rand.Read, while the rest is zero-filled. If random generation fails, the byte value 1 is used instead. This overwrite pattern may be intended to evade detections that look for conspicuous full-disk zeroing behavior.

  5. Immediate reboot: Invokes Windows shutdown functionality with restart and zero-delay options.

Within the backdoor, this same functionality is implemented as rabbit_tools_tool_wipe_main.WipeMain — identical in both code flow and function names to the standalone version.

Component 2: Backdoor — Persistence and C2

Persistence:

  • Creates and uses the registry key HKCU\SOFTWARE\OneDrive\Environment to count executions.

  • On first run, creates a masqueraded Scheduled Task named OneDrive Update, configured to run nearly every minute plus once at system startup.

Command-and-Control (C2) — dual channel:

  • RabbitMQ over AMQP: receives commands from the C2 server.

  • Redis: updates command status and execution output.

  • Configuration is hard-coded and decrypted using AES with a fixed key. One observed sample used 185.182.193[.]21:5544 as the RabbitMQ C2 server and 185.182.193[.]21:7542 as the Redis server.

  • The backdoor declares a fanout exchange named "All" (any command published here is broadcast to all bound queues across infected clients) and a topic exchange named "Topic" (for targeted, non-broadcast commands).

Component 3: Command Set (Commands 1–20)

This is where GigaWiper's "multiple personalities" become clearest. The backdoor supports up to 20 command codes:

Command Function Notes
1 Calls WipeMain — physical disk wiper Identical to the standalone wiper
2 Triggers BSOD and prevents boot Disables Windows Recovery, takes ownership, and deletes critical boot/kernel files
3 Calls RanMain + BigBangExtortMainransomware-like encryption Random key and IV, never saved → no possible decryption. Renames files to .candy, sets a warning wallpaper. Origin: Crucio
4 Uploads files to remote storage via MinIO Client (mc.exe) Parameters: IP/Port, alias, user/pass, bucket, source path
5 Bulk file encryption/decryption utility (AES-256-CBC) Enc/dec modes; if no key is provided, generates a random one and stores it in key.txt
6 Runs a PE from a map (not seen populated) Log Exec cmd wipe-file suggests wiper functionality
7 PowerShell shell + "special commands" Appends `;"
8 RabbitMQ route manager Bind/unbind routing keys to receive targeted commands
9 Screenshots each active monitor Saves PNG as .\<timestamp>\<index>.png
10 Screen recording when the user is not idle and the machine is unlocked Saves to C:\ProgramData\output (always-run)
11 Runs a PE from a map (not seen populated) Log Exec cmd keylog suggests keylogger
12 Calls WipeCMainmulti-pass secure wiper for the Windows drive Overwrites multiple passes with alternating byte patterns (0x00, 0xFF, random). Origin: FlockWiper
13 Runs a PE from a map, executed as admin Log Exec cmd wipe32 suggests another wiper
14 (Not implemented)
15 System information collection (GRATClientInfo) IP, Machine GUID, CPU, OS, network config, firmware, user, antivirus product info
16 Process manager create/resume/suspend/list/kill/processInfo
17 Service manager create/delete/restart/query/start/list/stop
18 Registry manager (interactive session) show/navigate/back/createKey/deleteKey/setValue...
19 Clears Windows event logs Deletes System/Setup/Application/ForwardedEvents/Security via wevtutil.exe; on failure, directly deletes Security.evtx
20 VNC-like remote control Streams the screen, controls mouse/keyboard over TCP; creates a firewall rule masquerading as a legitimate Windows rule name (Microsoft.Windows.CloudExperienceHost)

How GigaWiper Was Assembled

The key finding in Microsoft's analysis: three destructive commands (1, 3, 12) each originate from a separate malware family previously used by this same threat actor, stitched into commands within a single implant.

Evidence Linking to Crucio (Command 3)

  • The function BigBangExtortMain shares an identical name with a function in the Crucio ransomware (documented in CISA advisory AA23-335A, December 2023).

  • Command 3 is heavily based on Crucio's code in terms of execution flow and function naming.

  • → Microsoft assesses that the same threat actor developed both malware families.

Evidence Linking to FlockWiper (Command 12)

  • WipeCMain is essentially identical to the wiper Microsoft tracks as FlockWiper. FlockWiper was written in C, whereas GigaWiper reimplements that logic in Go with added multi-pass overwriting.

  • FlockWiper was first uploaded to VirusTotal in June 2025, months before GigaWiper appeared.

  • The "GRAT" string: FlockWiper samples contain PDB paths referencing the GRAT string (e.g., A:\GRAT\CWipeNew\Release\CWipeNew.pdb). This same string appears throughout GigaWiper's function names. Notably, FlockWiper binaries contain no "GRAT" functionality themselves — suggesting the existence of a larger framework or component that has not yet been recovered.


Campaign Risk Summary

Risk Dimension Level Rationale
Destructiveness Critical Three independent data-wiping mechanisms + irreversible encryption; wipes both partition tables and the Windows drive
Recoverability Very Low Random encryption keys never stored; multi-pass overwriting to secure-erase standards
Flexibility Very High A single implant does both quiet surveillance and on-demand destruction — switching modes with one command
Stealth High Randomized first-byte overwrite to evade detection; event log clearing; masqueraded Scheduled Task ("OneDrive Update") and firewall rules
Persistence High Scheduled Task runs every minute + at startup; dual RabbitMQ/Redis C2
Blast Radius High The "All" fanout exchange allows a destructive command to be broadcast to every infected machine simultaneously

IOCs & Artifacts

Host-based Indicators

  • Masqueraded Scheduled Task: named OneDrive Update, configured to run every minute + at startup.

  • Registry key: HKCU\SOFTWARE\OneDrive\Environment (execution counter).

  • Encrypted files: .candy extension; wallpaper changed to ./image_danger.jpg.

  • Output folder: C:\ProgramData\output (screen recordings from Command 10).

  • Masqueraded firewall rule: named after Microsoft.Windows.CloudExperienceHost.

  • Distinctive console strings: Partitions removed successfully., Pass 1/2/3 Time took:, and the anomalous string kharbvnmhkjbkjb (printed when clearing event logs).

Network Indicators (C2)

Indicator Type Description
185.182.193[.]21 IP GigaWiper C2 (RabbitMQ :5544, Redis :7542)
212.8.248[.]104 IP GigaWiper C2

Malicious Files (SHA-256)

Hash Type
633d4cbd496b1094495da89a64f5e6c31a0f6d4d1488411db5b0cba1cfe42001 GigaWiper backdoor
ce9ad5f6c12019f4aae5b189bd8ddf5bb09e75b06a0a587b25a855c65948c913 GigaWiper backdoor
f622ed85ef31ad4ab973f4e74524866fe1bb44f0965ad2b2ad796cd657a05bfd GigaWiper backdoor
9706a192e2c1a1faaf0a521daf31c2af60ff4590e3f47bbb4abc227f42af0683 GigaWiper backdoor
3c30deb6556a94cfb84ae51798f4aecfae8c7358e55fdb321c5f2376579631cd GigaWiper standalone wiper
440b5385d3838e3f6bc21220caa83b65cd5f3618daea676f271c3671650ce9a3 Crucio
12c39f052f030a77c0cd531df86ad3477f46d1287b8b98b625d1dcf89385d721 FlockWiper
db41e0da7ab3305be8d9720769c6950b4dc1c1984ef857d3310eb873a0fc7674 FlockWiper

MITRE ATT&CK Mapping

Tactic Technique ID Technique Name Description in Campaign
Persistence T1053.005 Scheduled Task/Job: Scheduled Task OneDrive Update task runs every minute and at startup
Persistence T1547 Boot or Logon Autostart Execution Combined with the HKCU\...\OneDrive\Environment registry key
Command and Control T1071 Application Layer Protocol C2 over RabbitMQ (AMQP) and Redis
Collection T1113 Screen Capture Command 9 (screenshot) and Command 10 (screen recording)
Collection T1082 System Information Discovery Command 15 collects system and AV information
Defense Evasion T1070.001 Indicator Removal: Clear Windows Event Logs Command 19 clears System/Setup/Application/Security logs
Defense Evasion T1036 Masquerading Masquerades Scheduled Task and firewall rules under legitimate names
Impact T1561.001 Disk Wipe: Disk Content Wipe Command 1 overwrites raw disk content
Impact T1561.002 Disk Wipe: Disk Structure Wipe Wipes partition tables via IOCTL_DISK_CREATE_DISK
Impact T1486 Data Encrypted for Impact Command 3 performs irreversible ransomware-like encryption
Impact T1529 System Shutdown/Reboot Forces reboot immediately after wiping
Impact T1499 Endpoint Denial of Service Command 2 triggers BSOD, blocks boot

Expert Assessment

GigaWiper's architecture reflects a worrying trend in the world of destructive malware: the "industrialization" and consolidation of tooling. Rather than developing and deploying separate wipers, ransomware, and surveillance tools individually, the threat actor folds them all into a single modular implant. This delivers two operational advantages: a smaller deployment footprint and expanded destructive capabilities — the attacker only needs to deliver one payload yet holds an entire arsenal.

The boundary between espionage, ransomware, and destruction is blurring. GigaWiper lets an attacker quietly capture screenshots, record video, and collect system information for months — activity indistinguishable from an espionage campaign — then, when needed, trigger a wipe command. Especially dangerous is Command 3, which masquerades as ransomware but is actually a wiper: it renames files to .candy and sets a warning wallpaper, creating the illusion of an extortion event where a ransom could "buy back" the data — when in reality the decryption key never existed. This is a psychological ploy that leads victims to waste precious time negotiating instead of restoring from backups.

For defenders, the implication is clear: you cannot rely solely on "classifying" malware to prioritize response. Any backdoor persisting in the network should be treated as a potential data-destruction risk, because the line between "a surveillance implant" and "a wiper" is now just a single C2 command away. The "All" fanout exchange further allows the attacker to broadcast a destructive command simultaneously to every infected machine — turning a localized incident into an organization-wide disaster within seconds.

For organizations in Vietnam, especially those operating critical infrastructure (energy, water, telecommunications), the indirect thread to groups targeting industrial infrastructure is a wake-up call: with wipers, prevention and recoverability matter far more than post-incident response — because once the wipe command runs, there is nothing left to respond to.


Recommendations

Immediate (0–24h)

  1. Hunt for IOCs now: Block the two C2 IPs (185.182.193[.]21, 212.8.248[.]104) at the firewall/proxy; scan all endpoints against the SHA-256 list above.

  2. Review for the spoofed Scheduled Task: Look for a task named OneDrive Update pointing to an anomalous binary (not in the genuine OneDrive install directory); check the registry key HKCU\SOFTWARE\OneDrive\Environment.

  3. Inspect anomalous RabbitMQ/Redis traffic: Alert on any outbound AMQP/Redis connections from endpoints with no business need for them.

Short-term (1–7 days)

  1. Enable tenant-wide Tamper Protection to prevent attackers from stopping security services or adding AV exclusions; with Intune/MDE, enable DisableLocalAdminMerge.

  2. Enable cloud-delivered protection and EDR in block mode to block malicious artifacts even when third-party AV misses them.

  3. Build detection rules in EDR/SIEM:

    • Processes calling DeviceIoControl with IOCTL_DISK_CREATE_DISK or performing raw writes to \\.\PHYSICALDRIVE* from untrusted processes.

    • Mass event-log clearing via wevtutil.exe cl (System, Setup, Application, Security, ForwardedEvents).

    • Appearance of .candy files or the image_danger.jpg image set as wallpaper.

    • Creation of a new firewall rule named Microsoft.Windows.CloudExperienceHost from an unfamiliar process.

Long-term

  1. Harden anti-wiper backup strategy: Maintain offline, immutable, network-segmented backups, and test restoration regularly — this is the last line of defense once a wiper has executed.

  2. Apply Attack Surface Reduction: Block execution of files that don't meet prevalence/age/trusted-list criteria; restrict execution from temporary directories.

  3. Monitor non-traditional C2 behavior: Treat RabbitMQ, Redis, and MinIO Client (mc.exe) as tools warranting close monitoring in environments without a legitimate need for them.


References


Note: This article was compiled based on the original Microsoft Threat Intelligence report and other reliable sources. Attribution details (particularly the link to CyberAv3ngers/IRGC-CEC via Crucio) represent an indirect, code-level connection — not a direct Microsoft attribution of GigaWiper — and should be cross-verified before use in any official report.

More from this blog

F

FPT IS Security

880 posts

Dedicated to providing insightful articles on cybersecurity threat intelligence, aimed at empowering individuals and organizations to navigate the digital landscape safely.