GigaWiper: When One Backdoor Stitches Three Malware Families Into a Destruction-on-Demand Machine

Overview
On July 9, 2026, Microsoft Threat Intelligence published a code-level analysis of GigaWiper — a Go (Golang)-based backdoor capable of sabotaging systems at the physical disk level. What makes GigaWiper remarkable is not a single technique, but its architecture: this is not a pure wiper, but a "stitched-together" product built from at least three separate malware families — a physical disk wiper, an encryption module derived from the Crucio ransomware, and a multi-pass secure wiper that reimplements the logic of FlockWiper — all folded into a single implant as on-demand backdoor commands.
The core risk of this model is its dual flexibility: an attacker can quietly maintain control and conduct surveillance for months, then — with a single command — instantly shift into destruction mode: wiping disks, encrypting data beyond recovery, triggering a Blue Screen of Death (BSOD), and erasing evidence. Microsoft emphasizes this represents a notable shift in wiper malware, which has traditionally been designed purely to destroy rather than combining espionage and extortion.
The destructive activity was first observed by Microsoft in October 2025 and has continued for over eight months. GigaWiper is also tracked by Google Threat Intelligence Group (GTIG) and Binary Defense under the designation BLUERABBIT; Binary Defense first observed the corresponding files in March 2026.
About the Threat Actor
Identity and Attribution
Microsoft did not make a formal nation-state attribution in its analysis. Instead, it linked GigaWiper to the same developer behind Crucio and FlockWiper, based on code-level evidence (detailed below). However, the thread connecting it to Crucio opens up a noteworthy attribution avenue.
| Attribute | Detail |
|---|---|
| Tool name | GigaWiper (Microsoft) / BLUERABBIT (GTIG, Binary Defense) |
| Development language | Go (Golang) — samples are unstripped PE files |
| Time of observation | Destructive activity: October 2025 (Microsoft); BLUERABBIT files: March 2026 (Binary Defense) |
| Component malware families | Standalone physical disk wiper + Crucio (ransomware) + FlockWiper (secure wiper) |
| Attribution basis | Same developer as Crucio and FlockWiper [based on Microsoft code analysis] |
| Motivation | Destruction combined with espionage and fake-ransomware disguise |
The Thread to Crucio and CyberAv3ngers
GigaWiper's encryption module (Command 3) shares a function named BigBangExtortMain with the Crucio ransomware. Crucio was documented by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) in advisory AA23-335A in December 2023.
Technical Analysis
Microsoft observed two sample types of GigaWiper in compromised environments, both unstripped Golang PE files:
Standalone wiper binary
Full-featured backdoor — in which the entire standalone wiper's code is embedded as one command.
Component 1: Standalone Physical Disk Wiper
Rather than deleting individual files, this wiper operates at the physical disk level. Its behavioral chain:
Enumerates disks via WMI: Uses a Windows Management Instrumentation query to obtain device identifiers and metadata for each drive.
Identifies the Windows drive: Calls
main.FindWindowsDriveto find the drive containing the Windows installation (e.g.,\\.\PHYSICALDRIVE0).Destroys other drives' partition tables: For each non-Windows drive, calls
main.unallocateDrive— usingDeviceIoControlwithIOCTL_DISK_CREATE_DISKto reinitialize partition metadata and wipe partition-table entries. On success, it printsPartitions removed successfully.to the console.Overwrites data: Calls
main.writeRandToDriveto overwrite each drive in chunks of0xA00000. Notable technical detail: the first byte of each buffer is randomized viacrypto/rand.Read, while the rest is zero-filled. If random generation fails, the byte value1is used instead. This overwrite pattern may be intended to evade detections that look for conspicuous full-disk zeroing behavior.Immediate reboot: Invokes Windows shutdown functionality with restart and zero-delay options.
Within the backdoor, this same functionality is implemented as rabbit_tools_tool_wipe_main.WipeMain — identical in both code flow and function names to the standalone version.
Component 2: Backdoor — Persistence and C2
Persistence:
Creates and uses the registry key
HKCU\SOFTWARE\OneDrive\Environmentto count executions.On first run, creates a masqueraded Scheduled Task named
OneDrive Update, configured to run nearly every minute plus once at system startup.
Command-and-Control (C2) — dual channel:
RabbitMQ over AMQP: receives commands from the C2 server.
Redis: updates command status and execution output.
Configuration is hard-coded and decrypted using AES with a fixed key. One observed sample used
185.182.193[.]21:5544as the RabbitMQ C2 server and185.182.193[.]21:7542as the Redis server.The backdoor declares a fanout exchange named "All" (any command published here is broadcast to all bound queues across infected clients) and a topic exchange named "Topic" (for targeted, non-broadcast commands).
Component 3: Command Set (Commands 1–20)
This is where GigaWiper's "multiple personalities" become clearest. The backdoor supports up to 20 command codes:
| Command | Function | Notes |
|---|---|---|
| 1 | Calls WipeMain — physical disk wiper |
Identical to the standalone wiper |
| 2 | Triggers BSOD and prevents boot | Disables Windows Recovery, takes ownership, and deletes critical boot/kernel files |
| 3 | Calls RanMain + BigBangExtortMain — ransomware-like encryption |
Random key and IV, never saved → no possible decryption. Renames files to .candy, sets a warning wallpaper. Origin: Crucio |
| 4 | Uploads files to remote storage via MinIO Client (mc.exe) |
Parameters: IP/Port, alias, user/pass, bucket, source path |
| 5 | Bulk file encryption/decryption utility (AES-256-CBC) | Enc/dec modes; if no key is provided, generates a random one and stores it in key.txt |
| 6 | Runs a PE from a map (not seen populated) | Log Exec cmd wipe-file suggests wiper functionality |
| 7 | PowerShell shell + "special commands" | Appends `;" |
| 8 | RabbitMQ route manager | Bind/unbind routing keys to receive targeted commands |
| 9 | Screenshots each active monitor | Saves PNG as .\<timestamp>\<index>.png |
| 10 | Screen recording when the user is not idle and the machine is unlocked | Saves to C:\ProgramData\output (always-run) |
| 11 | Runs a PE from a map (not seen populated) | Log Exec cmd keylog suggests keylogger |
| 12 | Calls WipeCMain — multi-pass secure wiper for the Windows drive |
Overwrites multiple passes with alternating byte patterns (0x00, 0xFF, random). Origin: FlockWiper |
| 13 | Runs a PE from a map, executed as admin | Log Exec cmd wipe32 suggests another wiper |
| 14 | (Not implemented) | — |
| 15 | System information collection (GRATClientInfo) |
IP, Machine GUID, CPU, OS, network config, firmware, user, antivirus product info |
| 16 | Process manager | create/resume/suspend/list/kill/processInfo |
| 17 | Service manager | create/delete/restart/query/start/list/stop |
| 18 | Registry manager (interactive session) | show/navigate/back/createKey/deleteKey/setValue... |
| 19 | Clears Windows event logs | Deletes System/Setup/Application/ForwardedEvents/Security via wevtutil.exe; on failure, directly deletes Security.evtx |
| 20 | VNC-like remote control | Streams the screen, controls mouse/keyboard over TCP; creates a firewall rule masquerading as a legitimate Windows rule name (Microsoft.Windows.CloudExperienceHost) |
How GigaWiper Was Assembled
The key finding in Microsoft's analysis: three destructive commands (1, 3, 12) each originate from a separate malware family previously used by this same threat actor, stitched into commands within a single implant.
Evidence Linking to Crucio (Command 3)
The function
BigBangExtortMainshares an identical name with a function in the Crucio ransomware (documented in CISA advisory AA23-335A, December 2023).Command 3 is heavily based on Crucio's code in terms of execution flow and function naming.
→ Microsoft assesses that the same threat actor developed both malware families.
Evidence Linking to FlockWiper (Command 12)
WipeCMainis essentially identical to the wiper Microsoft tracks as FlockWiper. FlockWiper was written in C, whereas GigaWiper reimplements that logic in Go with added multi-pass overwriting.FlockWiper was first uploaded to VirusTotal in June 2025, months before GigaWiper appeared.
The "GRAT" string: FlockWiper samples contain PDB paths referencing the
GRATstring (e.g.,A:\GRAT\CWipeNew\Release\CWipeNew.pdb). This same string appears throughout GigaWiper's function names. Notably, FlockWiper binaries contain no "GRAT" functionality themselves — suggesting the existence of a larger framework or component that has not yet been recovered.
Campaign Risk Summary
| Risk Dimension | Level | Rationale |
|---|---|---|
| Destructiveness | Critical | Three independent data-wiping mechanisms + irreversible encryption; wipes both partition tables and the Windows drive |
| Recoverability | Very Low | Random encryption keys never stored; multi-pass overwriting to secure-erase standards |
| Flexibility | Very High | A single implant does both quiet surveillance and on-demand destruction — switching modes with one command |
| Stealth | High | Randomized first-byte overwrite to evade detection; event log clearing; masqueraded Scheduled Task ("OneDrive Update") and firewall rules |
| Persistence | High | Scheduled Task runs every minute + at startup; dual RabbitMQ/Redis C2 |
| Blast Radius | High | The "All" fanout exchange allows a destructive command to be broadcast to every infected machine simultaneously |
IOCs & Artifacts
Host-based Indicators
Masqueraded Scheduled Task: named
OneDrive Update, configured to run every minute + at startup.Registry key:
HKCU\SOFTWARE\OneDrive\Environment(execution counter).Encrypted files:
.candyextension; wallpaper changed to./image_danger.jpg.Output folder:
C:\ProgramData\output(screen recordings from Command 10).Masqueraded firewall rule: named after
Microsoft.Windows.CloudExperienceHost.Distinctive console strings:
Partitions removed successfully.,Pass 1/2/3 Time took:, and the anomalous stringkharbvnmhkjbkjb(printed when clearing event logs).
Network Indicators (C2)
| Indicator | Type | Description |
|---|---|---|
185.182.193[.]21 |
IP | GigaWiper C2 (RabbitMQ :5544, Redis :7542) |
212.8.248[.]104 |
IP | GigaWiper C2 |
Malicious Files (SHA-256)
| Hash | Type |
|---|---|
633d4cbd496b1094495da89a64f5e6c31a0f6d4d1488411db5b0cba1cfe42001 |
GigaWiper backdoor |
ce9ad5f6c12019f4aae5b189bd8ddf5bb09e75b06a0a587b25a855c65948c913 |
GigaWiper backdoor |
f622ed85ef31ad4ab973f4e74524866fe1bb44f0965ad2b2ad796cd657a05bfd |
GigaWiper backdoor |
9706a192e2c1a1faaf0a521daf31c2af60ff4590e3f47bbb4abc227f42af0683 |
GigaWiper backdoor |
3c30deb6556a94cfb84ae51798f4aecfae8c7358e55fdb321c5f2376579631cd |
GigaWiper standalone wiper |
440b5385d3838e3f6bc21220caa83b65cd5f3618daea676f271c3671650ce9a3 |
Crucio |
12c39f052f030a77c0cd531df86ad3477f46d1287b8b98b625d1dcf89385d721 |
FlockWiper |
db41e0da7ab3305be8d9720769c6950b4dc1c1984ef857d3310eb873a0fc7674 |
FlockWiper |
MITRE ATT&CK Mapping
| Tactic | Technique ID | Technique Name | Description in Campaign |
|---|---|---|---|
| Persistence | T1053.005 | Scheduled Task/Job: Scheduled Task | OneDrive Update task runs every minute and at startup |
| Persistence | T1547 | Boot or Logon Autostart Execution | Combined with the HKCU\...\OneDrive\Environment registry key |
| Command and Control | T1071 | Application Layer Protocol | C2 over RabbitMQ (AMQP) and Redis |
| Collection | T1113 | Screen Capture | Command 9 (screenshot) and Command 10 (screen recording) |
| Collection | T1082 | System Information Discovery | Command 15 collects system and AV information |
| Defense Evasion | T1070.001 | Indicator Removal: Clear Windows Event Logs | Command 19 clears System/Setup/Application/Security logs |
| Defense Evasion | T1036 | Masquerading | Masquerades Scheduled Task and firewall rules under legitimate names |
| Impact | T1561.001 | Disk Wipe: Disk Content Wipe | Command 1 overwrites raw disk content |
| Impact | T1561.002 | Disk Wipe: Disk Structure Wipe | Wipes partition tables via IOCTL_DISK_CREATE_DISK |
| Impact | T1486 | Data Encrypted for Impact | Command 3 performs irreversible ransomware-like encryption |
| Impact | T1529 | System Shutdown/Reboot | Forces reboot immediately after wiping |
| Impact | T1499 | Endpoint Denial of Service | Command 2 triggers BSOD, blocks boot |
Expert Assessment
GigaWiper's architecture reflects a worrying trend in the world of destructive malware: the "industrialization" and consolidation of tooling. Rather than developing and deploying separate wipers, ransomware, and surveillance tools individually, the threat actor folds them all into a single modular implant. This delivers two operational advantages: a smaller deployment footprint and expanded destructive capabilities — the attacker only needs to deliver one payload yet holds an entire arsenal.
The boundary between espionage, ransomware, and destruction is blurring. GigaWiper lets an attacker quietly capture screenshots, record video, and collect system information for months — activity indistinguishable from an espionage campaign — then, when needed, trigger a wipe command. Especially dangerous is Command 3, which masquerades as ransomware but is actually a wiper: it renames files to .candy and sets a warning wallpaper, creating the illusion of an extortion event where a ransom could "buy back" the data — when in reality the decryption key never existed. This is a psychological ploy that leads victims to waste precious time negotiating instead of restoring from backups.
For defenders, the implication is clear: you cannot rely solely on "classifying" malware to prioritize response. Any backdoor persisting in the network should be treated as a potential data-destruction risk, because the line between "a surveillance implant" and "a wiper" is now just a single C2 command away. The "All" fanout exchange further allows the attacker to broadcast a destructive command simultaneously to every infected machine — turning a localized incident into an organization-wide disaster within seconds.
For organizations in Vietnam, especially those operating critical infrastructure (energy, water, telecommunications), the indirect thread to groups targeting industrial infrastructure is a wake-up call: with wipers, prevention and recoverability matter far more than post-incident response — because once the wipe command runs, there is nothing left to respond to.
Recommendations
Immediate (0–24h)
Hunt for IOCs now: Block the two C2 IPs (
185.182.193[.]21,212.8.248[.]104) at the firewall/proxy; scan all endpoints against the SHA-256 list above.Review for the spoofed Scheduled Task: Look for a task named
OneDrive Updatepointing to an anomalous binary (not in the genuine OneDrive install directory); check the registry keyHKCU\SOFTWARE\OneDrive\Environment.Inspect anomalous RabbitMQ/Redis traffic: Alert on any outbound AMQP/Redis connections from endpoints with no business need for them.
Short-term (1–7 days)
Enable tenant-wide Tamper Protection to prevent attackers from stopping security services or adding AV exclusions; with Intune/MDE, enable
DisableLocalAdminMerge.Enable cloud-delivered protection and EDR in block mode to block malicious artifacts even when third-party AV misses them.
Build detection rules in EDR/SIEM:
Processes calling
DeviceIoControlwithIOCTL_DISK_CREATE_DISKor performing raw writes to\\.\PHYSICALDRIVE*from untrusted processes.Mass event-log clearing via
wevtutil.exe cl(System, Setup, Application, Security, ForwardedEvents).Appearance of
.candyfiles or theimage_danger.jpgimage set as wallpaper.
Creation of a new firewall rule named
Microsoft.Windows.CloudExperienceHostfrom an unfamiliar process.
Long-term
Harden anti-wiper backup strategy: Maintain offline, immutable, network-segmented backups, and test restoration regularly — this is the last line of defense once a wiper has executed.
Apply Attack Surface Reduction: Block execution of files that don't meet prevalence/age/trusted-list criteria; restrict execution from temporary directories.
Monitor non-traditional C2 behavior: Treat RabbitMQ, Redis, and MinIO Client (
mc.exe) as tools warranting close monitoring in environments without a legitimate need for them.
References
GigaWiper Combines Multiple Malware for System-Level Sabotage — SecurityWeek
New GigaWiper Windows Backdoor Bundles Disk Wiping, Fake Ransomware, and Spyware — The Hacker News
CISA Advisory AA23-335A: IRGC-Affiliated Cyber Actors Exploit PLCs in Multiple Sectors (Dec 2023)
Note: This article was compiled based on the original Microsoft Threat Intelligence report and other reliable sources. Attribution details (particularly the link to CyberAv3ngers/IRGC-CEC via Crucio) represent an indirect, code-level connection — not a direct Microsoft attribution of GigaWiper — and should be cross-verified before use in any official report.





