# GigaWiper: When One Backdoor Stitches Three Malware Families Into a Destruction-on-Demand Machine

## Overview

On July 9, 2026, **Microsoft Threat Intelligence** published a code-level analysis of **GigaWiper** — a **Go (Golang)**\-based backdoor capable of sabotaging systems at the physical disk level. What makes GigaWiper remarkable is not a single technique, but its architecture: this is not a pure wiper, but a "stitched-together" product built from **at least three separate malware families** — a physical disk wiper, an encryption module derived from the **Crucio** ransomware, and a multi-pass secure wiper that reimplements the logic of **FlockWiper** — all folded into a single implant as *on-demand backdoor commands*.

The core risk of this model is its **dual flexibility**: an attacker can quietly maintain control and conduct surveillance for months, then — with a single command — instantly shift into destruction mode: wiping disks, encrypting data beyond recovery, triggering a Blue Screen of Death (BSOD), and erasing evidence. Microsoft emphasizes this represents **a notable shift in wiper malware**, which has traditionally been designed purely to destroy rather than combining espionage and extortion.

The destructive activity was first observed by Microsoft in **October 2025** and has continued for over eight months. GigaWiper is also tracked by **Google Threat Intelligence Group (GTIG)** and **Binary Defense** under the designation **BLUERABBIT**; Binary Defense first observed the corresponding files in March 2026.

* * *

## About the Threat Actor

### Identity and Attribution

Microsoft **did not make a formal nation-state attribution** in its analysis. Instead, it linked GigaWiper to the **same developer behind Crucio and FlockWiper**, based on code-level evidence (detailed below). However, the thread connecting it to Crucio opens up a noteworthy attribution avenue.

| **Attribute** | **Detail** |
| --- | --- |
| **Tool name** | GigaWiper (Microsoft) / BLUERABBIT (GTIG, Binary Defense) |
| **Development language** | Go (Golang) — samples are unstripped PE files |
| **Time of observation** | Destructive activity: October 2025 (Microsoft); BLUERABBIT files: March 2026 (Binary Defense) |
| **Component malware families** | Standalone physical disk wiper + Crucio (ransomware) + FlockWiper (secure wiper) |
| **Attribution basis** | Same developer as Crucio and FlockWiper `[based on Microsoft code analysis]` |
| **Motivation** | Destruction combined with espionage and fake-ransomware disguise |

### The Thread to Crucio and CyberAv3ngers

GigaWiper's encryption module (Command 3) shares a function named `BigBangExtortMain` with the **Crucio** ransomware. Crucio was documented by the **U.S. Cybersecurity and Infrastructure Security Agency (CISA)** in advisory **AA23-335A** in December 2023.

* * *

## Technical Analysis

Microsoft observed **two sample types** of GigaWiper in compromised environments, both unstripped Golang PE files:

1.  **Standalone wiper binary**
    
2.  **Full-featured backdoor** — in which the entire standalone wiper's code is embedded as **one command**.
    

### Component 1: Standalone Physical Disk Wiper

Rather than deleting individual files, this wiper operates **at the physical disk level**. Its behavioral chain:

1.  **Enumerates disks via WMI:** Uses a Windows Management Instrumentation query to obtain device identifiers and metadata for each drive.
    
    ![](https://cdn.hashnode.com/uploads/covers/669e2578c18c3baa1b4fc070/8ca758aa-9122-4015-bcc5-aeeb6a5fc413.png align="center")
    
2.  **Identifies the Windows drive:** Calls `main.FindWindowsDrive` to find the drive containing the Windows installation (e.g., `\\.\PHYSICALDRIVE0`).
    
3.  **Destroys other drives' partition tables:** For each non-Windows drive, calls `main.unallocateDrive` — using `DeviceIoControl` with `IOCTL_DISK_CREATE_DISK` to reinitialize partition metadata and wipe partition-table entries. On success, it prints `Partitions removed successfully.` to the console.
    
4.  **Overwrites data:** Calls `main.writeRandToDrive` to overwrite each drive in chunks of `0xA00000`. **Notable technical detail:** the first byte of each buffer is randomized via `crypto/rand.Read`, while the rest is zero-filled. If random generation fails, the byte value `1` is used instead. This overwrite pattern **may be intended to evade detections that look for conspicuous full-disk zeroing** behavior.
    
5.  **Immediate reboot:** Invokes Windows shutdown functionality with restart and zero-delay options.
    

Within the backdoor, this same functionality is implemented as `rabbit_tools_tool_wipe_main.WipeMain` — identical in both code flow and function names to the standalone version.

![](https://cdn.hashnode.com/uploads/covers/669e2578c18c3baa1b4fc070/dce8921e-f5ba-4777-9619-4b0abaadd285.png align="center")

### Component 2: Backdoor — Persistence and C2

**Persistence:**

![](https://cdn.hashnode.com/uploads/covers/669e2578c18c3baa1b4fc070/7ef784f8-51db-4961-a2c4-771fa081472e.png align="center")

*   Creates and uses the registry key `HKCU\SOFTWARE\OneDrive\Environment` to count executions.
    
*   On first run, creates a **masqueraded Scheduled Task named** `OneDrive Update`, configured to run nearly **every minute** plus once at system startup.
    

**Command-and-Control (C2) — dual channel:**

*   **RabbitMQ over AMQP:** receives commands from the C2 server.
    
*   **Redis:** updates command status and execution output.
    
*   Configuration is hard-coded and decrypted using **AES with a fixed key**. One observed sample used `185.182.193[.]21:5544` as the RabbitMQ C2 server and `185.182.193[.]21:7542` as the Redis server.
    
*   The backdoor declares a **fanout exchange named "All"** (any command published here is broadcast to all bound queues across infected clients) and a **topic exchange named "Topic"** (for targeted, non-broadcast commands).
    

### Component 3: Command Set (Commands 1–20)

This is where GigaWiper's "multiple personalities" become clearest. The backdoor supports up to 20 command codes:

| **Command** | **Function** | **Notes** |
| --- | --- | --- |
| **1** | Calls `WipeMain` — physical disk wiper | Identical to the standalone wiper |
| **2** | Triggers **BSOD** and prevents boot | Disables Windows Recovery, takes ownership, and deletes critical boot/kernel files |
| **3** | Calls `RanMain` + `BigBangExtortMain` — **ransomware-like encryption** | Random key and IV, **never saved** → no possible decryption. Renames files to `.candy`, sets a warning wallpaper. **Origin: Crucio** |
| **4** | Uploads files to remote storage via **MinIO Client (**`mc.exe`**)** | Parameters: IP/Port, alias, user/pass, bucket, source path |
| **5** | Bulk **file encryption/decryption** utility (AES-256-CBC) | Enc/dec modes; if no key is provided, generates a random one and stores it in `key.txt` |
| **6** | Runs a PE from a map (not seen populated) | Log `Exec cmd wipe-file` suggests wiper functionality |
| **7** | **PowerShell shell** + "special commands" | Appends \`;" |
| **8** | **RabbitMQ route manager** | Bind/unbind routing keys to receive targeted commands |
| **9** | Screenshots each active monitor | Saves PNG as `.\<timestamp>\<index>.png` |
| **10** | **Screen recording** when the user is not idle and the machine is unlocked | Saves to `C:\ProgramData\output` (always-run) |
| **11** | Runs a PE from a map (not seen populated) | Log `Exec cmd keylog` suggests keylogger |
| **12** | Calls `WipeCMain` — **multi-pass secure wiper** for the Windows drive | Overwrites multiple passes with alternating byte patterns (0x00, 0xFF, random). **Origin: FlockWiper** |
| **13** | Runs a PE from a map, executed as admin | Log `Exec cmd wipe32` suggests another wiper |
| **14** | (Not implemented) | — |
| **15** | **System information collection** (`GRATClientInfo`) | IP, Machine GUID, CPU, OS, network config, firmware, user, **antivirus product info** |
| **16** | **Process manager** | create/resume/suspend/list/kill/processInfo |
| **17** | **Service manager** | create/delete/restart/query/start/list/stop |
| **18** | **Registry manager** (interactive session) | show/navigate/back/createKey/deleteKey/setValue... |
| **19** | **Clears Windows event logs** | Deletes System/Setup/Application/ForwardedEvents/Security via `wevtutil.exe`; on failure, directly deletes `Security.evtx` |
| **20** | **VNC-like remote control** | Streams the screen, controls mouse/keyboard over TCP; creates a firewall rule **masquerading as a legitimate Windows rule name** (`Microsoft.Windows.CloudExperienceHost`) |

* * *

## How GigaWiper Was Assembled

The key finding in Microsoft's analysis: **three destructive commands (1, 3, 12) each originate from a separate malware family** previously used by this same threat actor, stitched into commands within a single implant.

### Evidence Linking to Crucio (Command 3)

*   The function `BigBangExtortMain` shares an **identical name** with a function in the Crucio ransomware (documented in CISA advisory AA23-335A, December 2023).
    
*   Command 3 is **heavily based on Crucio's code** in terms of execution flow and function naming.
    
*   → Microsoft assesses that **the same threat actor developed both malware families**.
    

### Evidence Linking to FlockWiper (Command 12)

*   `WipeCMain` is **essentially identical** to the wiper Microsoft tracks as FlockWiper. FlockWiper was written in **C**, whereas GigaWiper **reimplements that logic in Go** with added multi-pass overwriting.
    
*   FlockWiper was first uploaded to VirusTotal in **June 2025**, months before GigaWiper appeared.
    
*   **The "GRAT" string:** FlockWiper samples contain PDB paths referencing the `GRAT` string (e.g., `A:\GRAT\CWipeNew\Release\CWipeNew.pdb`). This same string appears throughout GigaWiper's function names. Notably, FlockWiper binaries contain **no** "GRAT" functionality themselves — suggesting the existence of **a larger framework or component that has not yet been recovered**.
    

* * *

## Campaign Risk Summary

| **Risk Dimension** | **Level** | **Rationale** |
| --- | --- | --- |
| **Destructiveness** | Critical | Three independent data-wiping mechanisms + irreversible encryption; wipes both partition tables and the Windows drive |
| **Recoverability** | Very Low | Random encryption keys **never stored**; multi-pass overwriting to secure-erase standards |
| **Flexibility** | Very High | A single implant does both quiet surveillance and on-demand destruction — switching modes with one command |
| **Stealth** | High | Randomized first-byte overwrite to evade detection; event log clearing; masqueraded Scheduled Task ("OneDrive Update") and firewall rules |
| **Persistence** | High | Scheduled Task runs every minute + at startup; dual RabbitMQ/Redis C2 |
| **Blast Radius** | High | The "All" fanout exchange allows a destructive command to be broadcast to **every** infected machine simultaneously |

* * *

## IOCs & Artifacts

### Host-based Indicators

*   **Masqueraded Scheduled Task:** named `OneDrive Update`, configured to run every minute + at startup.
    
*   **Registry key:** `HKCU\SOFTWARE\OneDrive\Environment` (execution counter).
    
*   **Encrypted files:** `.candy` extension; wallpaper changed to `./image_danger.jpg`.
    
*   **Output folder:** `C:\ProgramData\output` (screen recordings from Command 10).
    
*   **Masqueraded firewall rule:** named after `Microsoft.Windows.CloudExperienceHost`.
    
*   **Distinctive console strings:** `Partitions removed successfully.`, `Pass 1/2/3 Time took:`, and the anomalous string `kharbvnmhkjbkjb` (printed when clearing event logs).
    

### Network Indicators (C2)

| **Indicator** | **Type** | **Description** |
| --- | --- | --- |
| `185.182.193[.]21` | IP | GigaWiper C2 (RabbitMQ `:5544`, Redis `:7542`) |
| `212.8.248[.]104` | IP | GigaWiper C2 |

### Malicious Files (SHA-256)

| **Hash** | **Type** |
| --- | --- |
| `633d4cbd496b1094495da89a64f5e6c31a0f6d4d1488411db5b0cba1cfe42001` | GigaWiper backdoor |
| `ce9ad5f6c12019f4aae5b189bd8ddf5bb09e75b06a0a587b25a855c65948c913` | GigaWiper backdoor |
| `f622ed85ef31ad4ab973f4e74524866fe1bb44f0965ad2b2ad796cd657a05bfd` | GigaWiper backdoor |
| `9706a192e2c1a1faaf0a521daf31c2af60ff4590e3f47bbb4abc227f42af0683` | GigaWiper backdoor |
| `3c30deb6556a94cfb84ae51798f4aecfae8c7358e55fdb321c5f2376579631cd` | GigaWiper standalone wiper |
| `440b5385d3838e3f6bc21220caa83b65cd5f3618daea676f271c3671650ce9a3` | Crucio |
| `12c39f052f030a77c0cd531df86ad3477f46d1287b8b98b625d1dcf89385d721` | FlockWiper |
| `db41e0da7ab3305be8d9720769c6950b4dc1c1984ef857d3310eb873a0fc7674` | FlockWiper |

* * *

## MITRE ATT&CK Mapping

| **Tactic** | **Technique ID** | **Technique Name** | **Description in Campaign** |
| --- | --- | --- | --- |
| **Persistence** | T1053.005 | Scheduled Task/Job: Scheduled Task | `OneDrive Update` task runs every minute and at startup |
| **Persistence** | T1547 | Boot or Logon Autostart Execution | Combined with the `HKCU\...\OneDrive\Environment` registry key |
| **Command and Control** | T1071 | Application Layer Protocol | C2 over RabbitMQ (AMQP) and Redis |
| **Collection** | T1113 | Screen Capture | Command 9 (screenshot) and Command 10 (screen recording) |
| **Collection** | T1082 | System Information Discovery | Command 15 collects system and AV information |
| **Defense Evasion** | T1070.001 | Indicator Removal: Clear Windows Event Logs | Command 19 clears System/Setup/Application/Security logs |
| **Defense Evasion** | T1036 | Masquerading | Masquerades Scheduled Task and firewall rules under legitimate names |
| **Impact** | T1561.001 | Disk Wipe: Disk Content Wipe | Command 1 overwrites raw disk content |
| **Impact** | T1561.002 | Disk Wipe: Disk Structure Wipe | Wipes partition tables via `IOCTL_DISK_CREATE_DISK` |
| **Impact** | T1486 | Data Encrypted for Impact | Command 3 performs irreversible ransomware-like encryption |
| **Impact** | T1529 | System Shutdown/Reboot | Forces reboot immediately after wiping |
| **Impact** | T1499 | Endpoint Denial of Service | Command 2 triggers BSOD, blocks boot |

* * *

## Expert Assessment

GigaWiper's architecture reflects a worrying trend in the world of destructive malware: **the "industrialization" and consolidation of tooling**. Rather than developing and deploying separate wipers, ransomware, and surveillance tools individually, the threat actor folds them all into a single modular implant. This delivers two operational advantages: a **smaller deployment footprint** and **expanded destructive capabilities** — the attacker only needs to deliver one payload yet holds an entire arsenal.

**The boundary between espionage, ransomware, and destruction is blurring.** GigaWiper lets an attacker quietly capture screenshots, record video, and collect system information for months — activity indistinguishable from an espionage campaign — then, when needed, trigger a wipe command. Especially dangerous is **Command 3, which masquerades as ransomware but is actually a wiper**: it renames files to `.candy` and sets a warning wallpaper, creating the illusion of an extortion event where a ransom could "buy back" the data — when in reality the decryption key **never existed**. This is a psychological ploy that leads victims to waste precious time negotiating instead of restoring from backups.

**For defenders, the implication is clear: you cannot rely solely on "classifying" malware to prioritize response.** Any backdoor persisting in the network should be treated as a **potential data-destruction risk**, because the line between "a surveillance implant" and "a wiper" is now just a single C2 command away. The "All" fanout exchange further allows the attacker to **broadcast a destructive command simultaneously** to every infected machine — turning a localized incident into an organization-wide disaster within seconds.

For organizations in Vietnam, especially those operating critical infrastructure (energy, water, telecommunications), the indirect thread to groups targeting industrial infrastructure is a wake-up call: **with wipers, prevention and recoverability matter far more than post-incident response** — because once the wipe command runs, there is nothing left to respond to.

* * *

## Recommendations

### Immediate (0–24h)

1.  **Hunt for IOCs now:** Block the two C2 IPs (`185.182.193[.]21`, `212.8.248[.]104`) at the firewall/proxy; scan all endpoints against the SHA-256 list above.
    
2.  **Review for the spoofed Scheduled Task:** Look for a task named `OneDrive Update` pointing to an anomalous binary (not in the genuine OneDrive install directory); check the registry key `HKCU\SOFTWARE\OneDrive\Environment`.
    
3.  **Inspect anomalous RabbitMQ/Redis traffic:** Alert on any outbound AMQP/Redis connections from endpoints with no business need for them.
    

### Short-term (1–7 days)

1.  **Enable tenant-wide Tamper Protection** to prevent attackers from stopping security services or adding AV exclusions; with Intune/MDE, enable `DisableLocalAdminMerge`.
    
2.  **Enable cloud-delivered protection and EDR in block mode** to block malicious artifacts even when third-party AV misses them.
    
3.  **Build detection rules in EDR/SIEM:**
    
    *   Processes calling `DeviceIoControl` with `IOCTL_DISK_CREATE_DISK` or performing raw writes to `\\.\PHYSICALDRIVE*` from untrusted processes.
        
    *   Mass event-log clearing via `wevtutil.exe cl` (System, Setup, Application, Security, ForwardedEvents).
        
    *   Appearance of `.candy` files or the `image_danger.jpg` image set as wallpaper.
        
        ![](https://cdn.hashnode.com/uploads/covers/669e2578c18c3baa1b4fc070/f2b532fb-9a62-42d3-82e9-9e98bfa18ae9.png align="center")
        
    *   Creation of a new firewall rule named `Microsoft.Windows.CloudExperienceHost` from an unfamiliar process.
        

### Long-term

1.  **Harden anti-wiper backup strategy:** Maintain **offline, immutable**, network-segmented backups, and **test restoration regularly** — this is the last line of defense once a wiper has executed.
    
2.  **Apply Attack Surface Reduction:** Block execution of files that don't meet prevalence/age/trusted-list criteria; restrict execution from temporary directories.
    
3.  **Monitor non-traditional C2 behavior:** Treat RabbitMQ, Redis, and MinIO Client (`mc.exe`) as tools warranting close monitoring in environments without a legitimate need for them.
    

* * *

## References

*   [GigaWiper: Anatomy of a destructive backdoor assembled from multiple malware — Microsoft Threat Intelligence (July 9, 2026)](https://www.microsoft.com/en-us/security/blog/2026/07/09/gigawiper-anatomy-of-a-destructive-backdoor-assembled-from-multiple-malware/)
    
*   [GigaWiper Combines Multiple Malware for System-Level Sabotage — SecurityWeek](https://www.securityweek.com/gigawiper-combines-multiple-malware-for-system-level-sabotage/)
    
*   [New GigaWiper Windows Backdoor Bundles Disk Wiping, Fake Ransomware, and Spyware — The Hacker News](https://thehackernews.com/2026/07/new-gigawiper-windows-backdoor-bundles.html)
    
*   [CISA Advisory AA23-335A: IRGC-Affiliated Cyber Actors Exploit PLCs in Multiple Sectors (Dec 2023)](https://www.cisa.gov/sites/default/files/2023-12/aa23-335a-irgc-affiliated-cyber-actors-exploit-plcs-in-multiple-sectors-1.pdf)
    

* * *

> *Note: This article was compiled based on the original Microsoft Threat Intelligence report and other reliable sources. Attribution details (particularly the link to CyberAv3ngers/IRGC-CEC via Crucio) represent an indirect, code-level connection — not a direct Microsoft attribution of GigaWiper — and should be cross-verified before use in any official report.*
