Cyber Security

New GigaWiper for Windows Backdoor Bundles Disk Wiping, Fake Ransomware, and Spyware

Microsoft has classified what it calls a dangerous Windows backdoor GigaWiper. What stands out is how it’s built: it’s not one tool but three old destructive programs tied into one another, given as commands for the operator to choose from.

Each is a different way to break the machine: wipe the entire disk, overwrite the Windows drive, or use fake “ransomware” that scrambles files with a key it never saves.

Because this is malware and not a single bug, no patch can be fired; GigaWiper is what an attacker runs after they’re in, making early and clean detection, offline backup the real defense.

The same malicious files appear in the second report under a different name: BLUERABBITbackdoor Binary Defense was flagged last month.

Microsoft lists four GigaWiper backdoor hashes; Binary Defense lists four identical BLUERABBIT, and both command servers are identical. Binary Defense, citing Google’s Threat Intelligence Group, links the malware to a possible Iran-nexus group targeting Israeli organizations. Microsoft’s names do not exist in the country.

Three ways to destroy a machine

GigaWiper is written in Go (also called Golang) and runs on Windows. It takes orders as numbered commands, and three of them destroy the machine, each in a different way:

  • A raw disk eraser that overwrites the virtual drive and erases the partition table (a map of how the disk is laid out) before rebooting. No file-by-file deletions will be reversed; it directly destroys the contents of the disk.
  • Fake ransomware built on old code called Crucio. It encrypts files, adds a .candy extension, and changes the desktop wallpaper to a scary warning image. There is no ransom note and no key is saved, so there is nothing to pay and nothing to decrypt. This is the destruction of wearing a ransomware costume.
  • The latter targets the Windows drive, overwriting it several times with different data patterns. Microsoft says it’s a Go rewrite for wiper tracking FlockWiper.

None of this leaves a way back: encrypted files can’t be opened because the key is gone, and wiped drives can be rebuilt from clean backups. The goal is a dead machine, not a payment.

It also checks

Destruction is only part of it. The same backdoor can silently observe and control the infected PC. It takes screenshots of the entire monitor, records the screen while someone is working, and can open a hidden VNC session that broadcasts the display and lets the attacker type and move the mouse.

It also collects system information, manages running programs and services, organizes the registry, and can clear Windows event logs to cover its tracks. Microsoft found other silent commands in the samples it tested, including keylogger stubs and additional wipers.

To stay hidden, GigaWiper pretends to be OneDrive. It creates a scheduled task called OneDrive Update that runs every minute and tracks itself with a registry key under HKCUSOFTWAREOneDriveEnvironment. When it opens its remote control channel, it hides behind a firewall rule named after the actual Windows component, Microsoft.Windows.CloudExperienceHost.

With its command capacity, it skips standard web applications and rides on real business services instead: RabbitMQ for processing, Redis for results, and MiniO for output. Because those are legitimate tools instead of a malware channel, the traffic looks normal to networks that already use them.

Where GigaWiper comes from

Microsoft traces the GigaWiper fake ransomware code back to Crucio and its multi-pass wiper FlockWiper, and checks that the same developer built all three. It does not mean the country. But Crucio is unknown. Its code was listed as suspected ransomware in a December 2023 CISA advisory to CyberAv3ngers, a group linked to Iran’s Islamic Revolutionary Guard Corps.

That’s the same group, THN reports, that broke into water and energy facilities across the US, Israel, UK, and Ireland in 2023, hacking into industrial regulators exposed online. In one case, they took control of a Pennsylvania water plant. The Crucio sample cited by Microsoft bears the same fingerprint listed in that advisory.

Microsoft also found a new tag, “GRAT”, in both FlockWiper’s debugging mode and GigaWiper’s task names, which brings the two tools together and shows another feature that hasn’t appeared yet. The timing varies by source: Microsoft puts the malicious activity in October 2025, while Binary Defense first detected files similar to BLUERABBIT in March 2026.

Part of a big wave

The Iran-linked clearing operation against Israel received repeated warnings in 2025 and 2026. Palo Alto Networks’ Unit 42 tracked similar operations, many of them from a different group, Handala Hack, and in March 2026 Israel’s National Cyber ​​Directorate warned of Iranian wiper attacks on local organizations.

The trick used by GigaWiper is old: NotPetya in 2017 was also created as ransomware while silently destroying data. Disguise buys the attacker time: a compromised machine first looks like a ransomware case that someone might recover from, not the total loss that it is.

Microsoft frames GigaWiper as users who roll up different tools into one flexible environment. For defenders, the result is concrete: when a single installation can view, steal, or destroy, the tool no longer presents a goal. You used to read the intent in the malware you found; here, the operator decides after they are already inside.

One platform, two vendor names, and code shortcuts indicate a tool under construction.

What they have to do is the defenders

Identifying it quickly comes down to a few specific signals:

  • Scheduled OneDrive update task that repeats every minute.
  • RabbitMQ or Redis traffic from standard desktops rather than servers.
  • Processes that use takeown and icacls to take ownership of Windows boot files such as bootmgr and ntoskrnl.exe outside of maintenance windows.

On the product side, Microsoft recommends that you turn on tamper protection so that attackers cannot turn off your antivirus, blocking two known command servers (185.182.193)[.]21 and 212.8.248[.]104), uses endpoint detection in blocking mode, and enables cloud-delivered protection and automatic maintenance. A full list of file hashes, server addresses, and discovery names is in Microsoft’s report.

Hacker News has reached out to Microsoft and Binary Defense for confirmation that GigaWiper and BLUERABBIT are the same malware, as well as details on the scope of the victim and features, and will update this story with any response.

Related Articles

Leave a Reply

Your email address will not be published. Required fields are marked *

Back to top button