Overview
Microsoft has dissected a destructive Windows backdoor dubbed GigaWiper, also tracked as BLUERABBIT by Binary Defense. Unlike typical malware, GigaWiper is a multi‑tool platform combining disk wiping, fake ransomware, and spyware capabilities. This makes it a flexible implant that attackers can use to either destroy systems or quietly surveil them.
Three Paths to Destruction
GigaWiper is written in Go (Golang) and executes destructive commands on Windows machines. Operators can choose from three devastating modes:
- Raw Disk Wiper — overwrites the physical drive and partition table, leaving no recovery option.
- Fake Ransomware — encrypts files with a
.candyextension using Crucio code, but never saves the key. Victims see alarming wallpaper changes but cannot decrypt files. - Windows Drive Overwriter — a Go rewrite of FlockWiper, repeatedly overwriting the system drive with different data patterns.
The goal is irreversible destruction, not financial gain.
Espionage Capabilities
Beyond destruction, GigaWiper doubles as spyware:
- Screen capture — takes screenshots and records user activity.
- Hidden VNC sessions — allows attackers to remotely control the desktop.
- System manipulation — manages processes, edits registry keys, and wipes event logs.
- Dormant stubs suggest future additions like keyloggers and extra wipers.
This dual nature means defenders cannot infer attacker intent from the malware alone — operators decide whether to spy or destroy after gaining access.
Stealth Techniques
GigaWiper hides in plain sight by impersonating legitimate services:
- OneDrive disguise — creates a scheduled task named OneDrive Update and registry entries under
HKCU\SOFTWARE\OneDrive\Environment. - Firewall camouflage — masks its remote channel as Microsoft.Windows.CloudExperienceHost.
- Legitimate traffic channels — uses RabbitMQ, Redis, and MinIO for command, results, and exfiltration, blending into normal enterprise traffic.
Attribution and Lineage
- Microsoft links GigaWiper’s fake ransomware to Crucio, previously tied to CyberAv3ngers, a group linked to Iran’s IRGC.
- Its multi‑pass wiper code traces back to FlockWiper, with recurring debug tags (“GRAT”) tying the tools together.
- Binary Defense first flagged the same samples as BLUERABBIT in March 2026, while Microsoft dates destructive activity to October 2025.
- Analysts assess the malware is part of a larger Iranian wiper campaign targeting Israeli organizations, echoing tactics seen in Handala Hack and earlier NotPetya‑style fake ransomware attacks.
Defensive Recommendations
Microsoft advises defenders to watch for specific signals:
- Suspicious OneDrive Update tasks repeating every minute.
- RabbitMQ or Redis traffic from desktops instead of servers.
- Unauthorized file ownership changes targeting boot files like
bootmgrandntoskrnl.exe.
Mitigation steps:
- Enable tamper protection to prevent antivirus shutdown.
- Block known command servers (185.182.193[.]21, 212.8.248[.]104).
- Run endpoint detection in block mode and enable cloud‑delivered protection.
- Maintain offline backups to recover from destructive attacks.
Expert in the Cloud Insight
GigaWiper represents a new breed of hybrid malware — one implant that can spy, steal, or destroy depending on operator intent. This flexibility makes attribution harder and defense more urgent.
For organizations, the lesson is clear: early detection, strict monitoring of legitimate services, and resilient backup strategies are the only way to withstand such destructive campaigns.
Leave a Reply