Full Report
Microsoft has taken apart a destructive Windows backdoor it calls GigaWiper. What stands out is how it is built: not one tool but three older destructive programs bolted into one, offered as commands the operator can choose from. Each is a different way to break a machine: wipe the whole disk, overwrite the Windows drive, or run fake "ransomware" that scrambles files with a key it never saves
Analysis Summary
# Tool/Technique: GigaWiper (aka BLUERABBIT)
## Overview
GigaWiper is a destructive Windows-based backdoor written in Go (Golang). It is uniquely characterized as a "bolted-together" toolkit that consolidates three distinct legacy destructive modules into a single interface. It functions as a post-compromise tool used for cyber espionage, data exfiltration, and ultimate system destruction through disk wiping or fake ransomware.
## Technical Details
- **Type:** Malware family (Backdoor / Multi-Wiper)
- **Platform:** Windows
- **Capabilities:** Disk wiping, file encryption (fake ransomware), screen recording, VNC remote control, file exfiltration, and persistence.
- **First Seen:** June 2026 (Reported by Binary Defense and Microsoft)
## MITRE ATT&CK Mapping
- **[TA0003 - Persistence]**
- [T1053.005 - Scheduled Task/Job: Scheduled Task]
- **[TA0005 - Defense Evasion]**
- [T1070.001 - Indicator Removal: Clear Windows Event Logs]
- [T1036 - Masquerading] (Posing as OneDrive)
- [T1562.004 - Impair Defenses: Disable or Modify System Firewall]
- **[TA0007 - Discovery]**
- [T1082 - System Information Discovery]
- **[TA0009 - Collection]**
- [T1113 - Screen Capture]
- **[TA0011 - Command and Control]**
- [T1105 - Ingress Tool Transfer]
- **[TA0040 - Impact]**
- [T1561.002 - Disk Structure Wipe]
- [T1486 - Data Encrypted for Impact] (Fake Ransomware)
## Functionality
### Core Capabilities
* **Modular Destruction:** Offers three operator-selectable destructive commands:
* **Raw Disk Wiper:** Overwrites physical drives and partition tables, followed by a reboot.
* **Fake Ransomware:** Based on **Crucio** code; encrypts files with a `.candy` extension and changes wallpaper but does not save decryption keys.
* **System Drive Wiper:** A Go-based rewrite of **FlockWiper** that overwrites the Windows partition with multiple data patterns.
* **Espionage Suite:** Includes live screen recording, multi-monitor screenshots, and hidden VNC sessions.
### Advanced Features
* **Legitimate Service Abused:** Uses legitimate business infrastructure for C2 to blend with normal traffic:
* **RabbitMQ:** Tasking/Commanding.
* **Redis:** Returning results/data.
* **MinIO:** Data exfiltration.
* **Persistence & Stealth:**
* Creates a scheduled task "OneDrive Update" running every minute.
* Creates a firewall rule named "Microsoft.Windows.CloudExperienceHost" to hide its remote control channel.
## Indicators of Compromise
* **File Hashes:** (Note: Article mentions 4 hashes provided by Microsoft/Binary Defense, though specific strings are truncated in the source text).
* **File Names:** Often masquerades as `OneDrive.exe` or related components.
* **Registry Keys:**
* `HKCU\SOFTWARE\OneDrive\Environment` (Used for tracking)
* **Network Indicators:**
* Traffic involving RabbitMQ, Redis, and MinIO protocols/ports to external IPs.
* **Behavioral Indicators:**
* Unexpected modification of Raw Disk sectors.
* Creation of a scheduled task named "OneDrive Update".
* Sudden appearance of a firewall rule named "Microsoft.Windows.CloudExperienceHost".
## Associated Threat Actors
* **CyberAv3ngers:** Linked to Iran's Islamic Revolutionary Guard Corps (IRGC).
* **Iran-nexus groups:** Binary Defense and Google Threat Intelligence link the activity to a group targeting Israeli organizations.
## Detection Methods
* **Signature-based:** Monitoring for the specific Go-compiled binaries associated with GigaWiper and legacy Crucio/FlockWiper code.
* **Behavioral:**
* Detecting unauthorized writes to `\\.\PhysicalDrive`.
* Alerting on high-volume file renaming/encryption to `.candy`.
* Monitoring for the use of Redis/MinIO/RabbitMQ to unknown external endpoints.
## Mitigation Strategies
* **Offline Backups:** Maintain clean, offline, and immutable backups as the malware leaves no path for recovery once the wiper/fake ransomware is triggered.
* **Early Detection:** Implement EDR/XDR to catch the backdoor during the espionage phase before the "Wipe" command is issued.
* **Network Segmentation:** Restrict outbound traffic on non-standard ports and monitor for the unauthorized use of data-transfer tools like MinIO.
## Related Tools/Techniques
* **Crucio:** Legacy ransomware used as the base for GigaWiper’s encryption module.
* **FlockWiper:** A destructive wiper previously seen in regional conflicts, rewritten in Go for this toolkit.
* **BLUERABBIT:** The alternative name assigned to this backdoor by Binary Defense.