GigaWiper looks like ransomware right up until the moment it isn’t. Microsoft published a code-level analysis of the Windows backdoor on July 9, 2026, and the malware’s fake encryption screen is only one of several ways an operator can destroy a machine already under control. Screenshots, remote access, and file theft can happen first. The wipe comes whenever the operator decides to trigger it.
Microsoft found a backdoor with three destructive modes
Microsoft Threat Intelligence says it began observing compromised environments getting wiped with destructive tooling in October 2025. Investigators found two sample types: standalone wiper binaries and larger binaries with full backdoor functionality, each an unstripped Windows executable file written in Go.
The backdoor exposes 20 numeric command codes, though some appear incomplete or dormant in the samples Microsoft examined. Three of the commands destroy a machine, each in a different way.
The first is a raw disk wiper. It enumerates physical disks through Windows Management Instrumentation, identifies the drive holding the Windows installation, strips partition references from the others, overwrites raw disk content, and forces an immediate reboot. Recovery from the affected disks would generally require clean backups and may be impractical after raw overwrite and partition-table destruction.
The second runs fake ransomware built on code from an older strain called Crucio. Command 3 generates a random encryption key and initialization vector, encrypts files with AES-CBC, deletes the originals, renames what’s left with a .candy extension, and changes the desktop wallpaper. It never saves the key. No ransom note follows, and no payment restores anything. A separate command, number 5, can encrypt or decrypt files using supplied or stored keys. Writers and readers alike should keep it distinct from command 3’s one-way encryption, since the two serve opposite purposes.
The third command reimplements FlockWiper, a wiper originally written in C, in Golang. It targets the Windows drive directly and runs repeated overwrite passes using multiple data patterns. A fourth command disables Windows recovery, alters ownership and permissions on boot and kernel files, deletes them, and forces a blue-screen condition. The device cannot boot normally afterward.
The implant can watch before it wipes
Destruction accounts for only part of what GigaWiper does. The same backdoor captures screenshots from every active monitor, records the screen while a user works, and opens a hidden VNC-style session, which streams the display and hands the operator mouse and keyboard control.
It also collects system and network details, manages running processes and services, edits the registry, uploads files through MinIO client tooling, and deletes Windows event logs to slow forensic reconstruction. The Hacker News reported additional dormant stubs in Microsoft’s analysis, including a keylogger and further wiper functionality inactive in the samples reviewed.
A security team spotting a screenshot routine or a live remote session tends to read espionage. With GigaWiper, the read can flip the moment an operator sends a different numbered command. Nothing about the malware’s early behavior signals which ending is coming.
OneDrive persistence hides in plain sight
GigaWiper keeps itself running by posing as Microsoft’s cloud storage client. It writes a registry key at HKCU\SOFTWARE\OneDrive\Environment and schedules a task named OneDrive Update, which Microsoft says fires at startup and roughly every minute afterward. When the backdoor opens its remote-control channel, it hides behind a firewall rule named after a real Windows component, Microsoft.Windows.CloudExperienceHost, according to The Hacker News. None of it means OneDrive itself was compromised. The malware borrows familiar names to blend into normal Windows activity, and a security analyst glancing at a task list has little reason to flag a process appearing to belong to a service millions of employees already run.
RabbitMQ and Redis turn enterprise plumbing into C2
GigaWiper skips the noisy web requests most malware relies on and rides on real business messaging tools instead. Microsoft confirmed two channels: RabbitMQ over AMQP to receive commands, and Redis to send status and output back to the operator. One analyzed sample used a single external server, 185.182.193[.]21, on two ports for the two services, with broadcast commands routed through a RabbitMQ fanout exchange named “All” and targeted commands through a topic exchange named “Topic.”
None of the abused products carry a vulnerability. RabbitMQ, Redis, and MinIO are legitimate, widely deployed technologies, and their presence on a network says nothing about compromise by itself. The detection question for a security operations team becomes contextual: why is a desktop endpoint making outbound AMQP connections, why is a workstation reaching an external Redis server, and why does an unexpected process need MinIO at all?
GigaWiper is assembled, not invented from scratch
Microsoft’s central finding is architectural. GigaWiper combines a standalone raw-disk wiper, Crucio-derived fake ransomware, and a Golang rewrite of FlockWiper into one operator-controlled platform, rather than shipping as a single-purpose tool. Microsoft also found a recurring internal tag, “GRAT,” across FlockWiper’s debug paths and GigaWiper’s function names, a link The Hacker News flagged as evidence of a shared codebase, and possibly a further component still undisclosed.
Crucio itself isn’t an anonymous strain. The Hacker News traced its code to a December 2023 CISA advisory on CyberAv3ngers, a group affiliated with Iran’s Islamic Revolutionary Guard Corps, which broke into internet-exposed industrial controllers across water and energy sites in the US, Israel, the UK, and Ireland. The Crucio sample Microsoft cites in the GigaWiper report carries the same fingerprint listed in the advisory, though Microsoft’s report makes no country-level claim.
The pattern points to industrialization rather than invention. Three separate destructive capabilities take time and testing to build from the ground up. A single backdoor with a command menu takes far less time to assemble from three existing tools, and it gives an operator options a single-purpose wiper never offers.
BLUERABBIT and the attribution question
Microsoft confirms directly: Google Threat Intelligence Group and Binary Defense track GigaWiper as BLUERABBIT, resolving what earlier reporting could only infer from matching hashes and infrastructure. Binary Defense’s report says it first observed the malware in mid-to-late March 2026, five months after Microsoft’s October 2025 observation window began, and suspected the activity of targeting entities in Israel.
Binary Defense, citing Google Threat Intelligence Group, links BLUERABBIT to a likely Iran-nexus activity cluster previously associated with two other malware families, BLUEWIPE and SEWERGOO. Microsoft’s GigaWiper report makes no country-level attribution. The link between GigaWiper and BLUERABBIT is now vendor-confirmed, but the attribution chain still runs through Binary Defense and Google Threat Intelligence Group rather than Microsoft. Public sources do not prove direct Iranian government control or name a specific Iranian threat group behind the activity.
Neither Microsoft nor Binary Defense has disclosed the number of victims, the names of affected organizations, the initial-access vector, or the full scope of the campaign.
The malware fits a wider pattern. Palo Alto Networks’ Unit 42 has tracked a parallel wave of Iran-linked wiper activity against Israel through 2025 and 2026, much of it tied to a separate group called Handala Hack.
Defenders must stop the backdoor before the wipe
Microsoft recommends defense in depth. Enable cloud-delivered protection, keep endpoint detection signatures current, and turn on tamper protection so an attacker with local access can’t disable antivirus tooling. Limit local administrator rights, require phishing-resistant multi-factor authentication for privileged accounts, and rotate credentials after any suspected compromise.
Watch scheduled tasks for a job named OneDrive Update created outside normal software deployment, especially a task running every minute or launching hidden PowerShell. Watch the network for outbound AMQP or Redis traffic from ordinary desktops rather than servers, and for MinIO client execution on systems not normally running it. Watch endpoints for raw disk access, partition-table changes, and use of takeown or icacls against boot files like bootmgr or ntoskrnl.exe outside a maintenance window.
Backups matter more than any single detection rule. Offline or immutable backups, separate credentials for backup administration, and tested bare-metal restoration determine whether a wiped machine costs an afternoon or a quarter. A backup connected to the same compromised administrative plane may not survive a destructive operation at all.
The tactic is old, and the packaging is what changed
The idea of disguising destruction as ransomware isn’t new. NotPetya used the same trick in 2017, posing as a payment-driven attack while quietly destroying data across thousands of machines. What’s changed with GigaWiper is the packaging: a wiper no longer has to arrive as a final, standalone payload. It can sit inside a multifunction backdoor built to spy first and destroy later, whenever the operator decides.
The shift matters more than any individual command in Microsoft’s list. Security teams used to infer intent from the malware they found on a machine. GigaWiper removes the shortcut, and the removal is the real story, well ahead of the disguise being ransomware. Early containment and recoverable infrastructure now count for more than guessing what an attacker wants.
The post GigaWiper: The Windows Backdoor Built to Spy, Fake Ransomware and Erase Disks appeared first on .
