The evolution of wiper malware has taken a dangerous turn. Rather than deploying single-purpose, "smash-and-grab" destructive executables, threat actors are beginning to consolidate their destructive capabilities into robust, modular backdoor platforms. The latest and most alarming example of this trend is GigaWiper.
Recently detailed by Microsoft Threat Intelligence, GigaWiper is a sophisticated, Golang-based backdoor that has been active in compromised environments since late 2025. What makes this malware unique is its architecture: it is essentially an amalgamation of at least three previously distinct malware families—including Crucio and FlockWiper—stitched together into a single, highly flexible implant.
Here is a deep dive into the anatomy of GigaWiper, its destructive capabilities, and the Indicators of Compromise (IOCs) you need to secure your environment.
The Anatomy of GigaWiper
At its core, GigaWiper is an unstripped Portable Executable (PE) written in Go. Threat actors deploy it to maintain stealthy persistence, exfiltrate data, and ultimately, destroy the target environment on demand.
Command and Control (C2) Mechanism
Unlike traditional HTTP/HTTPS beacons, GigaWiper uses a highly robust and unusual two-way C2 setup:
- RabbitMQ over AMQP: Used for receiving commands from the C2 server. The malware binds to a fanout exchange, meaning attackers can broadcast commands simultaneously across all infected clients, or target specific endpoints via routing keys.
- Redis Server: Used to upload command statuses, output logs, and system data back to the attacker.
Persistence
The backdoor ensures persistence by tracking its execution count in the Registry (HKCU\SOFTWARE\OneDrive\Environment). On its first run, it creates a scheduled task named OneDrive Update that executes every minute and upon system startup, heavily obfuscating its presence within routine Windows tasks.
A Swiss Army Knife of Destruction
GigaWiper features a modular structure consisting of 20 numeric command codes. While it can perform routine backdoor tasks—like screen recording (Command 10), capturing screenshots (Command 9), and managing processes/services (Commands 16 and 17)—its true danger lies in its destructive payloads.
The backdoor integrates three distinct wiping tools into its arsenal:
- The Standalone Physical Wiper (Command 1): Overwrites raw physical disk content. It queries WMI to locate the Windows installation drive, strips partition metadata from all non-Windows drives (using
DeviceIoControl), and overwrites drives in chunks with random bytes (or zeros) before forcing an immediate, zero-delay reboot. - Fake Ransomware / Crucio Clone (Command 3): This command initiates a file encryption routine heavily based on the previously known Crucio ransomware. It encrypts files using randomly generated AES-CBC keys and renames them with a
.candyextension. However, the keys are never saved or exfiltrated. The goal is purely destructive; there is no way for the victim (or the attacker) to decrypt the data. It drops an image namedimage_danger.jpgand sets it as the wallpaper. - Secure Multi-Pass Wiper / FlockWiper Clone (Command 12): This module targets the
C:\drive specifically, performing secure, multi-pass wiping. This capability is a direct Go-based reimplementation of the older, C-based FlockWiper malware. - Instant BSOD (Command 2): Disables Windows recovery, alters permissions on critical boot and kernel files, deletes them, and immediately triggers a Blue Screen of Death, rendering the machine unbootable.
Furthermore, researchers noted the frequent appearance of the string "GRAT" in GigaWiper's function names—a string that also appeared in PDB paths for legacy FlockWiper binaries, cementing the connection between these tools and hinting at a broader, unified malware framework.
Defensive Recommendations
Defending against GigaWiper requires a defense-in-depth approach, especially because its destructive commands can be executed in seconds once access is achieved.
- Enable Tamper Protection: Ensure that EDR and Antivirus exclusions cannot be modified by attackers looking to blind security tools before execution.
- Monitor for Abnormal Protocols: Alert on unauthorized or unusual RabbitMQ (AMQP) or Redis traffic communicating with external IP addresses, especially if initiated by unusual processes.
- Harden Scheduled Tasks: Monitor for unauthorized scheduled tasks masquerading as legitimate software, particularly those mimicking
OneDrive Updatebut lacking proper digital signatures.
MITRE ATT&CK Matrix Mapping
Below is a mapping of the Tactics, Techniques, and Procedures (TTPs) observed across the GigaWiper implant and its embedded component families.
| Tactic | Technique ID | Technique Name | Threat Actor Implementation |
|---|---|---|---|
| Execution | T1053.005 | Scheduled Task/Job: Scheduled Task | Creates a scheduled task named OneDrive Update that runs every minute and on startup. |
| Persistence | T1112 | Modify Registry | Tracks execution count in HKCU\SOFTWARE\OneDrive\Environment. |
| Defense Evasion | T1562.001 | Impair Defenses | Disables Windows recovery and modifies permissions on boot/kernel files before deletion. |
| Defense Evasion | T1070.001 | Indicator Removal: Clear Windows Event Logs | Command 19 clears System, Setup, Application, and Security event logs. |
| Discovery | T1518.001 | Software Discovery: Security Software Discovery | Command 15 enumerates installed antivirus products via PowerShell. |
| Collection | T1113 | Screen Capture | Commands 9 and 10 capture screenshots and record the screen while the user is active. |
| Command and Control | T1071 | Application Layer Protocol | Uses RabbitMQ (AMQP) for tasking and Redis for results/status reporting. |
| Command and Control | T1219 | Remote Access Software | Command 20 opens a VNC-like remote control channel for keyboard/mouse control and screen streaming. |
| Exfiltration | T1567 | Exfiltration Over Web Service | Command 4 uploads files to remote storage via the MinIO Client (mc). |
| Impact | T1486 | Data Encrypted for Impact | Command 3 ("Crucio" clone) AES-CBC encrypts files with random, unsaved keys (.candy extension). |
| Impact | T1485 | Data Destruction | Command 1 overwrites raw physical disk content and strips partition metadata. |
| Impact | T1561.001 | Disk Wipe: Disk Structure Wipe | Removes partition references via DeviceIoControl / IOCTL_DISK_CREATE_DISK. |
| Impact | T1561.002 | Disk Wipe: Disk Content Wipe | Command 12 performs secure multi-pass wiping of the Windows drive (FlockWiper reimplementation). |
| Impact | T1490 | Inhibit System Recovery | Command 2 deletes boot and kernel files (bootmgr, ntoskrnl.exe) to render the system unbootable. |
Indicators of Compromise (IOCs)
Update your SIEM, EDR, and threat intelligence platforms with the following known IOCs associated with GigaWiper and its associated legacy components.
C2 Infrastructure (IP Addresses):
185.182.193[.]21(GigaWiper C2)212.8.248[.]104(GigaWiper C2)
File Hashes (SHA-256):
633d4cbd496b1094495da89a64f5e6c31a0f6d4d1488411db5b0cba1cfe42001(GigaWiper backdoor)ce9ad5f6c12019f4aae5b189bd8ddf5bb09e75b06a0a587b25a855c65948c913(GigaWiper backdoor)f622ed85ef31ad4ab973f4e74524866fe1bb44f0965ad2b2ad796cd657a05bfd(GigaWiper backdoor)9706a192e2c1a1faaf0a521daf31c2af60ff4590e3f47bbb4abc227f42af0683(GigaWiper backdoor)3c30deb6556a94cfb84ae51798f4aecfae8c7358e55fdb321c5f2376579631cd(GigaWiper standalone wiper)440b5385d3838e3f6bc21220caa83b65cd5f3618daea676f271c3671650ce9a3(Crucio component)12c39f052f030a77c0cd531df86ad3477f46d1287b8b98b625d1dcf89385d721(FlockWiper component)db41e0da7ab3305be8d9720769c6950b4dc1c1984ef857d3310eb873a0fc7674(FlockWiper component)
By integrating legacy standalone malware into a single Golang implant, the threat actors behind GigaWiper have proven that the wiper threat landscape is moving toward higher operational efficiency. To stay ahead of these threats, organizations must focus heavily on blocking initial access and relying on rapid behavioral detections.
Credits: Original research and code-level analysis provided by Microsoft Threat Intelligence. For the full technical breakdown, read their original post: GigaWiper: Anatomy of a destructive backdoor assembled from multiple malware.