Threat Intelligence

Unpacking GigaWiper: The 'Frankenstein' Backdoor Assembled from Multiple Malware Families

TLT
Threat Landscape Team
2026-07-108 min read

The evolution of wiper malware has taken a dangerous turn. Rather than deploying single-purpose, "smash-and-grab" destructive executables, threat actors are beginning to consolidate their destructive capabilities into robust, modular backdoor platforms. The latest and most alarming example of this trend is GigaWiper.

Recently detailed by Microsoft Threat Intelligence, GigaWiper is a sophisticated, Golang-based backdoor that has been active in compromised environments since late 2025. What makes this malware unique is its architecture: it is essentially an amalgamation of at least three previously distinct malware families—including Crucio and FlockWiper—stitched together into a single, highly flexible implant.

Here is a deep dive into the anatomy of GigaWiper, its destructive capabilities, and the Indicators of Compromise (IOCs) you need to secure your environment.


The Anatomy of GigaWiper

At its core, GigaWiper is an unstripped Portable Executable (PE) written in Go. Threat actors deploy it to maintain stealthy persistence, exfiltrate data, and ultimately, destroy the target environment on demand.

Command and Control (C2) Mechanism

Unlike traditional HTTP/HTTPS beacons, GigaWiper uses a highly robust and unusual two-way C2 setup:

  • RabbitMQ over AMQP: Used for receiving commands from the C2 server. The malware binds to a fanout exchange, meaning attackers can broadcast commands simultaneously across all infected clients, or target specific endpoints via routing keys.
  • Redis Server: Used to upload command statuses, output logs, and system data back to the attacker.

Persistence

The backdoor ensures persistence by tracking its execution count in the Registry (HKCU\SOFTWARE\OneDrive\Environment). On its first run, it creates a scheduled task named OneDrive Update that executes every minute and upon system startup, heavily obfuscating its presence within routine Windows tasks.

A Swiss Army Knife of Destruction

GigaWiper features a modular structure consisting of 20 numeric command codes. While it can perform routine backdoor tasks—like screen recording (Command 10), capturing screenshots (Command 9), and managing processes/services (Commands 16 and 17)—its true danger lies in its destructive payloads.

The backdoor integrates three distinct wiping tools into its arsenal:

  1. The Standalone Physical Wiper (Command 1): Overwrites raw physical disk content. It queries WMI to locate the Windows installation drive, strips partition metadata from all non-Windows drives (using DeviceIoControl), and overwrites drives in chunks with random bytes (or zeros) before forcing an immediate, zero-delay reboot.
  2. Fake Ransomware / Crucio Clone (Command 3): This command initiates a file encryption routine heavily based on the previously known Crucio ransomware. It encrypts files using randomly generated AES-CBC keys and renames them with a .candy extension. However, the keys are never saved or exfiltrated. The goal is purely destructive; there is no way for the victim (or the attacker) to decrypt the data. It drops an image named image_danger.jpg and sets it as the wallpaper.
  3. Secure Multi-Pass Wiper / FlockWiper Clone (Command 12): This module targets the C:\ drive specifically, performing secure, multi-pass wiping. This capability is a direct Go-based reimplementation of the older, C-based FlockWiper malware.
  4. Instant BSOD (Command 2): Disables Windows recovery, alters permissions on critical boot and kernel files, deletes them, and immediately triggers a Blue Screen of Death, rendering the machine unbootable.

Furthermore, researchers noted the frequent appearance of the string "GRAT" in GigaWiper's function names—a string that also appeared in PDB paths for legacy FlockWiper binaries, cementing the connection between these tools and hinting at a broader, unified malware framework.

Defensive Recommendations

Defending against GigaWiper requires a defense-in-depth approach, especially because its destructive commands can be executed in seconds once access is achieved.

  • Enable Tamper Protection: Ensure that EDR and Antivirus exclusions cannot be modified by attackers looking to blind security tools before execution.
  • Monitor for Abnormal Protocols: Alert on unauthorized or unusual RabbitMQ (AMQP) or Redis traffic communicating with external IP addresses, especially if initiated by unusual processes.
  • Harden Scheduled Tasks: Monitor for unauthorized scheduled tasks masquerading as legitimate software, particularly those mimicking OneDrive Update but lacking proper digital signatures.

MITRE ATT&CK Matrix Mapping

Below is a mapping of the Tactics, Techniques, and Procedures (TTPs) observed across the GigaWiper implant and its embedded component families.

TacticTechnique IDTechnique NameThreat Actor Implementation
ExecutionT1053.005Scheduled Task/Job: Scheduled TaskCreates a scheduled task named OneDrive Update that runs every minute and on startup.
PersistenceT1112Modify RegistryTracks execution count in HKCU\SOFTWARE\OneDrive\Environment.
Defense EvasionT1562.001Impair DefensesDisables Windows recovery and modifies permissions on boot/kernel files before deletion.
Defense EvasionT1070.001Indicator Removal: Clear Windows Event LogsCommand 19 clears System, Setup, Application, and Security event logs.
DiscoveryT1518.001Software Discovery: Security Software DiscoveryCommand 15 enumerates installed antivirus products via PowerShell.
CollectionT1113Screen CaptureCommands 9 and 10 capture screenshots and record the screen while the user is active.
Command and ControlT1071Application Layer ProtocolUses RabbitMQ (AMQP) for tasking and Redis for results/status reporting.
Command and ControlT1219Remote Access SoftwareCommand 20 opens a VNC-like remote control channel for keyboard/mouse control and screen streaming.
ExfiltrationT1567Exfiltration Over Web ServiceCommand 4 uploads files to remote storage via the MinIO Client (mc).
ImpactT1486Data Encrypted for ImpactCommand 3 ("Crucio" clone) AES-CBC encrypts files with random, unsaved keys (.candy extension).
ImpactT1485Data DestructionCommand 1 overwrites raw physical disk content and strips partition metadata.
ImpactT1561.001Disk Wipe: Disk Structure WipeRemoves partition references via DeviceIoControl / IOCTL_DISK_CREATE_DISK.
ImpactT1561.002Disk Wipe: Disk Content WipeCommand 12 performs secure multi-pass wiping of the Windows drive (FlockWiper reimplementation).
ImpactT1490Inhibit System RecoveryCommand 2 deletes boot and kernel files (bootmgr, ntoskrnl.exe) to render the system unbootable.

Indicators of Compromise (IOCs)

Update your SIEM, EDR, and threat intelligence platforms with the following known IOCs associated with GigaWiper and its associated legacy components.

C2 Infrastructure (IP Addresses):

  • 185.182.193[.]21 (GigaWiper C2)
  • 212.8.248[.]104 (GigaWiper C2)

File Hashes (SHA-256):

  • 633d4cbd496b1094495da89a64f5e6c31a0f6d4d1488411db5b0cba1cfe42001 (GigaWiper backdoor)
  • ce9ad5f6c12019f4aae5b189bd8ddf5bb09e75b06a0a587b25a855c65948c913 (GigaWiper backdoor)
  • f622ed85ef31ad4ab973f4e74524866fe1bb44f0965ad2b2ad796cd657a05bfd (GigaWiper backdoor)
  • 9706a192e2c1a1faaf0a521daf31c2af60ff4590e3f47bbb4abc227f42af0683 (GigaWiper backdoor)
  • 3c30deb6556a94cfb84ae51798f4aecfae8c7358e55fdb321c5f2376579631cd (GigaWiper standalone wiper)
  • 440b5385d3838e3f6bc21220caa83b65cd5f3618daea676f271c3671650ce9a3 (Crucio component)
  • 12c39f052f030a77c0cd531df86ad3477f46d1287b8b98b625d1dcf89385d721 (FlockWiper component)
  • db41e0da7ab3305be8d9720769c6950b4dc1c1984ef857d3310eb873a0fc7674 (FlockWiper component)

By integrating legacy standalone malware into a single Golang implant, the threat actors behind GigaWiper have proven that the wiper threat landscape is moving toward higher operational efficiency. To stay ahead of these threats, organizations must focus heavily on blocking initial access and relying on rapid behavioral detections.


Credits: Original research and code-level analysis provided by Microsoft Threat Intelligence. For the full technical breakdown, read their original post: GigaWiper: Anatomy of a destructive backdoor assembled from multiple malware.

Ready to Transform Your Threat Intelligence?

See how Threat Landscape can reduce alert fatigue and improve your security operations