Microsoft’s threat intelligence team published a code-level breakdown on July 9, 2026, of a sophisticated Windows backdoor called GigaWiper — a modular implant assembled from at least three older malware families that can watch a network silently, steal data, and then, on a single operator command, permanently destroy every disk on a compromised machine. What makes GigaWiper structurally different from conventional wipers is a design choice with immediate consequences for defenders: it is not a purpose-built destruction tool. It is a full-featured backdoor that also happens to contain three independent modes of irreversible destruction — any one of which can be selected after the attacker is already watching from inside the network.
That architecture collapses the standard “detect-investigate-contain” incident response timeline. Because the same implant that captures screenshots and streams the screen over VNC can, at operator discretion, initiate permanent disk erasure without deploying a new payload, an organization that discovers GigaWiper running in apparent surveillance mode has already arrived at a business-continuity emergency — not a malware investigation. Microsoft Security Blog
Microsoft first identified GigaWiper activity in October 2025, while investigating compromised environments that had been wiped with destructive tooling. Binary Defense — citing the Google Threat Intelligence Group — separately documented the same malware as BLUERABBIT in a report published in mid-to-late March 2026, attributing it to a likely Iran-nexus group targeting organizations in Israel. Microsoft’s July 9 report names no country; Binary Defense and Google’s Threat Intelligence Group identify the same four file hashes, the same two command-and-control addresses, and the same infrastructure, and connect the operator to an Iran-nexus cluster that previously deployed BLUEWIPE and SEWERGOO in June 2025.
Three Distinct Weapons Inside One Implant
GigaWiper supports 20 numbered command codes. Three of them destroy machines. Each works through a different mechanism, and operators can select any combination after establishing access.
Command 1 — Raw disk wiper: This command uses Windows Management Instrumentation (WMI) to enumerate every physical disk attached to the target system. It identifies which disk contains the Windows installation, removes partition metadata from the remaining drives, then overwrites raw disk content across all drives in large chunks — mostly zeroed buffers with a randomized first byte, a detail Microsoft noted may be designed to evade defensive tools that look for full-disk zero-fill patterns. The command then forces a system reboot. There is no file-by-file deletion to trace or partially recover; the disk structure itself is erased.
Command 3 — Fake ransomware (derived from Crucio): This command encrypts files and appends a .candy extension to each one. It changes the desktop wallpaper to an alarming ransom-demand image. Everything about the result looks like a conventional ransomware attack. It is not. The encryption keys are generated randomly and are never saved or transmitted anywhere. No ransom note is dropped. Decryption is structurally impossible. The display exists to mislead incident responders into treating an irrecoverable machine as a negotiation case.
Microsoft traced this module directly to Crucio ransomware via a shared function called BigBangExtortMain — present by name in both Crucio and GigaWiper Command 3. Crucio was documented in a December 2023 CISA advisory AA23-335A as a tool deployed by CyberAv3ngers, a group formally attributed to Iran’s Islamic Revolutionary Guard Corps Cyber-Electronic Command (IRGC-CEC). The U.S. Treasury sanctioned six IRGC-CEC officials in February 2024 for directing CyberAv3ngers operations; the State Department has offered a $10 million bounty for information on the group.
Command 12 — Multi-pass Windows drive wiper (derived from FlockWiper): A third destructive command targets the Windows installation drive specifically, applying multiple overwrite passes with alternating byte patterns — zeroed data, 0xFF, then random bytes — implementing a secure-erase approach equivalent to established data-sanitization standards. Microsoft assessed this module to be a Go-language reimplementation of FlockWiper, a C-based wiper first uploaded to VirusTotal in June 2025, on the basis of near-identical logic, shared strings, and function naming.
If Defenders See GigaWiper Watching, They Should Treat It as Already Destroying
The surveillance capabilities bundled into GigaWiper’s non-destructive commands include: screenshot capture (saved as timestamped PNG files), screen recording triggered when the user is active and the system is unlocked, remote desktop access via a VNC-like capability, full PowerShell execution, process and Windows service management, registry editing, file upload to remote storage via MinIO, and Windows Event Log clearing to erase evidence of activity.
Microsoft also found a dormant command stub — Command 11 — whose logging message reads Exec cmd keylog, indicating a keylogger functionality that has been planned in the architecture but not yet populated in examined samples. Additional wiper stubs suggest further destructive modes are in development under the same framework.
The practical consequence of this design is significant for any organization that discovers GigaWiper on a host: the tool’s presence in any operational mode — surveillance or otherwise — represents the same threat level as finding an active wiper, because the operator’s next command may be destruction, and no new payload delivery is required. Standard incident-response triage that attempts to preserve the system for forensic investigation before isolating it is incompatible with this threat model.
Legitimate Enterprise Tools as Camouflage for Command-and-Control
GigaWiper routes all command-and-control traffic through three widely deployed enterprise platforms: RabbitMQ receives operator instructions via the AMQP protocol documentation; Redis returns command status and output; MinIO handles data exfiltration using an S3-compatible object storage interface. Microsoft observed active infrastructure at 185.182.193[.]21, using port 554455445544 for RabbitMQ and port 754275427542 for Redis, with a second command-and-control server at 212.8.248[.]104.
The attack surface this creates for network defenders is specific: RabbitMQ, Redis, and MinIO are deployed in production by thousands of enterprises for legitimate microservices and messaging workloads. Traffic on their standard ports does not trigger signature-based network detection on most enterprise security stacks. The signal GigaWiper’s communication produces on networks that already run these services is functionally indistinguishable from ordinary business operations.
GigaWiper uses two channel types within RabbitMQ: a fanout exchange named “All” that broadcasts commands simultaneously to every infected host, and a topic exchange named “Topic” that delivers targeted instructions to individual machines. This architecture lets a single operator coordinate a simultaneous destructive action across an entire compromised fleet, or apply precision commands to specific targets, from one infrastructure point.
OneDrive Impersonation Hides in Plain Sight
GigaWiper’s persistence mechanism is designed to exploit the implicit trust that enterprise environments extend to Microsoft services. On first execution, GigaWiper checks the registry key HKCUSOFTWAREOneDriveEnvironment; if it does not exist, the malware creates it and executes a PowerShell command that registers a scheduled task named “OneDrive Update.” The task fires five seconds after registration, repeats every 60 seconds, and restarts up to three times on failure at the highest privilege available to the compromised user. Simply killing the GigaWiper process does not remove the infection — the scheduled task must be found and deleted to break persistence.
When GigaWiper opens its VNC remote-desktop channel, it creates a Windows Firewall rule named Microsoft.Windows.CloudExperienceHost — the name of a legitimate Windows component — to authorize the connection without creating an obviously anomalous firewall entry. Temporary staging directories are generated using a GUID-like naming scheme that substitutes characters beyond hexadecimal range (G–Z), a subtle deviation from legitimate Windows GUIDs that behavioral detection tools can flag.
The NotPetya Playbook, Rebuilt in Go
GigaWiper’s fake-ransomware module follows a well-documented deception template. In 2017, NotPetya — attributed to Russia’s GRU Unit 74455 — disguised irreversible disk destruction as a ransomware payment demand, causing an estimated $10 billion in global damage before the deception was understood. Victims and initial responders saw a ransomware screen; the machine was already destroyed. GigaWiper deploys an identical misdirection: Command 3 produces all the visible indicators of ransomware — encrypted files, alarming desktop display — with none of the recovery infrastructure. The hours an organization spends seeking a decryption key or preparing a ransom payment are hours it is not isolating systems or activating backup restoration.
The sophistication of GigaWiper’s deception is compounded by the geopolitical context. Iran-nexus wiper activity targeting Israeli organizations has escalated sharply since Operation Epic Fury — the coordinated U.S.-Israel military strikes on Iran beginning February 28, 2026 — accelerated Iranian cyber operations as a retaliatory vector. Palo Alto Networks’ Unit 42 tracked a parallel surge in Iranian wiper activity primarily from a separate group, Handala Hack, which wiped Stryker Corporation in March 2026, remotely erasing more than 200,000 devices across 79 countries using Microsoft’s own Intune “factory reset” feature. Check Point Research documented a new Iran-nexus group, “Cavern Manticore,” targeting Israeli government and IT organizations as recently as July 6, 2026.
One Developer, Three Malware Families, One Unexplained Thread
Microsoft’s attribution to a shared developer across GigaWiper, Crucio, and FlockWiper rests on three evidence types: shared function names (including BigBangExtortMain), nearly identical code logic and execution flow between corresponding modules, and a recurring string — “GRAT” — that appears in FlockWiper’s program database (PDB) debug paths and throughout GigaWiper’s own function names.
Microsoft notes that FlockWiper’s compiled binaries do not include any “GRAT” functionality themselves, which means the string’s presence in PDB paths points toward a wider framework or component — one that may not yet have been recovered by any researcher. The same developer who built Crucio (documented by CISA as a CyberAv3ngers/IRGC-CEC tool) built FlockWiper, then incorporated both into GigaWiper as modular commands. The “GRAT” framework those debug paths reference remains unaccounted for.
Microsoft’s report stops short of attributing GigaWiper to any specific nation or government. Binary Defense and the Google Threat Intelligence Group assessed it as part of the same Iran-nexus cluster that deployed BLUEWIPE and SEWERGOO in June 2025. The timing gap between the two research organizations — Microsoft observing initial destructive activity in October 2025 while Binary Defense first encountered BLUERABBIT files in March 2026 — suggests the implant had an operational period of at least five months before it attracted broad researcher attention.
How to Detect and Defend Against GigaWiper
Microsoft has released YARA rules, command code mappings, and Microsoft Defender detection signatures alongside its technical analysis. The Microsoft Security Blog includes detections for GigaWiper and related components. Defenders should confirm that tamper protection and cloud-delivered antivirus are enabled, and that endpoint detection and response is running in block mode.
Four specific detection priorities based on the technical findings:
Monitor scheduled tasks and registry for OneDrive impersonation. Any “OneDrive Update” scheduled task registered by a non-Microsoft process, or any entry created in HKCUSOFTWAREOneDriveEnvironment by an unexpected process, is a high-priority indicator. Separately, flag firewall rules using the name Microsoft.Windows.CloudExperienceHost for rules not created by Windows itself.
Audit RabbitMQ, Redis, and MinIO traffic on enterprise networks where those services are deployed. GigaWiper’s use of legitimate enterprise platforms as C2 channels means the traffic will not trigger signature-based detection. The required detection posture is behavioral: flag unexpected processes establishing connections to RabbitMQ, Redis, or MinIO infrastructure, and any new instances of those services installed without change-management authorization.
Treat absent ransom infrastructure as a wiper indicator. When a machine presents apparent ransomware indicators — encrypted files, changed desktop, file extension modifications — and no ransom note is present and no recoverable key can be identified through standard incident channels, treat the machine as wiped and activate backup restoration procedures immediately. Do not spend hours on decryption paths that do not exist.
Verify offline and immutable backup posture before an incident occurs. GigaWiper’s physical disk wiping erases at the partition and raw-content level; there is no forensic recovery path from the operating system layer. Restoration requires clean offline backups with tested recovery procedures. Organizations that have not tested backup restoration against a total disk-loss scenario should treat that gap as an active risk in the current threat environment.
Frequently Asked Questions
What is GigaWiper malware, and how does it work?
GigaWiper is a Windows backdoor written in the Go programming language, first identified by Microsoft in October 2025. It is not a single-purpose tool — it is a modular implant assembled from code borrowed from at least three separate malware families (Crucio ransomware, FlockWiper, and an original disk-wiping component). Operators connect to it via RabbitMQ command channels and issue numbered commands. At least three of those commands destroy the target machine through different mechanisms: one wipes all physical disks at the raw-content level, one encrypts files with non-retained keys to simulate ransomware, and one applies a multi-pass secure-erase process to the Windows drive. The remaining commands support surveillance, data collection, and remote desktop control — making GigaWiper a full-spectrum intrusion tool that can silently observe before switching to destruction.
Is GigaWiper the same thing as ransomware? Can victims recover their files?
No — and this is the most operationally critical distinction. GigaWiper’s Command 3 is designed to appear indistinguishable from ransomware: it encrypts files, changes file extensions to .candy, and replaces the desktop with an alarming payment demand. But the encryption keys are generated randomly, never saved, and never transmitted. There is nothing to pay, no decryption key to obtain, and no recovery path through the malware itself. The ransomware costume is a deliberate deception to delay defenders from recognizing that the machine is already permanently destroyed. Any organization that discovers this combination of indicators — encrypted files, no ransom note, no recoverable key — should immediately activate backup restoration procedures rather than pursuing a decryption path.
Who is behind GigaWiper attacks, and who is being targeted?
Microsoft’s report does not attribute GigaWiper to a specific nation or government. Binary Defense, citing the Google Threat Intelligence Group, assessed GigaWiper (which Binary Defense tracks as BLUERABBIT) as the work of a likely Iran-nexus threat actor, and connected it to the same activity cluster that previously deployed BLUEWIPE and SEWERGOO in June 2025. The Crucio ransomware code embedded in GigaWiper was previously documented by CISA as a tool used by CyberAv3ngers, a group the U.S. government has formally attributed to Iran’s IRGC-CEC and designated as a foreign terrorist organization. Confirmed targets have been Israeli organizations; the campaign overlaps with a documented escalation in Iranian cyber operations following the U.S.-Israel military strikes on Iran in February and March 2026.
How can organizations protect themselves against GigaWiper right now?
Microsoft has published YARA rules and indicators of compromise. The immediate priorities are: audit all scheduled tasks for any “OneDrive Update” task created by a non-Microsoft process; audit Windows Firewall rules for any Microsoft.Windows.CloudExperienceHost rule of unknown origin; flag processes establishing unexpected connections to RabbitMQ, Redis, or MinIO services; ensure Microsoft Defender has tamper protection and cloud-delivered protection enabled with endpoint detection and response in block mode; and verify that offline or immutable backups exist, are current, and have been tested for restoration against a complete disk-loss scenario. The full technical breakdown, including command code mappings and file hashes, is available in the Microsoft Security Blog’s July 9, 2026 analysis.
