// 2 ZERO-DAY · 1 EXPLOIT IN THE LAST 24H
GigaWiper is a modular Go backdoor that unifies wiper, fake ransomware, and spyware capabilities. Linked to BLUERABBIT, the platform challenges incident response built on identifying malware families, because the operator chooses the destructive mode only after gaining access.

GigaWiper is a Windows backdoor written in Go that unifies three operator-selectable destructive capabilities in a single modular platform: physical disk wiping, fake ransomware, and multi-pass Windows drive wiping. Publicly disclosed on July 9, 2026 by The Hacker News based on Microsoft and Binary Defense analyses, the malware represents a qualitative evolution in post-compromise wipers: the destructive intent is no longer readable from the code but is decided remotely after infiltration.

Key Takeaways
  • GigaWiper combines raw disk wiper, Crucio-based fake ransomware, and multi-pass Windows wiper in numbered commands, plus integrated spyware
  • Shares 4 identical hashes and 2 C2 servers (185.182.193[.]21 and 212.8.248[.]104) with the BLUERABBIT malware reported by Binary Defense
  • Command channel leverages legitimate enterprise services: RabbitMQ for tasking, Redis for results, MinIO for exfiltration
  • Microsoft dates destructive activity to October 2025; Binary Defense observed samples as BLUERABBIT in March 2026

The Platform That Masks Intent Behind Numbered Commands

GigaWiper's modular structure consists of operator-selectable commands via C2. The first is a raw disk wiper that overwrites the physical disk and partition table. The second is a fake ransomware based on Crucio: it encrypts files with the .candy extension, changes the wallpaper, but saves no decryption key and leaves no ransom note. The third is a multi-pass wiper of the Windows drive, a Go rewrite of FlockWiper.

On top of these comes a spyware package: multi-monitor screenshots, screen recording, hidden VNC session, detailed system enumeration, process and service management, registry modification, and Windows event log clearing. The source does not specify the nature of exfiltrated data or the scope of campaigns.

Masquerading and Persistence from a Legitimate Application

GigaWiper poses as a OneDrive update. It creates a scheduled task named "OneDrive Update" that runs every minute, registering in HKCU\SOFTWARE\OneDrive\Environment. It also adds a firewall rule labeled "Microsoft.Windows.CloudExperienceHost" to blend into system traffic.

Communication with the command server does not use obvious proprietary protocols but rides on legitimate infrastructure: RabbitMQ for operational tasking, Redis for result collection, MinIO for data exfiltration. This architectural choice aims to hide in standard enterprise traffic, reducing visibility for monitoring systems based on protocol anomalies.

Microsoft and Binary Defense analyzed samples sharing 4 identical hashes and matching command servers. Microsoft named the malware GigaWiper; Binary Defense had previously cataloged it as BLUERABBIT. The Hacker News contacted both vendors for direct confirmation of the convergence, receiving no response by publication time.

Binary Defense, citing Google Threat Intelligence Group, links BLUERABBIT to a likely Iran-linked group targeting Israeli entities. Microsoft names no country in its analysis. An indirect link emerges from the code: Microsoft finds a recurring "GRAT" tag in the Crucio fake ransomware, also present in the FlockWiper multi-pass wiper. Crucio is mentioned in a December 2023 CISA advisory on CyberAv3ngers, a group linked to Iran's IRGC. The exact meaning of the "GRAT" tag is undocumented.

"GigaWiper is what an attacker runs after they are already inside, which makes early detection and clean, offline backups the real defense"

An Architecture That Challenges Traditional Incident Response

The distinguishing feature of GigaWiper is not any single destructive capability, but their unification in a post-compromise platform. In a classic model, the type of malware found in the environment tells the analyst the attacker's intent: ransomware suggests extortion, wiper indicates sabotage. Here the operator chooses the mode after already gaining access.

As the source observes: "You used to read intent from the malware you found; here, the operator decides after they are already inside". This shifts the defensive problem from payload identification to detection of initial access and network segmentation. The dossier does not document the initial access vector used before GigaWiper deployment.

The Hacker News also notes the presence of "stubs" for commands not yet activated in the code, including a not-fully-implemented keylogger. The source interprets this as indication the tool is "still being built out". Future capability expansion remains unverified.

Why It Matters

The brief does not document specific remedial measures indicated by the vendors. The source does not specify patches, security configurations, or response workflows recommended by Microsoft or Binary Defense.

The dossier also does not clarify: the number and identity of actual victims; the initial access vector preceding GigaWiper deployment; direct vendor confirmation of the GigaWiper-BLUERABBIT convergence; the precise relationship with IRGC or other state actors; the nature of the component associated with the "GRAT" tag and the evolution of dormant capabilities.

The absence of official operational recommendations in the brief limits the actionable section. The focus remains on detecting the modular architecture and its implications for incident response.

Timeline and Source Convergence

Microsoft dates GigaWiper's destructive activity to October 2025. Binary Defense observed the samples as BLUERABBIT in March 2026. If confirmed, this temporal gap could indicate a gestation or testing period before activation of destructive functions, or distinct campaigns with the same code base.

The two known C2 servers — 185.182.193[.]21 and 212.8.248[.]104 — are documented by the primary source as convergence points between the two malware designations. The persistence of the "OneDrive Update" scheduled task at one-minute intervals represents a verifiable behavioral indicator, though replicable by other legitimate or malicious tools.

Editorial Read

GigaWiper's modularity is not an incremental improvement in wipers, but a reconfiguration of the problem. When the same compromised access can produce sabotage, fake extortion, or espionage, incident classification by malware family loses predictive value. The defensive cost inevitably shifts upstream: detect the anomaly at the moment of initial access, presume compromise as likely, and build resilience on offline backups and functional segmentation.

The most significant data point may be the least technical: that two security vendors analyzed the same sample with different names, and confirmation of the convergence is still pending. This delay in sharing indicators among industry players is itself a friction point in the alert system.

Sources

Information is based on the cited source and current as of publication.

Sources


Sources and references
  1. thehackernews.com
  2. helpnetsecurity.com
  3. nvd.nist.gov
  4. microsoft.com