Particle.news
Download on the App Store

GigaWiper Backdoor Merges Spy Capabilities With Multiple Irreversible Wipers

Microsoft's report reveals a Go backdoor hiding as a OneDrive task that switches from spying to irreversible wiping on command.

Overview

  • Microsoft published a detailed technical analysis Thursday that includes four file hashes, two command‑and‑control IP addresses (185.182.193[.]21 and 212.8.248[.]104), and prioritized mitigations for defenders.
  • GigaWiper is a modular Golang backdoor that reuses code from at least three older malware families to offer operators multiple destructive options, including raw disk wiping, multi‑pass Windows‑drive erasure, and fake ransomware that discards keys.
  • The implant also provides long‑term remote access for espionage, with features such as one‑shot and continuous screen capture, a VNC‑style remote desktop that accepts keyboard and mouse input, and process, service, and registry management.
  • The malware preserves stealth and persistence by creating a scheduled task named 'OneDrive Update' and using legitimate enterprise services (RabbitMQ for commands, Redis for results, MinIO for uploads) for C2 and exfiltration, which complicates network detection.
  • There is no software patch for post‑compromise wipers, so Microsoft urges prevention and rapid response measures — enable tamper protection, run EDR in block mode, keep offline clean backups, and block the known C2 addresses — and Binary Defense has independently corroborated the samples as 'BLUERABBIT' while Microsoft declines formal country attribution.