Particle.news
Download on the App Store

GigaWiper Backdoor Packs Spy Tools and Multiple Disk‑Wiping Routines

Microsoft's technical report ties the tool to older malware families, urging defenders to prioritize rapid detection to avoid irreversible data loss.

Overview

  • Microsoft published a detailed technical analysis and indicators for GigaWiper on July 9, 2026, including file hashes and two command‑server IPs defenders can block.
  • The implant is a Go‑based backdoor that offers three built‑in destructive commands: a raw disk wiper that erases partition tables, a multi‑pass overwriter of the Windows drive, and a fake ransomware that encrypts files with keys that are not saved.
  • GigaWiper also provides remote‑access espionage features such as screenshots, screen recording, hidden VNC control, process and registry management, and event‑log clearing, allowing long dwell time before destruction.
  • The malware hides persistence as a scheduled task named OneDrive Update that runs every minute and uses legitimate services (RabbitMQ, Redis, MinIO) for command and exfiltration traffic, making network detection harder.
  • Other vendors have labeled the samples BLUERABBIT and raised a likely Iran‑nexus and Israel targeting, while Microsoft has not publicly attributed the campaign and observers note differing sighting dates that complicate response planning.