Overview
- Microsoft published a detailed technical analysis and indicators for GigaWiper on July 9, 2026, including file hashes and two command‑server IPs defenders can block.
- The implant is a Go‑based backdoor that offers three built‑in destructive commands: a raw disk wiper that erases partition tables, a multi‑pass overwriter of the Windows drive, and a fake ransomware that encrypts files with keys that are not saved.
- GigaWiper also provides remote‑access espionage features such as screenshots, screen recording, hidden VNC control, process and registry management, and event‑log clearing, allowing long dwell time before destruction.
- The malware hides persistence as a scheduled task named OneDrive Update that runs every minute and uses legitimate services (RabbitMQ, Redis, MinIO) for command and exfiltration traffic, making network detection harder.
- Other vendors have labeled the samples BLUERABBIT and raised a likely Iran‑nexus and Israel targeting, while Microsoft has not publicly attributed the campaign and observers note differing sighting dates that complicate response planning.