GigaWiper Malware Attacks Windows Systems With Data Wipers and Fake Ransomware Behavior


Microsoft has identified GigaWiper, a destructive Windows backdoor that combines remote-control features with multiple data-wiping capabilities, including disk destruction, unrecoverable file encryption, and system sabotage.

The malware was first tied to destructive wiping activity in compromised environments in October 2025. According to Microsoft Threat Intelligence, GigaWiper is written in Golang and works as a modular implant that can receive commands before triggering destructive actions.

The threat matters because it does not behave like traditional ransomware. One component imitates ransomware by encrypting files and changing extensions, but it does not save the key or leave a ransom note, which makes recovery through decryption impossible.

What is GigaWiper?

GigaWiper is a destructive backdoor for Windows systems. It gives attackers a way to maintain access, collect information, execute commands, manage services and Registry keys, capture screens, record activity, and later wipe or corrupt data.

Microsoft says the tool combines pieces of at least three malware families. The standalone disk wiper is embedded inside the backdoor, while two additional destructive commands are linked to Crucio and FlockWiper code.

Google Threat Intelligence Group and Binary Defense track the same malware as BLUERABBIT. Microsoft tracks it as GigaWiper.

CapabilityHow it worksImpact
Physical disk wipingFinds physical drives, removes partition references, overwrites raw disk content, and forces a rebootCan make systems and stored data unusable
Fake ransomware encryptionEncrypts files with random key material that is not saved and renames files with .candyLeaves no usable decryption path
Multi-pass Windows drive wipingWipes the Windows installation drive with multiple overwrite passesIncreases the chance of permanent data loss
System sabotageDeletes recovery, boot, and kernel files and can trigger a blue screen conditionCan prevent normal boot and recovery
Backdoor controlUses RabbitMQ for commands and Redis for output and status updatesAllows broadcast or targeted attacker instructions

How the disk wiper damages Windows systems

GigaWiper’s standalone wiper operates at the physical disk level. Rather than deleting documents one by one, it attacks the drive structures that Windows needs to locate data and boot correctly.

The wiper enumerates physical disks through Windows Management Instrumentation, identifies the drive that contains the Windows installation, and removes partition references from other disks. It then overwrites raw disk content in large chunks.

After wiping, the malware forces an immediate restart. That combination can leave a victim with unbootable systems, missing partitions, and damaged data stores.

The fake ransomware routine offers no recovery

One GigaWiper command uses code linked to Crucio ransomware. It reads files, encrypts them with AES-CBC, deletes the originals, and renames the encrypted files with the .candy extension.

The routine looks like ransomware at first glance, but it does not operate like a normal extortion tool. Microsoft found that the key and initialization vector are randomly generated and not saved anywhere.

That means the attacker has no apparent ability to decrypt the data. The malware also does not drop a ransom note, although it can set a warning image as the wallpaper.

GigaWiper also borrows from FlockWiper

The second major wiping command, called WipeCMain, is linked to FlockWiper. Microsoft says the logic is essentially identical to a standalone FlockWiper sample, although GigaWiper reimplements it in Golang and updates parts of the behavior.

This command focuses on the Windows installation drive, usually the C drive. It performs multiple overwrite passes using different byte patterns, including zeros, 0xFF values, and random bytes.

The Microsoft analysis also notes references to “GRAT” in FlockWiper program database paths and GigaWiper function names, suggesting a possible related framework or unrecovered component.

Backdoor commands give attackers many options

GigaWiper includes 20 numeric command codes. Some are destructive, while others support surveillance, remote control, system discovery, process management, service management, Registry management, and event log clearing.

The backdoor can take screenshots from active displays and record the screen when the system is unlocked and the user is not idle. It can also start a VNC-like remote-control server that streams the screen and allows keyboard and mouse control.

It can clear Windows event logs, including System, Setup, Application, ForwardedEvents, and Security logs. That behavior can slow incident response by removing traces of attacker activity.

  • Command 1 triggers the embedded physical disk wiper.
  • Command 2 deletes recovery, boot, and kernel files and can prevent booting.
  • Command 3 launches the ransomware-like file encryption routine.
  • Command 7 runs shell commands and supports queue-management actions.
  • Command 8 manages RabbitMQ routing for targeted commands.
  • Command 9 captures screenshots.
  • Command 10 records the screen.
  • Command 12 launches the multi-pass Windows drive wiper.
  • Command 15 collects system information.
  • Command 19 clears Windows event logs.
  • Command 20 enables VNC-like remote control.

RabbitMQ and Redis support attacker control

GigaWiper uses RabbitMQ over AMQP to receive commands from its command-and-control server. It uses Redis to send back command status and output.

One analyzed sample used 185.182.193[.]21 on port 5544 for RabbitMQ and the same IP on port 7542 for Redis. The malware decrypts a hard-coded configuration that includes connection details and credentials.

The backdoor can receive broadcast tasks through a fanout exchange named All. It can also bind to a topic exchange named Topic for targeted commands, giving operators a way to control many infected devices at once or focus on specific systems.

Persistence hides behind OneDrive names

GigaWiper uses familiar Microsoft-themed names to reduce suspicion. It creates the Registry key HKCU\SOFTWARE\OneDrive\Environment to track execution count.

It also creates a scheduled task named OneDrive Update. The task runs at startup and then runs again every minute, helping the implant stay active after reboot or process termination.

Wiper functions (Source – Microsoft)

That naming can blend into enterprise environments where OneDrive is already common. Defenders should still investigate new or unusual scheduled tasks using Microsoft product names, especially when the executable path does not match a legitimate Microsoft location.

Indicators of compromise

Microsoft published hashes and command-and-control indicators for GigaWiper and related components. Security teams should use these indicators with behavior-based hunting because wiper operators can change infrastructure and file hashes quickly.

TypeIndicatorDescription
SHA-256633d4cbd496b1094495da89a64f5e6c31a0f6d4d1488411db5b0cba1cfe42001GigaWiper backdoor
SHA-256ce9ad5f6c12019f4aae5b189bd8ddf5bb09e75b06a0a587b25a855c65948c913GigaWiper backdoor
SHA-256f622ed85ef31ad4ab973f4e74524866fe1bb44f0965ad2b2ad796cd657a05bfdGigaWiper backdoor
SHA-2569706a192e2c1a1faaf0a521daf31c2af60ff4590e3f47bbb4abc227f42af0683GigaWiper backdoor
SHA-2563c30deb6556a94cfb84ae51798f4aecfae8c7358e55fdb321c5f2376579631cdGigaWiper standalone wiper
SHA-256440b5385d3838e3f6bc21220caa83b65cd5f3618daea676f271c3671650ce9a3Crucio
SHA-25612c39f052f030a77c0cd531df86ad3477f46d1287b8b98b625d1dcf89385d721FlockWiper
SHA-256db41e0da7ab3305be8d9720769c6950b4dc1c1984ef857d3310eb873a0fc7674FlockWiper
IP address185.182.193[.]21GigaWiper command-and-control server
IP address212.8.248[.]104GigaWiper command-and-control server

How defenders should hunt for GigaWiper

Security teams should treat possible GigaWiper activity as an urgent business continuity event. The malware can shift from surveillance to destruction quickly once operators issue commands.

Useful hunting signals include suspicious scheduled task creation, OneDrive-themed Registry keys in unexpected contexts, RabbitMQ or Redis connections to unknown external servers, screen recording output, and sudden use of disk-management or event-log clearing commands.

References to ‘GRAT’ in function names (Source – Microsoft)

Teams should also look for ransomware-like file encryption followed by .candy extensions, missing recovery files, unexpected firewall rule changes, and VNC-like remote-control behavior.

  1. Search for the scheduled task name OneDrive Update on endpoints and servers.
  2. Review HKCU\SOFTWARE\OneDrive\Environment for suspicious execution tracking.
  3. Block or investigate outbound traffic to known GigaWiper C2 IP addresses.
  4. Hunt for RabbitMQ and Redis communication from endpoints that should not use them.
  5. Investigate wevtutil activity that clears Windows event logs.
  6. Review unexpected deletion of boot, kernel, and recovery files.
  7. Look for .candy file extensions and wallpaper changes tied to suspicious binaries.
  8. Check for new firewall rules impersonating legitimate Windows components.

Mitigation steps for Windows environments

Microsoft recommends enabling tenant-wide tamper protection to stop attackers from disabling security settings or adding antivirus exclusions during an intrusion.

Organizations should also use EDR in block mode so Defender for Endpoint can block malicious artifacts found through behavioral detection, including cases where Microsoft Defender Antivirus runs in passive mode.

Microsoft also recommends running automated investigations in full automated mode so endpoint response actions can begin quickly after alerts are raised.

Backup and recovery planning is critical

GigaWiper shows why offline, immutable, or otherwise protected backups are essential. A wiper can destroy both the operating system and local data, and fake ransomware encryption may leave no decryption option.

Organizations should test recovery plans under conditions where systems cannot boot, logs are missing, and network services are unavailable. Recovery procedures should include bare-metal restore, replacement hardware, clean credential recovery, and validation that backups were not modified before the wipe.

Security teams should also separate backup infrastructure from normal domain access where possible. If attackers can use stolen administrator credentials to reach backups, recovery may fail during the most damaging stage of an incident.

Why GigaWiper raises the risk level

GigaWiper gives attackers a menu of options. They can observe a system, execute commands, collect data, record screens, manipulate services and Registry entries, and then trigger destructive commands when they decide the timing is right.

This design blurs the line between espionage malware and destructive malware. It allows quiet access first, then rapid impact later.

Defenders should pair detection with resilience. The tamper protection guidance, EDR in block mode guidance, and automated investigation guidance all support faster prevention and response, but organizations also need tested backups and practiced recovery playbooks.

FAQ

What is GigaWiper malware?

GigaWiper is a destructive Windows backdoor tracked by Microsoft. It combines remote-control capabilities with disk wiping, unrecoverable ransomware-like file encryption, event log clearing, system sabotage, and other commands.

Is GigaWiper ransomware?

GigaWiper includes ransomware-like behavior, but Microsoft describes it as a destructive backdoor and wiper. Its file encryption routine does not save the key or leave a ransom note, so victims do not have a normal decryption path.

What does the .candy extension mean?

The .candy extension is used by GigaWiper’s fake ransomware component after it encrypts files. Because the encryption key and IV are not saved, those files should be treated as unrecoverable unless clean backups exist.

How does GigaWiper maintain persistence?

GigaWiper creates the Registry key HKCU\SOFTWARE\OneDrive\Environment and a scheduled task named OneDrive Update. The task runs at startup and then every minute, helping the backdoor remain active.

How can organizations defend against GigaWiper?

Organizations should isolate suspected hosts, block known C2 infrastructure, enable tamper protection, use EDR in block mode, allow automated investigation and remediation, monitor scheduled tasks and Registry changes, and maintain protected offline backups.

Readers help support VPNCentral. We may get a commission if you buy through our links. Tooltip Icon

Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more

User forum

0 messages