Press TechRound interviews Secure.com CEO on the future of AI security
Read

Microsoft Uncovers GigaWiper, a Backdoor That Waits, Watches, Then Destroys

Microsoft uncovers GigaWiper, a Golang backdoor that hides for months, then wipes disks, fakes ransomware, and destroys Windows systems.

Dateline: July 10, 2026

GigaWiper: The Backdoor That Spies First and Wipes Later

Most malware picks a job. Steal data, or destroy it. GigaWiper does both, and the attacker decides when to switch.

Microsoft Threat Intelligence published its teardown of the malware on July 9, 2026, after tracing destructive wiping activity that began in October 2025. What they found was not a wiper. It was a backdoor with three wipers bolted inside it, waiting for a number.

What Happened?

Microsoft researchers pulled apart a Golang implant they now track as GigaWiper. It runs on Windows and takes orders as numbered commands, 1 through 20.

Three of those commands end the machine.

  • Command 1 skips files entirely and overwrites the physical disk, stripping the partition table before forcing a reboot. 
  • Command 12 targets the Windows drive with multi-pass overwrites, zeros, then 0xFF, then random bytes. 
  • Command 3 is the strange one. It encrypts files, renames them with a .candy extension, and swaps the desktop wallpaper for a warning image. 
  • There is no ransom note. The encryption key is generated at random and never saved. Nobody can decrypt those files, including the attacker.

That is destruction wearing a ransomware costume, the same trick NotPetya used in 2017.

The rest of the command set is a surveillance kit. Screenshots of every monitor. Continuous screen recording when a user is active. A hidden VNC session with keyboard and mouse control. PowerShell execution, process and service management, an interactive registry browser, and event log wiping.

Microsoft traced GigaWiper’s code back to at least three older malware families. Command 3 is built on Crucio ransomware, which CISA documented in a December 2023 advisory tied to IRGC affiliated actors. Command 12 is FlockWiper, originally written in C and rewritten in Go. A recurring string, GRAT, appears in FlockWiper’s debug paths and GigaWiper’s function names, hinting at a fourth component nobody has recovered yet.

Persistence is a scheduled task called OneDrive Update that runs every minute. Its remote access channel hides behind a firewall rule named after a real Windows component.

The Impact

A traditional wiper deploys, runs, and destroys. Investigators find it after the damage.

GigaWiper sits still. It watches a finance team work, records their screens, reads their registry, and then wipes the disk whenever the operator decides the intelligence value has run out. The same implant that took screenshots on Monday can be a full disk wiper on Friday. No second payload needed.

There is no patch to chase here. Malware is not a vulnerability. GigaWiper is what runs after an attacker is already inside, which means the entire defense lives in detection speed and recovery readiness.

The fake ransomware angle makes the response worse. A wrecked machine looks like a recoverable ransomware case for the first several hours. Teams waste time hunting for a decryptor that was never written.

Binary Defense reported the same four backdoor hashes under the name BLUERABBIT and, citing Google Threat Intelligence Group, linked the activity to a likely Iran nexus group targeting Israeli organizations. Microsoft names no country.

How to Avoid This

  • Turn on tamper protection so nobody can quietly switch off endpoint protection before pulling the trigger.
  • Run endpoint detection and response in block mode, and keep cloud delivered protection on.
  • Watch for scheduled tasks that run every minute. OneDrive Update is a name that looks fine until you check whether OneDrive is even installed.
  • Alert on raw disk writes, partition table changes, and any use of wevtutil.exe to clear Security logs.
  • Keep backups offline and test the restore. If your backups are reachable from a wiped machine, they are not backups.
  • Block the known C2 addresses at your egress.
Indicators of Compromise

GigaWiper IOCs

Published by Microsoft Threat Intelligence, July 9, 2026

Command and Control
IP185.182.193[.]21RabbitMQ port 5544, Redis port 7542
IP212.8.248[.]104Associated C2
SHA-256, GigaWiper Backdoor
633d4cbd496b1094495da89a64f5e6c31a0f6d4d1488411db5b0cba1cfe42001
ce9ad5f6c12019f4aae5b189bd8ddf5bb09e75b06a0a587b25a855c65948c913
f622ed85ef31ad4ab973f4e74524866fe1bb44f0965ad2b2ad796cd657a05bfd
9706a192e2c1a1faaf0a521daf31c2af60ff4590e3f47bbb4abc227f42af0683
SHA-256, Related Components
Standalone wiper3c30deb6556a94cfb84ae51798f4aecfae8c7358e55fdb321c5f2376579631cd
Crucio440b5385d3838e3f6bc21220caa83b65cd5f3618daea676f271c3671650ce9a3
FlockWiper12c39f052f030a77c0cd531df86ad3477f46d1287b8b98b625d1dcf89385d721
FlockWiperdb41e0da7ab3305be8d9720769c6950b4dc1c1984ef857d3310eb873a0fc7674
Host Artifacts
  • Scheduled task named OneDrive Update, runs every minute
  • Registry key HKCU\SOFTWARE\OneDrive\Environment
  • Files renamed with .candy extension
  • Dropped image at ./image_danger.jpg
  • Screen recordings written to C:\ProgramData\output
  • Firewall rule impersonating Microsoft.Windows.CloudExperienceHost
Source: Microsoft Threat Intelligence. Defanged notation used for IP addresses.

The Clock Starts the Day They Get In, Not the Day They Wipe

GigaWiper gives attackers months of quiet before the destruction. That gap is where a security team either finds them or loses everything.

Secure.com’s Digital Security Teammates close the gap:

  • The SOC Teammate correlates screen recording, registry access, and event log clearing into one case instead of twenty ignored alerts
  • Continuous detection tuning catches persistence like a one minute OneDrive Update task before it becomes routine noise
  • Automated case management cuts MTTD and MTTR so quiet access does not turn into a full disk overwrite
  • The Infrastructure Security Teammate flags egress to unknown C2 endpoints and unusual RabbitMQ or Redis traffic
  • Attack path mapping shows which machines an implant could reach next, including your backup infrastructure