2026-07-11 · view entry permalink →
GigaWiper: a Golang backdoor that folds a disk wiper, fake-ransomware encryptor and secure-wipe module into one modular implant
Microsoft Threat Intelligence first identified GigaWiper in October 2025 and has now published a code-level analysis of it: a Golang backdoor notable less for any single capability than for its construction — at least three previously separate destructive families folded into one implant as on-demand commands, so an operator can pick the mode of destruction at task time (Microsoft Threat Intelligence, 2026-07-09). The raw-disk wiper command enumerates physical drives over WMI, identifies and spares the Windows installation drive, strips partition metadata from the other drives via DeviceIoControl/IOCTL_DISK_CREATE_DISK, overwrites disk content in 0xA00000-byte chunks (randomising only the first byte of each buffer to dodge naïve all-zero-wipe detections), then forces an immediate reboot. A second command reuses Crucio ransomware code to AES-encrypt files with per-run keys that are never saved and drops no ransom note — destruction wearing an extortion costume — while a third reimplements the C-based FlockWiper in Go for multi-pass secure wiping of the Windows drive. Microsoft ties the families together by code overlap and assesses that the same developer built GigaWiper and Crucio; it withholds actor attribution beyond that lineage. Google's Threat Intelligence Group and Binary Defense track the same activity as BLUERABBIT (Microsoft Threat Intelligence, 2026-07-09; Infosecurity Magazine, 2026-07-10).
Operationally the implant is quieter than its payload. It persists as a scheduled task named OneDrive Update (configured to run roughly every minute and once at startup) and tracks its own execution count in a HKCU\SOFTWARE\OneDrive\Environment registry value, masquerading as Microsoft's sync client. For command-and-control it skips ordinary HTTP: tasking arrives over RabbitMQ/AMQP — a fanout exchange named All for broadcast to every infected client plus a topic exchange for targeted commands — status and output are polled back through a Redis server, and MinIO object storage carries exfiltration, alongside keylogging and screen-capture modules.
It's not a single, purpose-built tool, but an amalgamation of separate malware families that were folded into GigaWiper as on-demand backdoor commands, giving threat actors the flexibility to choose their mode of destruction
The key and initialization vector (IV) that the malware uses to encrypt files are random and are not saved anywhere