ctipilot.ch

FlockWiper

tool · tool:flockwiper

C-based disk wiper reimplemented in Golang, with additional multi-pass secure wiping, as one of GigaWiper's destructive commands (Microsoft, 2026-07-09).

Coverage timeline
1
first 2026-07-11 → last 2026-07-11
Peak priority
notable
1 notable
Sources cited
2
2 hosts
Sections touched
1
active-threats
Co-occurring entities
2
see Related entities below
ATT&CK techniques
10
pinned v19.1 · see below

ATT&CK techniques

10 techniques observed across 1 entry — derived from entry metadata and body evidence, never asserted without a published entry behind it · pinned to MITRE ATT&CK v19.1 · compare on the matrix · Navigator layer (JSON)

Execution TA0002

T1053.005Scheduled Task/Job: Scheduled Task×1

Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code. There are multiple ways to access the Task Scheduler in Windows. The schtasks utility can be run directly on the command line, or the Task Scheduler can be opened through the GUI within the Administrator Tools section of the Control Panel. In some cases, adversaries have used a .NET wrapper for the Windows Task Scheduler, and alternatively, adversaries have used the Windows netapi32 library and Windows Management Instrumentation (WMI) to create a scheduled task. Adversaries may also utilize the Powershell Cmdlet `Invoke-CimMethod`, which leverages WMI class `PS_ScheduledTask` to create a scheduled task via an XML path.

Evidence: 2026-07-11/gigawiper-golang-destructive-backdoor-modular-wiper · ATT&CK page ↗

Persistence TA0003

T1053.005Scheduled Task/Job: Scheduled Task×1

Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code. There are multiple ways to access the Task Scheduler in Windows. The schtasks utility can be run directly on the command line, or the Task Scheduler can be opened through the GUI within the Administrator Tools section of the Control Panel. In some cases, adversaries have used a .NET wrapper for the Windows Task Scheduler, and alternatively, adversaries have used the Windows netapi32 library and Windows Management Instrumentation (WMI) to create a scheduled task. Adversaries may also utilize the Powershell Cmdlet `Invoke-CimMethod`, which leverages WMI class `PS_ScheduledTask` to create a scheduled task via an XML path.

Evidence: 2026-07-11/gigawiper-golang-destructive-backdoor-modular-wiper · ATT&CK page ↗

T1112Modify Registry×1

Adversaries may interact with the Windows Registry as part of a variety of other techniques to aid in defense evasion, persistence, and execution.

Evidence: 2026-07-11/gigawiper-golang-destructive-backdoor-modular-wiper · ATT&CK page ↗

Privilege Escalation TA0004

T1053.005Scheduled Task/Job: Scheduled Task×1

Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code. There are multiple ways to access the Task Scheduler in Windows. The schtasks utility can be run directly on the command line, or the Task Scheduler can be opened through the GUI within the Administrator Tools section of the Control Panel. In some cases, adversaries have used a .NET wrapper for the Windows Task Scheduler, and alternatively, adversaries have used the Windows netapi32 library and Windows Management Instrumentation (WMI) to create a scheduled task. Adversaries may also utilize the Powershell Cmdlet `Invoke-CimMethod`, which leverages WMI class `PS_ScheduledTask` to create a scheduled task via an XML path.

Evidence: 2026-07-11/gigawiper-golang-destructive-backdoor-modular-wiper · ATT&CK page ↗

Defense Impairment TA0112

T1112Modify Registry×1

Adversaries may interact with the Windows Registry as part of a variety of other techniques to aid in defense evasion, persistence, and execution.

Evidence: 2026-07-11/gigawiper-golang-destructive-backdoor-modular-wiper · ATT&CK page ↗

Credential Access TA0006

T1056.001Input Capture: Keylogging×1

Adversaries may log user keystrokes to intercept credentials as the user types them. Keylogging is likely to be used to acquire credentials for new access opportunities when OS Credential Dumping efforts are not effective, and may require an adversary to intercept keystrokes on a system for a substantial period of time before credentials can be successfully captured. In order to increase the likelihood of capturing credentials quickly, an adversary may also perform actions such as clearing browser cookies to force users to reauthenticate to systems.

Evidence: 2026-07-11/gigawiper-golang-destructive-backdoor-modular-wiper · ATT&CK page ↗

Collection TA0009

T1056.001Input Capture: Keylogging×1

Adversaries may log user keystrokes to intercept credentials as the user types them. Keylogging is likely to be used to acquire credentials for new access opportunities when OS Credential Dumping efforts are not effective, and may require an adversary to intercept keystrokes on a system for a substantial period of time before credentials can be successfully captured. In order to increase the likelihood of capturing credentials quickly, an adversary may also perform actions such as clearing browser cookies to force users to reauthenticate to systems.

Evidence: 2026-07-11/gigawiper-golang-destructive-backdoor-modular-wiper · ATT&CK page ↗

T1113Screen Capture×1

Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as <code>CopyFromScreen</code>, <code>xwd</code>, or <code>screencapture</code>.

Evidence: 2026-07-11/gigawiper-golang-destructive-backdoor-modular-wiper · ATT&CK page ↗

Command and Control TA0011

T1071Application Layer Protocol×1

Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.

Evidence: 2026-07-11/gigawiper-golang-destructive-backdoor-modular-wiper · ATT&CK page ↗

Exfiltration TA0010

T1567.002Exfiltration Over Web Service: Exfiltration to Cloud Storage×1

Adversaries may exfiltrate data to a cloud storage service rather than over their primary command and control channel. Cloud storage services allow for the storage, edit, and retrieval of data from a remote cloud storage server over the Internet.

Evidence: 2026-07-11/gigawiper-golang-destructive-backdoor-modular-wiper · ATT&CK page ↗

Impact TA0040

T1485Data Destruction×1

Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources. Data destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives. Common operating system file deletion commands such as <code>del</code> and <code>rm</code> often only remove pointers to files without wiping the contents of the files themselves, making the files recoverable by proper forensic methodology. This behavior is distinct from Disk Content Wipe and Disk Structure Wipe because individual files are destroyed rather than sections of a storage disk or the disk's logical structure.

Evidence: 2026-07-11/gigawiper-golang-destructive-backdoor-modular-wiper · ATT&CK page ↗

T1486Data Encrypted for Impact×1

Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.

Evidence: 2026-07-11/gigawiper-golang-destructive-backdoor-modular-wiper · ATT&CK page ↗

T1561.001Disk Wipe: Disk Content Wipe×1

Adversaries may erase the contents of storage devices on specific systems or in large numbers in a network to interrupt availability to system and network resources.

Evidence: 2026-07-11/gigawiper-golang-destructive-backdoor-modular-wiper · ATT&CK page ↗

T1561.002Disk Wipe: Disk Structure Wipe×1

Adversaries may corrupt or wipe the disk data structures on a hard drive necessary to boot a system; targeting specific critical systems or in large numbers in a network to interrupt availability to system and network resources.

Evidence: 2026-07-11/gigawiper-golang-destructive-backdoor-modular-wiper · ATT&CK page ↗

Story timeline

  1. 2026-07-11GigaWiper: a Golang backdoor that folds a disk wiper, fake-ransomware encryptor and secure-wipe module into one modular implant
    active-threatsMicrosoft dissects GigaWiper — destruction dressed as extortion, driven over RabbitMQ/Redis/MinIO with an 'OneDrive Update' persistence tell

Where this entity is cited

  • active-threats1

Source distribution

  • infosecurity-magazine.com1 (50%)
  • microsoft.com1 (50%)

Related entities

Entries about FlockWiper (1)

2026-07-11 · view entry permalink →

NOTABLENATOB2

GigaWiper: a Golang backdoor that folds a disk wiper, fake-ransomware encryptor and secure-wipe module into one modular implant

Microsoft Threat Intelligence first identified GigaWiper in October 2025 and has now published a code-level analysis of it: a Golang backdoor notable less for any single capability than for its construction — at least three previously separate destructive families folded into one implant as on-demand commands, so an operator can pick the mode of destruction at task time (Microsoft Threat Intelligence, 2026-07-09). The raw-disk wiper command enumerates physical drives over WMI, identifies and spares the Windows installation drive, strips partition metadata from the other drives via DeviceIoControl/IOCTL_DISK_CREATE_DISK, overwrites disk content in 0xA00000-byte chunks (randomising only the first byte of each buffer to dodge naïve all-zero-wipe detections), then forces an immediate reboot. A second command reuses Crucio ransomware code to AES-encrypt files with per-run keys that are never saved and drops no ransom note — destruction wearing an extortion costume — while a third reimplements the C-based FlockWiper in Go for multi-pass secure wiping of the Windows drive. Microsoft ties the families together by code overlap and assesses that the same developer built GigaWiper and Crucio; it withholds actor attribution beyond that lineage. Google's Threat Intelligence Group and Binary Defense track the same activity as BLUERABBIT (Microsoft Threat Intelligence, 2026-07-09; Infosecurity Magazine, 2026-07-10).

Operationally the implant is quieter than its payload. It persists as a scheduled task named OneDrive Update (configured to run roughly every minute and once at startup) and tracks its own execution count in a HKCU\SOFTWARE\OneDrive\Environment registry value, masquerading as Microsoft's sync client. For command-and-control it skips ordinary HTTP: tasking arrives over RabbitMQ/AMQP — a fanout exchange named All for broadcast to every infected client plus a topic exchange for targeted commands — status and output are polled back through a Redis server, and MinIO object storage carries exfiltration, alongside keylogging and screen-capture modules.

It's not a single, purpose-built tool, but an amalgamation of separate malware families that were folded into GigaWiper as on-demand backdoor commands, giving threat actors the flexibility to choose their mode of destruction

The key and initialization vector (IV) that the malware uses to encrypt files are random and are not saved anywhere

Microsoft Threat Intelligence 2026-07-09
threat11 Jul 04:30Zmulti-sourceOpen finding ↗