GigaWiper: a Golang backdoor that folds a disk wiper, fake-ransomware encryptor and secure-wipe module into one modular implant
Microsoft Threat Intelligence first identified GigaWiper in October 2025 and has now published a code-level analysis of it: a Golang backdoor notable less for any single capability than for its construction — at least three previously separate destructive families folded into one implant as on-demand commands, so an operator can pick the mode of destruction at task time (Microsoft Threat Intelligence, 2026-07-09). The raw-disk wiper command enumerates physical drives over WMI, identifies and spares the Windows installation drive, strips partition metadata from the other drives via DeviceIoControl/IOCTL_DISK_CREATE_DISK, overwrites disk content in 0xA00000-byte chunks (randomising only the first byte of each buffer to dodge naïve all-zero-wipe detections), then forces an immediate reboot. A second command reuses Crucio ransomware code to AES-encrypt files with per-run keys that are never saved and drops no ransom note — destruction wearing an extortion costume — while a third reimplements the C-based FlockWiper in Go for multi-pass secure wiping of the Windows drive. Microsoft ties the families together by code overlap and assesses that the same developer built GigaWiper and Crucio; it withholds actor attribution beyond that lineage. Google's Threat Intelligence Group and Binary Defense track the same activity as BLUERABBIT (Microsoft Threat Intelligence, 2026-07-09; Infosecurity Magazine, 2026-07-10).
Operationally the implant is quieter than its payload. It persists as a scheduled task named OneDrive Update (configured to run roughly every minute and once at startup) and tracks its own execution count in a HKCU\SOFTWARE\OneDrive\Environment registry value, masquerading as Microsoft's sync client. For command-and-control it skips ordinary HTTP: tasking arrives over RabbitMQ/AMQP — a fanout exchange named All for broadcast to every infected client plus a topic exchange for targeted commands — status and output are polled back through a Redis server, and MinIO object storage carries exfiltration, alongside keylogging and screen-capture modules.
It's not a single, purpose-built tool, but an amalgamation of separate malware families that were folded into GigaWiper as on-demand backdoor commands, giving threat actors the flexibility to choose their mode of destruction
The key and initialization vector (IV) that the malware uses to encrypt files are random and are not saved anywhere
Defender actions
- Hunt for a scheduled task literally named 'OneDrive Update' running every minute plus at logon, and for a HKCU\\SOFTWARE\\OneDrive\\Environment registry value — neither is created by legitimate OneDrive; confirm the real OneDrive task name/path in your estate as the baseline.
- In egress/firewall telemetry, surface hosts making outbound RabbitMQ/AMQP, Redis and MinIO/S3-style object-storage connections with no legitimate business reason to speak any of the three, especially all three to the same endpoint.
- Treat GigaWiper as destruction, not ransomware: because encryption keys are never retained there is no decryption path — prioritise offline, tested backups and recovery drills for internet-exposed Windows critical-infrastructure hosts.
ATT&CK mapping
10 techniques mapped from the cited reporting · MITRE ATT&CK v19.1
Execution TA0002
T1053.005Scheduled Task/Job: Scheduled Task
Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code. There are multiple ways to access the Task Scheduler in Windows. The schtasks utility can be run directly on the command line, or the Task Scheduler can be opened through the GUI within the Administrator Tools section of the Control Panel. In some cases, adversaries have used a .NET wrapper for the Windows Task Scheduler, and alternatively, adversaries have used the Windows netapi32 library and Windows Management Instrumentation (WMI) to create a scheduled task. Adversaries may also utilize the Powershell Cmdlet `Invoke-CimMethod`, which leverages WMI class `PS_ScheduledTask` to create a scheduled task via an XML path.
Persistence TA0003
T1053.005Scheduled Task/Job: Scheduled Task
Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code. There are multiple ways to access the Task Scheduler in Windows. The schtasks utility can be run directly on the command line, or the Task Scheduler can be opened through the GUI within the Administrator Tools section of the Control Panel. In some cases, adversaries have used a .NET wrapper for the Windows Task Scheduler, and alternatively, adversaries have used the Windows netapi32 library and Windows Management Instrumentation (WMI) to create a scheduled task. Adversaries may also utilize the Powershell Cmdlet `Invoke-CimMethod`, which leverages WMI class `PS_ScheduledTask` to create a scheduled task via an XML path.
T1112Modify Registry
Adversaries may interact with the Windows Registry as part of a variety of other techniques to aid in defense evasion, persistence, and execution.
Privilege Escalation TA0004
T1053.005Scheduled Task/Job: Scheduled Task
Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code. There are multiple ways to access the Task Scheduler in Windows. The schtasks utility can be run directly on the command line, or the Task Scheduler can be opened through the GUI within the Administrator Tools section of the Control Panel. In some cases, adversaries have used a .NET wrapper for the Windows Task Scheduler, and alternatively, adversaries have used the Windows netapi32 library and Windows Management Instrumentation (WMI) to create a scheduled task. Adversaries may also utilize the Powershell Cmdlet `Invoke-CimMethod`, which leverages WMI class `PS_ScheduledTask` to create a scheduled task via an XML path.
Defense Impairment TA0112
T1112Modify Registry
Adversaries may interact with the Windows Registry as part of a variety of other techniques to aid in defense evasion, persistence, and execution.
Credential Access TA0006
T1056.001Input Capture: Keylogging
Adversaries may log user keystrokes to intercept credentials as the user types them. Keylogging is likely to be used to acquire credentials for new access opportunities when OS Credential Dumping efforts are not effective, and may require an adversary to intercept keystrokes on a system for a substantial period of time before credentials can be successfully captured. In order to increase the likelihood of capturing credentials quickly, an adversary may also perform actions such as clearing browser cookies to force users to reauthenticate to systems.
Collection TA0009
T1056.001Input Capture: Keylogging
Adversaries may log user keystrokes to intercept credentials as the user types them. Keylogging is likely to be used to acquire credentials for new access opportunities when OS Credential Dumping efforts are not effective, and may require an adversary to intercept keystrokes on a system for a substantial period of time before credentials can be successfully captured. In order to increase the likelihood of capturing credentials quickly, an adversary may also perform actions such as clearing browser cookies to force users to reauthenticate to systems.
T1113Screen Capture
Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as <code>CopyFromScreen</code>, <code>xwd</code>, or <code>screencapture</code>.
Command and Control TA0011
T1071Application Layer Protocol
Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Exfiltration TA0010
T1567.002Exfiltration Over Web Service: Exfiltration to Cloud Storage
Adversaries may exfiltrate data to a cloud storage service rather than over their primary command and control channel. Cloud storage services allow for the storage, edit, and retrieval of data from a remote cloud storage server over the Internet.
Impact TA0040
T1485Data Destruction
Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources. Data destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives. Common operating system file deletion commands such as <code>del</code> and <code>rm</code> often only remove pointers to files without wiping the contents of the files themselves, making the files recoverable by proper forensic methodology. This behavior is distinct from Disk Content Wipe and Disk Structure Wipe because individual files are destroyed rather than sections of a storage disk or the disk's logical structure.
T1486Data Encrypted for Impact
Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.
T1561.001Disk Wipe: Disk Content Wipe
Adversaries may erase the contents of storage devices on specific systems or in large numbers in a network to interrupt availability to system and network resources.
T1561.002Disk Wipe: Disk Structure Wipe
Adversaries may corrupt or wipe the disk data structures on a hard drive necessary to boot a system; targeting specific critical systems or in large numbers in a network to interrupt availability to system and network resources.
AI-generated · no human review · this permalink is the shareable record for the finding · verify operationally critical claims against the linked primary source.