GigaWiper: A Modular Windows Backdoor with Destructive Capabilities
On July 9, 2026, Microsoft’s threat intelligence team released a detailed analysis of GigaWiper, a sophisticated Windows backdoor that blends surveillance and irreversible destruction into a single implant. Unlike traditional wipers, GigaWiper is a full-featured espionage tool that can silently monitor networks before executing one of three distinct disk-erasure commands all without deploying additional payloads.
Key Features and Attack Mechanics
GigaWiper, written in Go, integrates components from at least three older malware families:
- Command 1 (Raw Disk Wiper): Uses Windows Management Instrumentation (WMI) to overwrite all physical disks, erasing partition metadata and raw content with randomized patterns to evade detection.
- Command 3 (Fake Ransomware): Mimics ransomware by encrypting files with a .candy extension and displaying a ransom note but the keys are discarded, making recovery impossible. This module is derived from Crucio ransomware, previously linked to Iran’s CyberAv3ngers (IRGC-CEC).
- Command 12 (Multi-Pass Wiper): A Go-based reimplementation of FlockWiper, targeting the Windows drive with alternating overwrite patterns to prevent forensic recovery.
The malware also includes surveillance capabilities, such as screenshot capture, VNC-based remote desktop access, PowerShell execution, and file exfiltration via MinIO. A dormant keylogger module (Command 11) suggests further development.
Command-and-Control (C2) Infrastructure
GigaWiper abuses legitimate enterprise tools for C2 communication:
- RabbitMQ (AMQP protocol) for operator commands.
- Redis for status updates.
- MinIO (S3-compatible storage) for data exfiltration.
Active C2 servers were identified at:
- 185.182.193[.]21 (RabbitMQ on port 554455445544, Redis on 754275427542)
- 212.8.248[.]104
Persistence and Evasion Techniques
- OneDrive Impersonation: Creates a scheduled task named "OneDrive Update" and a registry key (HKCU\SOFTWARE\OneDrive\Environment) to maintain persistence.
- Firewall Rule Spoofing: Adds a rule named Microsoft.Windows.CloudExperienceHost to bypass detection.
- Behavioral Camouflage: Uses GUID-like directory names with non-hex characters to evade behavioral detection.
Attribution and Geopolitical Context
While Microsoft did not attribute GigaWiper to a specific actor, Binary Defense and Google’s Threat Intelligence Group linked it to an Iran-nexus cluster responsible for BLUEWIPE and SEWERGOO in June 2025. The malware’s Crucio-derived module further ties it to CyberAv3ngers, a group sanctioned by the U.S. Treasury in 2024.
GigaWiper’s emergence aligns with a surge in Iranian wiper attacks following Operation Epic Fury (U.S.-Israel strikes on Iran in early 2026). Other Iran-linked groups, such as Handala Hack and Cavern Manticore, have conducted similar destructive campaigns, including the Stryker Corporation wipe in March 2026.
Detection and Defense Priorities
Microsoft has released YARA rules and Defender signatures for GigaWiper. Key detection methods include:
- Monitoring for unexpected "OneDrive Update" scheduled tasks or Microsoft.Windows.CloudExperienceHost firewall rules.
- Auditing RabbitMQ, Redis, and MinIO traffic for unauthorized connections.
- Treating ransomware-like activity without ransom notes as a potential wiper attack.
- Ensuring offline, immutable backups are in place, as GigaWiper’s disk-wiping methods leave no recovery path.
First observed in October 2025, GigaWiper remained undetected for months before researchers connected it to earlier Iran-linked activity. Its modular design and abuse of legitimate tools make it a particularly challenging threat for defenders.
Stryker cybersecurity rating report: https://www.rankiteo.com/company/stryker
"id": "STR1783982145",
"linkid": "stryker",
"type": "Cyber Attack",
"date": "7/2026",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'attack_vector': ['Windows Management Instrumentation (WMI)',
'scheduled tasks',
'registry keys',
'firewall rule spoofing'],
'data_breach': {'data_encryption': ['fake ransomware (Crucio-derived)'],
'data_exfiltration': True,
'type_of_data_compromised': ['screenshots',
'files',
'keylogging data']},
'date_detected': '2025-10-01',
'date_publicly_disclosed': '2026-07-09',
'description': 'Microsoft’s threat intelligence team released a detailed '
'analysis of GigaWiper, a sophisticated Windows backdoor that '
'blends surveillance and irreversible destruction into a '
'single implant. GigaWiper is a full-featured espionage tool '
'that can silently monitor networks before executing '
'disk-erasure commands without deploying additional payloads. '
'It integrates components from older malware families and '
'abuses legitimate enterprise tools for C2 communication.',
'impact': {'data_compromised': True,
'operational_impact': ['irreversible data destruction',
'system erasure'],
'systems_affected': ['Windows systems']},
'investigation_status': 'ongoing',
'lessons_learned': 'GigaWiper’s modular design and abuse of legitimate tools '
'make it a challenging threat for defenders. Its ability '
'to blend espionage and destruction highlights the need '
'for robust detection and immutable backups.',
'motivation': ['espionage', 'destruction', 'geopolitical retaliation'],
'post_incident_analysis': {'corrective_actions': ['enhanced detection rules',
'behavioral monitoring',
'immutable backups'],
'root_causes': ['modular malware design',
'abuse of legitimate tools '
'(RabbitMQ, Redis, MinIO)',
'geopolitical tensions']},
'ransomware': {'data_encryption': True,
'data_exfiltration': True,
'ransomware_strain': ['GigaWiper (fake ransomware module)',
'Crucio ransomware']},
'recommendations': ["Monitor for unexpected 'OneDrive Update' scheduled tasks "
"or 'Microsoft.Windows.CloudExperienceHost' firewall "
'rules.',
'Audit RabbitMQ, Redis, and MinIO traffic for '
'unauthorized connections.',
'Treat ransomware-like activity without ransom notes as a '
'potential wiper attack.',
'Ensure offline, immutable backups are in place.'],
'references': [{'date_accessed': '2026-07-09',
'source': 'Microsoft Threat Intelligence'},
{'source': 'Binary Defense'},
{'source': 'Google’s Threat Intelligence Group'}],
'response': {'containment_measures': ['YARA rules', 'Defender signatures'],
'enhanced_monitoring': ['unexpected firewall rules',
'GUID-like directory names'],
'remediation_measures': ['monitoring for unexpected scheduled '
'tasks',
'auditing RabbitMQ/Redis/MinIO traffic',
'offline immutable backups'],
'third_party_assistance': ['Microsoft Threat Intelligence',
'Binary Defense',
'Google’s Threat Intelligence Group']},
'threat_actor': ['Iran-nexus cluster',
'CyberAv3ngers (IRGC-CEC)',
'Handala Hack',
'Cavern Manticore'],
'title': 'GigaWiper: A Modular Windows Backdoor with Destructive Capabilities',
'type': ['backdoor', 'wiper', 'ransomware']}