GigaWiper Backdoor Can Spy, Wipe Disks, and Fake Ransomware

Brendan Smith
Brendan Smith - Cybersecurity Analyst
7 Min Read
GigaWiper Windows backdoor splitting a hard drive to represent permanent disk wiping.
GigaWiper combines surveillance, remote control, fake ransomware, and disk wiping in one Windows backdoor.

Microsoft Threat Intelligence has detailed GigaWiper, a Windows backdoor that can monitor a compromised system and then destroy it on command. The malware can record screens, provide remote keyboard and mouse control, steal files, clear event logs, encrypt files with an unrecoverable key, or wipe entire physical disks. This is not a Windows vulnerability that home users can patch; it is a post-compromise tool, so finding one of its artifacts should trigger isolation and incident response.

What makes GigaWiper different

GigaWiper combines several older destructive tools inside one Go-based backdoor. Instead of deploying a separate spy tool, ransomware payload, and disk wiper, an operator can choose among those actions after gaining access. That makes the first visible symptom a poor guide to the attacker’s final goal.

Capability Practical impact
Surveillance and remote control Takes screenshots, records active screens, gathers system details, and can open a VNC-like session for keyboard and mouse control.
File theft Uses a MinIO client to move selected files to attacker-controlled storage.
Fake ransomware Encrypts files, adds the .candy extension, and changes the wallpaper. One destructive mode does not preserve the generated key, so payment cannot produce a decryptor.
Disk wiping Can erase partition metadata and overwrite physical drives, or repeatedly overwrite the Windows drive.

Microsoft first observed the destructive activity in compromised environments in October 2025. A separate Binary Defense analysis published in June 2026 described the same four backdoor hashes as BLUERABBIT and reported likely targeting of organizations in Israel. Microsoft does not assign a country or actor in its GigaWiper report, so the attribution should not be treated as settled.

Who needs to act

The public evidence points to targeted organizational intrusions, not a mass consumer campaign. Network defenders should hunt when an endpoint matches the known hashes or infrastructure, when a supposed OneDrive task launches an unknown executable every minute, or when desktop systems unexpectedly communicate with RabbitMQ, Redis, or MinIO services.

A normal OneDrive installation can create legitimate tasks and registry data. The name alone is not proof of infection. The decisive checks are the task’s executable path and signature, its creation time, the file hash, related network connections, and whether other indicators appear on the same host.

GigaWiper indicators worth checking

Indicator Why it matters
OneDrive Update scheduled task The observed backdoor configured it to run every minute and at startup. Verify the action path rather than deleting every similarly named task.
HKCU\SOFTWARE\OneDrive\Environment GigaWiper used this registry key to track execution. Correlate it with the task and executable.
185.182.193[.]21 and 212.8.248[.]104 Microsoft lists these addresses as GigaWiper command-and-control infrastructure.
.candy file extension Appears after the destructive fake-ransomware command; there may be no usable decryption key.
Unexpected takeown, icacls, or wevtutil activity The malware can take ownership of boot files and clear Windows event logs.
Defender detections for GigaWiper, Wiper, FlockWiper, or CutBrooch Microsoft lists these coverage names and related ransomware-behavior alerts.

Microsoft’s report contains the complete SHA-256 list. Hash matching is useful, but a clean hash search does not rule out a rebuilt sample or another destructive tool using the same behavior.

What to do if an endpoint matches

  1. Isolate the endpoint. Disconnect it from wired, wireless, VPN, and shared-storage access. Do not use it to change passwords.
  2. Preserve evidence before cleanup. Record the scheduled-task action, executable path, hashes, logged-on user, active connections, and alert timeline. For a business system, involve the incident-response owner before rebooting or deleting artifacts.
  3. Block known infrastructure and hunt laterally. Search firewall, proxy, EDR, RabbitMQ, Redis, and MinIO logs for the two published IP addresses and for unusual client activity from workstations.
  4. Protect recovery paths. Disconnect backup repositories from compromised credentials, verify immutable or offline copies, and test restoration on a clean network. Do not restore files into an environment where the backdoor may still be active.
  5. Rebuild when trust is lost. If GigaWiper execution or destructive commands are confirmed, reimage the endpoint from known-good media and rotate exposed credentials from a separate clean device. A normal cleanup cannot prove that stolen data or remote access never occurred.

For an unmanaged Windows PC where only a suspicious file or persistence item was found, follow a structured post-malware Windows audit. A full Gridinsoft Anti-Malware scan can help find related files and persistence, but it cannot recover wiped data or replace a forensic investigation. If Windows will not start, use the decision flow in the offline and rescue-USB malware removal guide.

Why the fake ransom screen changes the response

Traditional ransomware operators usually need a working decryption path so they can sell the key. GigaWiper’s destructive .candy mode can generate a random key and discard it. The visual result resembles ransomware, but there is nothing useful to negotiate for and no key to retrieve. Treat the event as sabotage and a full breach, not only as a file-recovery problem.

This is the same defensive lesson seen with earlier wipers such as WhisperGate: a ransom-style message does not prove that data recovery is possible. Clean offline backups, isolated recovery credentials, and fast containment matter more than the wording on the victim’s screen.

References

  1. Microsoft Threat Intelligence. “GigaWiper: Anatomy of a destructive backdoor assembled from multiple malware.” Microsoft Security Blog, July 9, 2026. Microsoft report.
  2. Ross Bunker. “BLUERABBIT: A Golang-Based Backdoor with Ransomware and Destructive Capabilities.” Binary Defense ARC Labs, June 9, 2026. Binary Defense analysis.
Share This Article
Cybersecurity Analyst
Follow:
Brendan Smith has spent over 15 years knee-deep in cybersecurity, chasing down malware from the gritty reverse-engineering of old-school trojans all the way to wrangling full-blown incident responses for small-to-medium businesses that couldn’t afford a full-blown breach. Over at Gridinsoft, he’s the guy piecing together those double-checked guides on nasty stuff like AsyncRAT ransomware—take last year, for instance, when his breakdowns caught more than 200 sneaky variants right in live scans, knocking user cleanup jobs down by a solid 40% and saving folks hours of headache.
Leave a Comment

AI Assistant

Hello! 👋 How can I help you today?