Close Menu
    What's Hot

    OpenAI’s CEO of AGI Deployment, Fidji Simo, Is Stepping Down

    Cloud Bucket Hijacking, Windows LPE Chain, Global Fraud Bust + 17 More Stories

    Macron’s sports protectionism – Live Updates

    Facebook X (Twitter) Instagram
    Trending
    • OpenAI’s CEO of AGI Deployment, Fidji Simo, Is Stepping Down
    • Cloud Bucket Hijacking, Windows LPE Chain, Global Fraud Bust + 17 More Stories
    • Macron’s sports protectionism – Live Updates
    • Syria says captured Damascus bombing suspects are affiliated with ISIL | Syria’s War News
    • Maine’s Senate Race Implodes, Meta’s Threads Rivals Musk’s X, and the Trump Phone Arrives
    • China could be the US tech hedge
    • World Cup 2026: EU lawmakers call for formal investigation into Folarin Balogun ‘scandal’ – Paper Talk | Football News
    • Singles in World Cup host continue to dust off their dating apps amid an influx of tourists
    interluknewsinterluknews
    • Home
    • Business
      • Corporate News
      • Industry Insights
      • Startups & Entrepreneurship
      • Technology & Innovation
    • Economy
      • Economic Policy
      • Financial Analysis
      • Inflation & Interest Rates
      • Trade & Markets
    • Global
      • Conflicts & Security
      • Diplomacy
      • Global Trends
      • International Affairs
    • Lifestyle
      • Fashion
      • Food & Dining
      • Personal Development
      • Travel
    • Opinion
      • Columns
      • Editorials
      • Expert Opinions
      • Reader Voices
    • More
      • Politics
        • Elections
        • Government & Policy
        • International Relations
        • Political Analysis
      • Sports
        • Cricket
        • Football / Soccer
        • International Sports
        • Local Sports
      • Technology
        • Artificial Intelligence
        • Cybersecurity
        • Gadgets & Reviews
        • Tech News
      • South Africa News
    Facebook X (Twitter) Instagram
    interluknewsinterluknews
    Cybersecurity

    New GigaWiper Windows Backdoor Bundles Disk Wiping, Fake Ransomware, and Spyware

    adminBy adminJuly 9, 2026No Comments6 Mins Read
    Share Facebook Twitter Pinterest Copy Link Telegram LinkedIn Tumblr Email
    New GigaWiper Windows Backdoor Bundles Disk Wiping, Fake Ransomware, and Spyware
    Share
    Facebook Twitter LinkedIn Pinterest Email

    New GigaWiper Windows Backdoor Bundles Disk Wiping, Fake Ransomware, and Spyware

    Microsoft has taken apart a destructive Windows backdoor it calls GigaWiper. What stands out is how it is built: not one tool but three older destructive programs bolted into one, offered as commands the operator can choose from.

    Each is a different way to break a machine: wipe the whole disk, overwrite the Windows drive, or run fake “ransomware” that scrambles files with a key it never saves.

    Because this is malware and not a single flaw, there is no patch to chase; GigaWiper is what an attacker runs after they are already inside, which makes early detection and clean, offline backups the real defense.

    The same malicious files show up in a second report under another name: BLUERABBIT, a backdoor Binary Defense flagged last month.

    Cybersecurity

    Microsoft lists four hashes for the GigaWiper backdoor; Binary Defense lists the same four for BLUERABBIT, and both command servers match. Binary Defense, citing Google’s Threat Intelligence Group, ties the malware to a likely Iran-nexus group aimed at Israeli organizations. Microsoft names no country.

    Three ways to destroy a machine

    GigaWiper is written in Go (also called Golang) and runs on Windows. It takes orders as numbered commands, and three of them destroy the machine, each in a different way:

    • A raw disk wiper that overwrites the physical drive and wipes the partition table (the map of how the disk is laid out) before rebooting. There is no file-by-file deletion to reverse; it destroys the disk contents directly.
    • Fake ransomware built on older code called Crucio. It encrypts files, adds a .candy extension, and changes the desktop wallpaper to an alarming warning image. There is no ransom note and no saved key, so there is nothing to pay and nothing to decrypt. This is destruction wearing a ransomware costume.
    • The last targets the Windows drive, overwriting it several times with different data patterns. Microsoft says it is a Go rewrite of a wiper it tracks as FlockWiper.

    None of these leaves a way back: encrypted files cannot be unlocked because the key is gone, and wiped drives can only be rebuilt from clean backups. The goal is a dead machine, not a payout.

    It spies, too

    Destruction is only half of it. The same backdoor can quietly watch and control an infected PC. It takes screenshots of every monitor, records the screen while someone is working, and can open a hidden VNC session that streams the display and lets the attacker type and move the mouse.

    It also collects system details, manages running programs and services, edits the registry, and can wipe Windows event logs to cover its tracks. Microsoft found more commands sitting dormant in the samples it examined, including stubs for a keylogger and additional wipers.

    To stay out of sight, GigaWiper pretends to be OneDrive. It creates a scheduled task named OneDrive Update that runs every minute and tracks itself in a registry key under HKCU\SOFTWARE\OneDrive\Environment. When it opens its remote-control channel, it hides behind a firewall rule named after a real Windows component, Microsoft.Windows.CloudExperienceHost.

    For its command traffic, it skips ordinary web requests and rides on real business services instead: RabbitMQ for tasking, Redis for results, and MinIO for exfiltration. Because those are legitimate tools rather than a custom malware channel, the traffic looks ordinary on networks that already run them.

    Where GigaWiper came from

    Microsoft traces GigaWiper’s fake-ransomware code back to Crucio and its multi-pass wiper back to FlockWiper, and assesses that the same developer built all three. It names no country. But Crucio is not anonymous. Its code was listed as suspected ransomware in a December 2023 CISA advisory on CyberAv3ngers, a group linked to Iran’s Islamic Revolutionary Guard Corps.

    That is the same crew, THN reported, that broke into water and energy sites across the US, Israel, the UK, and Ireland in 2023, logging into internet-exposed industrial controllers. In one case, they took control of a booster station at a Pennsylvania water authority. The Crucio sample Microsoft cites carries the same fingerprint listed in that advisory.

    Microsoft also found a recurring tag, “GRAT”, in both FlockWiper’s debug paths and GigaWiper’s own function names, tying the two tools together and hinting at a further component that has not surfaced yet. The timing differs by source: Microsoft dates the destructive activity to October 2025, while Binary Defense first saw the same files as BLUERABBIT in March 2026.

    Part of a bigger wave

    Iran-linked wiper activity against Israel has drawn repeated warnings through 2025 and 2026. Palo Alto Networks’ Unit 42 has tracked a parallel surge, much of it from a separate group, Handala Hack, and in March 2026 Israel’s National Cyber Directorate warned of Iranian wiper attacks on local organizations.

    The tactic GigaWiper uses is old: NotPetya in 2017 also posed as ransomware while quietly destroying data. The disguise buys the attacker time: a wrecked machine first looks like a ransomware case someone might recover from, not the total loss it is.

    Microsoft frames GigaWiper as operators folding separate tools into one flexible platform. For defenders, the consequence is concrete: when a single implant can watch, steal, or destroy, the tool no longer reveals the goal. You used to read intent from the malware you found; here, the operator decides after they are already inside.

    Cybersecurity

    One platform, two vendor names, and dormant command stubs still in the code point to a tool still being built out.

    What defenders should do

    Spotting it fast comes down to a few specific signals:

    • A OneDrive Update scheduled task that repeats every minute.
    • RabbitMQ or Redis traffic from ordinary desktops rather than servers.
    • Processes using takeown and icacls to take ownership of Windows boot files like bootmgr and ntoskrnl.exe outside maintenance windows.

    On the product side, Microsoft recommends turning on tamper protection so attackers cannot switch off your antivirus, blocking the two known command servers (185.182.193[.]21 and 212.8.248[.]104), running endpoint detection in block mode, and enabling cloud-delivered protection and automatic remediation. The full list of file hashes, server addresses, and detection names is in Microsoft’s report.

    The Hacker News has reached out to Microsoft and to Binary Defense for confirmation that GigaWiper and BLUERABBIT are the same malware, and for details on victim scope and attribution, and will update this story with any response.

    Backdoor bundles Disk fake GigaWiper Ransomware spyware Windows wiping
    Follow on Google News Follow on Flipboard
    Share. Facebook Twitter Pinterest LinkedIn Tumblr Email Copy Link
    Previous ArticleBrussels wants action over Trump-Infantino red card controversy – Live Updates
    Next Article Regions Financial: Recent Acquisition Underpins Growth Case For This Sunbelt Regional Bank
    admin
    • Website

    Related Posts

    Cloud Bucket Hijacking, Windows LPE Chain, Global Fraud Bust + 17 More Stories

    July 9, 2026

    Dormant GitHub Accounts Help Attackers Blend In While Mapping Corporate Orgs

    July 9, 2026

    npm 12 Disables Install Scripts by Default to Reduce Supply Chain Risk

    July 9, 2026
    Leave A Reply Cancel Reply

    Demo
    Latest Posts

    OpenAI’s CEO of AGI Deployment, Fidji Simo, Is Stepping Down

    Cloud Bucket Hijacking, Windows LPE Chain, Global Fraud Bust + 17 More Stories

    Macron’s sports protectionism – Live Updates

    Syria says captured Damascus bombing suspects are affiliated with ISIL | Syria’s War News

    Latest Posts

    Subscribe to News

    Get the latest sports news from NewsSite about world, sports and politics.

    Advertisement
    Demo

    We are a digital news platform delivering timely, accurate, and insightful coverage of politics, global affairs, business, economy, sports, and more. Our mission is to keep readers informed with reliable news, clear analysis, and stories that truly matter.
    We're social. Connect with us:

    Facebook X (Twitter) Instagram Pinterest YouTube

    Subscribe to Updates

    Get the latest creative news from FooBar about art, design and business.

    Type above and press Enter to search. Press Esc to cancel.

    Powered by
    ...
    ►
    Necessary cookies enable essential site features like secure log-ins and consent preference adjustments. They do not store personal data.
    None
    ►
    Functional cookies support features like content sharing on social media, collecting feedback, and enabling third-party tools.
    None
    ►
    Analytical cookies track visitor interactions, providing insights on metrics like visitor count, bounce rate, and traffic sources.
    None
    ►
    Advertisement cookies deliver personalized ads based on your previous visits and analyze the effectiveness of ad campaigns.
    None
    ►
    Unclassified cookies are cookies that we are in the process of classifying, together with the providers of individual cookies.
    None
    Powered by