Back to Blog

High-Severity Threat Alert

Active, destructive Windows backdoor. No patch available.

Security Operations

GigaWiper: There Is No Patch. The Defence Is Detection and Containment.

A destructive backdoor that spies for weeks, then wipes on a single command. Why behaviour, not signatures, is what stops it.

July 15, 2026·Sentryxx Threat Response Team·11 min read

Threat at a Glance

Threat
GigaWiper
Classification
Destructive backdoor (espionage + wiper)
Platform
Windows (written in Go)
Vector
Post-compromise implant. No CVE, nothing to patch
Defence
Behaviour-based detection and rapid containment
Source
Microsoft Threat Intelligence, July 9, 2026

On July 9, 2026, Microsoft Threat Intelligence published its analysis of GigaWiper, a destructive Windows backdoor it first observed in compromised environments in October 2025. We reviewed the research against our own detection content. It is worth walking through: what the malware does, how it behaves on a machine, and what we are doing about it for the organizations we protect.

What GigaWiper is

GigaWiper is written in Go and runs on Windows. It takes instructions as numbered commands, 1 through 20, and several of those commands are destructive.

The important word is backdoor. A traditional wiper is a one-way trip: the attacker gets in, runs the wiper, and destruction is the point. GigaWiper is different. The same implant can capture screenshots and record a user's desktop for weeks, and then, on one command from the operator, overwrite the disks. The espionage and the destruction are the same tool. The operator decides which one runs by sending a command.

GigaWiper is a post-compromise tool. There is no CVE here and nothing to patch. By the time it is on a machine, the attacker is already in. That leaves two things that matter: catching the behaviour early, and containing the machine fast once you do.

Built from older, known malware

GigaWiper is not a single purpose-built tool. Microsoft's analysis shows it is built from at least three previously separate malware families, folded together as on-demand commands inside one backdoor with new command-and-control functionality. The destructive modules come from older, field-tested code rather than something written from scratch.

The fake-ransomware module is based on a ransomware family called Crucio, documented in a CISA advisory published in December 2023. Microsoft found the same function name driving the encryption routine in both Crucio and GigaWiper's command 3, and assessed that the same developer built both. The multi-pass secure wiper is a Go reimplementation of a wiper Microsoft tracks as FlockWiper, first seen on VirusTotal in June 2025. The string “GRAT” appears in FlockWiper's debug paths and in GigaWiper's function names, which points to a further related component that has not been recovered.

Microsoft did not name a country or a group. It did tie GigaWiper's code to the same developer behind Crucio, which is a soft attribution, and a tenuous one, but it is there. Either way, what matters is the lineage: this is proven destructive code that has already been used in the field, reworked into a single implant.

The destructive commands

The destructive commands each work differently, and the recovery path is different for each. The first symptom you see says little about where the operator intends to end up.

Command 1, the raw disk wiper. It bypasses the file system. It enumerates the physical drives, works out which one holds Windows, strips the partition tables from the others, overwrites the raw disk contents, and reboots the machine. There is no file-by-file deletion to reverse, because it destroys the disk at the block level. It does not simply zero the disk; it randomizes the leading byte of each write, which appears to be an attempt to avoid tools that watch for full-disk zeroing.

Command 3, the fake ransomware. This is the one most likely to mislead your incident response. It encrypts files with AES, renames them with a .candy extension, and sets a hard-coded image as the desktop wallpaper. The keys are random and are never saved, and there is no ransom note. There is nothing to pay and nothing to decrypt. It looks like ransomware, so responders spend the first hours treating it as ransomware: looking for a note, looking for a decryptor, working it as a recoverable case. There is no decryptor. The disguise costs your team time and confuses the timeline.

Command 12, the multi-pass secure wiper. This is the FlockWiper-derived module. It works like command 1 but targets the Windows drive specifically, and it overwrites the drive in multiple passes with alternating patterns (zeros, 0xFF, random bytes) to defeat recovery tooling.

There is also command 2, which does not wipe data but makes the machine unbootable. It disables Windows recovery, takes ownership of critical boot and kernel files, and deletes them, leaving the system in a blue-screen state.

The practical takeaway: treat ransomware-like activity with no ransom note as a wiper until proven otherwise. Encrypted files renamed to .candy, a changed wallpaper, no note, and no way to negotiate is not a ransomware incident. Time spent looking for a decryptor is time not spent isolating the machine.

How it hides and communicates

GigaWiper is built to look unremarkable on a busy network.

For persistence, it imitates Microsoft software. It creates a scheduled task named OneDrive Update set to run about every minute and again at startup, and it tracks its execution count in a registry key at HKCU\SOFTWARE\OneDrive\Environment. When it opens its remote-control channel, it creates a Windows firewall rule named after a legitimate Windows component, Microsoft.Windows.CloudExperienceHost, so it does not stand out in a list of firewall rules.

The command-and-control design is the more useful thing to watch. Rather than HTTP or DNS beaconing, GigaWiper uses infrastructure services. It receives tasking over RabbitMQ (an AMQP message broker), reports status and output back over Redis, and exfiltrates files with a MinIO client to attacker-controlled storage. Because those are real tools that many environments run, the traffic can blend in where they are already in use. In one sample Microsoft analyzed, the same C2 host served RabbitMQ on port 5544 and Redis on port 7542.

For tasking, GigaWiper binds its queue to a fanout exchange named “All,” so one command from the operator reaches every infected machine at once. It can also use a topic exchange to hit specific machines. Distributed C2 like this is not new; plenty of malware with a C2 component uses pub/sub messaging. What matters is the blast radius: one command can reach every infected machine across your environment, and the time between the operator sending a wipe and those machines acting on it is short. That is why containment speed matters.

The malware has to communicate before it can destroy, and that is where detection is possible. RabbitMQ and Redis traffic leaving machines that have no reason to use those protocols, especially on non-standard ports, is not normal enterprise traffic. The behaviours worth correlating are network egress, scheduled-task creation, registry writes, and event-log clearing.

Indicators of compromise

Every indicator below is published by Microsoft Threat Intelligence in its July 9, 2026 report, “GigaWiper: Anatomy of a destructive backdoor assembled from multiple malware.” IP addresses are shown in defanged notation.

File hashes (SHA-256)

IndicatorComponent
633d4cbd496b1094495da89a64f5e6c31a0f6d4d1488411db5b0cba1cfe42001GigaWiper backdoor
ce9ad5f6c12019f4aae5b189bd8ddf5bb09e75b06a0a587b25a855c65948c913GigaWiper backdoor
f622ed85ef31ad4ab973f4e74524866fe1bb44f0965ad2b2ad796cd657a05bfdGigaWiper backdoor
9706a192e2c1a1faaf0a521daf31c2af60ff4590e3f47bbb4abc227f42af0683GigaWiper backdoor
3c30deb6556a94cfb84ae51798f4aecfae8c7358e55fdb321c5f2376579631cdGigaWiper standalone wiper
440b5385d3838e3f6bc21220caa83b65cd5f3618daea676f271c3671650ce9a3Crucio
12c39f052f030a77c0cd531df86ad3477f46d1287b8b98b625d1dcf89385d721FlockWiper
db41e0da7ab3305be8d9720769c6950b4dc1c1984ef857d3310eb873a0fc7674FlockWiper

Network indicators

IndicatorDetail
185.182.193[.]21GigaWiper C2 (observed serving RabbitMQ on 5544 and Redis on 7542)
212.8.248[.]104GigaWiper C2
RabbitMQ (AMQP)Command tasking via fanout exchange “All” and topic exchange “Topic”
RedisCommand status and output reporting
MinIO clientFile exfiltration to attacker-controlled storage

Behavioural and host indicators

  • Scheduled task named OneDrive Update running on a roughly one-minute interval
  • Registry key HKCU\SOFTWARE\OneDrive\Environment used for execution-count tracking
  • Windows firewall rule imitating Microsoft.Windows.CloudExperienceHost
  • Files encrypted and renamed with a .candy extension, plus a hard-coded wallpaper change and no ransom note
  • Screen recordings written to C:\ProgramData\output
  • Event logs cleared via the Windows event log utility (wevtutil), including a fallback that directly deletes C:\Windows\System32\winevt\Logs\Security.evtx
  • Deletion of Windows boot, kernel, and recovery files (blue-screen path)
  • VNC-like inbound remote control opened on an attacker-specified TCP port
  • RabbitMQ or Redis connections originating from machines that should never generate them

Because GigaWiper is modular and its operators can rebuild samples and change infrastructure quickly, hash matching alone is not enough. Behaviour-based hunting holds up when the fingerprints change.

How Sentryxx protects our customers

For the organizations we protect, this is the part that matters. Blocking a hash is easy and short-lived, because hashes change. The useful work is watching the behaviour and acting on it early.

Detect. Sentryxx runs a Sumo Logic Cloud SIEM at its core, correlating telemetry from endpoints, network, identity, and infrastructure. For GigaWiper, our detection content keys on the behaviour rather than any single artifact: a roughly one-minute scheduled task posing as a Microsoft updater, RabbitMQ or Redis traffic on unusual ports from machines that never produce it, firewall rules imitating Windows components, event-log clearing, mass file rename to .candy, and deletion of recovery and shadow-copy data. No single one is proof. Together they are a case, and the SIEM assembles it rather than leaving an analyst to connect separate alerts by hand.

Decide. Detections are scored and routed with the context a responder needs: which machine, which user, what it is connected to, and what it can reach next, including backup systems. The decision to contain is made against that context, not a raw alert on its own.

Act. Our SOAR automation, built on D3, carries out containment: isolating the machine, disabling compromised credentials, blocking the C2 at egress, and preserving evidence. It does this regardless of your endpoint vendor or infrastructure, because the containment logic sits in the orchestration layer rather than in any one agent. Whether you run one EDR or three, on-premises, cloud, or hybrid, the response works the same way. Automating the containment step, while people stay in charge of the decisions, is what limits how far an intrusion gets.

Detect. Decide. Act. Against GigaWiper, acting during the window before destruction, automatically and regardless of vendor, is what counts.

Mitigation for everyone, customer or not

You do not need to be a Sentryxx customer to defend against this. This is the checklist we would give any organization that asked, drawn from Microsoft's guidance and our own work:

  1. 1

    Block the two published C2 IPs (185.182.193[.]21 and 212.8.248[.]104) at your egress, and alert on any attempt to reach them.

  2. 2

    Turn on tamper protection so an attacker cannot disable your endpoint protection or add antivirus exclusions before acting.

  3. 3

    Run EDR in block mode with cloud-delivered protection enabled, so behavioural detections are acted on rather than only logged, and allow automated investigation and remediation so response can begin when an alert fires.

  4. 4

    Hunt for the persistence artifacts: the roughly one-minute OneDrive Update scheduled task, the OneDrive\Environment registry key, and firewall rules imitating Windows components.

  5. 5

    Watch your infrastructure protocols: RabbitMQ, Redis, and MinIO traffic leaving machines that have no reason to use them, especially on non-standard ports.

  6. 6

    Treat ransomware-like activity with no ransom note as a wiper. Do not spend hours looking for a decryptor. Isolate first.

  7. 7

    Maintain offline, immutable, and tested backups. Against irreversible destruction, your restore capability is your last line, and it only counts if you have confirmed you can restore from it. Keep backups off the paths the malware could reach.

  8. 8

    Isolate on suspicion. If you find one GigaWiper artifact, treat it as an active intrusion, not a routine cleanup. Disconnect the machine from wired, wireless, VPN, and shared storage, preserve evidence before rebooting or deleting anything, and involve your incident-response owner.

This one concerns us, so we are sharing our approach openly. If you want to talk through your exposure, see the detection content we built for GigaWiper, or get mitigation guidance, message us. Customer or not, we are glad to help. We would rather you have this and never need us.

The bottom line

There is no patch for GigaWiper. It runs after someone is already inside, so the defence comes down to detection and containment: seeing the behaviour early, and containing the machine quickly once you do. A wiper that waits weeks before acting is only hidden until someone is watching for it. A SIEM that correlates the quiet signals and a SOAR that contains the machine when they line up is what closes that gap.

Security. Simplified.

There is nothing to patch and nothing to pay. Against GigaWiper, the only defence is seeing the behaviour early and containing the machine fast. That is exactly what Detect, Decide, Act is built to do.

Concerned about your exposure to GigaWiper?

We are sharing our approach openly. Reach out to talk through your exposure, see the detection content we built for GigaWiper, or get mitigation guidance. Customer or not, we are glad to help.

Source. All technical findings and indicators of compromise are drawn from Microsoft Threat Intelligence, “GigaWiper: Anatomy of a destructive backdoor assembled from multiple malware,” Microsoft Security Blog, July 9, 2026.