Listen to this Post

Introduction
A sophisticated Golang‑based backdoor family now tracked as GigaWiper is raising the bar for destructive malware by merging extensive command‑and‑control (C2) capabilities with multiple interchangeable payloads. What sets GigaWiper apart is not merely its capacity to wipe disks or encrypt files beyond recovery, but the way it consolidates several previously separate wipers and extortion tools into a single modular implant. This consolidation allows operators to switch destruction modes on demand—from physical‑disk wipes to fake ransomware that renders files unrecoverable, all while maintaining persistent, remotely controlled access.
Learning Objectives
- Understand the modular architecture of GigaWiper and how it combines multiple destructive payloads within a single Golang backdoor.
- Analyse the persistence mechanism that abuses a scheduled task named “OneDrive Update” and registry key tracking to maintain stealthy, long‑term access.
- Learn to identify, detect, and mitigate GigaWiper infections using endpoint detection, registry monitoring, and C2 infrastructure blocking.
You Should Know
- The Deceptive Persistence Trick: “OneDrive Update” Scheduled Task
GigaWiper’s stealth begins with a remarkably simple persistence mechanism. On first execution, the implant writes a registry key at `HKCU\SOFTWARE\OneDrive\Environment` to track how many times it has run. It then creates a scheduled task named “OneDrive Update”, configured to execute every minute and at system startup. On subsequent runs, the malware detects the registry value, increments it, and behaves as an expected child process of the scheduled task—an operational choice that reduces suspicion and leverages a trusted Windows scheduler for persistent destructive access.
Step‑by‑step breakdown of the persistence chain:
- First run: Write registry key `HKCU\SOFTWARE\OneDrive\Environment` (value = 1).
- Create scheduled task: `schtasks /create /tn “OneDrive Update” /tr “C:\path\to\gigawiper.exe” /sc MINUTE /mo 1 /ru SYSTEM`
3. Subsequent runs: Read registry value, increment it, execute payload as scheduled‑task child process. - Evasion: The task name mimics legitimate OneDrive updates, blending into normal system activity.
Detection and mitigation commands (Windows):
- List all scheduled tasks:
schtasks /query /fo LIST /v | findstr "OneDrive Update"
- Query the registry key:
reg query HKCU\SOFTWARE\OneDrive\Environment
- Delete the malicious scheduled task:
schtasks /delete /tn "OneDrive Update" /f
- Remove the registry key:
reg delete HKCU\SOFTWARE\OneDrive\Environment /f
- Enable advanced audit policy to monitor scheduled task creation:
auditpol /set /subcategory:"Task Scheduler" /success:enable /failure:enable
- Modular Destruction: Physical‑Disk Wipes, Fake Ransomware, and Multi‑Pass Secure Erasure
GigaWiper is not a single‑purpose wiper; it is a Swiss Army knife of destruction. The standalone component actively enumerates physical disks via WMI, identifies the Windows installation drive, removes partition metadata from non‑system drives using `DeviceIoControl` with IOCTL_DISK_CREATE_DISK, overwrites raw disk sectors in large chunks with randomised‑first‑byte buffers, and forces an immediate restart. Embedded within the backdoor as command 1 (WipeMain) is identical functionality, while command 12 (WipeCMain) offers a C‑drive‑only, multi‑pass secure wipe.
A third destructive command reproduces Crucio‑derived logic: a “ransomware” routine that AES‑CBC encrypts files with randomly generated keys that are never saved, renames victims’ files with a `.candy` extension, and drops no viable recovery path—functionally a wiper masquerading as extortion.
Defensive measures:
- Block `DeviceIoControl` calls from non‑administrative contexts using AppLocker or WDAC (Windows Defender Application Control).
- Monitor for abnormal disk I/O patterns via EDR or Sysmon (Event ID 7 for image loaded, Event ID 11 for file creation).
- Enable Windows Defender tamper protection and cloud‑delivered protection to catch evolving variants.
- C2 and Operational Telemetry: RabbitMQ, Redis, and AES‑Protected Configuration
GigaWiper’s C2 infrastructure is robust and enterprise‑grade. It uses RabbitMQ over AMQP for command distribution and Redis for status and output reporting. The implant decrypts a hard‑coded AES‑protected configuration containing C2 endpoints and credentials; observed infrastructure includes addresses like `185.182.193[.]21` on non‑standard ports.
The RabbitMQ design uses a fanout exchange named “All” for broadcast commands and a topic exchange “Topic” for targeted tasks, with commands modelled as structured `Task` and `Result` objects. This messaging approach scales control across many infected hosts while enabling per‑host targeting when required.
Network detection and blocking (Linux /防火墙):
- Block outbound connections to known C2 IPs:
iptables -A OUTPUT -d 185.182.193.21 -j DROP iptables -A OUTPUT -d 212.8.248.104 -j DROP
- Snort/Suricata rule to detect AMQP traffic on non‑standard ports:
alert tcp $HOME_NET any -> $EXTERNAL_NET 5672:5673 (msg:"GigaWiper RabbitMQ C2"; flow:to_server,established; content:"AMQP"; depth:4; classtype:trojan-activity; sid:20260710;)
- Monitor for Redis connections on port 6379 or non‑standard ports to external IPs.
- Remote Access Arsenal: Keyloggers, Screen Recording, VNC, and More
Beyond wiping and fake‑ransom features, GigaWiper implements a comprehensive suite of remote‑access and system‑management capabilities:
– Process and service management
– Registry navigation and persistent sessions
– File upload via the MinIO client
– Screenshotting and screen recording
– Keylogger and VNC‑like remote control
– Event‑log clearing
This broad functionality transforms GigaWiper from a mere wiper into a full‑spectrum remote access trojan (RAT) capable of espionage, data exfiltration, and prolonged foothold maintenance.
Detection commands (Windows):
- List running processes for可疑 Golang binaries:
Get-Process | Where-Object { $_.Path -match "giga|wiper|temp" } - Check for keylogger hooks using Sysinternals Autoruns:
autoruns64.exe -accepteula -v | findstr "keylog"
- Monitor event log clearing (Event ID 1102):
wevtutil qe Security /c:10 /f:text /q:"[System[(EventID=1102)]]"
- Code Lineage: From FlockWiper and Crucio to GigaWiper
Code overlap and shared strings link GigaWiper to at least three prior families: a standalone wiper, Crucio‑like extortion code (BigBangExtortMain), and FlockWiper, the latter reimplemented from C into Golang for inclusion as WipeCMain. PDB path artifacts referencing “GRAT” further tie these components together and suggest a common developer or framework across iterations.
YARA rule snippet for detecting GigaWiper variants:
rule GigaWiper_Backdoor {
meta:
description = "Detects GigaWiper Golang backdoor"
author = "Threat Intelligence"
date = "2026-07-10"
strings:
$a = "rabbit_tools_tool_wipe_main.WipeMain" wide
$b = "OneDrive Update" wide
$c = "HKCU\SOFTWARE\OneDrive\Environment" wide
$d = "BigBangExtortMain" wide
$e = "WipeCMain" wide
condition:
uint16(0) == 0x5A4D and (all of ($a,$b,$c) or ($d and $e))
}
6. Indicators of Compromise (IoCs) and Threat Hunting
GBHackers and Microsoft Threat Intelligence have published a comprehensive set of IoCs:
| Indicator | Type | Description |
|–||-|
| `633d4cbd496b1094495da89a64f5e6c31a0f6d4d1488411db5b0cba1cfe42001` | SHA‑256 | GigaWiper backdoor |
| `ce9ad5f6c12019f4aae5b189bd8ddf5bb09e75b06a0a587b25a855c65948c913` | SHA‑256 | GigaWiper backdoor |
| `f622ed85ef31ad4ab973f4e74524866fe1bb44f0965ad2b2ad796cd657a05bfd` | SHA‑256 | GigaWiper backdoor |
| `9706a192e2c1a1faaf0a521daf31c2af60ff4590e3f47bbb4abc227f42af0683` | SHA‑256 | GigaWiper backdoor |
| `3c30deb6556a94cfb84ae51798f4aecfae8c7358e55fdb321c5f2376579631cd` | SHA‑256 | GigaWiper standalone wiper |
| `440b5385d3838e3f6bc21220caa83b65cd5f3618daea676f271c3671650ce9a3` | SHA‑256 | Crucio |
| `12c39f052f030a77c0cd531df86ad3477f46d1287b8b98b625d1dcf89385d721` | SHA‑256 | FlockWiper |
| `db41e0da7ab3305be8d9720769c6950b4dc1c1984ef857d3310eb873a0fc7674` | SHA‑256 | FlockWiper |
| `185.182.193[.]21` | IP address | GigaWiper C2 |
| `212.8.248[.]104` | IP address | GigaWiper C2 |
Note: IP addresses and domains are intentionally defanged (e.g.,
[.]) to prevent accidental resolution. Re‑fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
Threat hunting query (Splunk):
index=windows sourcetype=WinEventLog:Security (EventCode=4698 OR EventCode=4699) TaskName="OneDrive Update" | stats count by host, user, TaskName
7. Mitigation Strategy: A Layered Defence Approach
Defenders should prioritise the following actions:
- Block identified C2 infrastructure at the network perimeter and DNS level.
- Enforce tamper protection and always‑on EDR across all endpoints.
- Prevent unauthorised Scheduled Task creation and registry modifications from non‑privileged contexts using Group Policy and Windows Defender Application Control.
- Map Microsoft’s published detections to network and endpoint controls.
- Enable cloud‑delivered protections to catch evolving variants in real time.
Group Policy settings to harden against scheduled task abuse:
– Disable non‑admin scheduled task creation:
Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment > "Create scheduled tasks" → restrict to Administrators only
– Enable registry auditing for HKCU\SOFTWARE\OneDrive:
auditpol /set /subcategory:"Registry" /success:enable /failure:enable
What Undercode Say
- Modular malware is the new norm: GigaWiper exemplifies a broader shift in destructive tooling—from single‑purpose wipers to modular, remotely orchestrated platforms that combine stealthy persistence with on‑demand weaponisation. This trend demands a rethinking of defence strategies: signature‑based detection alone is no longer sufficient.
- Abuse of trusted system components is the ultimate camouflage: By masquerading as a legitimate “OneDrive Update” scheduled task and leveraging Windows’ own scheduler, GigaWiper demonstrates how attackers exploit built‑in administrative tools to fly under the radar. Defenders must treat any scheduled task with a benign‑sounding name as a potential threat and enforce strict least‑privilege policies.
Analysis: The GigaWiper campaign underscores a critical vulnerability in many enterprise environments: the over‑reliance on perimeter defences while neglecting endpoint visibility and behavioural analytics. The use of RabbitMQ and Redis for C2 communication indicates a level of operational maturity typically associated with state‑sponsored or well‑funded cybercriminal groups. Organisations should invest in proactive threat hunting, leverage threat intelligence feeds to block IoCs, and conduct regular purple‑team exercises to test detection and response capabilities against modular wipers. The consolidation of multiple destructive payloads into a single implant also raises the stakes for incident response—containment must be swift and comprehensive to prevent the attacker from switching between wipe modes.
Prediction
- +1 The disclosure of GigaWiper’s TTPs will drive rapid innovation in endpoint detection and response (EDR) solutions, with vendors incorporating behavioural rules specifically tailored to detect scheduled‑task abuse and registry‑based execution tracking. This will ultimately strengthen the overall security posture of organisations that adopt these updated defences.
-
-1 The modular, Golang‑based architecture of GigaWiper lowers the barrier for other threat actors to clone, modify, and redistribute similar toolkits. We can expect a surge in “wiper‑as‑a‑service” offerings on underground forums, leading to an increase in destructive attacks against mid‑sized enterprises that lack advanced threat hunting capabilities.
-
-1 Because GigaWiper leverages widely used messaging protocols (AMQP) and data stores (Redis) for C2, traditional network security appliances that rely on port‑based or signature‑based detection will struggle to identify malicious traffic. This will force security teams to adopt deep packet inspection and behavioural analytics, increasing operational overhead and potentially creating detection gaps during the transition period.
-
+1 Microsoft’s proactive threat intelligence sharing and the publication of detailed IoCswill enable security information and event management (SIEM) platforms to rapidly deploy detection rules, giving defenders a crucial head start in identifying and containing GigaWiper infections before they escalate to full‑scale data destruction.
▶️ Related Video (82% Match):
https://www.youtube.com/watch?v=1RDye9EQUwo
🎯Let’s Practice For Free:
🎓 Live Courses & Certifications:
Join Undercode Academy for Verified Certifications
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands
IT/Security Reporter URL:
Reported By: Mayura Kathiresh – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


