July 13, 2026
GigaWiper: Destructive Modular Backdoor
Intro

By SOCFortress
3 min read
Intro
GigaWiper (also known as BLUERABBIT) identified by investigators in October 2025. This Golang-based backdoor represents a strategic pivot toward industrial-grade destruction. It is a unified platform that allows an adversary to maintain a persistent presence, conduct weeks of quiet espionage, and ultimately execute a "kill" command from which there is no recovery.
A Modular Amalgamation
GigaWiper is a "Frankenstein" creation, synthesized from at least three previously independent malware families. Rather than building a new weapon from scratch, the developers have modernized and folded existing destructive capabilities into a single, modular backdoor. This modularity allows the actor to operate with extreme efficiency, selecting the specific flavor of damage — file-level, disk-level, or system-wide — needed for a target.
The malware's anatomy includes:
- Crucio Ransomware: The code base used for the backdoor's deceptive encryption module.
- FlockWiper: Originally a C-based wiper, now modernized as a Golang reimplementation within GigaWiper to ensure cross-platform compatibility and detection evasion.
- Standalone Disk Wiper: A physical-level wiper that reinitializes partition metadata and overwrites raw disk content.
The investigative "bread crumbs" left in the code suggest a broader developer framework. Investigators discovered the string "GRAT" embedded in GigaWiper function names and within the PDB paths of earlier FlockWiper samples (e.g., A:\GRAT\CWipeNew\...). This naming convention serves as a strategic link, proving these disparate tools are part of a centralized, evolving arsenal.
"The consolidation of multiple destructive capabilities into a modular backdoor reflects a notable shift in wiper malware, which are typically designed purely to destroy rather than to extort and carry real-world consequences," noted Microsoft Threat Intelligence.
Encryption Without Salvation
One of GigaWiper's most cynical features is its "fake ransomware" function (Command 3). Derived from the Crucio family, this module encrypts files and appends the .candy extension, mimicking a standard extortion attack. It even drops a "danger" wallpaper to complete the theater of a ransom demand.
The technical reality is a death sentence for data. The malware generates random encryption keys and initialization vectors (IVs) that are never saved or transmitted back to the C2 server. Because the keys are discarded the moment the files are processed, decryption is mathematically impossible. This transforms a tool of leverage into a tool of permanent deletion.
Victims should never pay a ransom for files with the .candy extension; the data is effectively destroyed the moment the process begins.
Industrial-Grade Infrastructure for Digital Chaos
GigaWiper's choice of Command-and-Control (C2) infrastructure is surprisingly robust. While many malware authors rely on custom, fragile protocols, GigaWiper utilizes industry-standard messaging and database technologies to ensure resilience:
- RabbitMQ over AMQP: Used for receiving commands via a "fanout" exchange, allowing the actor to broadcast destruction to all infected nodes simultaneously.
- Redis: Used for real-time status updates and to upload output from stolen data.
By leveraging these enterprise-grade tools, the attackers ensure their communications are high-performance and capable of blending in with legitimate network traffic. It is a professionalized approach to management that treats an infection like a distributed cloud application.
The "Always Run" Commands
GigaWiper's capabilities extend far beyond the final wipe. The backdoor facilitates total system surveillance through "always run" commands that allow the actor to monitor a target for weeks before the final payload.
- Continuous Surveillance: Command 10 records the screen whenever the user is active, while Command 20 establishes a VNC-like server for remote keyboard and mouse control.
- System Management: The actor can navigate the registry (Command 18), manipulate services (Command 17), and kill processes (Command 16).
- Persistence: The malware ensures it stays on the system by creating a scheduled task deceptively named "OneDrive Update," configured to run every single minute.
- Investigative Oddities: When clearing event logs (Command 19), the malware prints a peculiar, hard-coded string: "kharbvnmhkjbkjb" — a bizarre calling card in an otherwise professional tool.
To ensure the "kill" is permanent, the actor utilizes Command 2. This special command disables Windows recovery, takes ownership of kernel files, and triggers a Blue Screen of Death (BSOD), leaving the device unable to boot.
Efficiency Over Quantity
The shift from unstripped standalone binaries to a "single robust backdoor" marks a significant evolution in the actor's operational philosophy. By merging espionage and destruction into one implant, the attacker reduces their footprint while expanding their menu of options.
This efficiency is most visible in the wiping logic. The actor can choose between a quick hit or a thorough sanitization:
- Command 1: A standalone physical disk wiper that overwrites partition metadata to prevent the OS from recognizing the drive.
- Command 12 (Secure Wiping): Based on the modernized FlockWiper logic, this performs an "industrial-grade" multi-pass wipe. It overwrites the Windows installation drive multiple times using a sequence of 0s, 0xFF, and random bytes, ensuring that even advanced forensic recovery is impossible.
GigaWiper signals a transition from "pure" wipers to unified platforms for cyber sabotage. By combining persistent monitoring, registry manipulation, and irreversible encryption, it represents a threat that is far more sophisticated than the ransomware of years past.