Full Report
Microsoft says GigaWiper combines at least 3 malware families into one modular tool
Analysis Summary
# Tool/Technique: GigaWiper
## Overview
GigaWiper is a sophisticated, modular, Golang-based destructive backdoor first identified by Microsoft. It functions as a "Swiss Army knife" for threat actors, consolidating command-and-control (C2) capabilities with multiple data-wiping modules and "pure" ransomware functionality (encryption without the possibility of recovery). It represents an evolution in wiper malware by merging previously distinct malware families into a single, on-demand modular framework.
## Technical Details
- **Type:** Backdoor / Wiper / Ransomware
- **Platform:** Windows (Portable Executable)
- **Capabilities:** Disk wiping, file encryption, data exfiltration, screen recording, remote control (HID), and persistence.
- **First Seen:** October 2025 (Spotted by Microsoft)
- **Language:** Golang (Unstripped)
## MITRE ATT&CK Mapping
- **[TA0003 - Persistence]**
- [T1547 - Boot or Logon Autostart Execution]
- **[TA0011 - Command and Control]**
- [T1071.004 - Application Layer Protocol: DNS/Custom (AMQP/RabbitMQ)]
- **[TA0009 - Collection]**
- [T1113 - Screen Capture]
- **[TA0010 - Exfiltration]**
- [T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage (MinIO)]
- **[TA0040 - Impact]**
- [T1561.002 - Disk Structure Wipe]
- [T1486 - Data Encrypted for Impact]
- [T1490 - Inhibit System Recovery]
- [T1499 - Endpoint Denial of Service (BSOD)]
## Functionality
### Core Capabilities
- **Modular Command Structure:** Organizes tasks into "Always Run," "Manage Command," "Special Command," and "Shell Command" modes.
- **C2 Communication:** Utilizes **RabbitMQ** over AMQP for receiving commands and **Redis** for status/output reporting.
- **Data Destruction:** Includes a standalone disk wiper that overwrites raw disk content and removes partition metadata at the physical level.
- **Remote Control:** Provides keyboard and mouse control, alongside PowerShell execution and shell access.
### Advanced Features
- **Irreversible Encryption:** Integrates code from the **Crucio ransomware** family to encrypt files with randomly generated keys that are never saved or transmitted, making decryption impossible.
- **Information Harvesting:** Continuous screen recording, screenshots, and system metadata collection.
- **System Sabotage:** Disables Windows recovery environments and triggers a Blue Screen of Death (BSOD) to render the device unbootable.
- **Cloud Exfiltration:** Uses the **MinIO Client (mc)** to automate the upload of stolen data to remote storage buckets.
## Indicators of Compromise
- **File Hashes:** *(Note: Specific MD5/SHA hashes were not provided in the source article text, but unstripped Golang PEs are a primary indicator.)*
- **Network Indicators:**
- RabbitMQ/AMQP traffic on non-standard or standard ports.
- Redis traffic for command status updates.
- Connections to [MinIO] storage endpoints for data exfiltration.
- **Behavioral Indicators:**
- `shutdown /r /t 0` (Zero-delay reboot after disk wiping).
- Clearing of Windows Event Logs.
- Presence of unauthorized screen recording processes.
## Associated Threat Actors
- **Unknown:** Microsoft has not publicly attributed GigaWiper to a named threat group (e.g., APT or FIN) as of the report date, though the sophistication suggests a well-resourced actor.
## Detection Methods
- **Behavioral Detection:**
- Monitor for raw disk access attempts by unauthorized processes.
- Detect high-frequency file encryption patterns without subsequent key exchange.
- Identify unauthorized use of the MinIO Client (`mc.exe`).
- **Network Detection:** Inspect AMQP and Redis protocols originating from endpoints to unusual external or internal IP addresses.
- **Signature-based:** Scan for unstripped Go binaries containing strings related to "Crucio," "FlockWiper," or specific RabbitMQ/Redis library signatures.
## Mitigation Strategies
- **Data Protection:** Maintain offline, immutable backups to recover from irreversible "ransom-wipe" attacks.
- **Hardening:** Disable or restrict PowerShell for non-administrative users and monitor for `vssadmin.exe` or `bcdedit.exe` modifications.
- **Egress Filtering:** Block or monitor outbound connections on ports associated with RabbitMQ/Redis and restrict access to unauthorized cloud storage providers.
- **Access Control:** Implement the principle of least privilege to prevent malware from gaining raw disk access or clearing system logs.
## Related Tools/Techniques
- **Crucio Ransomware:** Integrated into GigaWiper for its encryption routines.
- **FlockWiper:** Reimplemented in Go as a module within GigaWiper.
- **Standalone Wiper:** A physical disk-level destruction tool incorporated into the framework.
- **MinIO Client (mc):** Used for exfiltration.