Microsoft dates the destructive activity to October 2025, and its analysis shows why the incident matters: this is not a single exploit to patch but a multi-purpose backdoor that lets an operator choose how — and whether — to destroy a machine.
Three destructive modes and silent spying
Microsoft calls the Windows backdoor GigaWiper. Instead of being a single crash-for-cash tool, it bundles three older destructive programs into one implant that accepts numbered commands. Three commands explicitly render a host irrecoverable:
- A raw disk wiper that overwrites the physical drive and wipes the partition table before rebooting, destroying the disk layout rather than removing files one by one.
- A fake ransomware module built on older Crucio code that encrypts files, appends a .candy extension, and changes the desktop wallpaper to a warning image — but never saves the key, so the encryption is irreversible.
- A multi-pass overwrite targeting the Windows drive, a Go rewrite of a wiper Microsoft tracks as FlockWiper.
Microsoft emphasizes that none of these modes leaves a way back: encrypted files cannot be unlocked because the key is gone, and wiped drives can only be rebuilt from clean backups. The implant is also a spying platform. The same backdoor can take screenshots of every monitor, record screens while someone works, open a hidden VNC session for remote control, collect system details, manage processes and services, edit the registry, and wipe Windows event logs. Microsoft found additional dormant commands in examined samples, including stubs for a keylogger and extra wipers.
Built to hide: masquerade, firewall rules, and legitimate services
GigaWiper takes multiple steps to blend in. It pretends to be OneDrive by creating a scheduled task named OneDrive Update that runs every minute and by recording itself under the registry key HKCU\SOFTWARE\OneDrive\Environment. When it opens its remote-control channel it hides behind a firewall rule named Microsoft.Windows.CloudExperienceHost.
For command-and-control and exfiltration, GigaWiper skips bespoke HTTP traffic and instead uses standard business services: RabbitMQ for tasking, Redis for results, and MinIO for exfiltration. Microsoft warns that because those channels are legitimate enterprise tools, their use can make the malware’s network traffic look ordinary on networks that already run those services.
Crucio, FlockWiper, and the recurring GRAT tag
Microsoft traces the fake-ransomware portion back to Crucio and identifies the multi-pass wiper as a Go rewrite of FlockWiper, assessing that the same developer built all three components. Microsoft found a recurring tag, "GRAT", in FlockWiper debug paths and in GigaWiper function names, tying the tools together and suggesting further components not yet seen.
Microsoft names no country in its assessment. Binary Defense, which reported the same malicious files under the name BLUERABBIT, lists the same four file hashes and the same command servers Microsoft provided; Binary Defense, citing Google's Threat Intelligence Group, ties the malware to a likely Iran-nexus group aimed at Israeli organizations. The timing differs by source: Microsoft dates destructive activity to October 2025, while Binary Defense first saw the files as BLUERABBIT in March 2026. Microsoft also notes a Crucio sample that carries the same fingerprint listed in a December 2023 CISA advisory on CyberAv3ngers.
Signals defenders can use and Microsoft’s mitigations
Microsoft highlights a short list of practical, observable signals defenders should look for:
- A scheduled task named OneDrive Update that repeats every minute.
- RabbitMQ or Redis traffic originating from ordinary desktops rather than servers.
- Processes using takeown and icacls to take ownership of Windows boot files such as bootmgr and ntoskrnl.exe outside maintenance windows.
On products and blocking, Microsoft recommends turning on tamper protection, running endpoint detection in block mode, enabling cloud-delivered protection and automatic remediation, and blocking the two known command servers at 185.182.193[.]21 and 212.8.248[.]104. Microsoft also published a full list of file hashes, server addresses, and detection names in its report.
What this means for defenders, Israeli organizations, and Microsoft & Binary Defense
- Defenders and security teams: Treat a discovered implant as potentially destructive by design; prioritize rapid detection, offline clean backups, and the specific signals Microsoft lists rather than looking for a single patchable vulnerability.
- Israeli organizations: Binary Defense and Google's Threat Intelligence Group have linked sightings to a likely Iran-nexus group with targeting against Israeli organizations; organizations in the region should watch for the listed indicators and the two command-server IPs.
- Microsoft and Binary Defense: Both vendors published overlapping technical data — Microsoft under the name GigaWiper and Binary Defense under BLUERABBIT — and share matching hashes and command servers, reinforcing the operational link even as attribution and victim scope remain to be fully confirmed.
The core tactical shift here is simple and stark: attackers folded spying and irreversible destruction into one flexible implant, and because that implant acts after initial access rather than exploiting a patchable flaw, the defensive emphasis must be on detection, isolation, and resilient backups. The Hacker News has reached out to Microsoft and to Binary Defense for confirmation that GigaWiper and BLUERABBIT are the same malware and for details on victim scope and attribution, and will update the story with any response.




