{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/destructive/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Windows"],"_cs_severities":["critical"],"_cs_tags":["wiper","destructive","backdoor","ransomware","golang","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eSince October 2025, Microsoft Threat Intelligence has been tracking GigaWiper, a highly destructive Golang-based backdoor that consolidates multiple wiper and ransomware-like capabilities. This implant stands out for its modular design, merging code from previously distinct malware families such as a standalone physical disk wiper, a destructive component derived from Crucio ransomware that encrypts files with unrecoverable keys, and a multi-pass secure wiping logic reimagined from FlockWiper. GigaWiper establishes persistence via a scheduled task and a registry key, communicating with its command-and-control (C2) infrastructure over RabbitMQ and Redis. This consolidation into a single platform reflects an operational efficiency trend among threat actors, aiming to reduce deployment footprints while expanding destructive potential across targeted environments.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial execution of the GigaWiper backdoor implant on a compromised system.\u003c/li\u003e\n\u003cli\u003eThe implant checks for prior execution via the \u003ccode\u003eHKCU\\SOFTWARE\\OneDrive\\Environment\u003c/code\u003e registry key and creates a scheduled task named \u0026quot;OneDrive Update\u0026quot; for persistence, running every minute and at system startup.\u003c/li\u003e\n\u003cli\u003eGigaWiper establishes command-and-control (C2) communication channels, utilizing RabbitMQ and Redis.\u003c/li\u003e\n\u003cli\u003eUpon receiving a destructive command from the C2, GigaWiper enumerates physical disk drives using Windows Management Instrumentation (WMI) queries to identify targets.\u003c/li\u003e\n\u003cli\u003eIt proceeds to target non-Windows drives, removing their partition references via \u003ccode\u003eDeviceIoControl\u003c/code\u003e with \u003ccode\u003eIOCTL_DISK_CREATE_DISK\u003c/code\u003e to reinitialize partitioning metadata.\u003c/li\u003e\n\u003cli\u003eThe malware then overwrites the raw content of the identified drives in 0xA00000-sized chunks, filling the first byte with randomized data and the rest with zeros, effectively destroying data.\u003c/li\u003e\n\u003cli\u003eIn some variants, GigaWiper encrypts files using a mechanism derived from Crucio ransomware, where encryption keys are not saved, rendering data unrecoverable.\u003c/li\u003e\n\u003cli\u003eFinally, it forces an immediate system reboot by invoking Windows shutdown functionality with restart and zero-delay options to finalize the destructive impact.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eGigaWiper's primary impact is severe data destruction and system unavailability. Observed since October 2025, it has been used to wipe compromised environments, rendering systems inoperable and data irrecoverable. The consolidation of multiple wiping and ransomware capabilities means that organizations face a multi-pronged attack that not only deletes files and partitions but also encrypts data without any recovery possibility. This leads to significant operational disruption, data loss, and substantial recovery costs across targeted organizations. While specific victim counts or sectors are not detailed, the nature of the threat indicates potential for widespread damage across any Windows-based enterprise environment.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rules to your SIEM/EDR and tune them for your environment.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process-creation logging to capture \u003ccode\u003eschtasks.exe\u003c/code\u003e and \u003ccode\u003eshutdown.exe\u003c/code\u003e activity to activate the rules above.\u003c/li\u003e\n\u003cli\u003eMonitor for modifications to the \u003ccode\u003eHKCU\\SOFTWARE\\OneDrive\\Environment\u003c/code\u003e registry key by unfamiliar processes, leveraging \u003ccode\u003eregistry_set\u003c/code\u003e logs.\u003c/li\u003e\n\u003cli\u003eImplement strong egress filtering to detect and block suspicious outbound connections, particularly those to unknown RabbitMQ or Redis endpoints.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-09T15:51:46Z","date_published":"2026-07-09T15:51:46Z","id":"https://feed.craftedsignal.io/briefs/2026-07-gigawiper/","summary":"GigaWiper is a sophisticated, Golang-based destructive backdoor observed since October 2025 by Microsoft Threat Intelligence, that combines robust command-and-control (C2) capabilities with multiple destructive payloads, including physical disk wiping, ransomware-like encryption derived from Crucio, and multi-pass secure wiping reimplemented from FlockWiper.","title":"GigaWiper: Multi-Payload Destructive Backdoor","url":"https://feed.craftedsignal.io/briefs/2026-07-gigawiper/"}],"language":"en","title":"CraftedSignal Threat Feed - Destructive","version":"https://jsonfeed.org/version/1.1"}