<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Destructive - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/destructive/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Thu, 09 Jul 2026 15:51:46 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/destructive/feed.xml" rel="self" type="application/rss+xml"/><item><title>GigaWiper: Multi-Payload Destructive Backdoor</title><link>https://feed.craftedsignal.io/briefs/2026-07-gigawiper/</link><pubDate>Thu, 09 Jul 2026 15:51:46 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-gigawiper/</guid><description>GigaWiper is a sophisticated, Golang-based destructive backdoor observed since October 2025 by Microsoft Threat Intelligence, that combines robust command-and-control (C2) capabilities with multiple destructive payloads, including physical disk wiping, ransomware-like encryption derived from Crucio, and multi-pass secure wiping reimplemented from FlockWiper.</description><content:encoded><![CDATA[<p>Since October 2025, Microsoft Threat Intelligence has been tracking GigaWiper, a highly destructive Golang-based backdoor that consolidates multiple wiper and ransomware-like capabilities. This implant stands out for its modular design, merging code from previously distinct malware families such as a standalone physical disk wiper, a destructive component derived from Crucio ransomware that encrypts files with unrecoverable keys, and a multi-pass secure wiping logic reimagined from FlockWiper. GigaWiper establishes persistence via a scheduled task and a registry key, communicating with its command-and-control (C2) infrastructure over RabbitMQ and Redis. This consolidation into a single platform reflects an operational efficiency trend among threat actors, aiming to reduce deployment footprints while expanding destructive potential across targeted environments.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Initial execution of the GigaWiper backdoor implant on a compromised system.</li>
<li>The implant checks for prior execution via the <code>HKCU\SOFTWARE\OneDrive\Environment</code> registry key and creates a scheduled task named &quot;OneDrive Update&quot; for persistence, running every minute and at system startup.</li>
<li>GigaWiper establishes command-and-control (C2) communication channels, utilizing RabbitMQ and Redis.</li>
<li>Upon receiving a destructive command from the C2, GigaWiper enumerates physical disk drives using Windows Management Instrumentation (WMI) queries to identify targets.</li>
<li>It proceeds to target non-Windows drives, removing their partition references via <code>DeviceIoControl</code> with <code>IOCTL_DISK_CREATE_DISK</code> to reinitialize partitioning metadata.</li>
<li>The malware then overwrites the raw content of the identified drives in 0xA00000-sized chunks, filling the first byte with randomized data and the rest with zeros, effectively destroying data.</li>
<li>In some variants, GigaWiper encrypts files using a mechanism derived from Crucio ransomware, where encryption keys are not saved, rendering data unrecoverable.</li>
<li>Finally, it forces an immediate system reboot by invoking Windows shutdown functionality with restart and zero-delay options to finalize the destructive impact.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>GigaWiper's primary impact is severe data destruction and system unavailability. Observed since October 2025, it has been used to wipe compromised environments, rendering systems inoperable and data irrecoverable. The consolidation of multiple wiping and ransomware capabilities means that organizations face a multi-pronged attack that not only deletes files and partitions but also encrypts data without any recovery possibility. This leads to significant operational disruption, data loss, and substantial recovery costs across targeted organizations. While specific victim counts or sectors are not detailed, the nature of the threat indicates potential for widespread damage across any Windows-based enterprise environment.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the provided Sigma rules to your SIEM/EDR and tune them for your environment.</li>
<li>Enable Sysmon process-creation logging to capture <code>schtasks.exe</code> and <code>shutdown.exe</code> activity to activate the rules above.</li>
<li>Monitor for modifications to the <code>HKCU\SOFTWARE\OneDrive\Environment</code> registry key by unfamiliar processes, leveraging <code>registry_set</code> logs.</li>
<li>Implement strong egress filtering to detect and block suspicious outbound connections, particularly those to unknown RabbitMQ or Redis endpoints.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>wiper</category><category>destructive</category><category>backdoor</category><category>ransomware</category><category>golang</category><category>windows</category></item></channel></rss>