Key Takeaways
Background
GigaWiper represents a significant evolution in destructive malware. Rather than functioning as a standalone wiper or ransomware variant, it operates as a comprehensive offensive platform capable of supporting every stage of an intrusion, from persistence and reconnaissance to remote administration and ultimately destructive operations. This architecture provides attackers with considerable operational flexibility. Instead of deploying multiple malware families throughout an intrusion, operators can maintain long-term access using a single implant before selectively executing destructive functionality when operational objectives require it. Consolidating these capabilities also reduces deployment complexity, minimizes opportunities for defenders to detect additional malware installations, and simplifies attacker C2 operations.
Equally significant is Microsoft's determination that GigaWiper was assembled by integrating multiple previously independent malware families into one framework. Rather than developing entirely new destructive capabilities, the threat actor appears to have modernized and consolidated proven tooling into a single Golang-based platform. This approach suggests an emphasis on operational efficiency and continued investment in reusable malware frameworks rather than disposable campaign-specific malware.
Current Threat Landscape
Historically, destructive malware has largely consisted of purpose-built tools designed to erase data or disrupt operations. Families such as Shamoon, HermeticWiper, WhisperGate, and AcidRain focused primarily on causing immediate operational impact with relatively limited post-compromise functionality.
GigaWiper represents a notable departure from that model.
Rather than existing solely as a destructive payload, GigaWiper integrates persistence, C2, reconnaissance, surveillance, remote administration, and multiple destructive options within a single implant. This modular architecture enables attackers to quietly maintain access before deciding whether to conduct espionage, deploy additional tooling, destroy systems, or perform several of these activities during the same intrusion.
Microsoft identified two primary variants during its investigation:
Further reverse engineering revealed that these destructive components were not developed independently. Instead, Microsoft determined that functionality from at least three previously separate malware families, including Crucio and FlockWiper, had been incorporated into the larger backdoor. This architectral evolution demonstrates a shift away from deploying separate tools toward unified operational platforms capable of adapting to changing mission objectives.
Technical Analysis
Unlike conventional ransomware or standalone wipers, GigaWiper functions as a full-featured remote administration framework capable of executing destructive commands on demand. The malware establishes persistence by creating a scheduled task named OneDrive Update, while maintaining execution state through the registry key HKCU\SOFTWARE\OneDrive\Environment. This persistence mechanism masquerades as legitimate OneDrive configuration data while ensuring the malware automatically executes at regular intervals following system startup.
For C2 communications, GigaWiper employs two separate technologies - RabbitMQ over AMQP for receiving attacker commands and Redis for uploading command results and execution status. Configuration information, including infrastructure addresses and authentication credentials, is encrypted using AES before being embedded within the malware. This separation of command delivery and status reporting reflects a relatively mature C2 architecture more commonly associated with advanced backdoors than traditional destructive malware.
Microsoft identified twenty distinct command functions within the implant, including but not limited to:
This breadth of functionality enables operators to conduct reconnaissance, maintain access, administer compromised hosts, collect intelligence, and ultimately destroy systems without deploying additional malware families.
One particularly noteworthy capability is the malware's destructive encryption routine. Although superficially resembling ransomware, the malware generates random AES encryption keys and initialization vectors that are intentionally discarded after encryption. Unlike conventional ransomware operations, no mechanism exists for recovering encrypted files because the encryption material is never retained. Consequently, the routine creates the appearance of ransomware while functioning as an irreversible data destruction mechanism rather than an extortion tool. Perhaps the most important architectural finding is Microsoft's determination that GigaWiper combines functionality from multiple previously separate malware families into one implant.
The unified framework incorporates:
Rather than deploying these capabilities separately, operators can invoke each through individual command codes within the backdoor. This modular approach significantly expands operational flexibility while reducing deployment complexity and infrastructure requirements. From a defender's perspective, this convergence also complicates detection because the same implant may exhibit behavior ranging from relatively benign administrative activity to catastrophic destructive operations depending on the commands issued by the attacker.
PolySwarm Telemetry Findings
Independent analysis using PolySwarm successfully identified all eight publicly referenced malware samples from Microsoft’s reporting, including four GigaWiper backdoors, one standalone GigaWiper wiper, one Crucio sample, and two FlockWiper samples. Every sample was classified as malicious, independently corroborating Microsoft's reverse engineering findings and confirming broad detection coverage across the malware family.
PolySwarm analysis also identified an intriguing relationship involving several of the GigaWiper backdoor samples. Three of the four backdoor binaries received Zebrocy family classifications from PolySwarm's PolyUnite engine, while ClamAV consistently detected those same samples as Win.Trojan.Zebrocy-6808822-0. The affected samples include:
Technical characteristics supporting the classifier overlap include:
Zebrocy is a long-running malware family historically associated with APT28 (also tracked as Fancy Bear, Sofacy, Sednit, Forest Blizzard, and STRONTIUM), a threat group widely attributed to Russia's GRU Unit 26165 by multiple governments and security vendors.
However, the available evidence suggests the obse
Analyst Commentary
GigaWiper represents a notable evolution in destructive malware engineering. Rather than deploying independent tools for persistence, reconnaissance, surveillance, remote administration, ransomware, and disk wiping, attackers have consolidated these capabilities into a single operational framework capable of supporting an entire intrusion lifecycle. This modular approach reduces deployment complexity while enabling operators to transition seamlessly from intelligence collection to destructive actions as mission objectives evolve.
The independent PolySwarm analysis adds another layer of insight by highlighting technical similarities between several GigaWiper backdoor samples and the historical Zebrocy malware family. Although insufficient to support definitive attribution, these findings demonstrate how collaborative malware intelligence can identify relationships that may not yet appear in public vendor reporting. Such observations can guide future hunting efforts, prioritize reverse engineering, and help analysts identify potential links between seemingly unrelated malware families.
PolySwarm's crowdsourced malware intelligence platform is particularly well suited for threats of this nature. By aggregating verdicts from dozens of independent security engines while correlating historical malware families, behavioral relationships, and emerging variants, PolySwarm enables defenders to identify new campaigns more rapidly than traditional single-vendor approaches. The platform's ability to independently recognize all publicly referenced GigaWiper-related samples, and to surface the unexpected Zebrocy overlap, illustrates how collaborative intelligence can provide defenders with additional context that supports more informed threat hunting and incident response.
IOCs
PolySwarm has multiple samples of malware associated with this activity.
GigaWiper
633d4cbd496b1094495da89a64f5e6c31a0f6d4d1488411db5b0cba1cfe42001
f622ed85ef31ad4ab973f4e74524866fe1bb44f0965ad2b2ad796cd657a05bfd
9706a192e2c1a1faaf0a521daf31c2af60ff4590e3f47bbb4abc227f42af0683
ce9ad5f6c12019f4aae5b189bd8ddf5bb09e75b06a0a587b25a855c65948c913
3c30deb6556a94cfb84ae51798f4aecfae8c7358e55fdb321c5f2376579631cd
Crucio
440b5385d3838e3f6bc21220caa83b65cd5f3618daea676f271c3671650ce9a3
FlockWiper
db41e0da7ab3305be8d9720769c6950b4dc1c1984ef857d3310eb873a0fc7674
12c39f052f030a77c0cd531df86ad3477f46d1287b8b98b625d1dcf89385d721
Don’t have a PolySwarm account? Go here to sign up for a free Community plan or subscribe.
Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports.