Skip to content
feed: live
>_ 0dayNews
threat intel
● Breaking

GigaWiper/BLUERABBIT: Go-based wiper, CyberAv3ngers-linked

Microsoft and Binary Defense concurrently disclose a Go-based Windows destructive backdoor — wipe, fake ransomware, spyware in one binary — attributed to Iran-nexus CyberAv3ngers.

GigaWiper/BLUERABBIT: Go-based wiper, CyberAv3ngers-linked
Image: 0dayNews / 0dayNews Editorial · All rights reserved
airgap airgap · Published · 4 min read

Microsoft Security Blog named a destructive Windows backdoor it tracks as GigaWiper on 2026-07-09. Binary Defense published concurrently under the name BLUERABBIT. Same family, two write-ups, same day. Written in Go. Bundles three destructive stubs — raw disk wipe, multi-pass Windows-drive overwrite, fake-ransomware that encrypts with a key the operator never keeps — plus a surveillance stack (screenshots, screen recording, VNC, registry edit, event-log wipe). Command traffic runs over RabbitMQ, Redis, and MinIO — legitimate business protocols, not a bespoke C2. Microsoft dates the destructive activity to October 2025. Binary Defense first saw samples 2026-03. Public disclosure 2026-07-09. Attribution: CyberAv3ngers, the Iran IRGC-linked group named in CISA’s December 2023 advisory, per Binary Defense — via code fingerprints matching prior Crucio samples. Microsoft names no country. Confidence: family and capability confirmed; attribution vendor-attested, treat as high-but-single-vendor pending independent confirmation.

What’s confirmed

  • Family, two names. Microsoft calls it GigaWiper. Binary Defense calls it BLUERABBIT. Debug paths contain the string “GRAT.” Same binary. Confidence: high, both vendors.
  • Language. Written in Go. Confidence: high.
  • Three destructive modes, operator-selectable. Raw disk wipe including partition-table destruction; multi-pass overwrite of the Windows drive; and a fake-ransomware mode that encrypts files with a key never persisted, presented as ransomware to the victim but destructive by design. Confidence: high.
  • Ransomware component lineage. The fake-ransomware stub reuses code from Crucio — the family CISA called out in the December 2023 CyberAv3ngers advisory. Confidence: high, per Binary Defense fingerprinting.
  • Surveillance stack alongside destruction. Screenshot capture, screen recording, VNC access, registry editing, event-log clearing. Confidence: high.
  • Command channel abuses legitimate protocols. RabbitMQ, Redis, MinIO — services normal enterprises actually run. Detection by protocol alone is not viable. Confidence: high.
  • Persistence. Scheduled task named OneDrive Update set to fire every minute. Registry tracking at HKCU\SOFTWARE\OneDrive\Environment. Confidence: high.
  • Firewall rule. Named Microsoft.Windows.CloudExperienceHost, a legitimate Windows component the operator borrowed the name from. Confidence: high.
  • Attribution. Binary Defense links to CyberAv3ngers, an Iran IRGC-nexus group, against Israeli targets. Microsoft’s write-up names no threat actor and no country. Confidence: high on Binary Defense’s attribution, unconfirmed by Microsoft directly.
  • Timeline dates. Microsoft dates destructive activity to October 2025. Binary Defense first observed samples in March 2026. Disclosure 2026-07-09. Confidence: high.

What’s uncertain — treat accordingly

  • Victim count and named organizations. Neither vendor names a victim organization or gives a count. Binary Defense frames the target set as “Israeli organizations” broadly. Whether the October 2025 activity Microsoft dated to represents a single incident, a campaign, or a demonstration is not stated. Confidence: unconfirmed.
  • Initial access vector. Neither Microsoft nor Binary Defense names how operators get in. Do not assume phishing, do not assume exposed RDP, do not assume vendor-supply-chain until one of them says so. Confidence: unconfirmed.
  • Dormant command stubs. Microsoft notes the binary contains command handlers for capabilities not observed in use. What those capabilities are, and whether they’re staged for a later push or dead code from a prior variant, is not spelled out. Treat as future expansion capacity, not present threat. Confidence: as-stated by Microsoft.
  • Independent corroboration of the CyberAv3ngers attribution. Binary Defense’s code-fingerprint match to Crucio is the load-bearing evidence for the IRGC link. Microsoft’s silence on attribution is not a contradiction, but it is not a second vendor agreeing either. Confidence: single-vendor high; treat as high until a second unrelated vendor confirms.
  • Whether the “wiper masquerading as ransomware” framing was a targeting choice or a distribution choice. Fake ransomware buys deniability — a victim may report a ransomware incident, insurers may pay, the destructive intent stays plausibly deniable. Whether operators used the ransomware framing to slow attribution or simply to blend with a common incident type is not established. Confidence: unconfirmed, analysis-adjacent.

What to do

  • Windows environments with any Israeli-organization exposure — subsidiaries, partners, hosted services, joint ventures. This is the target set both vendors describe. Elevated hunting on that inventory today, not next Patch Tuesday. Confidence: high on target set.
  • Hunt the persistence and telemetry surface both vendors described. Scheduled tasks named OneDrive Update firing every minute; the registry key HKCU\SOFTWARE\OneDrive\Environment; firewall rules named Microsoft.Windows.CloudExperienceHost on hosts that shouldn’t have them. These are named artifacts, not hypotheses.
  • Enterprises running RabbitMQ, Redis, or MinIO. The command channel choice means outbound traffic to those services looks like normal business traffic. Baseline what your legitimate producers and consumers are, and treat unexpected clients on those brokers as investigation-worthy — that’s the concrete detection surface here, and it doesn’t require IOC drops.
  • Backup posture, not recovery posture. A destructive backdoor that also encrypts files with an unrecoverable key is a wiper wearing ransomware’s costume. Do not plan around a decryptor being available. Immutable, offline-tested backups are the answer to this class — verify restore, not just backup existence.
  • CyberAv3ngers-tracked entities. If your organization was named or implicated in the December 2023 CISA advisory, or in the Unitronics PLC campaign that preceded it, you’re on the historical target list this family reuses code from. Assume elevated interest.

Timeline

  • December 2023 — CISA advisory AA23-335A names CyberAv3ngers against U.S. water/wastewater sector, references Crucio-family malware.
  • October 2025 — Microsoft’s dated onset of destructive activity attributed to what it later names GigaWiper.
  • March 2026 — Binary Defense’s first sample observation of what it names BLUERABBIT.
  • 2026-07-09 — Microsoft Security Blog and Binary Defense publish concurrent write-ups; The Hacker News carries the story the same day.

Filed breaking, family and capability high-confidence per Microsoft plus Binary Defense, IRGC/CyberAv3ngers attribution single-vendor high (Binary Defense) with Microsoft silent on attribution, victim set and initial access unconfirmed. Update when a second unrelated vendor corroborates the CyberAv3ngers link, when named victim organizations surface, or when either vendor publishes hashes and network IOCs for the RabbitMQ/Redis/MinIO channels.

Found this useful? Share it.