GigaWiper / BLUERABBIT: Iranian-Linked Destructive Windows Backdoor Bundles Disk Wiping, Fake Ransomware, and Spyware

GigaWiper / BLUERABBIT: Iranian-Linked Destructive Windows Backdoor Bundles Disk Wiping, Fake Ransomware, and Spyware

TTP Advisory: GigaWiper / BLUERABBIT | No CVE | Threat Actor: Likely Iranian (per Google TIG) | Target: Windows systems | Capabilities: Disk wiping, fake ransomware, spyware, remote control | Discovered by: Microsoft / Binary Defense


What Happened

Microsoft has analysed a destructive Windows backdoor called GigaWiper that bundles three older destructive programs into one tool, offered as commands the operator can choose from. Each is a different way to break a machine: wipe the whole disk, overwrite the Windows drive, or run fake ‘ransomware’ that scrambles files with a key it never saves. The same malicious files appear in a separate Binary Defense report under the name BLUERABBIT, with both analyses sharing matching command servers. Binary Defense, citing Google’s Threat Intelligence Group, ties the malware to likely Iranian threat actors.


Capabilities

  • Full disk wiping — destroys all data on the system
  • Windows drive overwriting — targets the OS partition specifically
  • Fake ransomware — scrambles files with a key that is never saved, making recovery impossible even with ransom payment
  • Spyware/remote control — backdoor functionality for persistent access

Exploited?

Yes — active malware in use. Microsoft and Binary Defense have both analysed the same malware samples. The Iranian attribution aligns with ongoing destructive cyber operations. This is post-compromise malware — it is delivered after an attacker has already gained initial access.


Mitigation

  • EDR detection: Ensure endpoint detection tools can identify GigaWiper/BLUERABBIT indicators of compromise.
  • Offline backups: Maintain immutable, offline backups that cannot be deleted or encrypted from compromised systems.
  • Network segmentation: Limit lateral movement capabilities to contain post-compromise destructive operations.

Recommendations

  • Update EDR signatures: Incorporate GigaWiper/BLUERABBIT IOCs into detection systems.
  • Test backup restoration: Verify that offline backups can be restored independently of the production environment.
  • Monitor for destructive patterns: Sudden disk activity, unexpected reboots, or file encryption without ransom note should trigger immediate incident response.

References


Part of the Vulnerability Intelligence series on threat-modeling.com. July 10, 2026 Report.

Connect with me

Enter your Email address if you want to connect and receive threat modeling updates (I won’t spam you or share your contact details).

AND / OR

Try my threat modeling tool, it's completely free to use.

Thanks for signing up!