TTP Advisory: GigaWiper / BLUERABBIT | No CVE | Threat Actor: Likely Iranian (per Google TIG) | Target: Windows systems | Capabilities: Disk wiping, fake ransomware, spyware, remote control | Discovered by: Microsoft / Binary Defense
What Happened
Microsoft has analysed a destructive Windows backdoor called GigaWiper that bundles three older destructive programs into one tool, offered as commands the operator can choose from. Each is a different way to break a machine: wipe the whole disk, overwrite the Windows drive, or run fake ‘ransomware’ that scrambles files with a key it never saves. The same malicious files appear in a separate Binary Defense report under the name BLUERABBIT, with both analyses sharing matching command servers. Binary Defense, citing Google’s Threat Intelligence Group, ties the malware to likely Iranian threat actors.
Capabilities
- Full disk wiping — destroys all data on the system
- Windows drive overwriting — targets the OS partition specifically
- Fake ransomware — scrambles files with a key that is never saved, making recovery impossible even with ransom payment
- Spyware/remote control — backdoor functionality for persistent access
Exploited?
Yes — active malware in use. Microsoft and Binary Defense have both analysed the same malware samples. The Iranian attribution aligns with ongoing destructive cyber operations. This is post-compromise malware — it is delivered after an attacker has already gained initial access.
Mitigation
- EDR detection: Ensure endpoint detection tools can identify GigaWiper/BLUERABBIT indicators of compromise.
- Offline backups: Maintain immutable, offline backups that cannot be deleted or encrypted from compromised systems.
- Network segmentation: Limit lateral movement capabilities to contain post-compromise destructive operations.
Recommendations
- Update EDR signatures: Incorporate GigaWiper/BLUERABBIT IOCs into detection systems.
- Test backup restoration: Verify that offline backups can be restored independently of the production environment.
- Monitor for destructive patterns: Sudden disk activity, unexpected reboots, or file encryption without ransom note should trigger immediate incident response.
References
- The Hacker News: GigaWiper
- Microsoft Security
- Binary Defense BLUERABBIT Report
Part of the Vulnerability Intelligence series on threat-modeling.com. July 10, 2026 Report.
