Friday, July 10, 2026

The Good, the Bad and the Ugly in Cybersecurity – Week 28

The Good | Authorities Apprehend Pro-Russian Hacktivist & Dismantle Global Fraud Networks

Spanish authorities, acting on intelligence provided by the FBI, have apprehended a suspected core member of the pro-Russian hacktivist syndicates CyberArmy of Russia Reborn (CARR) and Z-Pentest.

While masquerading as ideologically motivated collectives, these groups have actively executed disruptive cyberattacks against critical infrastructure, including food processing and water facilities across the United States and Europe. Investigators allege the arrested individual, residing in Palencia, provided extensive operational and logistical support to a Ukrainian hacker working for CARR, even attempting to facilitate their escape to Russia.

The individual is also suspected of coordinating cyber operations for the NoName057(16) group using encrypted messaging platforms. In a March 2026 raid, law enforcement officers seized multiple computers and successfully froze cryptocurrency wallets utilized to launder illicit proceeds generated from stolen data sales. The suspect currently faces ongoing criminal investigations for alleged collaboration with a recognized terrorist organization and severe computer damage.

In a massive global crackdown on social engineering and financial fraud, international law enforcement agencies have arrested 5,811 suspects and seized approximately $293 million in illicit assets. Codenamed “Operation First Light 2026”, the coordinated initiative spanned 97 countries and specifically targeted business email compromise (BEC), investment scams, and money laundering syndicates operating between January and April. Interpol actively coordinated the extensive joint action, collaborating directly with regional policing bodies like ASEANAPOL, GCCPOL, and Europol to swiftly block over 31,000 fraudulent bank accounts and virtual wallets.

Eswatini police seized electronic devices, foreign currency, and realistic replicas of Brazilian police uniforms, signage, and equipment (Source: Interpol)

Investigators identified more than 142,000 victims worldwide and pinpointed an additional 15,600 suspects for future prosecution. This success builds upon recent international efforts, including Operation Synergia II, to dismantle the sprawling infrastructure supporting transnational cybercrime. Officials emphasize that robust, cross-border law enforcement cooperation remains essential to combat the escalating threat of organized cyber-enabled financial crimes globally.

The Bad | Threat Actors Deploy Forg365 PhaaS to Hijack Microsoft Accounts

Cyber researchers have identified a new phishing-as-a-service (PhaaS) operation dubbed Forg365, which targets Microsoft 365 enterprise accounts. Blending adversary-in-the-middle (AiTM) techniques with device-code phishing, the platform provides an integrated dashboard to manage post-compromise activities.

Forg365 works by incorporating AI to assist in generating customized phishing lures. By integrating AI directly into the control panel, Forg365 developers significantly lowered the financial cost needed to launch targeted campaigns. To remain undetected, its operators route messages through legitimate Amazon SES infrastructure while hosting their landing pages on Cloudflare.

The Forg365 panel (Source: ZeroBec)

The operation leverages the OAuth 2.0 device code authentication flow, originally designed for input-constrained devices. Attackers present victims with a deceptive verification page, tricking them into authorizing an attacker-controlled gadget rather than stealing their password directly.

Once initial access is achieved, the platform ensures persistence through a specialized browser extension called ForgCookie. Compatible with Microsoft Edge, Google Chrome, and Brave, this extension operates silently to request account data, clear session cookies, and trigger a hidden OAuth flow to capture fresh tokens. Doing so grants attackers continuous access to the victim’s Microsoft services without requiring them to ever re-authenticate.

To protect its administration panel from being accessed by security defenders, Forg365 integrates robust anti-analysis features. The platform utilizes debugger traps, polymorphic code, and dynamic sandbox checks to evade detection, redirecting connections to innocuous websites whenever a VPN is detected.

Administrators can defend against these hijacking techniques by monitoring Microsoft Entra logs for unexpected device-code authentication events. Organizations can also restrict or entirely disable device-code flows unless absolutely necessary. In the event of a suspected compromise, security teams should revoke all OAuth grants and refresh session tokens to sever access.

The Ugly | Rival Espionage Actors Breach & Spy On Pakistani Law Enforcement Networks

Between February 2024 and April 2026, suspected state-sponsored threat actors based in China and India separately converged on several Pakistani law enforcement organizations in unrelated cyberespionage campaigns.

According to SentinelLABS, operators heavily targeted the Balochistan Police, compromising critical network appliances and web servers. By infiltrating these critical systems, both nations actively sought independent visibility into Pakistan’s internal security posture and ongoing counter-militancy operations.

The China-nexus intrusions, leveraging PlugX, ShadowPad, and Cobalt Strike malware, were likely driven by Beijing’s concerns over the safety of Chinese nationals working on regional infrastructure projects within the China-Pakistan Economic Corridor (CPEC). Ongoing terrorist attacks have left the Chinese government dissatisfied with Pakistani protection and data from Balochistan Police would give the PRC direct insights.

Conversely, the India-nexus activity utilized Remcos backdoors to gather intelligence on the restive Balochistan province, a recurring flashpoint in the adversarial relationship between the two countries. Control over Balochistan Police networks means having invaluable visibility on how Pakistan manages their security posture as well as persistent access to civilian data.

Timeline of C2 traffic to Pakistani law enforcement organizations
Timeline of C2 traffic to Pakistani law enforcement organizations (Source: SentinelLABS)

One China-aligned threat actor specifically compromised the Balochistan Police Force’s Complaint Management System (CMS), a web application that actively serves both law enforcement personnel and Pakistani civilian users. The attackers uploaded custom malware implants disguised as routine portal updates, effectively weaponizing the digitalization of public policing services.

One payload masqueraded as a legitimate component of endpoint security software to evade initial detection and deploy an AsyncRAT client in order to establish persistent footholds into internal police networks while simultaneously surveilling citizens utilizing the platform.

This multi-actor convergence highlights how modernized policing infrastructure can serve as a high-value intelligence target for rival nations seeking comprehensive regional data.



from SentinelOne https://ift.tt/XPjGWK9
via IFTTT

Securing our future: July 2026 progress report on Microsoft’s Secure Future Initiative

Security is never finished. That conviction is where the Secure Future Initiative (SFI) started two years ago and continues to guide us today. AI is reshaping cybersecurity. Cyberattackers can discover vulnerabilities, chain attack paths, and scale exploitation faster than manual approaches allow. Defenders can use the same advances to identify risk, strengthen protections, and accelerate response. As the threat landscape evolves, security must evolve with it.

This latest SFI progress report shows how Microsoft is adapting to that reality: strengthening security foundations for an AI-accelerated cyberthreat landscape, applying AI to improve security outcomes at scale, and preparing for future challenges such as scalable quantum computing.

This report organizes our progress into three outcome-driven themes—secure foundations, proactive defense, and future-ready security—and shares lessons learned, practical guidance, and deeper insights across the culture, governance, principles, and engineering pillars that underpin security at Microsoft.

Secure foundations

The most consequential security failures rarely come from a single missing control. They come from environments where identity gaps, unmanaged assets, and inconsistent configurations sit side by side, creating composite attack paths that determined threat actors can chain together. SFI addresses this systemically, strengthening security across our environment. The results show the progress:

  • Phishing-resistant multifactor authentication now protects 99.97% of user/device pairs at Microsoft.
  • More than 732,000 resources have had public access revoked, with network isolation scaling across 1 million resources.
  • 1.4 million unused apps were decommissioned and cross-boundary credential isolation reached 98.7%.
  • Engineering defaults now prevent 83% of pipelines from accessing unapproved package endpoints.

These controls form reinforcing layers: identity feeds access governance, access governance feeds segmentation, segmentation contains blast radius, and engineering defaults reduce what enters production in the first place. One of the lessons we have learned is that foundations are durable only when they’re continuously validated, not periodically audited.

Proactive defense

Secure foundations reduce the attack surface. Proactive defense builds on that foundation to find and fix weaknesses quickly. Traditional practices like code review and penetration testing remain essential. The difference now is that frontier AI can discover vulnerabilities and chain exploit paths faster than manual review can keep up. That’s a threat and, when used well, an advantage. We’ve leaned into that advantage to find real risk earlier and close it before a cyberattacker can act.

  • We built a multi-agent AI system that delivers proactive assessment of a cloud service’s source code, identity configurations, network topology, and runtime state to surface composite vulnerabilities that a single-layer review could not catch. More than 90% of findings confirmed by our security engineers, enabling proactive actions to improve security posture.
  • This system builds on other tools in our security portfolio—such as the Microsoft Security multi-model agentic scanning system (codename MDASH), which scans source code to identify, validate, and prioritize vulnerabilities at scale—and adds configuration, identity, network, and runtime context to comprehensively assess the service.
  • More than 100 new detections were added this year (more than 350 total), shifting from signature-based to behavior- and baseline-driven detection.
  • More than 550,000 critical and high-risk open-source vulnerabilities were remediated, with about 3 million container vulnerabilities patched per month through automation.

Future-ready security

Some risks have not fully arrived yet, but waiting for them is not an option. The most urgent example is the transition to post-quantum cryptography. The threat is already here in the form of “harvest now, decrypt later”: data encrypted today could be captured and decrypted once quantum capability matures.

  • We are accelerating the Microsoft Quantum Safe Program (QSP) timeline, with the goal of transitioning to post-quantum cryptography (PQC) in critical products and services by 2029.          
  • PQC is now an SFI-measured engineering requirement, with workstreams advancing across network traffic, data-at-rest protection, and trust chain modernization.
  • Quantum-safe algorithms (ML-KEM, ML-DSA) are available today across major platforms.
  • Read more in the recent blog: Accelerating quantum-safe readiness.

Governance, culture, and principles

Foundational progress like this is only possible because of the people committed to making it possible. Security is a core responsibility for every employee at Microsoft: mandatory Trust Code training was completed by more than 99% of full-time employees. Governance is what makes it scale, with accountability driven through our Deputy Chief Information Security Officer (CISO) structure and a centralized risk register. And our principles—secure by design, secure by default, secure in operations—are what turn intent into product, like Microsoft 365 Baseline Security Mode. Tools alone don’t create durable security; culture, accountability, and secure defaults do.

What you can do today

Throughout the report, we share actionable guidance for organizations at any stage of their security journey. A few starting points:

  • Enforce phishing-resistant multifactor authentication and eliminate legacy authentication protocols.
  • Inventory every tenant and classify it. Apply secure-by-default provisioning with drift detection.
  • Evaluate how identity, code, configuration, and network relationships interact in production. Prioritize composite attack paths over isolated findings.
  • Inventory your cryptographic dependencies now and establish transition plans for post-quantum readiness.
  • Enable Baseline Security Mode in Microsoft 365 for secure-by-default configuration at no additional cost.

Read the full SFI report, including detailed pillar-level progress and additional customer guidance.

Each hardening action changes the cyberattacker’s approach. The compounding effect of SFI is that attackers face a shrinking set of viable paths, while defenders gain better telemetry, stronger defaults, and sharper prioritization for the paths that remain.

Security is a team sport. We are grateful for the partnership of our customers, security researchers, and the broader industry as we work together to make the world a safer place for all.

Learn more

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

The post Securing our future: July 2026 progress report on Microsoft’s Secure Future Initiative appeared first on Microsoft Security Blog.



from Microsoft Security Blog https://ift.tt/0MGvKqr
via IFTTT

Ransomware Negotiator Gets 70 Months in Prison for Aiding BlackCat Attacks

A 41-year-old former ransomware negotiator has been sentenced to nearly six years (i.e., 70 months) in prison in the U.S. for their role in conspiring with the now-defunct BlackCat ransomware operators to extort multiple victims and working with two other cybersecurity professionals to target additional victims in 2023.

In a sentencing memorandum, federal prosecutors described Martino as a "double agent working to maximize the harm to his clients and the financial gain to cybercriminals who paid him a part of the ransom."

Angelo Martino, 41, of Land O'Lakes, Florida, pleaded guilty to one-count information charging him with conspiring to interfere with interstate commerce through extortion back in April. The defendant worked as a negotiator on behalf of five different ransomware victims, while providing BlackCat attackers with confidential information regarding their negotiating position and strategy without their knowledge or permission.

This information included details about the victims' insurance policy limits and internal negotiation positions, allowing the operators to maximize the ransom amounts they were required to pay.

"Angelo Martino's victims shared heartbreaking accounts of how their businesses were nearly destroyed, while the people they hired to help them instead betrayed them to ransomware gangs," said Assistant Attorney General A. Tysen Duva of the U.S. Justice Department's Criminal Division.

In addition, Martino was also accused of colluding with Ryan Goldberg, 41, of Georgia, and Kevin Martin, 36, of Texas, to successfully deploy BlackCat ransomware between April 2023 and November 2023 against multiple victims located throughout the U.S. Martino and Martin were employed at DigitalMint, while Goldberg was working as an incident response manager for cybersecurity company Sygnia.

Both Goldberg and Martin were sentenced to four years each in prison back in May 2026 for carrying out the attacks after pleading guilty to their crimes last December.

"He was hired to help victims in a moment of crisis," said U.S. Attorney Jason A. Reding QuiƱones for the Southern District of Florida.

"Instead, Martino betrayed them, fed their confidential negotiating positions to ransomware criminals, and helped squeeze them for more money. This case sends a clear message: we will pursue the hackers who deploy ransomware, the insiders who enable them, and the money they steal from American victims."

The Justice Department said law enforcement has seized $10 million of assets from Martino to date, including digital currency, vehicles, a food truck, and a luxury fishing boat that he purchased from the illicit proceeds. Martino is expected to appear in court on September 17, 2026, to determine the exact amount of restitution to be ordered against him.

"Angelo Martino sold out the very victims he was hired to represent, handing their confidential negotiating positions to BlackCat actors to drive up ransoms and enrich himself," said Assistant Director Brett Leatherman of the FBI Cyber Division.



from The Hacker News https://ift.tt/vcQKAjN
via IFTTT

Thursday, July 9, 2026

WolfSSL, GeoVision, VTK vulnerabilities

WolfSSL, GeoVision, VTK vulnerabilities

Cisco Talos’ Vulnerability Discovery & Research team recently disclosed three vulnerabilities in WolfSSF, fourteen in GeoVision, and one vulnerability in VTK-DICOM.

The vulnerabilities mentioned in this blog post have been patched by their respective vendors, in adherence to Cisco’s third-party vulnerability disclosure policy

For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website.

WolfSSL vulnerabilities

Discovered by Ankur Tyagi of Cisco Talos.

WolfSSL aims to provide "lightweight and embedded security solutions" for both individual and business needs. WolfSSL is an open-source product to provide secure data transfer.

Talos discovered two improper input validation vulnerabilities (TALOS-2026-2409 (CVE-2026-28739) and TALOS-2026-2410 (CVE-2026-25106)) and one integer underflow vulnerability (TALOS-2026-2408 (CVE-2026-33091)) in WolfSSL.

GeoVision vulnerabilities

Discovered by Philippe Laulheret of Cisco Talos.

GeoVision specializes in security technologies, including cameras and monitoring solutions, access control, and machine-identification.

Talos released 14 advisories for GeoVision vulnerabilities, covering 37 CVEs:

  • TALOS-2026-2411 (CVE-2026-12488) memory corruption vulnerabilities
  • TALOS-2026-2379 (CVE-2026-12486, CVE-2026-12849, CVE-2026-12850, CVE-2026-12851) OS command injection vulnerabilities
  • TALOS-2026-2377 (CVE-2026-12485, CVE-2026-12846, CVE-2026-12847, CVE-2026-12848) buffer overflow vulnerabilities
  • TALOS-2026-2369 (CVE-2026-42370) stack overflow vulnerability
  • TALOS-2026-2333 (CVE-2026-7372, CVE-2026-42369) stack overflow vulnerabilities
  • TALOS-2026-2329 (CVE-2026-42368) privilege escalation vulnerability
  • TALOS-2026-2328 (CVE-2026-42367) privilege escalation vulnerability
  • TALOS-2026-2327 (CVE-2026-7371, CVE-2026-42366) reflected cross-site scripting (XSS) vulnerabilities
  • TALOS-2025-2326 (CVE-2026-42364) OS command injection vulnerability
  • TALOS-2025-2332 (CVE-2026-42365) guessable session cookie vulnerability
  • TALOS-2025-2322 (CVE-2026-7161) insufficient encryption vulnerability
  • TALOS-2026-2375 (CVE-2026-57273, CVE-2026-57274, CVE-2026-57275, CVE-2026-57276, CVE-2026-57277, CVE-2026-57278) stack-based buffer overflow vulnerabilities
  • TALOS-2026-2373 (CVE-2026-13131, CVE-2026-13132, CVE-2026-57264, CVE-2026-57265, CVE-2026-57266, CVE-2026-57267, CVE-2026-57268, CVE-2026-57269, CVE-2026-57270, CVE-2026-57271, CVE-2026-57272) out-of-bounds read vulnerabilities
  • TALOS-2026-2370 (CVE-2026-13125) lack of authentication vulnerability

VTK-DICOM vulnerability

Discovered by Emmanuel Tacheau of Cisco Talos.

The Virtualization Toolkit (VTK) is an open source software solution for handling scientific data, for use in tools for 3D rendering. The VTK-DICOM API is specifically to allow VTK users to parse Digital Imaging and Communications in Medicine (DICOM) medical data.

Talos found one vulnerability in VTK-DICOM, TALOS-2026-2366 (CVE-2026-22879), which is a heap-based buffer overflow vulnerability.



from Cisco Talos Blog https://ift.tt/2L9pcGk
via IFTTT

When the systems are up but the business is down

The defining risk to resilience today is not the outage. It is the ad hoc response that follows when partial failure has not been planned for.

On July 19, 2024, a single misconfigured file in a routine software update disabled 8.5 million Windows devices worldwide. Across sectors, the disruption grounded flights, diverted hospital patients, and took financial institutions offline. The fix itself took only 80 minutes. Recovery took days, because every affected device required manual remediation.

The organizations that recovered most quickly did so not because of their superior IT capability, but because a virtual workspace architecture allowed employees to continue working independent of the state of the underlying device. Organizations without that capability spent the first day simply establishing the scope of impact.

That interval, between systems being restored and the business resuming operation, is where resilience is now determined.

The cost of disruption is material

Many large enterprises surveyed reported revenue losses attributable to an outage within the past twelve months and more than half experience a disruption at least weekly. The average high impact outage now costs $1.9 million per hour, and the average data breach costs $4.88 million, with ransomware present in nearly half of all cases. These figures are unlikely to surprise senior IT leadership. What is less widely recognized is that most continuity plans were designed around total outage followed by clean restoration, a failure mode that occurs infrequently today.

Today’s disruptions are typically more limited in scope. An identity provider experiences latency, a cloud region degrades, or a SaaS platform throttles under load, often without triggering any alert, even as employees find themselves unable to work. By the time the pattern is recognized, workarounds are already underway, including shadow applications, expanded access privileges, and bypassed controls intended to preserve productivity. That ad hoc response, not the outage itself, constitutes the primary exposure.

This loss of control compounds into a secondary crisis, as access exceptions remain open and audit trails become incomplete. Regulatory bodies have responded accordingly, with DORA, the UK PRA, and FFIEC each shifting the standard of evidence from demonstrating that a plan exists to demonstrating that it withstood real disruption.

What prepared organizations do differently

They establish service tiers in advance of disruption, determining beforehand what is non-negotiable, what may degrade, and who holds decision authority, rather than negotiating these questions during the first hour of an incident, which remains standard practice elsewhere.

They map dependencies by workflow rather than by organizational structure, enabling precise understanding of the downstream effect of an identity outage or third-party API failure.

Most significantly, they design continuity protocols to tighten controls under pressure rather than relax them, even though the prevailing instinct during a crisis is to ease governance to preserve operational momentum. The organizations that perform best take the opposite approach, predetermining access restrictions and exception authority so that execution follows an established plan rather than an ad hoc response.

These organizations also rehearse their response through tabletop exercises and rollback drills conducted on a recurring basis, and those that sustain this discipline report fewer severe incidents and faster recovery as a direct result. The differentiating factor is preparation, not circumstance.

Where Citrix fits

This goes beyond a list of capabilities. It is the operational foundation that holds when other systems do not. The Citrix platform sustains employee access independent of underlying device or infrastructure failure, and reroutes workloads automatically when services degrade, eliminating reliance on manual intervention when it matters most. It also enforces access governance at the application layer rather than the network layer, ensuring that an operational incident does not become a compliance incident as well. At the same time, it reduces the time between detection and diagnosis, and replaces ad hoc recovery with a structured return to a known-good state.

The result is measurable across industries, with a European rail operator, a major U.S. hospital system, and a global accounting firm each having documented reduced downtime, fewer unresolved access exceptions, and faster recovery using this approach.

Considerations for the next disruption

Leadership should be able to answer the following questions before disruption occurs, not after. Are your Tier 0 services clearly identified, with defined limits for permissible downtime? Has your organization tested operation without its primary identity or cloud provider, using an actual runbook rather than a theoretical exercise? Organizations that can answer these with confidence are the ones that will weather the next incident, not merely survive it.

Your next disruption is already on the calendar. You just don’t know the date yet.



from Citrix Blogs https://ift.tt/alftz1W
via IFTTT

New GigaWiper Windows Backdoor Bundles Disk Wiping, Fake Ransomware, and Spyware

Microsoft has taken apart a destructive Windows backdoor it calls GigaWiper. What stands out is how it is built: not one tool but three older destructive programs bolted into one, offered as commands the operator can choose from.

Each is a different way to break a machine: wipe the whole disk, overwrite the Windows drive, or run fake "ransomware" that scrambles files with a key it never saves.

Because this is malware and not a single flaw, there is no patch to chase; GigaWiper is what an attacker runs after they are already inside, which makes early detection and clean, offline backups the real defense.

The same malicious files show up in a second report under another name: BLUERABBIT, a backdoor Binary Defense flagged last month.

Microsoft lists four hashes for the GigaWiper backdoor; Binary Defense lists the same four for BLUERABBIT, and both command servers match. Binary Defense, citing Google's Threat Intelligence Group, ties the malware to a likely Iran-nexus group aimed at Israeli organizations. Microsoft names no country.

Three ways to destroy a machine

GigaWiper is written in Go (also called Golang) and runs on Windows. It takes orders as numbered commands, and three of them destroy the machine, each in a different way:

  • A raw disk wiper that overwrites the physical drive and wipes the partition table (the map of how the disk is laid out) before rebooting. There is no file-by-file deletion to reverse; it destroys the disk contents directly.
  • Fake ransomware built on older code called Crucio. It encrypts files, adds a .candy extension, and changes the desktop wallpaper to an alarming warning image. There is no ransom note and no saved key, so there is nothing to pay and nothing to decrypt. This is destruction wearing a ransomware costume.
  • The last targets the Windows drive, overwriting it several times with different data patterns. Microsoft says it is a Go rewrite of a wiper it tracks as FlockWiper.

None of these leaves a way back: encrypted files cannot be unlocked because the key is gone, and wiped drives can only be rebuilt from clean backups. The goal is a dead machine, not a payout.

It spies, too

Destruction is only half of it. The same backdoor can quietly watch and control an infected PC. It takes screenshots of every monitor, records the screen while someone is working, and can open a hidden VNC session that streams the display and lets the attacker type and move the mouse.

It also collects system details, manages running programs and services, edits the registry, and can wipe Windows event logs to cover its tracks. Microsoft found more commands sitting dormant in the samples it examined, including stubs for a keylogger and additional wipers.

To stay out of sight, GigaWiper pretends to be OneDrive. It creates a scheduled task named OneDrive Update that runs every minute and tracks itself in a registry key under HKCU\SOFTWARE\OneDrive\Environment. When it opens its remote-control channel, it hides behind a firewall rule named after a real Windows component, Microsoft.Windows.CloudExperienceHost.

For its command traffic, it skips ordinary web requests and rides on real business services instead: RabbitMQ for tasking, Redis for results, and MinIO for exfiltration. Because those are legitimate tools rather than a custom malware channel, the traffic looks ordinary on networks that already run them.

Where GigaWiper came from

Microsoft traces GigaWiper's fake-ransomware code back to Crucio and its multi-pass wiper back to FlockWiper, and assesses that the same developer built all three. It names no country. But Crucio is not anonymous. Its code was listed as suspected ransomware in a December 2023 CISA advisory on CyberAv3ngers, a group linked to Iran's Islamic Revolutionary Guard Corps.

That is the same crew, THN reported, that broke into water and energy sites across the US, Israel, the UK, and Ireland in 2023, logging into internet-exposed industrial controllers. In one case, they took control of a booster station at a Pennsylvania water authority. The Crucio sample Microsoft cites carries the same fingerprint listed in that advisory.

Microsoft also found a recurring tag, "GRAT", in both FlockWiper's debug paths and GigaWiper's own function names, tying the two tools together and hinting at a further component that has not surfaced yet. The timing differs by source: Microsoft dates the destructive activity to October 2025, while Binary Defense first saw the same files as BLUERABBIT in March 2026.

Part of a bigger wave

Iran-linked wiper activity against Israel has drawn repeated warnings through 2025 and 2026. Palo Alto Networks' Unit 42 has tracked a parallel surge, much of it from a separate group, Handala Hack, and in March 2026 Israel's National Cyber Directorate warned of Iranian wiper attacks on local organizations.

The tactic GigaWiper uses is old: NotPetya in 2017 also posed as ransomware while quietly destroying data. The disguise buys the attacker time: a wrecked machine first looks like a ransomware case someone might recover from, not the total loss it is.

Microsoft frames GigaWiper as operators folding separate tools into one flexible platform. For defenders, the consequence is concrete: when a single implant can watch, steal, or destroy, the tool no longer reveals the goal. You used to read intent from the malware you found; here, the operator decides after they are already inside.

One platform, two vendor names, and dormant command stubs still in the code point to a tool still being built out.

What defenders should do

Spotting it fast comes down to a few specific signals:

  • A OneDrive Update scheduled task that repeats every minute.
  • RabbitMQ or Redis traffic from ordinary desktops rather than servers.
  • Processes using takeown and icacls to take ownership of Windows boot files like bootmgr and ntoskrnl.exe outside maintenance windows.

On the product side, Microsoft recommends turning on tamper protection so attackers cannot switch off your antivirus, blocking the two known command servers (185.182.193[.]21 and 212.8.248[.]104), running endpoint detection in block mode, and enabling cloud-delivered protection and automatic remediation. The full list of file hashes, server addresses, and detection names is in Microsoft's report.

The Hacker News has reached out to Microsoft and to Binary Defense for confirmation that GigaWiper and BLUERABBIT are the same malware, and for details on victim scope and attribution, and will update this story with any response.



from The Hacker News https://ift.tt/mhBRWKH
via IFTTT

ThreatsDay: Cloud Bucket Hijacking, Windows LPE Chain, Global Fraud Bust + 17 More Stories

Most security mess starts as admin work. A link gets clicked. A tool gets trusted. A bucket name gets reused. A setting stays loose because nobody wants to touch it.

This week is full of that kind of damage. Not loud. Not clever. Just small gaps doing big jobs. The worst part is how normal it all looks until the bill arrives.

The full ThreatsDay list is below.

  1. Global fraud bust

    A global anti-fraud operation involving 97 countries and territories has resulted in the arrest of 5,811 individuals and the interception of $293 million in illicit assets as part of an operation codenamed First Light 2026 that took place between January 15 and April 30, 2026, to tackle social engineering scams and associated money laundering activities. "Over 142,000 victims globally were identified during Operation First Light 2026, highlighting the extent to which social engineering scams and fraud have escalated into a major transnational threat, affecting individuals, businesses, and governments," INTERPOL said. More than 23,000 cases were solved, and 15,606 suspects have been identified. In Eswatini, authorities arrested 82 people and dismantled a criminal network running illegal online gambling, money laundering, and elaborate impersonation scams. The Thai police made two arrests and uncovered a money laundering scheme that converted illicit funds from romance scams into various cryptocurrencies, using cross-chain token swaps to obscure the financial trail.

  2. Payment SDK typosquats

    A cluster of 17 malicious npm and PyPI packages have been found to typosquat Paysafe, Skrill, and Neteller SDKs to steal system information and developer secrets, and exfiltrate them to an Ngrok endpoint. The malware skips machines that have less than two CPU cores, and the hostname or username contains sandbox, analyzer, cuckoo, virus, malware, vmware, or vbox. "The threat actor targeted payment app SDKs, which might indicate a financial motive or the desire to monetize using payment app accounts," Socket said. "The threat actor used their obfuscator 'properly.' They did not re-use the same obfuscation key across versions or packages, which is intended to prevent signatures from tracking this malware by the same key. This resulted in different hashes for each file."

  3. Stealthy code injection

    Cybersecurity researchers have outlined a technique called Process Parameter Poisoning (P³) that can be used to code in foreign processes without raising any security alarms. "P³-Shellcode Loader is a loader that implements a code injection technique which leverages the Process Parameters structure (Process Parameter Poisoning) as an execution and staging location for shellcode injection into remote processes, without triggering common detection mechanisms," researchers Max Hirschberger and Ogulcan Ugur said. "One major advantage of this technique is that no processes are created in a suspended state and no threads or processes are suspended during its execution."

  4. Unauthenticated file access

    A critical security flaw in Esri ArcGIS Server 12.0 and prior (CVE-2026-9181, CVSS score: 9.8/7.5) could be exploited to access sensitive files on the system without requiring valid credentials by sending crafted path parameters. "The vulnerability exists in the ArcGIS Server REST Uploads resource, where insufficient validation of crafted path parameters allows an unauthenticated remote attacker to traverse outside the intended directory boundary," Horizon3.ai said.

  5. Ransomware tooling overlap

    A new analysis of the Interlock (aka Hive0163) ransomware operation has identified links with TAG-124 (aka KongTuke and Landupdate808). The threat actor is known to employ a variety of mostly custom malware, including NodeSnake, Interlock RAT, JunkFiction downloader (aka Dormouse), Supper (aka SocksShell and WINDYTWIST), and JunkFiction cryptor. IBM X-Force said it has discovered strong overlaps between NodeSnake, ModeloRAT, JunkFiction downloader, Interlock RAT, and Supper malware variants, indicating a shared original codebase or possibly common developers. Rhysida, on the other hand, often uses Endico downloader, Broomstick (aka Oyster or CleanUpLoader), Supper, and Tomb cryptor (aka Textshell or pkr_mtsi). Evidence indicates a relationship with IceNova (aka Latrodectus) operators and ITG23 (aka TrickBot). Early versions of JunkFiction date back to May 2024, with the downloader being used to Supper, which then delivers CrossTec Remote Control, a legitimate remote administration tool. "The fact that both ModeloRAT and NodeSnake were deployed by TAG-124/KongTuke, possessed overlaps with other malware families belonging to the Interlock toolkit and used the same exploit during their operations, supports the theory that these activities may be linked," IBM X-Force said.

  6. Claude data warning

    China's National Vulnerability Database (CNVDB) is urging developers to uninstall recent Claude Code versions over concerns that they can gather sensitive user data without consent. The "backdoor code" can collect details such as a user's location and identity, and forward them to remote servers. The agency said the alert only applies to Claude Code versions 2.1.91 (April 2) to 2.1.196 (June 29). "It is recommended that relevant units and users immediately conduct a comprehensive investigation," CNVDB said. "For development terminals with the above-mentioned affected versions installed, immediately uninstall or upgrade to the latest secure version with the relevant backdoor code removed; strengthen the control of external access permissions and traffic monitoring of development tools within core business network segments to prevent the unauthorized transmission of sensitive data." The disclosure comes shortly after a report that Claude contained covert code designed to prevent Chinese AI companies from extracting details about its inner workings. Anthropic subsequently said it was an experiment to protect against model distillation.

  7. Teams support lure

    A social engineering campaign has combined email phishing with a fake IT support scam abusing Microsoft Teams calls to deliver EtherRAT. "The attack lures the victim with a fake 'Employee Survey' email and PDF, then pivots to a Microsoft Teams call from an actor impersonating a 'System Administrator,'" Palo Alto Networks Unit 42 said. "The actor abuses Teams remote control (give/request control) to control the victim's machine, then guides the victim to install different remote RMM tools to establish persistence - HopToDesk and AnyDesk. The actor uses cmd.exe > curl.exe to download a malicious MSI (v7.msi) from camorreado[.]click and execute it. The MSI is a multi-stage loader that downloads a legitimate Node.js runtime, decrypts an embedded payload through a multi-step cipher chain, and runs EtherRAT."

  8. Scattered Spider link

    The notorious cybercrime group known as Scattered Spider is called by various names, including Octo Tempest, Muddled Libra, and UNC3944. Group-IB, which designated the term 0ktapus to a social engineering attack campaign targeting Twilio in August 2022, said Scattered Spider can be best described as a decentralized cybercrime collective analogous to The Com, with 0ktapus acting as a sub-cluster within the group. Scattered Spider comprises smaller clusters that are united by the use of shared tradecraft and English as a common language, but act separately. "Physical device theft activity from mobile carrier stores has been observed in at least one subcluster, for SIM swapping purposes," Group-IB said. "Subclusters target all kinds of sectors, either as end-targets for direct exploitation or as stepping stones to gather intelligence or tools for future attacks." The end goal of these attacks is cryptocurrency theft and ransomware, leading to extortion.

  9. LINE espionage scheme

    Taiwanese authorities have charged two local businessmen with allegedly assisting Chinese government-linked hackers carry out a sprawling espionage campaign targeting politicians, academics, journalists, and civil society groups. The suspects are believed to have run a company that collected and leased accounts for the LINE messaging app to operators linked to China's cyber forces. The accounts were then used to impersonate international journalists and build trust with targets and ultimately deliver malware designed to compromise their computers. The LINE accounts were rented by a Chinese firm named Xiamen Empress Information Technology.

  10. Meta phishing abuse

    An unknown threat actor is manipulating Meta's Business Account Manager to send spam emails that bypass email filters since at least November 2025 and trick victims into providing their Meta account details to the attacker on attacker-controlled web pages. The emails were sent from a Meta business account. "Starting in June, they modified their phishing lure to incorporate a chatbot, run through a fraudulent account on Facebook Messenger, and began sending credentials to a private Telegram channel," Huntress said. "The phishing campaign appears to target businesses and attempts to capture credentials, MFA codes, business and personal phone numbers, email addresses, and an image of the target's ID or passport." Meta has since taken steps to plug the attack method.

  11. Windows LPE chain

    In August 2025, SafeBreach researcher Ron Ben Yizhak disclosed details of an issue (CVE-2025-49760) in Microsoft's Windows Remote Procedure Call (RPC) communication protocol that could be abused by an attacker to conduct spoofing attacks and impersonate a known server. Then, in October 2025, Microsoft addressed another vulnerability tracked as CVE-2025-59200, which has been described as a spoofing flaw in the Data Sharing Service Client. "By exploiting a vulnerability in the Data Sharing Service (DsSvc) – tracked as CVE-2025-59200 – an attacker can spoof an RPC server, then send a hotkey that bypasses User Interface Privilege Isolation (UIPI) to start a scheduled task," Ben Yizhak said. "The task sends an RPC request to the spoofed server of the attacker and the response injects an XML into a toast notification to elevate privileges from low to medium integrity."

  12. Kernel driver flaws

    Multiple vulnerabilities have been disclosed in RtsPer.sys, an SD card reader driver developed by Realtek. These vulnerabilities enable non-privileged users to leak the contents of the kernel pool and kernel stack, write to arbitrary kernel memory, and read and write physical memory from user mode via the DMA capability of the device, per a security researcher who goes by the name "zwclose." The issues impact many OEMs, including Dell, Lenovo, and possibly other laptops equipped with an SD card reader manufactured by Realtek. The issues have been assigned the CVEs: CVE-2022-25477, CVE-2022-25478, CVE-2022-25479, CVE-2022-25480, CVE-2024-40431, and CVE-2024-40432. The complete set of fixes was released by Realtek in August 2024.

  13. New ransomware behavior

    Ransomware attacks that deploy WhiteLock involve the locker communicating with external servers during the encryption process and terminating Services related to remote access tools, such as AnyDesk and TeamViewer, to prevent victims from responding remotely. "After registering an infected device, WhiteLock checks whether AnyDesk and TeamViewer are installed on the victim's device," AhnLab said. "If these tools are present, it terminates the relevant Services in subsequent stages. This behavior is interpreted as an attempt to prevent security personnel or administrators from isolating the infected system or responding in real time through remote access tools." Another new ransomware entrant is Prinz Eugen, which was first detected in May 2026. "The encryptor is freshly built, written in Go, and more technically deliberate than many first-wave ransomware samples," Threatdown said. "It performs recursive encryption, prioritizes recently modified files, uses ChaCha20-Poly1305 with integrity checks, and leaves no ransom note on disk." The ransomware is advertised by a threat actor named ROOTBOY on underground forums, who has previously engaged in data sale and extortion activity between July and November 2025. The development comes as the Bumblebee malware loader, deployed via SEO poisoning through a trojanized installer for ManageEngine OpManager, has been leveraged by threat actors to drop AdaptixC2, which then acts as a conduit for Akira ransomware deployment.

  14. Chrome extension hijack

    Cybersecurity researchers have flagged a new browser-based threat dubbed GhostChrome-X that uses Google Chrome to establish and maintain access to compromised hosts. "Two aspects in particular make GhostChrome-X noteworthy. First, the malware directly targets Chrome's extension trust model by modifying protected configuration files and forging the integrity metadata required for Chrome to accept an attacker-controlled extension as a legitimate browser component," Rubrik Zero Labs said. "Second, rather than functioning solely as a data-stealing extension, GhostChrome-X integrates browser-based access with operating system-level command execution, enabling the browser to serve as a persistent platform for ongoing attacker operations." Once active, the malware establishes persistence using scheduled tasks and Registry Run keys, while communicating with an external server to collect browser cookies, browsing history, and submitted form data. It also supports remote command execution on the infected system and "monitors WebAuthn activity and enables attacker-controlled interactions with WebAuthn-enabled websites from within the victim's browser session."

  15. Tax refund RAT lure

    A phishing and malware campaign is using Indian Income Tax Return (ITR) refund lures to deliver a multi-stage AutoIt infection chain that leads to the deployment of AsyncRAT. The campaign has targeted financial and technology organizations. "The operation is notable for the way it combines credible email delivery, compromised web infrastructure, Dropbox-hosted payloads, password-protected archives, AutoIt staging, sandbox-aware execution, persistence, process injection, and a final .NET RAT payload," ZeroBEC said. "More recent samples shifted to LX RAT, a commercially marketed remote access trojan protected by the LX Crypter / LX Protector ecosystem." Fraudulent tax assessment notifications have also been used to distribute a trojan-like payload to targeted users using DLL side-loading techniques. The rogue DLL features persistence mechanisms, system information discovery, user activity monitoring, dynamic payload execution, and encrypted command-and-control (C2) communication. "The observed capabilities -- including modular payload loading, encrypted communication, persistence mechanisms, and remote execution functionality -- indicate that the campaign is designed to establish unauthorized access to and maintain control over compromised hosts," CYFIRMA said.

  16. Fileless Remcos loader

    Another campaign targeting India, this time using GST-themed ZIP archive lures to deliver a variant of the Remcos RAT malware family. "One notable characteristic of this infection chain was its reliance on in-memory execution techniques / fileless malware and Steganography," K7 Labs said. "By avoiding disk-based artifacts, the threat reduces forensic evidence and increases its ability to evade traditional security tools and signature-based detection methods."

  17. Teams access phish

    An active phishing campaign is using Microsoft Teams-themed lures to distribute a legitimate remote access tool configured for unauthorized access. "Victims are directed to convincing landing pages that impersonate collaboration and productivity services, where they are prompted to download software presented as a meeting transcript viewer, recording utility, or document-related application," CYFIRMA noted. "The use of compromised business websites provides reputational legitimacy, while dedicated infrastructure enables rapid deployment and campaign scalability. The operation demonstrates active maintenance, with the majority of identified infrastructure observed within the last three to six months, indicating continued development and operational investment."

  18. ADFS token forgery risk

    Google-owned Mandiant has revealed that "when ADFS certificates are manually rotated, configuration drift can silently leave active signing keys exposed in Machine DPAPI," adding "in environments where AutoCertificateRollover is disabled, and certificates are manually rotated, the database often becomes a 'ghost'—a record that still exists, still decrypts successfully, but references a certificate no longer used for token signing by the ADFS service." The tech giant has warned that the technique could be exploited by bad actors to forge high-privilege SAML tokens.

  19. Cloud exfiltration controls

    Amazon Web Services (AWS) has emphasized the need for a layered strategy for egress security and to prevent data exfiltration. "Without egress controls in place, that outbound traffic can flow freely, and the unauthorized access might go unnoticed until a compliance audit, customer complaint, or incident notification forces discovery," AWS said. The risk is compounded by agentic AI systems, in which an unauthorized party can manipulate an autonomous agent’s objectives to silently exfiltrate data and achieve code execution. "As organizations deploy AI agents with access to tools, APIs, and code interpreters, these agents become high-value targets, and their outbound network activity must be constrained with the same rigor as any other workload," AWS said.

  20. Cloud data rerouting

    Palo Alto Networks Unit 42 has identified a bucket hijacking technique that impacts major cloud service providers. It has been described as a fundamental architectural flaw. "An attacker can silently compromise an organization's active data streams by rerouting data into an external storage bucket," Unit 42 said. "Because a storage bucket name is globally unique, an attacker can simply delete the bucket and then recreate it under the attacker's own account using the same name. This, therefore, creates a global namespace risk. This bucket hijacking reroutes critical logs and sensitive data directly to the attacker's environment." A similar attack method, dubbed Bucket Monopoly, was detailed by Aqua Security in 2024. There is no evidence that the attack technique has been abused in the wild. In recent weeks, Unit 42 has also warned that: (1) insecure default configurations and overly permissive enrollment rights in Active Directory Certificate Services (AD CS) can be exploited for privilege escalation, unauthorized identity impersonation, and persistence; (2) Kubernetes identities can be abused in combination with exposed attack surfaces to escalate privileges from initial access to sensitive backend cloud infrastructure; (3) multi-agent AI systems can introduce new pathways for exploitation through inter-agent communication and orchestration via prompt injection due to a model's inability to reliably differentiate between developer-defined instructions and adversarial user input, and a lack of agent capability scoping and tool input sanitization; (4) Amazon Bedrock AgentCore's Code Interpreter sandbox network isolation mode can be bypassed to allow sending and receiving of data from external endpoints via DNS tunneling by taking advantage of a lack of session token enforcement; and (5) AgentCore starter toolkit's auto-create logic generates identity and access management (IAM) roles that grant privileges broadly across the AWS account, rather than being scoped to individual resources, effectively introducing what's called an Agent God Mode that makes it possible to escalate privileges and compromise every other AgentCore agent within the AWS account. 

The useful lesson this week is not “watch for weird behavior.” Weird is late. By then the fake support call has a session, the package has run, the bucket is gone, and the quiet process already has somewhere to send data.

Watch the normal paths instead. Names that look almost right. Tools asking for slightly too much. Services that still trust old state. Traffic that should have had nowhere to go. Most of the damage here did not need magic. It needed permission, habit, and nobody looking closely enough. 



from The Hacker News https://ift.tt/8P7fobd
via IFTTT

GigaWiper: Anatomy of a destructive backdoor assembled from multiple malware

In October 2025, Microsoft Threat Intelligence identified destructive wiping activity and uncovered a sophisticated Go programming language (Golang)-based backdoor we now track as GigaWiper, a versatile implant that combines robust command-and-control (C2) capabilities with multiple destructive payloads, including disk wiping, fake ransomware, and system-level sabotage.

GigaWiper is particularly notable for its makeup. It’s not a single, purpose-built tool, but an amalgamation of separate malware families that were folded into GigaWiper as on-demand backdoor commands, giving threat actors the flexibility to choose their mode of destruction:

  • A standalone wiper that operates at the physical disk level, overwriting raw disk content and removing partition metadata.
  • A destructive command that derives from Crucio ransomware and encrypts files with randomly generated keys that are never saved, making decryption impossible.
  • A wiping command that reimplements the logic of FlockWiper, a C-based malware reimplemented in Golang with additional multi-pass secure wiping.

The consolidation of multiple destructive capabilities into a modular backdoor reflects a notable shift in wiper malware, which are typically designed purely to destroy rather than to extort and carry real-world consequences. GigaWiper exemplifies threat actors investing in operational efficiency, merging standalone tools into unified platforms that reduce their deployment footprint while expanding their destructive capabilities.

In this blog, we provide a code-level analysis of GigaWiper’s architecture. We’re sharing these findings, along with Microsoft Defender detections and mitigation recommendations, to enable organizations and the security community to investigate and defend against GigaWiper and similar destructive threats.

A wiper inside a backdoor

Beginning in October 2025, Microsoft Threat Intelligence started observing compromised environments being wiped with destructive tooling. Looking closely at the intrusions, we observed two types of GigaWiper samples:

  • Standalone wiper binaries
  • Larger binaries with robust backdoor functionality

Both sample types are unstripped portable executable (PE) files written in Golang. Comparing the two samples showed that the standalone wiper’s code is fully embedded inside the backdoor as one of the commands.

The standalone wiper binary

The standalone wiper is an unstripped PE written in Golang. Instead of deleting individual files, it wipes at the physical disk level. It identifies physical drives, determines which drive contains the Windows installation, removes partition references from other drives, overwrites raw disk content, and then reboots the system.

The wiper starts by enumerating physical disks through Windows Management Instrumentation (WMI) using the following query, giving it the device identifiers and disk metadata it needs before deciding how to handle each drive:

Code snippet showing a Golang function using Windows Management Instrumentation (WMI) to enumerate physical disk drives for GigaWiper destructive activity.
Figure 1. Query for enumerating physical disks through WMI

The malware then calls main.FindWindowsDrive to determine which physical disk contains the Windows installation (for example, \\.\PHYSICALDRIVE0). With that drive identified, it iterates the remaining disk list and calls main.unallocateDrive on each non-Windows drive to remove their partition references. This is achieved with DeviceIoControl and IOCTL_DISK_CREATE_DISK, which reinitializes the disk’s partitioning metadata and effectively wipes the existing partition table entries. If successful, the malware prints to the console “Partitions removed successfully.”

Next, it proceeds to wipe each drive. It calls main.writeRandToDrive to overwrite each drive in chunks of size 0xA00000. The first byte of each buffer is randomized with crypto/rand.Read, while the rest is filled with zeros. If random generation fails, it uses the byte value “1” instead. This pattern might be intended to avoid detections or mitigations that look for conspicuous full-disk zeroing behavior.

After it finishes wiping the drives, the malware forces an immediate reboot by invoking Windows shutdown functionality with restart and zero-delay options.

The wiper binary as a backdoor command

Next, we analyzed the larger backdoor. The same wiper functionality is also present as one component of the backdoor. The code flow and function names in the larger backdoor are identical to those of the standalone wiper, with the wiper’s main.main routine implemented in the backdoor as the rabbit_tools_tool_wipe_main.WipeMain function.

Side-by-side comparison of function lists for standalone wiper and backdoor wiper modules, highlighting identical routines for disk wiping and drive management.
Figure 2. Left: Standalone wiper functions. Right: The same wiper functions replicated in the backdoor

Backdoor capabilities

With the wiper routine overlap established, this section focuses on the backdoor’s additional capabilities. Beyond destructive functionality, the backdoor sets persistence and implements C2 communication over RabbitMQ and Redis. In analyzing these backdoor capabilities, we discovered that some backdoor commands contain code from additional malware families.

Persistence

The backdoor creates and uses the registry key HKCU\SOFTWARE\OneDrive\Environment to track its execution count. If the key is absent on the system, the malware determines that it’s running on the system for the first time and proceeds to create the key, setting it to “0”. It then creates a new scheduled task named OneDrive Update by running the following command before printing “Task created. Original process exiting.” and exiting the process. The scheduled task is configured to essentially run every minute in addition to running once on system startup.

Code snippet showing the creation of a scheduled task for persistence, including PowerShell commands to execute a hidden task, set triggers, and configure settings for frequent execution.
Figure 3. Command that creates scheduled task for persistence

In subsequent executions, when the registry key exists and is greater than “0”, the malware increments it,  determines that it is running as a scheduled task (prints “Running from Task Scheduler…”), and continues execution normally.

Communication

GigaWiper uses two modes of communication:

  • RabbitMQ over AMQP for receiving commands from the C2 server
  • Redis server for updating command status and output

The malware decrypts a hard-coded configuration using AES with a hard-coded key. For example, one observed sample uses 185.182.193[.]21:5544 as a RabbitMQ C2 server, and 185.182.193[.]21:7542 for a Redis server, where it uploads results. The configuration also specifies the credentials to use to connect to the RabbitMQ and Redis servers.

To receive commands from the RabbitMQ C2 server, the malware declares a queue and binds it to a fanout exchange named “All”. Because “All” is a fanout exchange, any command published to it is broadcast to every bound queue across infected clients. To enable targeted commands, the malware also declares a topic exchange named “Topic”.  The backdoor binds the queue to “Topic” when the actor issues command 8 (See Commands section) and provides a routing key.

Each command sent by the C2 server is a cmd.Task structure with the following fields:

  • task_id
  • command_code
  • args

To update the Redis server with command status and output, the malware sends it a cmd.Result struct with the following fields:

  • error
  • target_ip
  • task_id
  • target_computer_name
  • output
  • pwd
  • time
  • status
  • work_status

Commands

GigaWiper logs several types of commands using specific categories:

  • “always run command” – Commands that are meant to run continuously (like screen recording)
  • “manage command” – Commands used to manage things on the system like services or the Registry
  • “special command” / “shell command” – Modes of command 7

Each command is represented by a numeric command code from 1 to 20:


Command 1: Calls WipeMain, which is identical to the standalone wiper described in the last section


Command 2: Triggers a Blue screen error (BSOD) and prevents the device from booting

This is achieved by running a sequence of hard-coded destructive commands that disable Windows recovery, take ownership, and grant permissions to critical boot and kernel files before deleting them.

Code sample showing GigaWiper malware’s function for executing registry and boot configuration commands, including registry key modifications and deletion of Windows boot files for persistence and destructive actions.
Figure 4. Series of commands that lead to BSOD

Command 3: Calls RanMain and BigBangExtortMain to trigger a file encryption process that imitates ransomware

The key and initialization vector (IV) that the malware uses to encrypt files are random and are not saved anywhere. The malware reads and encrypts each file, excluding files with extensions like .exe and .dll that are critical for the system to load. Each file is read and AES-CBC encrypted in chunks before being deleted with os.Remove. The file is renamed with the .candy extension.

It drops the following hard-coded image to ./image_danger.jpg and sets it as the wallpaper:

Image showing a hooded figure at a keyboard surrounded by red warning symbols, skulls, biohazard icons, and the words "HIGH-ALERT," representing a ransomware attack and system compromise.
Figure 5. Image dropped by backdoor and set as the wallpaper

Command 4: Uses MinIO Client (mc) to upload a file to a remote storage

The path to the MinIO client to use is supplied in the command arguments alongside additional settings:

  • IPandPort
  • AliasName
  • Username
  • Password
  • BucketName
  • SourcePath
  • MCPath – The path to MinIO Client (mc.exe) to use

Command 5: File encryption utility

This command bulk encrypts or decrypts files with AES-256 in Cipher Block Chaining (CBC) mode. The following are the command arguments:

  • key
  • iv
  • path – The path to encrypt/decrypt (either a directory or a file)
  • key_file
  • enc – A mode that specifies whether to perform encryption or decryption

The server can specify a key and IV in the arguments. If in encryption mode but no key or IV were provided, the malware generates a random key and IV and stores them in key.txt.

If in decryption mode, the malware first tries to read the key and IV from the provided key file. If it was not provided, the malware attempts to use the key and IV sent as arguments.

Interestingly, the error message shows a glimpse of what running this command might look like from the actor side:

Key/IV required. Use -k/-i or –keyfile


Command 6: Runs the PE from the map RTYPE_map_string_cmd_appInfoStc[“6”]

We have not seen this structure populated in the binary. The logging message “Exec cmd wipe-file” suggests that this is meant to contain wiper functionality.


Command 7: This command has two types:

Type: shell command – Command for running PowerShell commands. The malware appends ;”|?????|$pwd” to the command. This causes the output of each command to include |?????|, followed by the current working directory. Then, the malware calls os.Chdir to change the working directory to the path output by $pwd, so the next command runs in that same folder.

Type: special command – When command 7 is run with one of the following arguments, it is considered a “special command” and handled as follows:

  • purge_cmd_queue: Empties the queue of shell commands, then stops the process run by command 7 “shell command” if it exists
  • purge_queue: Empties the queue of normal commands, then stops the process run by commands 6 or 13 if it exists (those are two of the “always run” commands)
  • pwd: Sets a global flag to indicate the working status, which is sent to the server in shell command 7, and then proceeds to run pwd using shell command 7.

Command 8: RabbitMQ route manager; allows binding the queue to the “Topic” exchange to receive targeted, non-broadcast commands (Type: manage command)

This command receives a mode of operation (1/2/3), followed by a list of routing keys as arguments:

  • Mode 1 – Binds each provided routing key
  • Mode 2 – Unbinds each provided routing key
  • Mode 3 – Pairs update mode: for each old,new pair, unbinds the old key then binds the new one

Command 9: Takes one screenshot per active monitor/display

The malware saves each screenshot to a PNG file in .\<timestamp\<monitor_index>.png (for example .\2026-06-10_12-30-00\0.png).


Command 10: Records the screen when the user is not idle (10s) and the system is unlocked(Type: always run command)

Recordings are saved in the folder C:\ProgramData\output.


Command 11: Runs the PE from the map RTYPE_map_string_cmd_appInfoStc[“11”] (Type: always run) command

We have not seen this structure populated in the binary. The logging message “Exec cmd keylog” suggests that this is meant to be a keylogger functionality.


Command 12: Calls WipeCMain to wipe the system

This command is like command 1 (WipeMain), but with a few important differences:

  • It only wipes the drive with the Windows installation. Usually it is the C drive, hence the name WipeCMain.
  • It performs secure wiping: It wipes the drive with multiple passes, each time overwriting it with different bytes (0s, 0xFF, random bytes…), and prints status messages between passes:
    • Pass 1 Time took: %s\n
    • Pass 2 Time took: %s\n
    • Pass 3 Time took: %s\n

Command 13: Runs the PE from the map RTYPE_map_string_cmd_appInfoStc[“13”]

The logging message “Exec cmd wipe32” suggests that this is meant to be another wiper binary. It is run as admin using the command:

PowerShell command example using Start-Process with runAs verb to launch an executable with elevated privileges.

Command 14: (not implemented)


Command 15: Collects system info by calling the function GRATClientInfo (Type: manage command)

The command arguments control the amount of info collected:

  • long
  • short

Collected system info includes:

  • IP address
  • Machine GUID
  • CPU information
  • OS information
  • Network configuration
  • Firmware
  • User information
  • Antivirus software information, collected by running the following command:
PowerShell command used to collect installed antivirus product names and output them as JSON.

Command 16: Process manager (Type: manage command)

Arguments specify the process and operation to perform:

  • process_name
  • process_path
  • process_id
  • process_operation – Performs one of the operations below:
    • createProcess
    • resumeProcess
    • suspendProcess
    • exit (does nothing, returns empty response)
    • list
    • killProcess
    • processInfo – Returns the info below:
      • process_name
      • process_user_name
      • process_id
      • process_thread_count
      • process_memory_info
      • process_exe_path
      • process_status
      • process_error

Command 17: Service manager (Type: manage command)

This command is similar to the other manage commands, but for services. It has the following arguments:

  • service_name
  • service_display_name
  • service_exe_path
  • service_operation
    • create
    • delete
    • restart
    • query
    • start
    • list
    • stop

Command 18: Registry manager (Type: manage command)

On first execution, the malware runs rabbit_bin.RunOnceRegistryMain.gowrap1 in the background as a goroutine. On subsequent executions, the routine receives and returns input and output through Go channels. From there, it operates almost like an interactive session, persisting its position in the Registry between requests, and allowing the following operations (arguments):

  • registry_root_key
  • registry_key_path
  • registry_key_name
  • registry_value_entities
  • registry_operation
    • show – Enumerates current key, subkeys, and values
    • navigate – Change current position to a new key and send its contents
    • back – Go up one level from current key
    • exit – Exits the current session
    • createKey
    • deleteKey
    • deleteValue
    • setValue

Command 19: Clears Windows event logs

First, the malware ensures that it’s running with Administrator privileges. Next, it deletes the System, Setup, Application, and ForwardedEvents event logs by running the following command for each:

Command line example showing use of wevutil.exe to clear a specified Windows event log.

Then, for unknown reasons, it prints the hard-coded string “kharbvnmhkjbkjb”.

Finally, it attempts to delete the Security event logs using wevutil.exe. If it fails, it prints the message “Failed to clear Security with wevtutil. Attempting manual removal…” and attempts to directly delete the log file C:\Windows\System32\winevt\Logs\Security.evtx.


Command 20: Starts a server so the attackers can remotely control the system in a VNC-like manner; allows keyboard and mouse control and streams the screen to the attackers (Type: always run command)

This occurs over TCP with the port provided as a command argument. The malware first deletes the existing firewall rule if it exists. The rule name impersonates legitimate Windows firewall rule names:

A code snippet referencing Microsoft.Windows.CloudExperienceHost and a resource path for appDescription.

Finally, the malware creates rules with that name to allow inbound and outbound traffic to its own program over a port provided in the command arguments. The following command is run once with Inbound then with Outbound:

PowerShell command creating a masqueraded Windows firewall rule named after Windows Cloud Experience Host to allow inbound traffic for a specified program and port.

How GigaWiper was assembled

The standalone wiper, implemented as command 1, is only one part of the interesting anatomy of GigaWiper.

The backdoor contains code for two additional wiping commands: command 3, implemented as rabbit_tools_tool_ran_main_cmd_extort.RanMain, and command 12, implemented as rabbit_tools_tool_wipec_main.WipeCMain. Further analysis showed that, like the standalone wiper, these originated from two separate, older malware families previously used by the same threat actor.

In other words, the GigaWiper backdoor is an amalgamation of at least three standalone malware families, stitched together as commands within a single implant, and combined with new backdoor functionality.

RanMain and BigBangExtortMain

As mentioned, command 3 is handled by rabbit_tools_tool_ran_main_cmd_extort.RanMain, which calls rabbit_tools_tool_ran_main_bin.BigBangExtortMain to encrypt the files on the victim system and rename them with the .candy extension. This is a wiper disguised as ransomware. The key and IV are randomly generated but not saved anywhere, and no ransom note is dropped. As a result, the actor has neither the ability nor, apparently, the intent to ever decrypt the files.

The function BigBangExtortMain is notable. A function with the same name was used in the Crucio ransomware, which was documented in a Cybersecurity and Infrastructure Security Agency (CISA) advisory published in December 2023. GigaWiper backdoor command 3 is heavily based on Crucio’s code, leading to the assessment that the same threat actor developed both malware families.

File directory structure showing functions and modules from bigbang and tool_ran_main malware families, including BigBangExtortMain and RanMain components used in GigaWiper.
Figure 6. Left: Crucio functions. Right: GigaWiper’s ran_main functions.

WipeCMain

Command 12 represents the third wiper family that was incorporated into the GigaWiper backdoor. This command is handled by rabbit_tools_tool_wipec_main.WipeCMain. It is very similar to command 1, WipeMain, except that it wipes only the Windows installation drive, and performs more secure wiping with multiple passes.

Our research revealed that WipeCMain is essentially identical to the standalone wiper that Microsoft tracks as FlockWiper. While FlockWiper was written in C, its logic appears to have been reimplemented in Golang within GigaWiper. In essence, the two variants follow the same core execution flow, and many of the strings are identical, though the GigaWiper implementation appears to be a more updated version. FlockWiper was first uploaded to VirusTotal in June 2025, months before GigaWiper was first observed in the wild.

Another notable detail is that the observed FlockWiper samples contain program database (PDB) paths referencing “GRAT”:

  • A:\GRAT\CWipeNew\Release\CWipeNew.pdb
  • E:\files\new\GRAT\CWipe\Release\CWipe.pdb

The name “GRAT” is also prevalent in several function names within the GigaWiper backdoor. Although the FlockWiper binaries do not include “GRAT” functionality, the PDB paths provide another link between the two malware families.

File directory tree showing multiple function names and binaries with the “GRAT” string highlighted, indicating its prevalence in GigaWiper and FlockWiper tool implementations.
Figure 7. References to “GRAT” in function names

Conclusion: Multiple destructive capabilities consolidated into a single implant

GigaWiper is a backdoor with extensive operational capabilities that allow a threat actor to maintain control over infected systems, execute commands, deploy additional tooling, and ultimately trigger one of multiple destructive commands on demand. It allows the threat actor to operate with flexibility, enabling both quiet espionage activity and destructive wiping operations.

Our research reveals that GigaWiper was created by combining and reimplementing components from at least three previously separate malware families. This includes the wiping functionality, and the file-encrypting ransomware that leaves no way to decrypt the files.

We tied GigaWiper to both Crucio and FlockWiper based on code analysis, shared execution flow, function naming, and unique strings. Crucio’s code was the base for GigaWiper command 3, and FlockWiper was recoded in Golang and updated for GigaWiper command 12. In addition, the references of “GRAT” in both the FlockWiper PDB paths and GigaWiper function names provide an additional link between these tools, and suggests the possible existence of another related component or framework that has not yet been recovered.

Overall, these findings show the evolution of the actor’s tooling over time. Functionality was merged into a single robust backdoor, granting the actor more ways to control and destroy infected systems.

Defending against destructive threats

To harden networks against GigaWiper, defenders can implement the following mitigation steps:

  • Turn on cloud-delivered protection in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown threats.
  • Run endpoint detection and response (EDR) in block mode so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.
  • Allow investigation and remediation in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume.
  • Microsoft Defender XDR customers can also implement the following attack surface reduction rules to harden an environment against techniques used by threat actors:

Microsoft Defender detections

Microsoft Defender customers can refer to the list of applicable detections below. Microsoft Defender coordinates detection, prevention, investigation, and response across endpoints, identities, email, apps to provide integrated protection against attacks like the threat discussed in this blog.

Tactic Observed activity Microsoft Defender coverage 
ExecutionExecution of malware componentsMicrosoft Defender Antivirus
– Giga
– Wiper
– FlockWiper
– CutBrooch

Microsoft Defender for Endpoint
– ‘WprFlock’ malware was detected
– ‘WprCree’ malware was detected
– ‘FlockWiper’ malware was detected
– ‘GigaWiper’ malware was detected
– Possible ransomware activity
– Ransomware behavior detected in the file system

Microsoft Security Copilot

Microsoft Security Copilot is embedded in Microsoft Defender and provides security teams with AI-powered capabilities to summarize incidents, analyze files and scripts, summarize identities, use guided responses, and generate device summaries, hunting queries, and incident reports.

Customers can also deploy AI agents, including the following Microsoft Security Copilot agents, to perform security tasks efficiently:

Security Copilot is also available as a standalone experience where customers can perform specific security-related tasks, such as incident investigation, user analysis, and vulnerability impact assessment. In addition, Security Copilot offers developer scenarios that allow customers to build, test, publish, and integrate AI agents and plugins to meet unique security needs.

Threat intelligence reports

Microsoft Defender XDR customers can use the following threat analytics reports in the Defender portal (requires license for at least one Defender XDR product) to get the most up-to-date information about the threat actor, malicious activity, and techniques discussed in this blog. These reports provide the intelligence, protection information, and recommended actions to prevent, mitigate, or respond to associated threats found in customer environments.

  • Tool profile: GigaWiper

Microsoft Security Copilot customers can also use the Microsoft Security Copilot integration in Microsoft Defender Threat Intelligence, either in the Security Copilot standalone portal or in the embedded experience in the Microsoft Defender portal to get more information about this threat actor.

Indicators of compromise

IndicatorTypeDescription
633d4cbd496b1094495da89a64f5e6c31a0f6d4d1488411db5b0cba1cfe42001SHA-256GigaWiper backdoor
ce9ad5f6c12019f4aae5b189bd8ddf5bb09e75b06a0a587b25a855c65948c913SHA-256GigaWiper backdoor
f622ed85ef31ad4ab973f4e74524866fe1bb44f0965ad2b2ad796cd657a05bfdSHA-256GigaWiper backdoor
9706a192e2c1a1faaf0a521daf31c2af60ff4590e3f47bbb4abc227f42af0683SHA-256GigaWiper backdoor
3c30deb6556a94cfb84ae51798f4aecfae8c7358e55fdb321c5f2376579631cdSHA-256GigaWiper standalone wiper
440b5385d3838e3f6bc21220caa83b65cd5f3618daea676f271c3671650ce9a3SHA-256Crucio
12c39f052f030a77c0cd531df86ad3477f46d1287b8b98b625d1dcf89385d721SHA-256FlockWiper
db41e0da7ab3305be8d9720769c6950b4dc1c1984ef857d3310eb873a0fc7674SHA-256FlockWiper
185.182.193[.]21IP addressGigaWiper C2
212.8.248[.]104IP addressGigaWiper C2

Learn more

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog.

To get notified about new publications and to join discussions on social media, follow us on LinkedIn, X (formerly Twitter), and Bluesky.

To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast.

The post GigaWiper: Anatomy of a destructive backdoor assembled from multiple malware appeared first on Microsoft Security Blog.



from Microsoft Security Blog https://ift.tt/TmnfO1d
via IFTTT