Posts on Security, Cloud, DevOps, Citrix, VMware and others.
Words and views are my own and do not reflect on my companies views.
Disclaimer: some of the links on this site are affiliate links, if you click on them and make a purchase, I make a commission.
The Good | Authorities Apprehend Pro-Russian Hacktivist & Dismantle Global Fraud Networks
Spanish authorities, acting on intelligence provided by the FBI, have apprehended a suspected core member of the pro-Russian hacktivist syndicates CyberArmy of Russia Reborn (CARR) and Z-Pentest.
While masquerading as ideologically motivated collectives, these groups have actively executed disruptive cyberattacks against critical infrastructure, including food processing and water facilities across the United States and Europe. Investigators allege the arrested individual, residing in Palencia, provided extensive operational and logistical support to a Ukrainian hacker working for CARR, even attempting to facilitate their escape to Russia.
The individual is also suspected of coordinating cyber operations for the NoName057(16) group using encrypted messaging platforms. In a March 2026 raid, law enforcement officers seized multiple computers and successfully froze cryptocurrency wallets utilized to launder illicit proceeds generated from stolen data sales. The suspect currently faces ongoing criminal investigations for alleged collaboration with a recognized terrorist organization and severe computer damage.
In a massive global crackdown on social engineering and financial fraud, international law enforcement agencies havearrested5,811 suspects and seized approximately $293 million in illicit assets. Codenamed “Operation First Light 2026”, the coordinated initiative spanned 97 countries and specifically targeted business email compromise (BEC), investment scams, and money laundering syndicates operating between January and April. Interpol actively coordinated the extensive joint action, collaborating directly with regional policing bodies like ASEANAPOL, GCCPOL, and Europol to swiftly block over 31,000 fraudulent bank accounts and virtual wallets.
Eswatini police seized electronic devices, foreign currency, and realistic replicas of Brazilian police uniforms, signage, and equipment (Source: Interpol)
Investigators identified more than 142,000 victims worldwide and pinpointed an additional 15,600 suspects for future prosecution. This success builds upon recent international efforts, including Operation Synergia II, to dismantle the sprawling infrastructure supporting transnational cybercrime. Officials emphasize that robust, cross-border law enforcement cooperation remains essential to combat the escalating threat of organized cyber-enabled financial crimes globally.
The Bad | Threat Actors Deploy Forg365 PhaaS to Hijack Microsoft Accounts
Cyber researchers have identified a new phishing-as-a-service (PhaaS) operation dubbed Forg365, which targets Microsoft 365 enterprise accounts. Blending adversary-in-the-middle (AiTM) techniques with device-code phishing, the platform provides an integrated dashboard to manage post-compromise activities.
Forg365 works by incorporating AI to assist in generating customized phishing lures. By integrating AI directly into the control panel, Forg365 developers significantly lowered the financial cost needed to launch targeted campaigns. To remain undetected, its operators route messages through legitimate Amazon SES infrastructure while hosting their landing pages on Cloudflare.
The Forg365 panel (Source: ZeroBec)
The operation leverages the OAuth 2.0 device code authentication flow, originally designed for input-constrained devices. Attackers present victims with a deceptive verification page, tricking them into authorizing an attacker-controlled gadget rather than stealing their password directly.
Once initial access is achieved, the platform ensures persistence through a specialized browser extension called ForgCookie. Compatible with Microsoft Edge, Google Chrome, and Brave, this extension operates silently to request account data, clear session cookies, and trigger a hidden OAuth flow to capture fresh tokens. Doing so grants attackers continuous access to the victim’s Microsoft services without requiring them to ever re-authenticate.
To protect its administration panel from being accessed by security defenders, Forg365 integrates robust anti-analysis features. The platform utilizes debugger traps, polymorphic code, and dynamic sandbox checks to evade detection, redirecting connections to innocuous websites whenever a VPN is detected.
Administrators can defend against these hijacking techniques by monitoring Microsoft Entra logs for unexpected device-code authentication events. Organizations can also restrict or entirely disable device-code flows unless absolutely necessary. In the event of a suspected compromise, security teams should revoke all OAuth grants and refresh session tokens to sever access.
The Ugly | Rival Espionage Actors Breach & Spy On Pakistani Law Enforcement Networks
Between February 2024 and April 2026, suspected state-sponsored threat actors based in China and India separately converged on several Pakistani law enforcement organizations in unrelated cyberespionage campaigns.
According to SentinelLABS, operators heavily targeted the Balochistan Police, compromising critical network appliances and web servers. By infiltrating these critical systems, both nations actively sought independent visibility into Pakistan’s internal security posture and ongoing counter-militancy operations.
The China-nexus intrusions, leveraging PlugX, ShadowPad, and Cobalt Strike malware, were likely driven by Beijing’s concerns over the safety of Chinese nationals working on regional infrastructure projects within the China-Pakistan Economic Corridor (CPEC). Ongoing terrorist attacks have left the Chinese government dissatisfied with Pakistani protection and data from Balochistan Police would give the PRC direct insights.
Conversely, the India-nexus activity utilized Remcos backdoors to gather intelligence on the restive Balochistan province, a recurring flashpoint in the adversarial relationship between the two countries. Control over Balochistan Police networks means having invaluable visibility on how Pakistan manages their security posture as well as persistent access to civilian data.
Timeline of C2 traffic to Pakistani law enforcement organizations (Source: SentinelLABS)
One China-aligned threat actor specifically compromised the Balochistan Police Force’s Complaint Management System (CMS), a web application that actively serves both law enforcement personnel and Pakistani civilian users. The attackers uploaded custom malware implants disguised as routine portal updates, effectively weaponizing the digitalization of public policing services.
One payload masqueraded as a legitimate component of endpoint security software to evade initial detection and deploy an AsyncRAT client in order to establish persistent footholds into internal police networks while simultaneously surveilling citizens utilizing the platform.
This multi-actor convergence highlights how modernized policing infrastructure can serve as a high-value intelligence target for rival nations seeking comprehensive regional data.
Security is never finished. That conviction is where the Secure Future Initiative (SFI) started two years ago and continues to guide us today. AI is reshaping cybersecurity. Cyberattackers can discover vulnerabilities, chain attack paths, and scale exploitation faster than manual approaches allow. Defenders can use the same advances to identify risk, strengthen protections, and accelerate response. As the threat landscape evolves, security must evolve with it.
This latest SFI progress report shows how Microsoft is adapting to that reality: strengthening security foundations for an AI-accelerated cyberthreat landscape, applying AI to improve security outcomes at scale, and preparing for future challenges such as scalable quantum computing.
This report organizes our progress into three outcome-driven themes—secure foundations, proactive defense, and future-ready security—and shares lessons learned, practical guidance, and deeper insights across the culture, governance, principles, and engineering pillars that underpin security at Microsoft.
Secure foundations
The most consequential security failures rarely come from a single missing control. They come from environments where identity gaps, unmanaged assets, and inconsistent configurations sit side by side, creating composite attack paths that determined threat actors can chain together. SFI addresses this systemically, strengthening security across our environment. The results show the progress:
More than 732,000 resources have had public access revoked, with network isolation scaling across 1 million resources.
1.4 million unused apps were decommissioned and cross-boundary credential isolation reached 98.7%.
Engineering defaults now prevent 83% of pipelines from accessing unapproved package endpoints.
These controls form reinforcing layers: identity feeds access governance, access governance feeds segmentation, segmentation contains blast radius, and engineering defaults reduce what enters production in the first place. One of the lessons we have learned is that foundations are durable only when they’re continuously validated, not periodically audited.
Proactive defense
Secure foundations reduce the attack surface. Proactive defense builds on that foundation to find and fix weaknesses quickly. Traditional practices like code review and penetration testing remain essential. The difference now is that frontier AI can discover vulnerabilities and chain exploit paths faster than manual review can keep up. That’s a threat and, when used well, an advantage. We’ve leaned into that advantage to find real risk earlier and close it before a cyberattacker can act.
We built a multi-agent AI system that delivers proactive assessment of a cloud service’s source code, identity configurations, network topology, and runtime state to surface composite vulnerabilities that a single-layer review could not catch. More than 90% of findings confirmed by our security engineers, enabling proactive actions to improve security posture.
This system builds on other tools in our security portfolio—such as the Microsoft Security multi-model agentic scanning system (codename MDASH), which scans source code to identify, validate, and prioritize vulnerabilities at scale—and adds configuration, identity, network, and runtime context to comprehensively assess the service.
More than 100 new detections were added this year (more than 350 total), shifting from signature-based to behavior- and baseline-driven detection.
More than 550,000 critical and high-risk open-source vulnerabilities were remediated, with about 3 million container vulnerabilities patched per month through automation.
Future-ready security
Some risks have not fully arrived yet, but waiting for them is not an option. The most urgent example is the transition to post-quantum cryptography. The threat is already here in the form of “harvest now, decrypt later”: data encrypted today could be captured and decrypted once quantum capability matures.
We are accelerating the Microsoft Quantum Safe Program (QSP) timeline, with the goal of transitioning to post-quantum cryptography (PQC) in critical products and services by 2029.
PQC is now an SFI-measured engineering requirement, with workstreams advancing across network traffic, data-at-rest protection, and trust chain modernization.
Quantum-safe algorithms (ML-KEM, ML-DSA) are available today across major platforms.
Foundational progress like this is only possible because of the people committed to making it possible. Security is a core responsibility for every employee at Microsoft: mandatory Trust Code training was completed by more than 99% of full-time employees. Governance is what makes it scale, with accountability driven through our Deputy Chief Information Security Officer (CISO) structure and a centralized risk register. And our principles—secure by design, secure by default, secure in operations—are what turn intent into product, like Microsoft 365 Baseline Security Mode. Tools alone don’t create durable security; culture, accountability, and secure defaults do.
What you can do today
Throughout the report, we share actionable guidance for organizations at any stage of their security journey. A few starting points:
Enforce phishing-resistant multifactor authentication and eliminate legacy authentication protocols.
Inventory every tenant and classify it. Apply secure-by-default provisioning with drift detection.
Evaluate how identity, code, configuration, and network relationships interact in production. Prioritize composite attack paths over isolated findings.
Inventory your cryptographic dependencies now and establish transition plans for post-quantum readiness.
Enable Baseline Security Mode in Microsoft 365 for secure-by-default configuration at no additional cost.
Read the full SFI report, including detailed pillar-level progress and additional customer guidance.
Each hardening action changes the cyberattacker’s approach. The compounding effect of SFI is that attackers face a shrinking set of viable paths, while defenders gain better telemetry, stronger defaults, and sharper prioritization for the paths that remain.
Security is a team sport. We are grateful for the partnership of our customers, security researchers, and the broader industry as we work together to make the world a safer place for all.
To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.
A 41-year-old former ransomware negotiator has been sentenced to nearly six years (i.e., 70 months) in prison in the U.S. for their role in conspiring with the now-defunct BlackCat ransomware operators to extort multiple victims and working with two other cybersecurity professionals to target additional victims in 2023.
In a sentencing memorandum, federal prosecutors described Martino as a "double agent working to maximize the harm to his clients and the financial gain to cybercriminals who paid him a part of the ransom."
Angelo Martino, 41, of Land O'Lakes, Florida, pleaded guilty to one-count information charging him with conspiring to interfere with interstate commerce through extortion back in April. The defendant worked as a negotiator on behalf of five different ransomware victims, while providing BlackCat attackers with confidential information regarding their negotiating position and strategy without their knowledge or permission.
This information included details about the victims' insurance policy limits and internal negotiation positions, allowing the operators to maximize the ransom amounts they were required to pay.
"Angelo Martino's victims shared heartbreaking accounts of how their businesses were nearly destroyed, while the people they hired to help them instead betrayed them to ransomware gangs," said Assistant Attorney General A. Tysen Duva of the U.S. Justice Department's Criminal Division.
In addition, Martino was also accused of colluding with Ryan Goldberg, 41, of Georgia, and Kevin Martin, 36, of Texas, to successfully deploy BlackCat ransomware between April 2023 and November 2023 against multiple victims located throughout the U.S. Martino and Martin were employed at DigitalMint, while Goldberg was working as an incident response manager for cybersecurity company Sygnia.
Both Goldberg and Martin were sentenced to four years each in prison back in May 2026 for carrying out the attacks after pleading guilty to their crimes last December.
"He was hired to help victims in a moment of crisis," said U.S. Attorney Jason A. Reding QuiƱones for the Southern District of Florida.
"Instead, Martino betrayed them, fed their confidential negotiating positions to ransomware criminals, and helped squeeze them for more money. This case sends a clear message: we will pursue the hackers who deploy ransomware, the insiders who enable them, and the money they steal from American victims."
The Justice Department said law enforcement has seized $10 million of assets from Martino to date, including digital currency, vehicles, a food truck, and a luxury fishing boat that he purchased from the illicit proceeds. Martino is expected to appear in court on September 17, 2026, to determine the exact amount of restitution to be ordered against him.
"Angelo Martino sold out the very victims he was hired to represent, handing their confidential negotiating positions to BlackCat actors to drive up ransoms and enrich himself," said Assistant Director Brett Leatherman of the FBI Cyber Division.
from The Hacker News https://ift.tt/vcQKAjN
via IFTTT
Cisco Talos’ Vulnerability Discovery & Research team recently disclosed three vulnerabilities in WolfSSF, fourteen in GeoVision, and one vulnerability in VTK-DICOM.
For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website.
WolfSSL vulnerabilities
Discovered by Ankur Tyagi of Cisco Talos.
WolfSSL aims to provide "lightweight and embedded security solutions" for both individual and business needs. WolfSSL is an open-source product to provide secure data transfer.
Talos discovered two improper input validation vulnerabilities (TALOS-2026-2409 (CVE-2026-28739) and TALOS-2026-2410 (CVE-2026-25106)) and one integer underflow vulnerability (TALOS-2026-2408 (CVE-2026-33091)) in WolfSSL.
GeoVision vulnerabilities
Discovered by Philippe Laulheret of Cisco Talos.
GeoVision specializes in security technologies, including cameras and monitoring solutions, access control, and machine-identification.
Talos released 14 advisories for GeoVision vulnerabilities, covering 37 CVEs:
TALOS-2026-2370 (CVE-2026-13125) lack of authentication vulnerability
VTK-DICOM vulnerability
Discovered by Emmanuel Tacheau of Cisco Talos.
The Virtualization Toolkit (VTK) is an open source software solution for handling scientific data, for use in tools for 3D rendering. The VTK-DICOM API is specifically to allow VTK users to parse Digital Imaging and Communications in Medicine (DICOM) medical data.
Talos found one vulnerability in VTK-DICOM, TALOS-2026-2366 (CVE-2026-22879), which is a heap-based buffer overflow vulnerability.
from Cisco Talos Blog https://ift.tt/2L9pcGk
via IFTTT
The defining risk to resilience today is not the outage. It is the ad hoc response that follows when partial failure has not been planned for.
On July 19, 2024, a single misconfigured file in a routine software update disabled 8.5 million Windows devices worldwide. Across sectors, the disruption grounded flights, diverted hospital patients, and took financial institutions offline. The fix itself took only 80 minutes. Recovery took days, because every affected device required manual remediation.
The organizations that recovered most quickly did so not because of their superior IT capability, but because a virtual workspace architecture allowed employees to continue working independent of the state of the underlying device. Organizations without that capability spent the first day simply establishing the scope of impact.
That interval, between systems being restored and the business resuming operation, is where resilience is now determined.
The cost of disruption is material
Many large enterprises surveyed reported revenue losses attributable to an outage within the past twelve months and more than half experience a disruption at least weekly. The average high impact outage now costs $1.9 million per hour, and the average data breach costs $4.88 million, with ransomware present in nearly half of all cases. These figures are unlikely to surprise senior IT leadership. What is less widely recognized is that most continuity plans were designed around total outage followed by clean restoration, a failure mode that occurs infrequently today.
Today’s disruptions are typically more limited in scope. An identity provider experiences latency, a cloud region degrades, or a SaaS platform throttles under load, often without triggering any alert, even as employees find themselves unable to work. By the time the pattern is recognized, workarounds are already underway, including shadow applications, expanded access privileges, and bypassed controls intended to preserve productivity. That ad hoc response, not the outage itself, constitutes the primary exposure.
This loss of control compounds into a secondary crisis, as access exceptions remain open and audit trails become incomplete. Regulatory bodies have responded accordingly, with DORA, the UK PRA, and FFIEC each shifting the standard of evidence from demonstrating that a plan exists to demonstrating that it withstood real disruption.
What prepared organizations do differently
They establish service tiers in advance of disruption, determining beforehand what is non-negotiable, what may degrade, and who holds decision authority, rather than negotiating these questions during the first hour of an incident, which remains standard practice elsewhere.
They map dependencies by workflow rather than by organizational structure, enabling precise understanding of the downstream effect of an identity outage or third-party API failure.
Most significantly, they design continuity protocols to tighten controls under pressure rather than relax them, even though the prevailing instinct during a crisis is to ease governance to preserve operational momentum. The organizations that perform best take the opposite approach, predetermining access restrictions and exception authority so that execution follows an established plan rather than an ad hoc response.
These organizations also rehearse their response through tabletop exercises and rollback drills conducted on a recurring basis, and those that sustain this discipline report fewer severe incidents and faster recovery as a direct result. The differentiating factor is preparation, not circumstance.
Where Citrix fits
This goes beyond a list of capabilities. It is the operational foundation that holds when other systems do not. The Citrix platform sustains employee access independent of underlying device or infrastructure failure, and reroutes workloads automatically when services degrade, eliminating reliance on manual intervention when it matters most. It also enforces access governance at the application layer rather than the network layer, ensuring that an operational incident does not become a compliance incident as well. At the same time, it reduces the time between detection and diagnosis, and replaces ad hoc recovery with a structured return to a known-good state.
The result is measurable across industries, with a European rail operator, a major U.S. hospital system, and a global accounting firm each having documented reduced downtime, fewer unresolved access exceptions, and faster recovery using this approach.
Considerations for the next disruption
Leadership should be able to answer the following questions before disruption occurs, not after. Are your Tier 0 services clearly identified, with defined limits for permissible downtime? Has your organization tested operation without its primary identity or cloud provider, using an actual runbook rather than a theoretical exercise? Organizations that can answer these with confidence are the ones that will weather the next incident, not merely survive it.
Your next disruption is already on the calendar. You just don’t know the date yet.
from Citrix Blogs https://ift.tt/alftz1W
via IFTTT
Microsoft has taken apart a destructive Windows backdoor it calls GigaWiper. What stands out is how it is built: not one tool but three older destructive programs bolted into one, offered as commands the operator can choose from.
Each is a different way to break a machine: wipe the whole disk, overwrite the Windows drive, or run fake "ransomware" that scrambles files with a key it never saves.
Because this is malware and not a single flaw, there is no patch to chase; GigaWiper is what an attacker runs after they are already inside, which makes early detection and clean, offline backups the real defense.
The same malicious files show up in a second report under another name: BLUERABBIT, a backdoor Binary Defense flagged last month.
Microsoft lists four hashes for the GigaWiper backdoor; Binary Defense lists the same four for BLUERABBIT, and both command servers match. Binary Defense, citing Google's Threat Intelligence Group, ties the malware to a likely Iran-nexus group aimed at Israeli organizations. Microsoft names no country.
Three ways to destroy a machine
GigaWiper is written in Go (also called Golang) and runs on Windows. It takes orders as numbered commands, and three of them destroy the machine, each in a different way:
A raw disk wiper that overwrites the physical drive and wipes the partition table (the map of how the disk is laid out) before rebooting. There is no file-by-file deletion to reverse; it destroys the disk contents directly.
Fake ransomware built on older code called Crucio. It encrypts files, adds a .candy extension, and changes the desktop wallpaper to an alarming warning image. There is no ransom note and no saved key, so there is nothing to pay and nothing to decrypt. This is destruction wearing a ransomware costume.
The last targets the Windows drive, overwriting it several times with different data patterns. Microsoft says it is a Go rewrite of a wiper it tracks as FlockWiper.
None of these leaves a way back: encrypted files cannot be unlocked because the key is gone, and wiped drives can only be rebuilt from clean backups. The goal is a dead machine, not a payout.
It spies, too
Destruction is only half of it. The same backdoor can quietly watch and control an infected PC. It takes screenshots of every monitor, records the screen while someone is working, and can open a hidden VNC session that streams the display and lets the attacker type and move the mouse.
It also collects system details, manages running programs and services, edits the registry, and can wipe Windows event logs to cover its tracks. Microsoft found more commands sitting dormant in the samples it examined, including stubs for a keylogger and additional wipers.
To stay out of sight, GigaWiper pretends to be OneDrive. It creates a scheduled task named OneDrive Update that runs every minute and tracks itself in a registry key under HKCU\SOFTWARE\OneDrive\Environment. When it opens its remote-control channel, it hides behind a firewall rule named after a real Windows component, Microsoft.Windows.CloudExperienceHost.
For its command traffic, it skips ordinary web requests and rides on real business services instead: RabbitMQ for tasking, Redis for results, and MinIO for exfiltration. Because those are legitimate tools rather than a custom malware channel, the traffic looks ordinary on networks that already run them.
Where GigaWiper came from
Microsoft traces GigaWiper's fake-ransomware code back to Crucio and its multi-pass wiper back to FlockWiper, and assesses that the same developer built all three. It names no country. But Crucio is not anonymous. Its code was listed as suspected ransomware in a December 2023 CISA advisory on CyberAv3ngers, a group linked to Iran's Islamic Revolutionary Guard Corps.
That is the same crew, THN reported, that broke into water and energy sites across the US, Israel, the UK, and Ireland in 2023, logging into internet-exposed industrial controllers. In one case, they took control of a booster station at a Pennsylvania water authority. The Crucio sample Microsoft cites carries the same fingerprint listed in that advisory.
Microsoft also found a recurring tag, "GRAT", in both FlockWiper's debug paths and GigaWiper's own function names, tying the two tools together and hinting at a further component that has not surfaced yet. The timing differs by source: Microsoft dates the destructive activity to October 2025, while Binary Defense first saw the same files as BLUERABBIT in March 2026.
Part of a bigger wave
Iran-linked wiper activity against Israel has drawn repeated warnings through 2025 and 2026. Palo Alto Networks' Unit 42 has tracked a parallel surge, much of it from a separate group, Handala Hack, and in March 2026 Israel's National Cyber Directorate warned of Iranian wiper attacks on local organizations.
The tactic GigaWiper uses is old: NotPetya in 2017 also posed as ransomware while quietly destroying data. The disguise buys the attacker time: a wrecked machine first looks like a ransomware case someone might recover from, not the total loss it is.
Microsoft frames GigaWiper as operators folding separate tools into one flexible platform. For defenders, the consequence is concrete: when a single implant can watch, steal, or destroy, the tool no longer reveals the goal. You used to read intent from the malware you found; here, the operator decides after they are already inside.
One platform, two vendor names, and dormant command stubs still in the code point to a tool still being built out.
What defenders should do
Spotting it fast comes down to a few specific signals:
A OneDrive Update scheduled task that repeats every minute.
RabbitMQ or Redis traffic from ordinary desktops rather than servers.
Processes using takeown and icacls to take ownership of Windows boot files like bootmgr and ntoskrnl.exe outside maintenance windows.
On the product side, Microsoft recommends turning on tamper protection so attackers cannot switch off your antivirus, blocking the two known command servers (185.182.193[.]21 and 212.8.248[.]104), running endpoint detection in block mode, and enabling cloud-delivered protection and automatic remediation. The full list of file hashes, server addresses, and detection names is in Microsoft's report.
The Hacker News has reached out to Microsoft and to Binary Defense for confirmation that GigaWiper and BLUERABBIT are the same malware, and for details on victim scope and attribution, and will update this story with any response.
from The Hacker News https://ift.tt/mhBRWKH
via IFTTT
Most security mess starts as admin work. A link gets clicked. A tool gets trusted. A bucket name gets reused. A setting stays loose because nobody wants to touch it.
This week is full of that kind of damage. Not loud. Not clever. Just small gaps doing big jobs. The worst part is how normal it all looks until the bill arrives.
A global anti-fraud operation involving 97 countries and territories has resulted in the arrest of 5,811 individuals and the interception of $293 million in illicit assets as part of an operation codenamed First Light 2026 that took place between January 15 and April 30, 2026, to tackle social engineering scams and associated money laundering activities. "Over 142,000 victims globally were identified during Operation First Light 2026, highlighting the extent to which social engineering scams and fraud have escalated into a major transnational threat, affecting individuals, businesses, and governments," INTERPOL said. More than 23,000 cases were solved, and 15,606 suspects have been identified. In Eswatini, authorities arrested 82 people and dismantled a criminal network running illegal online gambling, money laundering, and elaborate impersonation scams. The Thai police made two arrests and uncovered a money laundering scheme that converted illicit funds from romance scams into various cryptocurrencies, using cross-chain token swaps to obscure the financial trail.
A cluster of 17 malicious npm and PyPI packages have been found to typosquat Paysafe, Skrill, and Neteller SDKs to steal system information and developer secrets, and exfiltrate them to an Ngrok endpoint. The malware skips machines that have less than two CPU cores, and the hostname or username contains sandbox, analyzer, cuckoo, virus, malware, vmware, or vbox. "The threat actor targeted payment app SDKs, which might indicate a financial motive or the desire to monetize using payment app accounts," Socket said. "The threat actor used their obfuscator 'properly.' They did not re-use the same obfuscation key across versions or packages, which is intended to prevent signatures from tracking this malware by the same key. This resulted in different hashes for each file."
Cybersecurity researchers have outlined a technique called Process Parameter Poisoning (P³) that can be used to code in foreign processes without raising any security alarms. "P³-Shellcode Loader is a loader that implements a code injection technique which leverages the Process Parameters structure (Process Parameter Poisoning) as an execution and staging location for shellcode injection into remote processes, without triggering common detection mechanisms," researchers Max Hirschberger and Ogulcan Ugur said. "One major advantage of this technique is that no processes are created in a suspended state and no threads or processes are suspended during its execution."
A critical security flaw in Esri ArcGIS Server 12.0 and prior (CVE-2026-9181, CVSS score: 9.8/7.5) could be exploited to access sensitive files on the system without requiring valid credentials by sending crafted path parameters. "The vulnerability exists in the ArcGIS Server REST Uploads resource, where insufficient validation of crafted path parameters allows an unauthenticated remote attacker to traverse outside the intended directory boundary," Horizon3.ai said.
A new analysis of the Interlock (aka Hive0163) ransomware operation has identified links with TAG-124 (aka KongTuke and Landupdate808). The threat actor is known to employ a variety of mostly custom malware, including NodeSnake, Interlock RAT, JunkFiction downloader (aka Dormouse), Supper (aka SocksShell and WINDYTWIST), and JunkFiction cryptor. IBM X-Force said it has discovered strong overlaps between NodeSnake, ModeloRAT, JunkFiction downloader, Interlock RAT, and Supper malware variants, indicating a shared original codebase or possibly common developers. Rhysida, on the other hand, often uses Endico downloader, Broomstick (aka Oyster or CleanUpLoader), Supper, and Tomb cryptor (aka Textshell or pkr_mtsi). Evidence indicates a relationship with IceNova (aka Latrodectus) operators and ITG23 (aka TrickBot). Early versions of JunkFiction date back to May 2024, with the downloader being used to Supper, which then delivers CrossTec Remote Control, a legitimate remote administration tool. "The fact that both ModeloRAT and NodeSnake were deployed by TAG-124/KongTuke, possessed overlaps with other malware families belonging to the Interlock toolkit and used the same exploit during their operations, supports the theory that these activities may be linked," IBM X-Force said.
China's National Vulnerability Database (CNVDB) is urging developers to uninstall recent Claude Code versions over concerns that they can gather sensitive user data without consent. The "backdoor code" can collect details such as a user's location and identity, and forward them to remote servers. The agency said the alert only applies to Claude Code versions 2.1.91 (April 2) to 2.1.196 (June 29). "It is recommended that relevant units and users immediately conduct a comprehensive investigation," CNVDB said. "For development terminals with the above-mentioned affected versions installed, immediately uninstall or upgrade to the latest secure version with the relevant backdoor code removed; strengthen the control of external access permissions and traffic monitoring of development tools within core business network segments to prevent the unauthorized transmission of sensitive data." The disclosure comes shortly after a report that Claude contained covert code designed to prevent Chinese AI companies from extracting details about its inner workings. Anthropic subsequently said it was an experiment to protect against model distillation.
A social engineering campaign has combined email phishing with a fake IT support scam abusing Microsoft Teams calls to deliver EtherRAT. "The attack lures the victim with a fake 'Employee Survey' email and PDF, then pivots to a Microsoft Teams call from an actor impersonating a 'System Administrator,'" Palo Alto Networks Unit 42 said. "The actor abuses Teams remote control (give/request control) to control the victim's machine, then guides the victim to install different remote RMM tools to establish persistence - HopToDesk and AnyDesk. The actor uses cmd.exe > curl.exe to download a malicious MSI (v7.msi) from camorreado[.]click and execute it. The MSI is a multi-stage loader that downloads a legitimate Node.js runtime, decrypts an embedded payload through a multi-step cipher chain, and runs EtherRAT."
The notorious cybercrime group known as Scattered Spider is called by various names, including Octo Tempest, Muddled Libra, and UNC3944. Group-IB, which designated the term 0ktapus to a social engineering attack campaign targeting Twilio in August 2022, said Scattered Spider can be best described as a decentralized cybercrime collective analogous to The Com, with 0ktapus acting as a sub-cluster within the group. Scattered Spider comprises smaller clusters that are united by the use of shared tradecraft and English as a common language, but act separately. "Physical device theft activity from mobile carrier stores has been observed in at least one subcluster, for SIM swapping purposes," Group-IB said. "Subclusters target all kinds of sectors, either as end-targets for direct exploitation or as stepping stones to gather intelligence or tools for future attacks." The end goal of these attacks is cryptocurrency theft and ransomware, leading to extortion.
Taiwanese authorities have charged two local businessmen with allegedly assisting Chinese government-linked hackers carry out a sprawling espionage campaign targeting politicians, academics, journalists, and civil society groups. The suspects are believed to have run a company that collected and leased accounts for the LINE messaging app to operators linked to China's cyber forces. The accounts were then used to impersonate international journalists and build trust with targets and ultimately deliver malware designed to compromise their computers. The LINE accounts were rented by a Chinese firm named Xiamen Empress Information Technology.
An unknown threat actor is manipulating Meta's Business Account Manager to send spam emails that bypass email filters since at least November 2025 and trick victims into providing their Meta account details to the attacker on attacker-controlled web pages. The emails were sent from a Meta business account. "Starting in June, they modified their phishing lure to incorporate a chatbot, run through a fraudulent account on Facebook Messenger, and began sending credentials to a private Telegram channel," Huntress said. "The phishing campaign appears to target businesses and attempts to capture credentials, MFA codes, business and personal phone numbers, email addresses, and an image of the target's ID or passport." Meta has since taken steps to plug the attack method.
In August 2025, SafeBreach researcher Ron Ben Yizhak disclosed details of an issue (CVE-2025-49760) in Microsoft's Windows Remote Procedure Call (RPC) communication protocol that could be abused by an attacker to conduct spoofing attacks and impersonate a known server. Then, in October 2025, Microsoft addressed another vulnerability tracked as CVE-2025-59200, which has been described as a spoofing flaw in the Data Sharing Service Client. "By exploiting a vulnerability in the Data Sharing Service (DsSvc) – tracked as CVE-2025-59200 – an attacker can spoof an RPC server, then send a hotkey that bypasses User Interface Privilege Isolation (UIPI) to start a scheduled task," Ben Yizhak said. "The task sends an RPC request to the spoofed server of the attacker and the response injects an XML into a toast notification to elevate privileges from low to medium integrity."
Multiple vulnerabilities have been disclosed in RtsPer.sys, an SD card reader driver developed by Realtek. These vulnerabilities enable non-privileged users to leak the contents of the kernel pool and kernel stack, write to arbitrary kernel memory, and read and write physical memory from user mode via the DMA capability of the device, per a security researcher who goes by the name "zwclose." The issues impact many OEMs, including Dell, Lenovo, and possibly other laptops equipped with an SD card reader manufactured by Realtek. The issues have been assigned the CVEs: CVE-2022-25477, CVE-2022-25478, CVE-2022-25479, CVE-2022-25480, CVE-2024-40431, and CVE-2024-40432. The complete set of fixes was released by Realtek in August 2024.
Ransomware attacks that deploy WhiteLock involve the locker communicating with external servers during the encryption process and terminating Services related to remote access tools, such as AnyDesk and TeamViewer, to prevent victims from responding remotely. "After registering an infected device, WhiteLock checks whether AnyDesk and TeamViewer are installed on the victim's device," AhnLab said. "If these tools are present, it terminates the relevant Services in subsequent stages. This behavior is interpreted as an attempt to prevent security personnel or administrators from isolating the infected system or responding in real time through remote access tools." Another new ransomware entrant is Prinz Eugen, which was first detected in May 2026. "The encryptor is freshly built, written in Go, and more technically deliberate than many first-wave ransomware samples," Threatdown said. "It performs recursive encryption, prioritizes recently modified files, uses ChaCha20-Poly1305 with integrity checks, and leaves no ransom note on disk." The ransomware is advertised by a threat actor named ROOTBOY on underground forums, who has previously engaged in data sale and extortion activity between July and November 2025. The development comes as the Bumblebee malware loader, deployed via SEO poisoning through a trojanized installer for ManageEngine OpManager, has been leveraged by threat actors to drop AdaptixC2, which then acts as a conduit for Akira ransomware deployment.
Cybersecurity researchers have flagged a new browser-based threat dubbed GhostChrome-X that uses Google Chrome to establish and maintain access to compromised hosts. "Two aspects in particular make GhostChrome-X noteworthy. First, the malware directly targets Chrome's extension trust model by modifying protected configuration files and forging the integrity metadata required for Chrome to accept an attacker-controlled extension as a legitimate browser component," Rubrik Zero Labs said. "Second, rather than functioning solely as a data-stealing extension, GhostChrome-X integrates browser-based access with operating system-level command execution, enabling the browser to serve as a persistent platform for ongoing attacker operations." Once active, the malware establishes persistence using scheduled tasks and Registry Run keys, while communicating with an external server to collect browser cookies, browsing history, and submitted form data. It also supports remote command execution on the infected system and "monitors WebAuthn activity and enables attacker-controlled interactions with WebAuthn-enabled websites from within the victim's browser session."
A phishing and malware campaign is using Indian Income Tax Return (ITR) refund lures to deliver a multi-stage AutoIt infection chain that leads to the deployment of AsyncRAT. The campaign has targeted financial and technology organizations. "The operation is notable for the way it combines credible email delivery, compromised web infrastructure, Dropbox-hosted payloads, password-protected archives, AutoIt staging, sandbox-aware execution, persistence, process injection, and a final .NET RAT payload," ZeroBEC said. "More recent samples shifted to LX RAT, a commercially marketed remote access trojan protected by the LX Crypter / LX Protector ecosystem." Fraudulent tax assessment notifications have also been used to distribute a trojan-like payload to targeted users using DLL side-loading techniques. The rogue DLL features persistence mechanisms, system information discovery, user activity monitoring, dynamic payload execution, and encrypted command-and-control (C2) communication. "The observed capabilities -- including modular payload loading, encrypted communication, persistence mechanisms, and remote execution functionality -- indicate that the campaign is designed to establish unauthorized access to and maintain control over compromised hosts," CYFIRMA said.
Another campaign targeting India, this time using GST-themed ZIP archive lures to deliver a variant of the Remcos RAT malware family. "One notable characteristic of this infection chain was its reliance on in-memory execution techniques / fileless malware and Steganography," K7 Labs said. "By avoiding disk-based artifacts, the threat reduces forensic evidence and increases its ability to evade traditional security tools and signature-based detection methods."
An active phishing campaign is using Microsoft Teams-themed lures to distribute a legitimate remote access tool configured for unauthorized access. "Victims are directed to convincing landing pages that impersonate collaboration and productivity services, where they are prompted to download software presented as a meeting transcript viewer, recording utility, or document-related application," CYFIRMA noted. "The use of compromised business websites provides reputational legitimacy, while dedicated infrastructure enables rapid deployment and campaign scalability. The operation demonstrates active maintenance, with the majority of identified infrastructure observed within the last three to six months, indicating continued development and operational investment."
Google-owned Mandiant has revealed that "when ADFS certificates are manually rotated, configuration drift can silently leave active signing keys exposed in Machine DPAPI," adding "in environments where AutoCertificateRollover is disabled, and certificates are manually rotated, the database often becomes a 'ghost'—a record that still exists, still decrypts successfully, but references a certificate no longer used for token signing by the ADFS service." The tech giant has warned that the technique could be exploited by bad actors to forge high-privilege SAML tokens.
Amazon Web Services (AWS) has emphasized the need for a layered strategy for egress security and to prevent data exfiltration. "Without egress controls in place, that outbound traffic can flow freely, and the unauthorized access might go unnoticed until a compliance audit, customer complaint, or incident notification forces discovery," AWS said. The risk is compounded by agentic AI systems, in which an unauthorized party can manipulate an autonomous agent’s objectives to silently exfiltrate data and achieve code execution. "As organizations deploy AI agents with access to tools, APIs, and code interpreters, these agents become high-value targets, and their outbound network activity must be constrained with the same rigor as any other workload," AWS said.
Palo Alto Networks Unit 42 has identified a bucket hijacking technique that impacts major cloud service providers. It has been described as a fundamental architectural flaw. "An attacker can silently compromise an organization's active data streams by rerouting data into an external storage bucket," Unit 42 said. "Because a storage bucket name is globally unique, an attacker can simply delete the bucket and then recreate it under the attacker's own account using the same name. This, therefore, creates a global namespace risk. This bucket hijacking reroutes critical logs and sensitive data directly to the attacker's environment." A similar attack method, dubbed Bucket Monopoly, was detailed by Aqua Security in 2024. There is no evidence that the attack technique has been abused in the wild. In recent weeks, Unit 42 has also warned that: (1) insecure default configurations and overly permissive enrollment rights in Active Directory Certificate Services (AD CS) can be exploited for privilege escalation, unauthorized identity impersonation, and persistence; (2) Kubernetes identities can be abused in combination with exposed attack surfaces to escalate privileges from initial access to sensitive backend cloud infrastructure; (3) multi-agent AI systems can introduce new pathways for exploitation through inter-agent communication and orchestration via prompt injection due to a model's inability to reliably differentiate between developer-defined instructions and adversarial user input, and a lack of agent capability scoping and tool input sanitization; (4) Amazon Bedrock AgentCore's Code Interpreter sandbox network isolation mode can be bypassed to allow sending and receiving of data from external endpoints via DNS tunneling by taking advantage of a lack of session token enforcement; and (5) AgentCore starter toolkit's auto-create logic generates identity and access management (IAM) roles that grant privileges broadly across the AWS account, rather than being scoped to individual resources, effectively introducing what's called an Agent God Mode that makes it possible to escalate privileges and compromise every other AgentCore agent within the AWS account.
The useful lesson this week is not “watch for weird behavior.” Weird is late. By then the fake support call has a session, the package has run, the bucket is gone, and the quiet process already has somewhere to send data.
Watch the normal paths instead. Names that look almost right. Tools asking for slightly too much. Services that still trust old state. Traffic that should have had nowhere to go. Most of the damage here did not need magic. It needed permission, habit, and nobody looking closely enough.
from The Hacker News https://ift.tt/8P7fobd
via IFTTT
In October 2025, Microsoft Threat Intelligence identified destructive wiping activity and uncovered a sophisticated Go programming language (Golang)-based backdoor we now track as GigaWiper, a versatile implant that combines robust command-and-control (C2) capabilities with multiple destructive payloads, including disk wiping, fake ransomware, and system-level sabotage.
GigaWiper is particularly notable for its makeup. It’s not a single, purpose-built tool, but an amalgamation of separate malware families that were folded into GigaWiper as on-demand backdoor commands, giving threat actors the flexibility to choose their mode of destruction:
A standalone wiper that operates at the physical disk level, overwriting raw disk content and removing partition metadata.
A destructive command that derives from Crucio ransomware and encrypts files with randomly generated keys that are never saved, making decryption impossible.
A wiping command that reimplements the logic of FlockWiper, a C-based malware reimplemented in Golang with additional multi-pass secure wiping.
The consolidation of multiple destructive capabilities into a modular backdoor reflects a notable shift in wiper malware, which are typically designed purely to destroy rather than to extort and carry real-world consequences. GigaWiper exemplifies threat actors investing in operational efficiency, merging standalone tools into unified platforms that reduce their deployment footprint while expanding their destructive capabilities.
In this blog, we provide a code-level analysis of GigaWiper’s architecture. We’re sharing these findings, along with Microsoft Defender detections and mitigation recommendations, to enable organizations and the security community to investigate and defend against GigaWiper and similar destructive threats.
A wiper inside a backdoor
Beginning in October 2025, Microsoft Threat Intelligence started observing compromised environments being wiped with destructive tooling. Looking closely at the intrusions, we observed two types of GigaWiper samples:
Standalone wiper binaries
Larger binaries with robust backdoor functionality
Both sample types are unstripped portable executable (PE) files written in Golang. Comparing the two samples showed that the standalone wiper’s code is fully embedded inside the backdoor as one of the commands.
The standalone wiper binary
The standalone wiper is an unstripped PE written in Golang. Instead of deleting individual files, it wipes at the physical disk level. It identifies physical drives, determines which drive contains the Windows installation, removes partition references from other drives, overwrites raw disk content, and then reboots the system.
The wiper starts by enumerating physical disks through Windows Management Instrumentation (WMI) using the following query, giving it the device identifiers and disk metadata it needs before deciding how to handle each drive:
Figure 1. Query for enumerating physical disks through WMI
The malware then calls main.FindWindowsDrive to determine which physical disk contains the Windows installation (for example, \\.\PHYSICALDRIVE0). With that drive identified, it iterates the remaining disk list and calls main.unallocateDrive on each non-Windows drive to remove their partition references. This is achieved with DeviceIoControl and IOCTL_DISK_CREATE_DISK, which reinitializes the disk’s partitioning metadata and effectively wipes the existing partition table entries. If successful, the malware prints to the console “Partitions removed successfully.”
Next, it proceeds to wipe each drive. It calls main.writeRandToDrive to overwrite each drive in chunks of size 0xA00000. The first byte of each buffer is randomized with crypto/rand.Read, while the rest is filled with zeros. If random generation fails, it uses the byte value “1” instead. This pattern might be intended to avoid detections or mitigations that look for conspicuous full-disk zeroing behavior.
After it finishes wiping the drives, the malware forces an immediate reboot by invoking Windows shutdown functionality with restart and zero-delay options.
The wiper binary as a backdoor command
Next, we analyzed the larger backdoor. The same wiper functionality is also present as one component of the backdoor. The code flow and function names in the larger backdoor are identical to those of the standalone wiper, with the wiper’s main.main routine implemented in the backdoor as the rabbit_tools_tool_wipe_main.WipeMain function.
Figure 2. Left: Standalone wiper functions. Right: The same wiper functions replicated in the backdoor
Backdoor capabilities
With the wiper routine overlap established, this section focuses on the backdoor’s additional capabilities. Beyond destructive functionality, the backdoor sets persistence and implements C2 communication over RabbitMQ and Redis. In analyzing these backdoor capabilities, we discovered that some backdoor commands contain code from additional malware families.
Persistence
The backdoor creates and uses the registry key HKCU\SOFTWARE\OneDrive\Environment to track its execution count. If the key is absent on the system, the malware determines that it’s running on the system for the first time and proceeds to create the key, setting it to “0”. It then creates a new scheduled task named OneDrive Update by running the following command before printing “Task created. Original process exiting.” and exiting the process. The scheduled task is configured to essentially run every minute in addition to running once on system startup.
Figure 3. Command that creates scheduled task for persistence
In subsequent executions, when the registry key exists and is greater than “0”, the malware increments it, determines that it is running as a scheduled task (prints “Running from Task Scheduler…”), and continues execution normally.
Communication
GigaWiper uses two modes of communication:
RabbitMQ over AMQP for receiving commands from the C2 server
Redis server for updating command status and output
The malware decrypts a hard-coded configuration using AES with a hard-coded key. For example, one observed sample uses 185.182.193[.]21:5544 as a RabbitMQ C2 server, and 185.182.193[.]21:7542 for a Redis server, where it uploads results. The configuration also specifies the credentials to use to connect to the RabbitMQ and Redis servers.
To receive commands from the RabbitMQ C2 server, the malware declares a queue and binds it to a fanout exchange named “All”. Because “All” is a fanout exchange, any command published to it is broadcast to every bound queue across infected clients. To enable targeted commands, the malware also declares a topic exchange named “Topic”. The backdoor binds the queue to “Topic” when the actor issues command 8 (See Commands section) and provides a routing key.
Each command sent by the C2 server is a cmd.Task structure with the following fields:
task_id
command_code
args
To update the Redis server with command status and output, the malware sends it a cmd.Result struct with the following fields:
error
target_ip
task_id
target_computer_name
output
pwd
time
status
work_status
Commands
GigaWiper logs several types of commands using specific categories:
“always run command” – Commands that are meant to run continuously (like screen recording)
“manage command” – Commands used to manage things on the system like services or the Registry
“special command” / “shell command” – Modes of command 7
Each command is represented by a numeric command code from 1 to 20:
Command 1: Calls WipeMain, which is identical to the standalone wiper described in the last section
Command 2: Triggers a Blue screen error (BSOD) and prevents the device from booting
This is achieved by running a sequence of hard-coded destructive commands that disable Windows recovery, take ownership, and grant permissions to critical boot and kernel files before deleting them.
Figure 4. Series of commands that lead to BSOD
Command 3: Calls RanMain and BigBangExtortMain to trigger a file encryption process that imitates ransomware
The key and initialization vector (IV) that the malware uses to encrypt files are random and are not saved anywhere. The malware reads and encrypts each file, excluding files with extensions like .exe and .dll that are critical for the system to load. Each file is read and AES-CBC encrypted in chunks before being deleted with os.Remove. The file is renamed with the .candy extension.
It drops the following hard-coded image to ./image_danger.jpg and sets it as the wallpaper:
Figure 5. Image dropped by backdoor and set as the wallpaper
Command 4: Uses MinIO Client (mc) to upload a file to a remote storage
The path to the MinIO client to use is supplied in the command arguments alongside additional settings:
IPandPort
AliasName
Username
Password
BucketName
SourcePath
MCPath – The path to MinIO Client (mc.exe) to use
Command 5: File encryption utility
This command bulk encrypts or decrypts files with AES-256 in Cipher Block Chaining (CBC) mode. The following are the command arguments:
key
iv
path – The path to encrypt/decrypt (either a directory or a file)
key_file
enc – A mode that specifies whether to perform encryption or decryption
The server can specify a key and IV in the arguments. If in encryption mode but no key or IV were provided, the malware generates a random key and IV and stores them in key.txt.
If in decryption mode, the malware first tries to read the key and IV from the provided key file. If it was not provided, the malware attempts to use the key and IV sent as arguments.
Interestingly, the error message shows a glimpse of what running this command might look like from the actor side:
Key/IV required. Use -k/-i or –keyfile
Command 6: Runs the PE from the map RTYPE_map_string_cmd_appInfoStc[“6”]
We have not seen this structure populated in the binary. The logging message “Exec cmd wipe-file” suggests that this is meant to contain wiper functionality.
Command 7: This command has two types:
Type: shell command – Command for running PowerShell commands. The malware appends ;”|?????|$pwd” to the command. This causes the output of each command to include |?????|, followed by the current working directory. Then, the malware calls os.Chdir to change the working directory to the path output by $pwd, so the next command runs in that same folder.
Type: special command – When command 7 is run with one of the following arguments, it is considered a “special command” and handled as follows:
purge_cmd_queue: Empties the queue of shell commands, then stops the process run by command 7 “shell command” if it exists
purge_queue: Empties the queue of normal commands, then stops the process run by commands 6 or 13 if it exists (those are two of the “always run” commands)
pwd: Sets a global flag to indicate the working status, which is sent to the server in shell command 7, and then proceeds to run pwd using shell command 7.
Command 8: RabbitMQ route manager; allows binding the queue to the “Topic” exchange to receive targeted, non-broadcast commands (Type: manage command)
This command receives a mode of operation (1/2/3), followed by a list of routing keys as arguments:
Mode 1 – Binds each provided routing key
Mode 2 – Unbinds each provided routing key
Mode 3 – Pairs update mode: for each old,new pair, unbinds the old key then binds the new one
Command 9: Takes one screenshot per active monitor/display
The malware saves each screenshot to a PNG file in .\<timestamp\<monitor_index>.png (for example .\2026-06-10_12-30-00\0.png).
Command 10: Records the screen when the user is not idle (10s) and the system is unlocked(Type: always run command)
Recordings are saved in the folder C:\ProgramData\output.
Command 11: Runs the PE from the map RTYPE_map_string_cmd_appInfoStc[“11”] (Type: always run) command
We have not seen this structure populated in the binary. The logging message “Exec cmd keylog” suggests that this is meant to be a keylogger functionality.
Command 12: Calls WipeCMain to wipe the system
This command is like command 1 (WipeMain), but with a few important differences:
It only wipes the drive with the Windows installation. Usually it is the C drive, hence the name WipeCMain.
It performs secure wiping: It wipes the drive with multiple passes, each time overwriting it with different bytes (0s, 0xFF, random bytes…), and prints status messages between passes:
Pass 1 Time took: %s\n
Pass 2 Time took: %s\n
Pass 3 Time took: %s\n
…
Command 13: Runs the PE from the map RTYPE_map_string_cmd_appInfoStc[“13”]
The logging message “Exec cmd wipe32” suggests that this is meant to be another wiper binary. It is run as admin using the command:
Command 14: (not implemented)
Command 15: Collects system info by calling the function GRATClientInfo (Type: manage command)
The command arguments control the amount of info collected:
long
short
Collected system info includes:
IP address
Machine GUID
CPU information
OS information
Network configuration
Firmware
User information
Antivirus software information, collected by running the following command:
Command 16: Process manager (Type: manage command)
Arguments specify the process and operation to perform:
process_name
process_path
process_id
process_operation – Performs one of the operations below:
createProcess
resumeProcess
suspendProcess
exit (does nothing, returns empty response)
list
killProcess
processInfo – Returns the info below:
process_name
process_user_name
process_id
process_thread_count
process_memory_info
process_exe_path
process_status
process_error
Command 17: Service manager (Type: manage command)
This command is similar to the other manage commands, but for services. It has the following arguments:
On first execution, the malware runs rabbit_bin.RunOnceRegistryMain.gowrap1 in the background as a goroutine. On subsequent executions, the routine receives and returns input and output through Go channels. From there, it operates almost like an interactive session, persisting its position in the Registry between requests, and allowing the following operations (arguments):
registry_root_key
registry_key_path
registry_key_name
registry_value_entities
registry_operation
show – Enumerates current key, subkeys, and values
navigate – Change current position to a new key and send its contents
back – Go up one level from current key
exit – Exits the current session
createKey
deleteKey
deleteValue
setValue
Command 19: Clears Windows event logs
First, the malware ensures that it’s running with Administrator privileges. Next, it deletes the System, Setup, Application, and ForwardedEvents event logs by running the following command for each:
Then, for unknown reasons, it prints the hard-coded string “kharbvnmhkjbkjb”.
Finally, it attempts to delete the Security event logs using wevutil.exe. If it fails, it prints the message “Failed to clear Security with wevtutil. Attempting manual removal…” and attempts to directly delete the log file C:\Windows\System32\winevt\Logs\Security.evtx.
Command 20: Starts a server so the attackers can remotely control the system in a VNC-like manner; allows keyboard and mouse control and streams the screen to the attackers (Type: always run command)
This occurs over TCP with the port provided as a command argument. The malware first deletes the existing firewall rule if it exists. The rule name impersonates legitimate Windows firewall rule names:
Finally, the malware creates rules with that name to allow inbound and outbound traffic to its own program over a port provided in the command arguments. The following command is run once with Inbound then with Outbound:
How GigaWiper was assembled
The standalone wiper, implemented as command 1, is only one part of the interesting anatomy of GigaWiper.
The backdoor contains code for two additional wiping commands: command 3, implemented as rabbit_tools_tool_ran_main_cmd_extort.RanMain, and command 12, implemented as rabbit_tools_tool_wipec_main.WipeCMain. Further analysis showed that, like the standalone wiper, these originated from two separate, older malware families previously used by the same threat actor.
In other words, the GigaWiper backdoor is an amalgamation of at least three standalone malware families, stitched together as commands within a single implant, and combined with new backdoor functionality.
RanMain and BigBangExtortMain
As mentioned, command 3 is handled by rabbit_tools_tool_ran_main_cmd_extort.RanMain, which calls rabbit_tools_tool_ran_main_bin.BigBangExtortMain to encrypt the files on the victim system and rename them with the .candy extension. This is a wiper disguised as ransomware. The key and IV are randomly generated but not saved anywhere, and no ransom note is dropped. As a result, the actor has neither the ability nor, apparently, the intent to ever decrypt the files.
The function BigBangExtortMain is notable. A function with the same name was used in the Crucio ransomware, which was documented in a Cybersecurity and Infrastructure Security Agency (CISA) advisory published in December 2023. GigaWiper backdoor command 3 is heavily based on Crucio’s code, leading to the assessment that the same threat actor developed both malware families.
Command 12 represents the third wiper family that was incorporated into the GigaWiper backdoor. This command is handled by rabbit_tools_tool_wipec_main.WipeCMain. It is very similar to command 1, WipeMain, except that it wipes only the Windows installation drive, and performs more secure wiping with multiple passes.
Our research revealed that WipeCMain is essentially identical to the standalone wiper that Microsoft tracks as FlockWiper. While FlockWiper was written in C, its logic appears to have been reimplemented in Golang within GigaWiper. In essence, the two variants follow the same core execution flow, and many of the strings are identical, though the GigaWiper implementation appears to be a more updated version. FlockWiper was first uploaded to VirusTotal in June 2025, months before GigaWiper was first observed in the wild.
Another notable detail is that the observed FlockWiper samples contain program database (PDB) paths referencing “GRAT”:
A:\GRAT\CWipeNew\Release\CWipeNew.pdb
E:\files\new\GRAT\CWipe\Release\CWipe.pdb
The name “GRAT” is also prevalent in several function names within the GigaWiper backdoor. Although the FlockWiper binaries do not include “GRAT” functionality, the PDB paths provide another link between the two malware families.
Figure 7. References to “GRAT” in function names
Conclusion: Multiple destructive capabilities consolidated into a single implant
GigaWiper is a backdoor with extensive operational capabilities that allow a threat actor to maintain control over infected systems, execute commands, deploy additional tooling, and ultimately trigger one of multiple destructive commands on demand. It allows the threat actor to operate with flexibility, enabling both quiet espionage activity and destructive wiping operations.
Our research reveals that GigaWiper was created by combining and reimplementing components from at least three previously separate malware families. This includes the wiping functionality, and the file-encrypting ransomware that leaves no way to decrypt the files.
We tied GigaWiper to both Crucio and FlockWiper based on code analysis, shared execution flow, function naming, and unique strings. Crucio’s code was the base for GigaWiper command 3, and FlockWiper was recoded in Golang and updated for GigaWiper command 12. In addition, the references of “GRAT” in both the FlockWiper PDB paths and GigaWiper function names provide an additional link between these tools, and suggests the possible existence of another related component or framework that has not yet been recovered.
Overall, these findings show the evolution of the actor’s tooling over time. Functionality was merged into a single robust backdoor, granting the actor more ways to control and destroy infected systems.
Defending against destructive threats
To harden networks against GigaWiper, defenders can implement the following mitigation steps:
Turn on tenant-wide tamper protection features to prevent attackers from stopping security services or using antivirus exclusions. Without tamper protection, attackers could simply turn off Microsoft Defender Antivirus without the need to acquire higher privileges.
If there is an issue with a device during roll out of various antivirus features, the device can be placed in troubleshooting mode to turn off tamper protection temporarily without impacting the wider organizational security policy.
Block direct access to known C2 infrastructure where possible, informed by your organization’s threat intelligence sources.
Turn on cloud-delivered protection in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown threats.
Run endpoint detection and response (EDR) in block mode so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.
Allow investigation and remediation in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume.
Microsoft Defender XDR customers can also implement the following attack surface reduction rules to harden an environment against techniques used by threat actors:
Microsoft Defender customers can refer to the list of applicable detections below. Microsoft Defender coordinates detection, prevention, investigation, and response across endpoints, identities, email, apps to provide integrated protection against attacks like the threat discussed in this blog.
Microsoft Defender for Endpoint – ‘WprFlock’ malware was detected – ‘WprCree’ malware was detected – ‘FlockWiper’ malware was detected – ‘GigaWiper’ malware was detected – Possible ransomware activity – Ransomware behavior detected in the file system
Microsoft Security Copilot
Microsoft Security Copilot is embedded in Microsoft Defender and provides security teams with AI-powered capabilities to summarize incidents, analyze files and scripts, summarize identities, use guided responses, and generate device summaries, hunting queries, and incident reports.
Security Copilot is also available as a standalone experience where customers can perform specific security-related tasks, such as incident investigation, user analysis, and vulnerability impact assessment. In addition, Security Copilot offers developer scenarios that allow customers to build, test, publish, and integrate AI agents and plugins to meet unique security needs.
Threat intelligence reports
Microsoft Defender XDR customers can use the following threat analytics reports in the Defender portal (requires license for at least one Defender XDR product) to get the most up-to-date information about the threat actor, malicious activity, and techniques discussed in this blog. These reports provide the intelligence, protection information, and recommended actions to prevent, mitigate, or respond to associated threats found in customer environments.
Tool profile: GigaWiper
Microsoft Security Copilot customers can also use the Microsoft Security Copilot integration in Microsoft Defender Threat Intelligence, either in the Security Copilot standalone portal or in the embedded experience in the Microsoft Defender portal to get more information about this threat actor.
To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast.