GigaWiper / BLUERABBIT destructive Windows backdoor activity
Malware Activity
Summary
Hide ▲
Show ▼
The GigaWiper / BLUERABBIT malware activity now combines disk wiping, fake ransomware, and spyware backdoor functions on Windows, increasing the chance that one intrusion can monitor, destroy, or irreversibly disable infected machines. The implant is written in Go, masquerades as OneDrive, and can run a OneDrive Update scheduled task while hiding its state in the registry. It also routes command traffic through RabbitMQ, Redis, and MinIO, which can make the activity harder to spot on networks that already use those services.
Related Happenings
TinyRCT backdoor with persistence, exfiltration, and self-deletion
Malware Activity
H score22
First: 26.06.2026 13:30
Last: 26.06.2026 13:30
Sources 1
About this happening:
The **TinyRCT** backdoor appeared in a **2025** intrusion operation, adding stealthy **persistent access** and **control** to the attackers' toolkit. It also supports **command ex...
TinyRCT backdoor with persistence, exfiltration, and self-deletion
Malware ActivityAbout this happening: The **TinyRCT** backdoor appeared in a **2025** intrusion operation, adding stealthy **persistent access** and **control** to the attackers' toolkit. It also supports **command ex...
USB-spreading clipboard-stealing malware targeting cryptocurrency wallets
Malware Activity
H score27
First: 18.06.2026 19:20
Last: 18.06.2026 19:20
Sources 1
About this happening:
A **USB-spreading** clipboard-stealing malware family is actively stealing **seed phrases**, **private keys**, and wallet addresses from **Windows** victims, putting cryptocurrenc...
USB-spreading clipboard-stealing malware targeting cryptocurrency wallets
Malware ActivityAbout this happening: A **USB-spreading** clipboard-stealing malware family is actively stealing **seed phrases**, **private keys**, and wallet addresses from **Windows** victims, putting cryptocurrenc...
SprySOCKS Windows backdoor activity against government organizations
Malware Activity
H score23
First: 16.06.2026 12:00
Last: 16.06.2026 12:00
Sources 1
About this happening:
**SprySOCKS** now has documented **Windows variants**, **WIN_DRV** and **WIN_PLUS**, expanding a toolset first known as a **Linux-only backdoor**. The activity is tied to **govern...
SprySOCKS Windows backdoor activity against government organizations
Malware ActivityAbout this happening: **SprySOCKS** now has documented **Windows variants**, **WIN_DRV** and **WIN_PLUS**, expanding a toolset first known as a **Linux-only backdoor**. The activity is tied to **govern...
GammaWorm NTFS Alternate Data Streams propagation and backdoor activity
Malware Activity
H score40
First: 01.06.2026 14:00
Last: 01.06.2026 14:00
Sources 1
About this happening:
The **GammaWorm** malware activity now shows a more covert stage that hides modules in **NTFS Alternate Data Streams**, helping it spread across **Ukrainian networks** while leavi...
GammaWorm NTFS Alternate Data Streams propagation and backdoor activity
Malware ActivityAbout this happening: The **GammaWorm** malware activity now shows a more covert stage that hides modules in **NTFS Alternate Data Streams**, helping it spread across **Ukrainian networks** while leavi...
ABCDoor backdoor activity in Silver Fox attacks
Malware Activity
H score23
First: 04.05.2026 14:35
Last: 04.05.2026 14:35
Sources 1
About this happening:
The newly identified **ABCDoor** backdoor is being used in **real-world attacks** by **Silver Fox**, expanding the group's malware set and increasing the risk of covert remote acc...
ABCDoor backdoor activity in Silver Fox attacks
Malware ActivityAbout this happening: The newly identified **ABCDoor** backdoor is being used in **real-world attacks** by **Silver Fox**, expanding the group's malware set and increasing the risk of covert remote acc...
Timeline
-
09.07.2026 21:08 2 articles · 3h ago
Microsoft identifies GigaWiper destructive Windows backdoor
Initial DisclosureMicrosoft identified GigaWiper as a destructive Windows backdoor written in Go that combines disk wiping, fake ransomware, and spyware functions. The malware hides as OneDrive, uses a OneDrive Update scheduled task, and shares hashes and command servers with BLUERABBIT, while Microsoft also linked its destructive code to older Crucio and FlockWiper components.
Show sources
- New GigaWiper Windows Backdoor Bundles Disk Wiping, Fake Ransomware, and Spyware — thehackernews.com — 09.07.2026 21:08
- New GigaWiper Windows Backdoor Bundles Disk Wiping, Fake Ransomware, and Spyware — thehackernews.com — 09.07.2026 21:08