Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
Microsoft has taken apart a destructive Windows backdoor it calls GigaWiper. What stands out is how it is built: not one tool but three older destructive programs bolted into one, offered as commands the operator can choose from.
22 distinct techniques documented for this family, organized by ATT&CK tactic.
Fake ransomware built on older code called Crucio. It encrypts files, adds a .candy extension, and changes the desktop wallpaper to an alarming warning image. There is no ransom note and no saved key, so there is nothing to pay and nothing to decrypt.
Command 17: Service manager... service_operation create delete restart query start list stop
After it finishes wiping the drives, the malware forces an immediate reboot by invoking Windows shutdown functionality with restart and zero-delay options.
8 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A Go-based Windows backdoor with destructive and surveillance capabilities. It can wipe raw disks, overwrite the Windows drive, run fake ransomware that encrypts files without saving the key, take screenshots, record screens, open hidden VNC sessions, manage services and registry settings, and clear event logs. It masquerades as OneDrive for persistence and uses RabbitMQ, Redis, and MinIO for command, result handling, and exfiltration.
A Golang-based modular backdoor with RabbitMQ/Redis C2, persistence, remote administration, screen capture/recording, registry/process/service management, and multiple destructive payloads including physical disk wiping, secure multi-pass wiping, BSOD/boot sabotage, and fake ransomware-style irreversible file encryption.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.