GigaWiper Backdoor Targets Israel Entities

A Windows backdoor, dubbed GigaWiper by Microsoft and BLUERABBIT by Binary Defense, has deployed destructive payloads and espionage tools against Israeli organizations. This malware, attributed to an Iran-nexus group by Binary Defense citing Google's Threat Intelligence Group, bundles disk wiping, fake ransomware, and spyware functionality. At the same time, a "weak randomness" vulnerability, called Ill Bloom, led to the coordinated theft of $3.1 million from 431 cryptocurrency wallets on May 27, with total movements from exposed wallets exceeding $5 million since then.

Microsoft has addressed a zero-day Elevation of Privilege (EoP) vulnerability, CVE-2026-50656, known as RoguePlanet, in Microsoft Defender. Successful exploitation of this flaw could allow attackers to escalate privileges to NT AUTHORITY\SYSTEM, granting full control over affected Windows systems. This roundup details these developments, providing technical context and actionable intelligence.

How does the GigaWiper backdoor operate?

The GigaWiper backdoor, also known as BLUERABBIT, is a multi-functional Windows malware written in Go (Golang) that combines destructive and espionage tools. Microsoft's analysis shows the malware is a composite of three distinct destructive programs that an operator can selectively deploy once access to a target system is established. Binary Defense, which identified the malware as BLUERABBIT in March 2026, ties it to an Iran-nexus group engaged in cyber espionage and destructive operations against Israeli organizations.

The malware executes commands as numbered options, giving its operators flexibility in their objectives after compromise. The destructive components include a raw disk wiper designed to overwrite the physical drive and obliterate the partition table, leading to irreversible data loss upon reboot. Another module functions as fake ransomware, based on older code identified as Crucio, which encrypts files with a .candy extension and modifies desktop wallpaper to display a warning. This module intentionally omits any ransom note or key preservation, making decryption impossible and confirming its purpose as a destructive mechanism, not a for-profit ransomware operation.

A third destructive component specifically targets the Windows drive, repeatedly overwriting its contents with varying data patterns. Microsoft tracks this module as a Go-language rewrite of a wiper previously identified as FlockWiper. All three destructive functionalities prevent recovery from affected systems. Offline backups are important for recovery. Microsoft believes the same developer is responsible for creating Crucio, FlockWiper, and the integrated GigaWiper backdoor.

Beyond its destructive potential, GigaWiper possesses espionage capabilities. The backdoor can capture screenshots from all connected monitors and record screen activity as a user operates the system. It can also establish a covert VNC session, enabling the attacker to stream the display and remotely control the mouse and keyboard. The malware gathers full system details, manipulates running processes and services, modifies the Windows Registry, and can clear Windows event logs to conceal its activities. Analysis of the malware samples has revealed dormant command stubs, including those for a keylogger and additional wiper functionalities, suggesting the tool is still under active development and expansion. A PurpleOps analysis on nation-state cyber capabilities provides more information on how nation-state actors develop complex tools like GigaWiper.

To maintain persistence and evade detection, GigaWiper impersonates legitimate system processes and services. It creates a scheduled task named "OneDrive Update" configured to run every minute and registers its presence in the HKCU\SOFTWARE\OneDrive\Environment registry key. When establishing its remote-control channel, the malware uses a firewall rule named after a genuine Windows component, Microsoft.Windows.CloudExperienceHost, to blend in with normal network traffic. For its command-and-control (C2) communications, GigaWiper uses common enterprise services like RabbitMQ for tasking, Redis for transmitting results, and MinIO for data exfiltration. The use of these legitimate business services makes its C2 traffic harder to distinguish from normal network activity within environments where these tools are already in use.

The connection to the Iran-nexus group is important because the Crucio code within GigaWiper was previously identified in a December 2023 CISA advisory concerning CyberAv3ngers, a group linked to Iran's Islamic Revolutionary Guard Corps (IRGC). This group breached water and energy critical infrastructure across the US, Israel, the UK, and Ireland in 2023, including taking control of a Pennsylvania water authority's booster station. Microsoft observed destructive activity starting October 2025; Binary Defense first identified BLUERABBIT in March 2026. This indicates an ongoing, evolving threat. The combination of destructive and espionage tools within a single implant shows that the malware no longer dictates attacker intent; the operator determines the objective after compromise.

What should defenders do to mitigate GigaWiper?

Specific indicators can help detect and mitigate GigaWiper activity. Defenders should look for a scheduled task named "OneDrive Update" that recurs every minute. Abnormal RabbitMQ or Redis traffic originating from user desktops, rather than designated servers, can also signal compromise. Also, the presence of processes using takeown and icacls to modify ownership of Windows boot files like bootmgr and ntoskrnl.exe outside of scheduled maintenance windows warrants immediate investigation.

Microsoft recommends several product actions to counter this threat. Enabling tamper protection on endpoint security solutions prevents attackers from disabling antivirus software. Blocking the known command and control servers, specifically 185.182.193[.]21 and 212.8.248[.]104, is an important network defense. Deploying endpoint detection and response (EDR) in block mode and activating cloud-delivered protection with automatic remediation are also key measures. Microsoft's official report provides a complete list of file hashes, server addresses, detection names, and other details for further technical analysis.

What is the 'Ill Bloom' crypto wallet vulnerability?

The "Ill Bloom" vulnerability refers to a flaw in the random-number generation processes of certain cryptocurrency wallet software, enabling attackers to deduce users' recovery phrases and drain their funds. Security firm Coinspect identified this vulnerability, which stems from the use of weak random-number generators when software creates the 12- or 24-word recovery (seed) phrase. These phrases, intended to be extremely difficult to guess, become susceptible to brute-force attacks when the pool of possible phrases is significantly reduced by insufficient randomness.

On May 27, a coordinated attack exploiting Ill Bloom resulted in the theft of approximately $3.1 million from 431 cryptocurrency wallets. Since this initial sweep, an additional $2 million has moved from exposed wallets, though Coinspect notes that it is unclear how much of this latter movement constitutes theft versus owners moving funds to safety. Unpermitted fund movements strongly indicate this vulnerability's exploitation. This attack primarily impacts older or less prominent mobile software wallets, with some vulnerable instances dating back to 2018. Hardware wallets and most mainstream software wallets are not affected by this particular flaw.

Coinspect reconstructed the attack methodology, generating the full set of predictable phrases from weak random-number generators. From these phrases, they derived corresponding wallet addresses and then cross-referenced these with public blockchain records to identify addresses still holding funds. This process created a watchlist of weak wallets, regardless of the specific application used to generate them. The May 27 sweep primarily affected Bitcoin wallets, accounting for roughly $2.57 million of the stolen funds, including a single Bitcoin address that lost over $1.1 million. Other affected cryptocurrencies include Ethereum, Rootstock, Tron, and Polygon. At its peak in 2022, the identified set of vulnerable wallets held an estimated $12.56 million in assets.

How can users determine if their wallets are vulnerable and what action should they take?

Users can check if their public wallet address is on Coinspect's list of known-vulnerable wallets by using the free checker at illbloom.org. This tool accepts Bitcoin, Tron, Solana, and Ethereum-style addresses (compatible with Ethereum, Polygon, BNB, and other EVM chains). Because a single weak recovery phrase can control funds across multiple blockchains, users are advised to check every address linked to their seed phrase, not just those that may have already been drained. While a "clean" result is not an absolute guarantee of safety due to the list's ongoing development, a match serves as a definitive warning.

If an address matches the vulnerable list, users must immediately treat the recovery phrase as compromised. The recommended course of action involves creating a completely new wallet, ensuring a fresh recovery phrase is generated. Attempting to re-import the old phrase into a new or reinstalled application will merely recreate the vulnerable wallet. Following the creation of a secure new wallet, all funds from the compromised wallet should be transferred to the new, securely generated address. Users are cautioned against "rescue" scams, which often demand private keys or seed phrases. A legitimate checker will never request such sensitive information, nor will it ask users to send funds for "recovery" or "protection." Hardware wallets are the most secure option for moving funds, provided a new recovery phrase is generated directly on the device.

This "Ill Bloom" incident is not an isolated event; similar weak-randomness flaws have appeared repeatedly in the cryptocurrency ecosystem. Past examples include Milk Sad (CVE-2023-39910) in the Libbitcoin Explorer command-line tool in 2023, which also led to millions in theft. The Trust Wallet browser extension was affected by a close cousin, CVE-2023-31290, in the same year. The Randstorm exploit, discovered in 2023, also exposed Bitcoin wallets created between 2011 and 2015 due to poor random number generation in underlying browser code. These recurring vulnerabilities show a system challenge in ensuring the cryptographic strength of recovery phrase generation across various wallet implementations. A PurpleOps report on advanced persistent threat tactics provides additional research on digital asset security.

How did Microsoft patch the RoguePlanet zero-day in Defender?

Microsoft has deployed a security update to remediate the RoguePlanet zero-day vulnerability, tracked as CVE-2026-50656, an Elevation of Privilege (EoP) flaw within Microsoft Defender. This vulnerability allowed a standard user account to escalate its privileges to NT AUTHORITY\SYSTEM, the highest privilege level on a Windows system. An attacker who had already gained initial access to a standard user account could use RoguePlanet to achieve complete control over the compromised system without requiring administrative credentials or advanced hacking techniques.

The fix for CVE-2026-50656 was implemented through the release of Microsoft Malware Protection Engine version 1.1.26060.3008. This engine is the core scanning component that supports Microsoft Defender and other Microsoft security products. For systems where another antivirus solution, such as Malwarebytes, is actively protecting the PC and Microsoft Defender Antivirus is consequently turned off, this specific vulnerability does not pose a risk. In such scenarios, Defender's scanning engine is not operational, preventing exploitation through this particular flaw.

How can users verify their Microsoft Defender protection status?

For most users, Microsoft Defender automatically updates both its malware definitions and the Microsoft Malware Protection Engine, ensuring continuous protection without manual intervention. However, users can confirm their system's protection status and engine version. This process involves navigating to Windows Security, selecting "Virus & threat protection," and then under "Virus & threat protection updates," clicking "Check for updates." Further verification of the "Engine Version" can be found by clicking the "Settings" (cog icon) and then "About."

To be protected, the Engine Version must be 1.1.26060.3008 or higher. If a system is running an older version (e.g., 1.1.26050.11 or lower), users should manually run Windows Update and check for Defender updates again, or allow the automatic update process to complete. Keep automatic updates enabled for Microsoft Defender to ensure timely application of security patches. Understanding such widespread vulnerabilities is important. A PurpleOps deep dive into supply chain vulnerabilities offers more information on similar issues.

Technical Takeaways

  • The GigaWiper/BLUERABBIT backdoor, written in Go, offers operators a flexible platform for both destructive attacks (raw disk wiping, fake ransomware based on Crucio, FlockWiper rewrite) and espionage (screenshots, screen recording, VNC sessions, system information gathering).
  • Attributed to an Iran-nexus group (potentially CyberAv3ngers), GigaWiper targets Israeli organizations and has been linked to past attacks on US critical infrastructure.
  • The "Ill Bloom" vulnerability exploited weak random-number generation in crypto wallet recovery phrases, resulting in the theft of $3.1 million from 431 wallets on May 27, 2026, primarily affecting Bitcoin, Ethereum, Rootstock, Tron, and Polygon.
  • CVE-2026-50656 (RoguePlanet), an EoP zero-day in Microsoft Defender, allowed standard users to gain NT AUTHORITY\SYSTEM privileges, and has been patched by Microsoft Malware Protection Engine version 1.1.26060.3008.
  • The use of legitimate business services like RabbitMQ, Redis, and MinIO for GigaWiper's command-and-control operations enhances its stealth capabilities on corporate networks.