```html ```
top of page

Saturday Sweep: An Iranian Wiper Wearing a OneDrive Costume, an AI Phishing Kit for $400 a Month, and a Ryuk Operator Finally in Cuffs

  • Writer: Patrick Duggan
    Patrick Duggan
  • 4 minutes ago
  • 3 min read

Three things off this morning's sweep that did not merit their own headline but should not go into the weekend unremarked. One of them is on a beat we have been standing watch over all year.



GigaWiper: an Iranian destruction kit disguised as a Windows update


This is the one to actually care about, because it is our beat and because it is built to end machines, not ransom them. Microsoft Threat Intelligence documented GigaWiper, a Go-based Windows backdoor that is really three older destructive tools bolted into one, offered as menu commands the operator picks from: a raw disk wiper that overwrites the physical drive and the partition table before rebooting; a fake-ransomware module that encrypts files, slaps a .candy extension on them, and changes the wallpaper to an alarm image — with no ransom note and no saved key, because getting your files back was never the point; and a second wiper aimed at the Windows drive itself. To stay quiet it impersonates OneDrive, registering a scheduled task named "OneDrive Update" that runs every minute, and it runs its command-and-control over RabbitMQ, Redis, and MinIO.


Here is why it lands on our desk specifically. One of GigaWiper's modules is a rewrite of Crucio — and Crucio was documented in a December 2023 CISA advisory as a tool deployed by CyberAv3ngers, the crew formally attributed to Iran's IRGC Cyber-Electronic Command. We have kept CyberAv3ngers on standing watch all year precisely because their signature is destructive operations against operational-technology and critical-infrastructure targets, not extortion for profit. GigaWiper is that doctrine, modernized and modularized: fake ransomware as cover for a wipe, so the victim wastes the first crucial hours thinking they can pay their way out while the disk is already gone. If you run OT or critical infrastructure, a scheduled task called "OneDrive Update" firing every sixty seconds is worth a very hard look this weekend.



Forg365: they put the AI in the phishing kit


The barrier to a convincing Microsoft 365 phishing campaign just dropped to $400 a month. Forg365 is a phishing-as-a-service platform, sold and supported over Telegram, that bundles the two attack paths that actually work against M365 right now — adversary-in-the-middle session-token theft and the increasingly popular device-code flow — with an AI lure generator built directly into the operator panel. The operator writes, refines, and sends the malicious email from the same dashboard they use to run post-compromise operations, and a browser extension keeps them inside the victim's Microsoft services without re-authenticating. It hides in plain sight using Amazon SES and Cloudflare Pages so the mail blends into legitimate traffic.


The device-code angle is the part defenders keep underestimating: it never asks for the victim's password at all — it walks them through Microsoft's own legitimate device-authorization flow, which sails past a lot of "watch for credential entry" detection. The lesson we keep repeating holds — the AI here is not exotic, it is a productivity feature for the attacker, lowering the cost and raising the polish of an old attack. Pair this with the SimpleHelp OIDC bypass we covered as the Djinn-stealer delivery vector on July 1 (CVE-2026-48558, now on CISA's KEV list) and the picture for identity infrastructure this month is consistent: the perimeter is your login flow, and it is under coordinated, increasingly automated assault.



Ryuk: an operator finally answers for it


A member of the Ryuk ransomware operation has pleaded guilty in the United States. Ryuk was one of the most financially damaging ransomware families of its era, and named operators actually facing consequences remains rare enough to note. It does not change your patching this weekend, but it is a reminder worth keeping on the record: the leak sites and the affiliate handles are run by people, and occasionally the people are identified, extradited, and made to answer. We document the crews as adversaries with profiles and receipts; this is one of those profiles gaining a courtroom entry.


Held to about ninety-five percent. Credit where it is due: GigaWiper analysis to Microsoft Threat Intelligence, with the Crucio-to-CyberAv3ngers lineage from CISA's 2023 advisory; Forg365 to the researchers who mapped its Telegram operation; the Ryuk plea to the US Department of Justice. What we add is the placement — one of these is not a random Saturday headline, it is the next move by a crew we have been watching all year.




Every indicator in this post is in the feed. Free.

1.58M+ IOCs, STIX 2.1 / TAXII, 88% novel vs ThreatFox, exploited-CVE leads ahead of CISA. No credit card — a free API key in 30 seconds, and you can audit every claim above against the live endpoints.


Comments

Rated 0 out of 5 stars.
No ratings yet

Add a rating
bottom of page