BLUERABBIT Backdoor Targets Windows Systems with Encryption and Disk Wiping

A newly identified backdoor, BLUERABBIT, is targeting Windows systems with capabilities for file encryption, disk wiping, and data exfiltration. First detected between mid and late March 2026, the malware is attributed to a threat actor with alleged ties to Iran, primarily focusing on organizations in Israel. Written in Go, BLUERABBIT is designed to blend seamlessly into normal network activity, complicating detection efforts.

BLUERABBIT’s comprehensive toolkit allows it to encrypt files, steal data, and, if commanded, irreversibly destroy all drives on an infected machine. This multifaceted functionality provides attackers with persistent and complete control over compromised systems.

Analysts at Binary Defense, as reported by Cyber Security News, have linked BLUERABBIT to the same Iran-affiliated group responsible for the BLUEWIPE and SEWERGOO tools that emerged in June 2025. The malware, internally named “Rabbit,” was found in a developmental build with intact symbols, offering researchers deeper insights into its operations.

To evade detection, BLUERABBIT disguises its command-and-control (C2) traffic as legitimate business messaging. It routes operator instructions through RabbitMQ, a widely used enterprise message broker, so its network activity looks normal, especially in environments where such tools are already deployed. The malware also stores task results in Redis and transmits stolen files to attacker-controlled object storage via MinIO, an open-source object store with an Amazon S3-compatible API. Because all three are common infrastructure components, traditional security tools may not flag this traffic as suspicious.

Upon execution, BLUERABBIT checks a Windows registry key to determine if it has run before. If it’s the first execution, it creates a scheduled task named “OneDrive Update,” mimicking a legitimate Microsoft service to remain concealed. This task restarts every 60 seconds and persists through reboots, ensuring the malware’s continued presence on the system.
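The persistence mechanism above gives defenders two concrete things to hunt for: a task whose name borrows OneDrive's branding but whose action does not run from a OneDrive install path, and a trigger that re-fires every 60 seconds. The following script is an added example, not code from the article or from Binary Defense; it assumes task definitions have been exported in Task Scheduler XML format (for instance with `schtasks /query /xml` or `Export-ScheduledTask`), and the executable path in the suspicious sample is a constructed placeholder, not an indicator from the report.

```python
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Path fragments a genuine OneDrive updater is expected to run from
# (assumption: extend for the images deployed in your environment).
TRUSTED_PATH_FRAGMENTS = ("\\microsoft onedrive\\", "\\microsoft\\onedrive\\")

def iso_duration_seconds(text):
    """Convert a Task Scheduler ISO 8601 duration (e.g. PT1M, PT90S) to seconds."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", (text or "").strip())
    if not m:
        return None
    d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return d * 86400 + h * 3600 + mi * 60 + s

def assess_task(xml_text):
    """Return findings for one exported task definition; an empty list means nothing matched."""
    root = ET.fromstring(xml_text)
    name = root.findtext("t:RegistrationInfo/t:URI", default="", namespaces=NS).lstrip("\\")
    findings = []
    if "onedrive" not in name.lower():
        return findings
    # BLUERABBIT's task re-fires every 60 seconds; a real updater has no such loop.
    for interval in root.iterfind(".//t:Repetition/t:Interval", NS):
        secs = iso_duration_seconds(interval.text)
        if secs is not None and secs <= 60:
            findings.append(f"{name}: repetition interval {interval.text} ({secs}s)")
    # The OneDrive name is only plausible if the action runs from a OneDrive install path.
    for cmd in root.iterfind(".//t:Exec/t:Command", NS):
        command = (cmd.text or "").strip().strip('"').lower()
        if not any(frag in command for frag in TRUSTED_PATH_FRAGMENTS):
            findings.append(f"{name}: command outside OneDrive install paths: {command}")
    return findings

# Constructed samples in Task Scheduler export format (not real captures).
SUSPICIOUS_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\\OneDrive Update</URI></RegistrationInfo>
  <Triggers><BootTrigger><Repetition><Interval>PT1M</Interval></Repetition></BootTrigger></Triggers>
  <Actions><Exec><Command>C:\\Users\\Public\\update.exe</Command></Exec></Actions>
</Task>"""
BENIGN_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\\OneDrive Standalone Update Task-S-1-5-21-1111</URI></RegistrationInfo>
  <Triggers><CalendarTrigger><ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
  <Actions><Exec><Command>%localappdata%\\Microsoft\\OneDrive\\OneDriveStandaloneUpdater.exe</Command></Exec></Actions>
</Task>"""

if __name__ == "__main__":
    for sample in (SUSPICIOUS_TASK, BENIGN_TASK):
        print(assess_task(sample) or "no findings")
```

Real exports are UTF-16 with an XML declaration, so read them as bytes before passing them to `assess_task`.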

BLUERABBIT offers operators several destructive options. It can encrypt files across all drives, appending a “.candy” extension, and replace the desktop wallpaper with an AI-generated alert image. Two disk-wiping modules are also available: one overwrites drives with random data in a single pass, while the other applies multiple layers of zeros, random data, and 0xFF values, rendering data recovery impossible. Before initiating destruction, the malware takes ownership of critical Windows boot files and modifies the registry to disable automatic recovery and system repair.

BLUERABBIT’s sophisticated design and destructive capabilities underscore the evolving threat landscape. Organizations must enhance their security measures, including monitoring for unusual network traffic patterns and implementing robust endpoint detection and response solutions, to defend against such advanced threats.

Source: Cyber Security News