BLUERABBIT Backdoor Targets Windows Systems with Encryption and Disk Wiping

A newly identified backdoor, dubbed BLUERABBIT, has been discovered targeting Windows systems with a combination of file encryption, disk wiping, and data exfiltration capabilities. First observed in mid-to-late March 2026, this malware is believed to be the work of a threat actor with ties to Iran, primarily targeting organizations based in Israel. Written in the Go programming language, BLUERABBIT is designed to blend into normal network activity, making detection challenging.

BLUERABBIT’s comprehensive toolkit allows it to lock files, steal data, and, if commanded, permanently destroy all drives on a compromised machine. This indicates a carefully engineered platform aimed at providing attackers with full, persistent control from the moment it infiltrates a system.

Analysts at Binary Defense have linked BLUERABBIT to the same Iran-nexus cluster responsible for earlier tools, BLUEWIPE and SEWERGOO, which appeared in June 2025. The malware was internally named “Rabbit” and compiled as a developmental build, with symbols left intact, offering researchers unusual visibility into its operations.

To evade detection, BLUERABBIT disguises its command-and-control traffic to resemble routine business messaging software. Instead of using standard web protocols, it routes operator instructions through RabbitMQ, a widely used enterprise messaging system. This design choice makes its network traffic appear legitimate, especially in environments where similar tools are already deployed as part of normal operations.

The malware stores task results in Redis and uploads stolen files to attacker-controlled object storage through MinIO, an open-source, Amazon S3-compatible storage server. Together, these channels give the attackers a quiet, business-like infrastructure that many traditional security tools may not flag as suspicious.

Upon execution, BLUERABBIT checks a Windows registry key to determine whether it has run before. On first run, it creates a scheduled task named “OneDrive Update,” impersonating a legitimate Microsoft component to avoid scrutiny. The task re-launches the malware every 60 seconds and persists across reboots, so simply terminating the process does not remove it from the system.
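One way a defender could triage scheduled-task definitions for the persistence pattern described above, as an added Python example (not code from the Binary Defense report or from the malware): it reads Task Scheduler XML, as stored under C:\Windows\System32\Tasks\ or carried in the TaskContent field of Security event 4698, and flags tasks that repeat every 60 seconds or less, run at boot, or carry a OneDrive-themed name while pointing outside the OneDrive install directory. The two task samples are constructed, and the expected location of the real OneDrive updater is an assumption.

```python
import re
import xml.etree.ElementTree as ET

# Task Scheduler XML namespace (used by C:\Windows\System32\Tasks\* files and
# the TaskContent field of Security event 4698 "scheduled task created").
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

def iso_duration_seconds(value):
    """Convert a Task Scheduler duration (e.g. PT1M, PT30S, P1D) to seconds; None if unparseable."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", value or "")
    if not m:
        return None
    d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return d * 86400 + h * 3600 + mi * 60 + s

def triage_task(task_name, task_xml):
    """Return the reasons a task matches the persistence pattern; an empty list means no match."""
    root = ET.fromstring(task_xml)
    reasons = []
    # Any trigger whose Repetition/Interval is 60 seconds or less.
    intervals = [iso_duration_seconds(e.text) for e in root.findall(".//t:Repetition/t:Interval", NS)]
    if any(i is not None and i <= 60 for i in intervals):
        reasons.append("re-runs at an interval of 60 seconds or less")
    # A BootTrigger makes the task survive reboots without any user interaction.
    if root.find(".//t:Triggers/t:BootTrigger", NS) is not None:
        reasons.append("registered to run at boot")
    # OneDrive-themed name whose executable is not under the real OneDrive directory (assumed path).
    cmds = [(e.text or "").strip().strip('"').lower() for e in root.findall(".//t:Exec/t:Command", NS)]
    if "onedrive" in task_name.lower() and not any("\\microsoft\\onedrive\\" in c for c in cmds):
        reasons.append("OneDrive-themed name but command outside the OneDrive install directory")
    return reasons

# Constructed sample: what a task matching the description above might look like on disk.
SUSPECT_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><BootTrigger><Repetition><Interval>PT1M</Interval></Repetition></BootTrigger></Triggers>
  <Actions><Exec><Command>C:\\Users\\Public\\rabbit.exe</Command></Exec></Actions>
</Task>"""
# Constructed sample modelled on a legitimate OneDrive updater task: daily trigger, real install path.
BENIGN_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
  <Actions><Exec><Command>C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDriveStandaloneUpdater.exe</Command></Exec></Actions>
</Task>"""

if __name__ == "__main__":
    for name, xml in (("OneDrive Update", SUSPECT_TASK_XML), ("OneDrive Standalone Update Task", BENIGN_TASK_XML)):
        print(name, "->", triage_task(name, xml) or ["clean"])
```

Feed it the exported XML of every registered task (for example from `schtasks /query /xml`) and review anything that returns more than one reason; a legitimate updater rarely needs a one-minute repetition and a boot trigger at once.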

BLUERABBIT offers operators several destructive options. It can encrypt files across every drive on a system using a “.candy” extension and replace the desktop wallpaper with an AI-generated alert image. Additionally, two separate disk-wiping modules are available: one overwrites drives with random data in a single pass, while the other layers zeros, random data, and 0xFF values across all drives, leaving no path to recovery.

Before initiating any destructive actions, BLUERABBIT takes ownership of critical Windows boot files and modifies the registry to disable automatic recovery and system repair. Once these changes are made, the malware can execute its destructive payloads, rendering the system inoperable and data irretrievable.

BLUERABBIT’s emergence underscores the evolving sophistication of cyber threats, particularly those linked to nation-state actors. Its multifaceted capabilities highlight the need for organizations to implement robust security measures, including network monitoring, endpoint protection, and regular system audits. Staying informed about such threats and adopting a proactive security posture are essential steps in mitigating the risks posed by advanced malware like BLUERABBIT.