Hackers Use BLUERABBIT Backdoor to Encrypt Files and Wipe Disks Across Windows Systems
Jun 12, 2026 · 5 min read
A newly discovered backdoor called BLUERABBIT has been found targeting Windows systems with a dangerous mix of file encryption, disk wiping, and data theft.

First observed in mid-to-late March 2026, the malware is believed to be the work of a threat actor with ties to Iran, and its primary targets appear to be organizations based in Israel.

The tool is written in the Go programming language and is built to blend into normal network activity, making it harder for defenders to detect.

What makes BLUERABBIT especially alarming is how complete its toolkit is. It does not just lock files or steal data. It can do both at once, and when operators choose, it can permanently destroy every drive on a compromised machine.

This is not a smash-and-grab operation. It is a carefully engineered platform designed to give attackers full, persistent control from the moment it lands on a system.

Analysts at Binary Defense, who detailed their findings in a report shared with Cyber Security News (CSN), linked BLUERABBIT to the same Iran-nexus cluster responsible for two earlier tools, BLUEWIPE and SEWERGOO, which appeared in June 2025.

The binary was internally named “Rabbit” and compiled as a developmental build, with symbols left intact, giving researchers unusual visibility into how the malware operates under the hood.

BLUERABBIT disguises its command-and-control traffic to look like routine business messaging software.

Rather than reaching out over standard web protocols, it routes operator instructions through RabbitMQ, a widely used enterprise messaging system.

This design choice makes its network traffic appear legitimate, especially in environments where similar tools are already deployed as part of normal operations.

PowerShell persistence command (Source: Binary Defense)

The malware stores task results using Redis and sends stolen files to attacker-controlled cloud storage through MinIO, an open-source platform compatible with Amazon S3 storage.

Together, these three channels give attackers a quiet, business-like infrastructure that many traditional security tools will not flag as suspicious activity.

Hackers Use BLUERABBIT Backdoor

Once BLUERABBIT runs, it checks a Windows registry key to see if it has executed before. If it is the first run, it creates a scheduled task called “OneDrive Update,” impersonating a real Microsoft service to stay hidden.

The task re-launches the backdoor every 60 seconds and survives reboots, so simply killing the running process does not remove the malware from the system.

The malware gives operators several destructive choices. It can encrypt files across every drive on a system using a “.candy” extension and replace the desktop wallpaper with an AI-generated alert image.

Two separate disk-wiping modules are also available: one overwrites drives with random data in a single pass, while the other layers zeros, random data, and 0xFF values across all drives, leaving no path to recovery.

Raw commands (Source: Binary Defense)

Before any destruction begins, BLUERABBIT takes ownership of critical Windows boot files and modifies the registry to disable automatic recovery and system repair. Once this sequence starts, Windows cannot reboot into a safe state or attempt any form of self-repair.

Detection Opportunities and How Defenders Can Respond

Defenders have several reliable signals to watch for. BLUERABBIT stages files in folders that look like Windows GUIDs but include letters beyond A through F.

Real Windows GUIDs use only hexadecimal characters (0-9 and A-F), so any folder name in that format that contains letters G through Z is anomalous and worth investigating immediately.

Unusual AMQP traffic originating from endpoint workstations is another strong warning sign, since that protocol is rarely used by ordinary user devices and is normally confined to application servers and message brokers.

Security teams should also watch for the MinIO client being launched by unexpected parent processes, as this strongly suggests automated data exfiltration is already underway.

Any process running takeown or icacls on core boot files outside a scheduled maintenance window should trigger an immediate alert.
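The four detection opportunities above translate directly into host- and network-telemetry rules. The following is an added example written for this article and is not code from Binary Defense or from the BLUERABBIT report: it evaluates a small set of constructed events (paths from file-creation telemetry, process-creation records with parent and command line, and network flows tagged with the host's role) against the signals described. Assumptions labelled in the code: the event schema is invented; the AMQP ports are the protocol's standard defaults (5672, and 5671 for TLS); the MinIO client is assumed to run as mc.exe; the list of boot-file names and the allow-list of expected parent processes are starting points that must be tuned to your own baseline.

```python
import re

# Matches the 8-4-4-4-12 GUID shape but allows ANY letter or digit, so that
# look-alike names using letters beyond A-F still match the shape and can then
# be flagged by the non-hex check below.
GUID_SHAPE = re.compile(
    r"^\{?[0-9A-Za-z]{8}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{12}\}?$"
)
NON_HEX_LETTER = re.compile(r"[G-Zg-z]")

AMQP_PORTS = {5672, 5671}                  # standard AMQP / AMQP-over-TLS ports
MINIO_CLIENT = {"mc.exe", "mc"}            # assumed binary names for the MinIO client
EXPECTED_MC_PARENTS = {"cmd.exe", "powershell.exe", "explorer.exe"}  # assumed allow-list; tune it
OWNERSHIP_TOOLS = {"takeown.exe", "icacls.exe"}
# Assumed example set of boot files to watch; extend from your own baseline.
BOOT_FILES = {"bootmgr", "bcd", "winload.exe", "winload.efi", "winresume.exe"}


def is_pseudo_guid(name: str) -> bool:
    """True when a name has GUID shape but contains a letter outside A-F."""
    return bool(GUID_SHAPE.match(name)) and bool(NON_HEX_LETTER.search(name))


def pseudo_guid_dirs(path: str) -> list[str]:
    """Return every path component that is a GUID look-alike."""
    return [part for part in re.split(r"[\\/]", path) if is_pseudo_guid(part)]


def _basenames(cmdline: str) -> set[str]:
    tokens = [t for t in re.split(r'[\s"]+', cmdline) if t]
    return {t.rsplit("\\", 1)[-1].lower() for t in tokens}


def evaluate(event: dict, in_maintenance_window: bool = False) -> list[str]:
    """Apply the article's four detection signals to one telemetry event."""
    alerts: list[str] = []
    kind = event.get("type")
    if kind == "file":
        for d in pseudo_guid_dirs(event["path"]):
            alerts.append(f"pseudo-GUID staging folder: {d}")
    elif kind == "network":
        if event.get("role") == "workstation" and event.get("dst_port") in AMQP_PORTS:
            alerts.append(f"AMQP from workstation {event['host']} to {event['dst']}:{event['dst_port']}")
    elif kind == "process":
        image = event["image"].lower()
        parent = event["parent"].lower()
        if image in MINIO_CLIENT and parent not in EXPECTED_MC_PARENTS:
            alerts.append(f"MinIO client launched by unexpected parent {parent}")
        if image in OWNERSHIP_TOOLS and not in_maintenance_window:
            touched = _basenames(event.get("cmdline", "")) & BOOT_FILES
            if touched:
                alerts.append(f"{image} targeting boot file(s) {sorted(touched)} outside maintenance window")
    return alerts


def scan(events, in_maintenance_window: bool = False) -> list[str]:
    """Evaluate a stream of events and return all alerts in order."""
    out: list[str] = []
    for ev in events:
        out.extend(evaluate(ev, in_maintenance_window))
    return out


# Constructed sample telemetry (not real observations); 203.0.113.0/24 is a documentation range.
SAMPLE_EVENTS = [
    {"type": "file", "path": r"C:\ProgramData\{9K3F2A7B-1Q2W-3E4R-5T6Y-7U8I9O0P1A2S}\stage.bin"},
    {"type": "file", "path": r"C:\ProgramData\{6B29FC40-CA47-1067-B31D-00DD010662DA}\cache.bin"},
    {"type": "network", "host": "WS-0417", "role": "workstation", "dst": "203.0.113.10", "dst_port": 5672},
    {"type": "network", "host": "MQ-BROKER-01", "role": "server", "dst": "203.0.113.10", "dst_port": 5672},
    {"type": "process", "image": "mc.exe", "parent": "svchost.exe", "cmdline": r"mc.exe cp C:\staging remote/bucket"},
    {"type": "process", "image": "takeown.exe", "parent": "cmd.exe", "cmdline": r"takeown.exe /f C:\bootmgr"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print("ALERT:", alert)
```

Run against the constructed events, the script raises four alerts (the look-alike GUID folder, the workstation AMQP flow, the MinIO client under svchost.exe, and takeown on bootmgr); the genuine GUID and the broker's own AMQP traffic stay silent. The maintenance-window flag is the one piece of context the rules cannot infer from the event itself, so feed it from your change calendar rather than hard-coding it.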

Because data is stolen before encryption begins, the operation follows a double-extortion model: victims may already have lost sensitive information before they realize they have been targeted.

Proactively hunting for early-stage indicators is the most effective defense posture teams can adopt right now.

Indicators of Compromise (IoCs):

Type | Indicator | Description
File Hash (SHA-256) | 633d4cbd496b1094495da89a64f5e6c31a0f6… | BLUERABBIT malware sample
File Hash (SHA-256) | 9706a192e2c1a1faaf0a521daf31c2af60ff4590… | BLUERABBIT malware sample
File Hash (SHA-256) | ce9ad5f6c12019f4aae5b189bd8ddf5bb09e75… | BLUERABBIT malware sample
File Hash (SHA-256) | f622ed85ef31ad4ab973f4e74524866fe1bb44f… | BLUERABBIT malware sample
IP Address | 185.182.193[.]21 | Attacker-controlled C2 infrastructure
IP Address | 212.8.248[.]104 | Attacker-controlled C2 infrastructure
JA3 | 806dab5164cf60d94026b88ab2d9851d | TLS fingerprint associated with BLUERABBIT
JA4 | t13i131000_f57a46bbacb6_e5728521abd4 | TLS fingerprint associated with BLUERABBIT
JA3 | d80125b9429e9d5f06ace959f00de8d0 | TLS fingerprint associated with BLUERABBIT
JA3S | d75f9129bb5d05492a65ff78e081bcb2 | TLS server fingerprint associated with BLUERABBIT
JA4 | t13i130900_f57a46bbacb6_e7c285222651 | TLS fingerprint associated with BLUERABBIT

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Source: CybersecurityNews.com
