Hackers Use BLUERABBIT Backdoor to Encrypt Files and Wipe Disks Across Windows Systems
By Tushar Subhra Dutta
June 11, 2026
A newly discovered backdoor called BLUERABBIT has been found targeting Windows systems with a dangerous mix of file encryption, disk wiping, and data theft.
First observed in mid-to-late March 2026, the malware is believed to be the work of a threat actor with ties to Iran, and its primary targets appear to be organizations based in Israel.
The tool is written in the Go programming language and is built to blend into normal network activity, making it harder for defenders to detect.
What makes BLUERABBIT notable is the breadth of its toolkit. It does not just lock files or steal data: it can exfiltrate and encrypt in the same operation, and when operators choose, it can overwrite every drive on a compromised machine so that nothing is recoverable.
This is not a smash-and-grab tool. It is a deliberately engineered platform built to give operators full, persistent control from the moment it lands on a system.
Analysts at Binary Defense, who detailed their findings in a report shared with Cyber Security News (CSN), linked BLUERABBIT to the same Iran-nexus cluster responsible for two earlier tools, BLUEWIPE and SEWERGOO, which appeared in June 2025.
The binary was internally named “Rabbit” and compiled as a developmental build, with symbols left intact, giving researchers unusual visibility into how the malware operates under the hood.
BLUERABBIT disguises its command-and-control traffic as routine enterprise messaging.
Rather than calling home over HTTP or HTTPS, it receives operator instructions through RabbitMQ, a widely deployed message broker that speaks the AMQP protocol.
This choice makes the traffic look legitimate, especially in environments where RabbitMQ or similar brokers are already part of normal operations and AMQP connections are expected.
[Figure: PowerShell persistence command (Source: Binary Defense)]
The malware stores task results in Redis and uploads stolen files to attacker-controlled storage through MinIO, an open-source, S3-compatible object store.
Together, these three channels (AMQP for tasking, Redis for results, S3-style uploads for exfiltration) give the operators a quiet, business-like infrastructure that many traditional security tools will not flag as suspicious.
Hackers Use BLUERABBIT Backdoor
Once BLUERABBIT runs, it checks a Windows registry key to determine whether it has executed before. On first run it creates a scheduled task named "OneDrive Update", borrowing the name of a legitimate Microsoft component to avoid scrutiny.
The task re-launches the malware every 60 seconds and survives reboots, so simply killing the process does not remove it from the system.
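The persistence described above leaves a concrete artifact: a scheduled-task definition with a Microsoft-sounding name, a one-minute repetition interval, and a command that does not live under Program Files or Windows. The following Python is an added example (not Binary Defense's or the article's code) that audits exported task XML for exactly those traits. The two task definitions are constructed for the demo, the executable name rabbit.exe and its GUID-style staging folder are hypothetical, and the list of "trusted" directories is an assumption you should tune to your estate.

```python
import re
import xml.etree.ElementTree as ET

# Namespace used by exported Windows scheduled-task XML
# (output of `schtasks /query /tn <name> /xml` or Export-ScheduledTask).
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Assumption: a task whose command lives under one of these directories is plausibly legitimate.
TRUSTED_PREFIXES = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")

# Product names a malicious task might borrow to blend in (BLUERABBIT used "OneDrive Update").
BRANDED_NAME = re.compile(r"onedrive|microsoft|windows", re.IGNORECASE)

# ISO 8601 time-only durations as written in task XML, e.g. PT1M, PT1H, PT30S.
DURATION = re.compile(r"PT(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?")

# Constructed task definitions for the demo; neither is a real export from an infected host.
BENIGN_TASK_XML = r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\OneDrive Standalone Update Task</URI></RegistrationInfo>
  <Triggers>
    <CalendarTrigger><Repetition><Interval>PT1H</Interval></Repetition></CalendarTrigger>
  </Triggers>
  <Actions><Exec><Command>C:\Program Files\Microsoft OneDrive\OneDriveStandaloneUpdater.exe</Command></Exec></Actions>
</Task>"""

# Hypothetical: rabbit.exe and the non-hex "GUID" folder are stand-ins, not published IoCs.
SUSPICIOUS_TASK_XML = r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\OneDrive Update</URI></RegistrationInfo>
  <Triggers>
    <LogonTrigger><Repetition><Interval>PT1M</Interval></Repetition></LogonTrigger>
  </Triggers>
  <Actions><Exec><Command>C:\ProgramData\{3F9A7C2E-1Q4B-4G7H-9K2L-0P6R8S1T3U5V}\rabbit.exe</Command></Exec></Actions>
</Task>"""


def parse_interval_seconds(iso_duration):
    """Convert a task-XML duration such as PT1M to seconds; None if it is not a PT... duration."""
    m = DURATION.fullmatch(iso_duration or "")
    if not m or not any(m.groups()):
        return None
    hours, minutes, seconds = (int(g) if g else 0 for g in m.groups())
    return hours * 3600 + minutes * 60 + seconds


def audit_task(xml_text):
    """Return the task's name, command and a list of findings (empty when nothing looks off)."""
    root = ET.fromstring(xml_text)
    name = root.findtext("t:RegistrationInfo/t:URI", default="", namespaces=NS)
    command = root.findtext("t:Actions/t:Exec/t:Command", default="", namespaces=NS)
    findings = []

    # Any trigger that repeats at one-minute granularity or faster is unusual for a user task.
    for interval in root.iterfind(".//t:Repetition/t:Interval", NS):
        secs = parse_interval_seconds(interval.text)
        if secs is not None and secs <= 60:
            findings.append(f"re-runs every {secs}s (BLUERABBIT's task fires every 60s)")
            break

    # A Microsoft-branded name whose command sits outside trusted install paths is the impersonation tell.
    if BRANDED_NAME.search(name) and not command.lower().startswith(TRUSTED_PREFIXES):
        findings.append(f"Microsoft-branded task name but command outside trusted paths: {command}")

    return {"name": name, "command": command, "findings": findings}


if __name__ == "__main__":
    for xml_text in (BENIGN_TASK_XML, SUSPICIOUS_TASK_XML):
        result = audit_task(xml_text)
        print(result["name"], "->", result["findings"] or "clean")
```

To use this on a live host, export every task with `schtasks /query /xml` (or Export-ScheduledTask in PowerShell) and feed each definition to audit_task; the benign OneDrive updater passes, while the constructed impostor is flagged twice, once for its 60-second repetition and once for running from ProgramData under a Microsoft name.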
The malware gives operators several destructive choices. It can encrypt files across every drive on a system using a “.candy” extension and replace the desktop wallpaper with an AI-generated alert image.
Two separate disk-wiping modules are also available: one overwrites drives with random data in a single pass, while the other layers zeros, random data, and 0xFF values across all drives, leaving no path to recovery.
[Figure: Raw commands (Source: Binary Defense)]
Before any destruction begins, BLUERABBIT takes ownership of critical Windows boot files and modifies the registry to disable automatic recovery and system repair. Once this sequence starts, Windows cannot reboot into a safe state or attempt any form of self-repair.
Detection Opportunities and How Defenders Can Respond
Defenders have several reliable signals to watch for. BLUERABBIT stages files in folders whose names look like Windows GUIDs but contain letters beyond A through F.
Real GUIDs consist only of hexadecimal characters (0-9 and A-F), so any GUID-shaped folder name containing G through Z is anomalous and worth investigating immediately.
Unusual AMQP traffic from endpoint workstations is another strong warning sign, since workstations rarely speak directly to a message broker.
Security teams should also watch for the MinIO client being launched by unexpected parent processes, as this strongly suggests automated data exfiltration is already underway.
Any process running takeown or icacls on core boot files outside a scheduled maintenance window should trigger an immediate alert.
The data theft before encryption follows a double extortion model, meaning victims may have already lost sensitive information before they realize they have been targeted.
Proactively hunting for early-stage indicators is the most effective defense posture teams can adopt right now.
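The four signals above can be expressed as a small detection pass over endpoint telemetry. The following Python is an added example, not Binary Defense's or the article's code; it evaluates constructed Sysmon-style events (file creation, process creation, network connection) against each rule. The MinIO client executable name mc.exe, the list of parents from which an administrator might legitimately run it, the boot-file path hints, and the workstation/server role field on network events are assumptions for the demo; the IP address is from the RFC 5737 documentation range.

```python
import re

HEX_DIGITS = set("0123456789abcdefABCDEF")
# GUID-shaped token (8-4-4-4-12) that allows any letter, so we can inspect the characters afterwards.
GUID_SHAPED = re.compile(
    r"\{?([0-9A-Za-z]{8})-([0-9A-Za-z]{4})-([0-9A-Za-z]{4})-([0-9A-Za-z]{4})-([0-9A-Za-z]{12})\}?"
)
AMQP_PORTS = {5672, 5671}                      # AMQP plaintext and AMQP over TLS
BOOT_FILE_HINTS = ("\\boot\\", "bootmgr", "winload", "\\bcd")   # assumption: boot-critical path fragments
MINIO_CLIENT_NAMES = {"mc.exe"}                # assumption: MinIO client binary name on Windows
EXPECTED_MC_PARENTS = {"cmd.exe", "powershell.exe", "pwsh.exe"}  # assumption: interactive admin use only


def bogus_guid_folder(path):
    """Return the first GUID-shaped token in path that contains non-hex letters, else None."""
    for m in GUID_SHAPED.finditer(path or ""):
        if any(c not in HEX_DIGITS for c in "".join(m.groups())):
            return m.group(0)
    return None


def evaluate(event):
    """Apply the BLUERABBIT hunting rules to one event; return a list of hit descriptions."""
    hits = []
    kind = event["type"]
    if kind == "file_create":
        guid = bogus_guid_folder(event["path"])
        if guid:
            hits.append(f"non-hex GUID-style staging folder: {guid}")
    elif kind == "process_create":
        image_name = event["image"].lower().rsplit("\\", 1)[-1]
        parent_name = event["parent_image"].lower().rsplit("\\", 1)[-1]
        cmdline = event["cmdline"].lower()
        for label, path in (("image", event["image"]), ("parent", event["parent_image"])):
            guid = bogus_guid_folder(path)
            if guid:
                hits.append(f"{label} runs from non-hex GUID-style folder: {guid}")
        if image_name in MINIO_CLIENT_NAMES and parent_name not in EXPECTED_MC_PARENTS:
            hits.append(f"MinIO client launched by unexpected parent {parent_name}")
        if image_name in ("takeown.exe", "icacls.exe") and any(h in cmdline for h in BOOT_FILE_HINTS):
            hits.append(f"{image_name} touching boot files: {event['cmdline']}")
    elif kind == "network":
        if event["dst_port"] in AMQP_PORTS and event["src_role"] == "workstation":
            hits.append(f"AMQP to {event['dst_ip']}:{event['dst_port']} from a workstation")
    return hits


def hunt(events):
    """Run every event through evaluate(); return (event id, hit) pairs."""
    return [(e["id"], hit) for e in events for hit in evaluate(e)]


# Constructed sample telemetry; the GUID-style folder name and rabbit.exe are hypothetical.
SAMPLE_EVENTS = [
    {"id": 1, "type": "file_create",
     "path": r"C:\ProgramData\{7D3F9A2B-4Q1X-4Z8N-9K2L-5M6P8R1T3U4V}\stage.bin"},
    {"id": 2, "type": "file_create",
     "path": r"C:\ProgramData\{7D3F9A2B-4C1E-4A8B-9E2D-5A6B8C1D3E4F}\cache.dat"},
    {"id": 3, "type": "process_create", "image": r"C:\ProgramData\mc.exe",
     "parent_image": r"C:\ProgramData\{7D3F9A2B-4Q1X-4Z8N-9K2L-5M6P8R1T3U4V}\rabbit.exe",
     "cmdline": r"mc.exe cp C:\Users\alice\Documents\plan.xlsx remote/bucket/"},
    {"id": 4, "type": "process_create", "image": r"C:\Windows\System32\takeown.exe",
     "parent_image": r"C:\ProgramData\rabbit.exe",
     "cmdline": r"takeown /f C:\Windows\Boot\PCAT\bootmgr"},
    {"id": 5, "type": "process_create", "image": r"C:\Windows\System32\icacls.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"icacls C:\Users\alice\Desktop /grant alice:F"},
    {"id": 6, "type": "network", "src_role": "workstation", "dst_ip": "203.0.113.10", "dst_port": 5672},
    {"id": 7, "type": "network", "src_role": "server", "dst_ip": "10.0.0.5", "dst_port": 5672},
]

if __name__ == "__main__":
    for event_id, hit in hunt(SAMPLE_EVENTS):
        print(f"event {event_id}: {hit}")
```

Events 2, 5 and 7 are the benign controls: a genuine hex-only GUID folder, an icacls call on a user profile, and a server that is expected to talk AMQP. Only the bogus-GUID folder, the MinIO client spawned by an unknown parent (flagged twice, once for the parent's folder name), takeown on bootmgr, and AMQP from a workstation produce hits.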
Indicators of Compromise (IoCs)

Type                  Indicator                                     Description
File hash (SHA-256)   633d4cbd496b1094495da89a64f5e6c31a0f6…       BLUERABBIT malware sample
File hash (SHA-256)   9706a192e2c1a1faaf0a521daf31c2af60ff4590…    BLUERABBIT malware sample
File hash (SHA-256)   ce9ad5f6c12019f4aae5b189bd8ddf5bb09e75…      BLUERABBIT malware sample
File hash (SHA-256)   f622ed85ef31ad4ab973f4e74524866fe1bb44f…     BLUERABBIT malware sample
IP address            185.182.193[.]21                              Attacker-controlled C2 infrastructure
IP address            212.8.248[.]104                               Attacker-controlled C2 infrastructure
JA3                   806dab5164cf60d94026b88ab2d9851d              TLS client fingerprint associated with BLUERABBIT
JA3                   d80125b9429e9d5f06ace959f00de8d0              TLS client fingerprint associated with BLUERABBIT
JA3S                  d75f9129bb5d05492a65ff78e081bcb2              TLS server fingerprint associated with BLUERABBIT
JA4                   t13i131000_f57a46bbacb6_e5728521abd4          TLS client fingerprint associated with BLUERABBIT
JA4                   t13i130900_f57a46bbacb6_e7c285222651          TLS client fingerprint associated with BLUERABBIT

Note: IP addresses are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM. The file hashes are reproduced as truncated in the source report.
Tushar Subhra Dutta
Tushar is a senior cybersecurity and breach reporter. He specializes in covering cybersecurity news, trends, and emerging threats, data breaches, and malware attacks. With years of experience, he brings clarity and depth to complex security topics.