BLUERABBIT’s Design and Stealth Capabilities
A new backdoor called BLUERABBIT has been discovered targeting Windows systems, combining file encryption, data exfiltration, and permanent disk wiping in a single malicious package. First observed in mid-to-late March 2026, the malware is written in Go and is attributed to a threat actor with ties to Iran. Its primary targets appear to be organizations based in Israel. The tool is engineered to blend into normal network traffic, using enterprise-grade messaging systems to disguise its command-and-control communications.
Analysts at Binary Defense connected BLUERABBIT to the same Iran-nexus cluster responsible for two earlier tools, BLUEWIPE and SEWERGOO, which appeared in June 2025. The binary was internally named Rabbit and compiled as a developmental build with symbols left intact, giving researchers unusual visibility into its inner workings. Rather than using standard web protocols, the malware routes operator instructions through RabbitMQ, a widely used enterprise message broker, so its network traffic appears legitimate in environments where the same software is already deployed.
Impact and Operational Capabilities
Once executed, BLUERABBIT checks a Windows registry key to determine whether it has run before. On first execution, it creates a scheduled task called OneDrive Update, impersonating a real Microsoft service to avoid detection. The malware stores task results in Redis and sends stolen files to attacker-controlled cloud storage through MinIO, an open-source object store compatible with the Amazon S3 API. Together, these three channels give the attackers a business-like infrastructure that many traditional security tools will not flag as suspicious.
What makes BLUERABBIT especially dangerous is the breadth of its destructive capabilities. It can encrypt files, steal sensitive data, and permanently wipe every drive on a compromised system at the operator's command. This is not a simple smash-and-grab tool but a carefully engineered platform designed for persistent, full control over targeted Windows systems from the moment it lands on a network.
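The persistence described above, a scheduled task named after a Microsoft service, is a pattern a defender can triage with an export of the task list. The script below is an added example and is not code from the article or from Binary Defense: it parses a CSV export in the shape produced by `schtasks /query /fo CSV /v` (only the TaskName, Task To Run and Author columns are used) and flags any task whose name matches "OneDrive Update" but whose action does not point into a known OneDrive install directory. The legitimate OneDrive directories and the sample task rows are assumptions constructed for the example, not data from the page.

```python
"""Flag scheduled tasks impersonating OneDrive whose action runs an unexpected binary.

Added example (not from the original article). Input mimics the CSV produced by
`schtasks /query /fo CSV /v`; the sample rows below are constructed, not real host data.
"""
import csv
import io
import re

# Assumed legitimate OneDrive binary locations (lower-case, backslash-separated).
LEGIT_ONEDRIVE_DIRS = (
    r"\appdata\local\microsoft\onedrive\\".rstrip("\\") + "\\",
    r"\program files\microsoft onedrive\\".rstrip("\\") + "\\",
    r"\program files (x86)\microsoft onedrive\\".rstrip("\\") + "\\",
)

# Task names the malware reuses; matched case-insensitively, tolerating extra whitespace.
SUSPICIOUS_NAME = re.compile(r"onedrive\s*update", re.IGNORECASE)


def action_path(task_to_run: str) -> str:
    """Return just the executable from a 'Task To Run' value, dropping quotes and arguments."""
    s = task_to_run.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    return s.split(" ", 1)[0]


def is_suspicious(task_name: str, task_to_run: str) -> bool:
    """True when the task name impersonates OneDrive but the action is outside OneDrive's dirs."""
    if not SUSPICIOUS_NAME.search(task_name):
        return False
    exe = action_path(task_to_run).lower().replace("/", "\\")
    return not any(d in exe for d in LEGIT_ONEDRIVE_DIRS)


def triage(csv_text: str) -> list[dict]:
    """Parse a schtasks-style CSV export and return the rows worth an analyst's attention."""
    flagged = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = row.get("TaskName", "")
        action = row.get("Task To Run", "")
        if is_suspicious(name, action):
            flagged.append({"task": name, "action": action, "author": row.get("Author", "")})
    return flagged


def build_sample_csv() -> str:
    """Constructed export with one impersonating task, one genuine OneDrive task, one unrelated task."""
    rows = [
        # Name mimics the malware's task; action points at a placeholder path outside OneDrive.
        (r"\Microsoft\Windows\OneDrive Update", r"C:\Users\Public\update.exe", r"CORP\user"),
        # Genuine-looking task: same kind of name, but the action is the real OneDrive binary path.
        (r"\OneDrive Update", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /update',
         "Microsoft Corporation"),
        # Unrelated built-in task that must not be flagged.
        (r"\Microsoft\Windows\Defrag\ScheduledDefrag", r"%windir%\system32\defrag.exe -c -h -o -$",
         "Microsoft Corporation"),
    ]
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(["TaskName", "Task To Run", "Author"])
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    for hit in triage(build_sample_csv()):
        print(f"SUSPICIOUS task={hit['task']!r} action={hit['action']!r} author={hit['author']!r}")
```

The check keys on the mismatch between a trusted-looking name and an untrusted action path rather than on the name alone, so a genuine OneDrive task is not flagged while a task that merely borrows the name is. In practice the same rule can be fed from `Get-ScheduledTask` output or a task-creation event (Event ID 4698 with auditing enabled), and the registry key the malware consults, which the article does not name, would be a second indicator to pair with it.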
Source: Cyber Security News
