
New BLUERABBIT Malware: Deadly Windows Backdoor Discovered


Hoplon InfoSec

11 Jun, 2026


A highly destructive backdoor named BLUERABBIT has emerged targeting Windows systems, primarily at organizations in Israel. First detected in mid-to-late March 2026, it has been linked by researchers to an Iran-nexus threat group previously responsible for the BLUEWIPE and SEWERGOO malware strains.

Written in Go, BLUERABBIT packages data exfiltration, double-extortion ransomware and an unrecoverable disk-wiping module into a single binary.

Technical Overview of BLUERABBIT Backdoor

Feature / Threat Attribute | Cyber Threat Intelligence Details
Malware Name               | BLUERABBIT (internal binary name: "Rabbit")
Target OS & Geography      | Microsoft Windows; enterprises in Israel
Attacker Profile           | Iranian state-sponsored / Iran-nexus threat actors
Evasion Tactics            | Mimics legitimate business software traffic: RabbitMQ (AMQP) for C2, Redis for staging, MinIO / S3-compatible object storage for exfiltration
Persistence Mechanism      | Deceptive Windows Scheduled Task named "OneDrive Update" that re-launches the payload every 60 seconds
Destructive Impact         | Encrypts files with a .candy extension and runs multi-pass drive overwrites that destroy disk data beyond recovery
Anti-Forensics             | Disables Windows automatic recovery and system repair by seizing ownership of critical boot and recovery files (takeown / icacls)

Key Detection Signal: defenders can hunt for BLUERABBIT by looking for Windows folders disguised as GUIDs whose names contain letters outside the hexadecimal range (G through Z), for AMQP traffic originating from workstations, and for takeown or icacls executions against boot and recovery files.


What is BLUERABBIT?

When researchers tracking a cluster of suspicious intrusions first encountered it in March 2026, they noticed something they had not seen from this actor before. It was not a simple password stealer, and it was not a blunt instrument that wiped hard drives and walked away. What they found was more patient, more layered, and more alarming than most threats they had dealt with in years. They named it BLUERABBIT.

BLUERABBIT is a high-risk, multi-functional Windows threat, and that label alone does not do it justice. Most malware is built for one job: steal data, lock files, or destroy everything. BLUERABBIT was built to do all three, in a deliberate sequence, with the kind of planning that signals real engineering investment. First it gathers what it wants. Then it holds the stolen data over the victim's head as leverage. Then it encrypts everything in sight. And if that pressure still does not produce results, it activates a disk wiper that overwrites storage so thoroughly that no recovery tool can bring it back. By the time most organizations fully understand what hit them, the damage is done on every level.



The Cyber Espionage Connection

BLUERABBIT did not emerge from random criminal opportunism. The group behind it has a well-documented history operating with ties to Iranian state interests, and their primary targets in this campaign have been Israeli organizations. The targeting is too specific, the tooling too polished, and the intelligence-gathering phase too deliberate for this to be a financially motivated criminal gang casting a wide net.

That attribution matters for defenders. When nation-state actors are behind a piece of malware, they invest real engineering effort into making it hard to detect. They test against commercial security products before deploying. They study enterprise network behavior so their traffic looks normal. They think through persistence across reboots and recovery attempts. All of that careful thinking is visible inside BLUERABBIT's design.

The Historical Timeline

BLUERABBIT did not appear fully formed. Researchers traced connections back to two earlier tools from the same threat actor: BLUEWIPE and SEWERGOO. Both were cruder instruments. BLUEWIPE was primarily a data wiper. SEWERGOO focused on exfiltration. BLUERABBIT represents the maturation of both capabilities into a single coordinated framework, rebuilt around a more ambitious strategy.

This evolution tells a clear story. The threat actor studied what worked in earlier campaigns, consolidated the strongest pieces, and rebuilt everything around a more profitable and more devastating attack model. That kind of iterative improvement is something defenders need to take seriously.

The Threat Actor's Ultimate Motivation

The transition from pure data wiping to ransomware double extortion is worth thinking about carefully. A wiper sends a message: we were here, and your data is gone. But it offers no commercial leverage; once the data is destroyed, there is nothing left to negotiate over.

Double extortion changes that dynamic completely. The attacker exfiltrates sensitive business data first before touching anything else. Now they hold two weapons: the threat of publishing stolen documents and intellectual property online, and the encryption that locks the victim out of their own systems. Victims face pressure from both directions simultaneously. Even organizations with solid backup infrastructure still have to deal with the data leak threat. It is a much more powerful position for the attacker, and that is precisely why this group made the transition.

Technical Malware Architecture and Design

Why Go?

One of the first things analysts noticed when pulling apart BLUERABBIT samples was that it was written in Go. That choice was not accidental, and understanding why the developers chose it reveals a lot about their thinking.

Go produces statically linked binaries that bundle the runtime and every dependency. There are no external libraries to ship and no runtime environment to configure; you drop the binary on a machine and it runs. For an attacker moving quickly across many compromised systems, that simplicity is invaluable.

The bigger reason is detection evasion, although the advantage is smaller than it once was. Signature libraries were built over decades around code written in C, C++ and .NET. A Go binary is statically linked, several megabytes in size, ships its own runtime and scheduler, and carries a symbol and type layout that those signatures do not recognise, so older signature-based logic often passes it even when its behaviour is plainly hostile. Modern EDR products have since added Go-aware parsing, and Go keeps function-name metadata inside the binary that analysts can exploit, so the practical lesson for defenders is that detection for this family has to rest on behaviour rather than on file signatures.

The Developmental Artifacts

Here is something that happens more often than you might expect with sophisticated malware: the developers leave traces behind. In BLUERABBIT's case, researchers found compiled binaries that still contained debug symbols, including references to the word "Rabbit." These are the kind of artifacts that get stripped out in a carefully hardened production release, but they survived in the samples that ended up in researchers' hands.

What do those artifacts tell us? A few things. First, the developers were working fast enough, or were confident enough in their operational security, that they did not fully sanitize their build outputs. Second, the symbol names gave researchers a window into the internal structure of the code, making it possible to understand what each function does without reverse engineering everything from scratch. For threat hunters and malware analysts, that is genuinely useful intelligence. It shortened the time to map BLUERABBIT's full capabilities by a meaningful margin.
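As an added example (not code from the research or from the malware authors), here is a small Python triage script that does the first two things an analyst does with a suspected Go sample: confirm it is Go by locating the runtime's pclntab header, and pull out the `main.`-prefixed function names and third-party module paths that Go keeps in that table even after `-ldflags="-s -w"` stripping. The sample bytes, the "Rabbit" method names and the library paths in it are constructed for the demonstration.

```python
"""Triage a suspected Go binary offline: Go or not, which Go era, what does it name.

Added example, not code from the BLUERABBIT report. Go keeps function names in the
pclntab so the runtime can print stack traces; `go build -ldflags="-s -w"` removes
the ELF/PE symbol table and DWARF but not this table, so the names survive.
"""
import re
import struct

# pclntab header magics from Go's debug/gosym (stored little-endian in the file).
PCLNTAB_MAGIC = {
    0xFFFFFFFB: "Go 1.2 - 1.15",
    0xFFFFFFFA: "Go 1.16 - 1.17",
    0xFFFFFFF0: "Go 1.18 - 1.19",
    0xFFFFFFF1: "Go 1.20+",
}

# Symbols look like main.main, main.(*Rabbit).Wipe, github.com/org/mod/v7.(*T).Method
MAIN_SYMBOL = re.compile(rb"(?<![A-Za-z0-9_./-])main\.[A-Za-z_(][A-Za-z0-9_.*()]*")
MODULE_PATH = re.compile(rb"github\.com/[A-Za-z0-9_/-]+")


def find_pclntab(data: bytes):
    """Return (offset, version family) of the first plausible pclntab header.

    Header layout is magic(4) pad(2) minInstrLen(1) ptrSize(1); requiring a zero
    pad and a ptrSize of 4 or 8 avoids matching stray 0xFFFFFFFx runs elsewhere.
    """
    for magic, family in PCLNTAB_MAGIC.items():
        needle = struct.pack("<I", magic)
        start = 0
        while (off := data.find(needle, start)) >= 0:
            hdr = data[off:off + 8]
            if len(hdr) == 8 and hdr[4:6] == b"\x00\x00" and hdr[7] in (4, 8):
                return off, family
            start = off + 1
    return None


def distinct(matches):
    """Decoded match texts, de-duplicated, in first-seen order."""
    seen = []
    for m in matches:
        name = m.group().decode()
        if name not in seen:
            seen.append(name)
    return seen


def triage(data: bytes) -> dict:
    hit = find_pclntab(data)
    return {
        "is_go": hit is not None,
        "go_version": hit[1] if hit else None,
        "main_symbols": distinct(MAIN_SYMBOL.finditer(data)) if hit else [],
        "modules": sorted(distinct(MODULE_PATH.finditer(data))) if hit else [],
    }


# Constructed sample: a Go 1.20+ header, then symbol names of the kind the
# article says survived in the Rabbit samples. Names and modules are hypothetical.
SAMPLE = (
    b"MZ" + b"\x00" * 30
    + struct.pack("<I", 0xFFFFFFF1) + b"\x00\x00\x01\x08" + b"\x00" * 8
    + b"main.main\x00main.(*Rabbit).Exfil\x00main.(*Rabbit).Wipe\x00"
    + b"github.com/rabbitmq/amqp091-go.(*Channel).PublishWithContext\x00"
    + b"github.com/minio/minio-go/v7.(*Client).PutObject\x00"
)

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

The module list is often the fastest way to confirm a sample's C2 and exfiltration stack (an AMQP client library and an S3 client library linked into one binary say a lot before any dynamic analysis), and the `main.` names are the developer's own, which is exactly where the "Rabbit" references the researchers noticed would appear.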

Initial Access: How BLUERABBIT Gets In

Before any sophisticated evasion mechanism matters, the malware has to get onto a system in the first place. Based on the profile of this threat actor and the targets involved, researchers have identified several likely initial access methods.

Phishing remains the most common entry point for campaigns like this: carefully crafted emails to employees at Israeli organizations, carrying attachments or links that trigger the initial compromise, fit the group's historical pattern. Exploitation of public-facing vulnerabilities, particularly in VPN gateways and edge devices, is consistent with Iran-nexus tradecraft, and brute-force attacks against internet-exposed RDP round out the likely methods. The initial access vector shapes the entire defensive response: knowing how the attacker got in determines what needs to be fixed first.

Command and Control (C2) and Stealth Infrastructure

The Enterprise Messaging Disguise

One of the cleverest design decisions inside BLUERABBIT is how it handles communication with its operators. Rather than using obvious attacker infrastructure, the malware routes its command and control traffic through RabbitMQ, an enterprise message broker that uses the AMQP protocol.

Think about what that means from a network monitoring perspective. Most security teams train their tools to flag traffic going to known-bad IP addresses, unusual ports, or suspicious domains. RabbitMQ traffic on ports 5671 or 5672 looks completely different. It looks like legitimate enterprise software communicating exactly the way enterprise software is supposed to communicate.

In organizations that already use message brokers, BLUERABBIT's traffic can blend in almost perfectly. In organizations that do not, the traffic is unusual but does not immediately scream malware the way a known attack-framework beacon might. One thing the disguise cannot hide is the destination: the malware has to reach a broker the victim did not deploy, so egress filtering that permits AMQP only to approved internal brokers turns this C2 channel into a hard failure for the attacker.

This is sophisticated tradecraft. The developers clearly understood enterprise network monitoring and designed their C2 communications to survive routine scrutiny.

Data Aggregation and Staging

Once BLUERABBIT is running on a network and communicating with its operators, it needs somewhere to temporarily store the results of its reconnaissance and data collection. For this, the malware uses Redis, an in-memory data store (TCP port 6379 by default) that is common in legitimate enterprise environments.

The pattern is entirely consistent with the overall design philosophy: use tools and protocols that already exist in enterprise environments so the activity does not stand out. Redis traffic from a workstation that has no legitimate reason to be running Redis is a red flag, but in a complex environment these things can go unnoticed for a surprisingly long time without deliberate monitoring.

Cloud Exfiltration Pipeline

After collecting and staging data, BLUERABBIT needs to move it out of the target environment and into attacker-controlled infrastructure. For this final step, the malware uses MinIO, an open-source, S3-compatible object storage system whose client tooling (the `mc` command-line client and the MinIO Go SDK) speaks the Amazon S3 API.

The exfiltration target is S3-compatible storage. By speaking the S3 API, the attackers can receive stolen data at any compatible endpoint, whether a self-hosted MinIO server or Amazon's own infrastructure, and the traffic looks like routine cloud storage activity (HTTPS PUTs, or plain HTTP on MinIO's default API port 9000). Without rules that watch for S3 client activity on endpoint workstations, the exfiltration can complete without triggering an alarm.

Network Signature Analysis

For network defenders who want to detect BLUERABBIT based on its TLS traffic patterns, the malware has been fingerprinted using JA3, JA3S, and JA4 techniques. These methods capture the specific parameters that a TLS client presents during a connection handshake, producing a fingerprint that identifies a particular piece of software even when the traffic itself is encrypted.

JA3 hashes the client hello parameters; JA3S hashes the server's response; JA4 is a newer scheme that sorts the cipher and extension lists, so reordering them no longer changes the fingerprint. Together they let a network team recognise BLUERABBIT sessions at the perimeter without decrypting them. One caveat matters for a Go binary: Go's crypto/tls library emits the same client hello for every program built with the same Go release, so a JA3 match identifies "a Go TLS client of that version" rather than BLUERABBIT specifically, and needs corroboration from the AMQP destination or from host telemetry. The appendix explains where to obtain the current fingerprint values and how to deploy them.
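The following is an added example, not code from the report or from any fingerprinting tool, showing how a JA3 value is actually derived from a client hello and why two different Go programs end up with the same one. It starts from already-parsed hello fields rather than raw TLS bytes; every hello in it is constructed, and the "Go-style" one is illustrative of the stack's fixed ordering, not a captured BLUERABBIT hello.

```python
"""Build a JA3 fingerprint from parsed ClientHello fields, and see why Go-built
malware shares it with every other program built on the same Go TLS stack.

Added example, not from the BLUERABBIT report. It assumes the ClientHello has
already been parsed into integers (a full TLS record parser is out of scope)
and applies the JA3 rules: GREASE values are dropped, client order is kept,
values are joined with '-' inside a field and ',' between the five fields, and
the MD5 of that string is the fingerprint. All sample hellos are constructed.
"""
import hashlib


def is_grease(v: int) -> bool:
    """RFC 8701 GREASE values are 0x0A0A, 0x1A1A, ... 0xFAFA; JA3 strips them
    because browsers randomise which ones they send per connection."""
    return (v & 0x0F0F) == 0x0A0A and (v >> 8) == (v & 0xFF)


def ja3_string(version, ciphers, extensions, curves, point_formats) -> str:
    fields = (
        [version],
        [c for c in ciphers if not is_grease(c)],
        [e for e in extensions if not is_grease(e)],
        [g for g in curves if not is_grease(g)],
        list(point_formats),
    )
    return ",".join("-".join(str(v) for v in f) for f in fields)


def ja3(hello: tuple) -> str:
    return hashlib.md5(ja3_string(*hello).encode()).hexdigest()


# Constructed ClientHello in the shape Go's crypto/tls emits: fixed cipher and
# extension order, no GREASE. Any Go program on the same Go version sends the
# same hello, so this fingerprint says "Go TLS client", not "BLUERABBIT".
GO_STACK_HELLO = (
    0x0303,
    [0x1301, 0x1302, 0x1303, 0xC02B, 0xC02F, 0xC02C, 0xC030, 0xCCA9, 0xCCA8,
     0xC013, 0xC014, 0x009C, 0x009D, 0x002F, 0x0035],
    [0, 5, 10, 11, 13, 18, 23, 43, 51, 65281],
    [29, 23, 24, 25],
    [0],
)

# Two constructed connections from a browser-style client that rotates GREASE
# values: JA3 is identical once GREASE is removed.
BROWSER_CONN_1 = (
    0x0303,
    [0x2A2A, 0x1301, 0x1302, 0x1303, 0xC02B, 0xC02F, 0xC02C, 0xC030],
    [0x3A3A, 0, 23, 65281, 10, 11, 35, 16, 5, 13, 18, 51, 45, 43, 27, 17513, 0x4A4A, 21],
    [0x5A5A, 29, 23, 24],
    [0],
)
BROWSER_CONN_2 = (
    0x0303,
    [0xDADA, 0x1301, 0x1302, 0x1303, 0xC02B, 0xC02F, 0xC02C, 0xC030],
    [0x9A9A, 0, 23, 65281, 10, 11, 35, 16, 5, 13, 18, 51, 45, 43, 27, 17513, 0xEAEA, 21],
    [0x7A7A, 29, 23, 24],
    [0],
)

if __name__ == "__main__":
    print(ja3_string(*GO_STACK_HELLO))
    print("Go-stack JA3:", ja3(GO_STACK_HELLO))
    print("browser conn 1 == conn 2:", ja3(BROWSER_CONN_1) == ja3(BROWSER_CONN_2))
```

The practical consequence: a JA3 rule for BLUERABBIT will also fire on every other Go-built program of the same release on the estate (internal tools, Docker, Terraform, many vendor agents), so it should be combined with destination port and process context rather than used as a stand-alone block rule.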

Evasion, Persistence, and System Subversion

Registry Interrogation

Before BLUERABBIT does anything else on a newly compromised system, it queries specific Windows Registry keys to understand its environment. These initial checks serve several purposes. They help the malware determine whether it is running inside a sandbox or analysis environment. They identify the system configuration to inform later decisions. And they establish a baseline for what the attacker wants to do next.

This kind of environment awareness is standard practice in modern malware development. Analysts who run samples in basic sandbox environments often see no activity at all because the malware detects the analysis context and stays completely dormant. Effective analysis requires sophisticated sandbox environments that convincingly mimic real enterprise systems.

The OneDrive Update Illusion

Persistence is everything for an attacker who needs time to complete a multi-stage operation. If the malware disappears after a reboot, the entire campaign collapses. BLUERABBIT solves this problem with a straightforward but effective trick: it creates a Windows Scheduled Task that impersonates a OneDrive update process.

The task fires every 60 seconds: not once at startup, not on user logon, but every minute, so that a process killed by a security product or a suspicious administrator is back within a minute. The name is chosen to be overlooked. Genuine OneDrive installs register tasks such as "OneDrive Standalone Update Task-<user SID>" that run OneDriveStandaloneUpdater.exe from under %LOCALAPPDATA%\Microsoft\OneDrive; a task called simply "OneDrive Update" whose action points anywhere else is the tell. Scheduled tasks that look like Microsoft services attract far less scrutiny than tasks with unfamiliar names.
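As an added example (not the report's tooling), here is a Python audit over exported Task Scheduler XML that encodes both tells described above: a repetition interval of a minute or less, and a OneDrive-named task whose action lives outside OneDrive's install paths. The two task definitions are constructed stand-ins, not captured artefacts, and the allowlisted path markers are an assumption you may need to widen for your own fleet.

```python
"""Audit exported Scheduled Task XML for the "OneDrive Update" pattern.

Added example, not code from the report. Task Scheduler stores each task as XML
under C:\\Windows\\System32\\Tasks (also exported by `schtasks /query /xml`).
This flags tasks that re-run every minute or faster, and tasks that borrow the
OneDrive name while launching something outside OneDrive's install paths.
Both task definitions below are constructed samples, not captured ones.
"""
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Substrings present in the path of every genuine OneDrive binary (per-user
# install under %LOCALAPPDATA%\Microsoft\OneDrive, per-machine install under
# Program Files\Microsoft OneDrive). Coarse on purpose; tighten to full prefixes
# with environment expansion if your fleet is uniform.
ONEDRIVE_PATH_MARKERS = ("\\microsoft\\onedrive\\", "\\microsoft onedrive\\")

ISO_DURATION = re.compile(
    r"^P(?:(?P<d>\d+)D)?(?:T(?:(?P<h>\d+)H)?(?:(?P<m>\d+)M)?(?:(?P<s>\d+)S)?)?$"
)


def duration_seconds(text: str) -> int:
    """Task Scheduler writes ISO 8601 durations: PT1M -> 60, P1DT2H -> 93600."""
    m = ISO_DURATION.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised duration {text!r}")
    g = {k: int(v or 0) for k, v in m.groupdict().items()}
    return g["d"] * 86400 + g["h"] * 3600 + g["m"] * 60 + g["s"]


def audit_task(xml_text: str, max_interval_s: int = 60) -> list:
    """Return findings for one task definition; an empty list means nothing suspicious.

    Real exports are UTF-16 with an XML declaration: read those as bytes
    (open(path, "rb").read()) so ElementTree honours the declared encoding.
    """
    root = ET.fromstring(xml_text)
    findings = []
    uri = root.findtext("t:RegistrationInfo/t:URI", default="", namespaces=NS) or ""
    task_name = uri.strip().rsplit("\\", 1)[-1]

    # Any trigger type (Time, Calendar, Logon, Boot) can carry a Repetition block.
    for interval in root.findall(".//t:Repetition/t:Interval", NS):
        secs = duration_seconds(interval.text or "")
        if secs <= max_interval_s:
            findings.append(f"repeats every {secs}s")

    for cmd in root.findall(".//t:Actions/t:Exec/t:Command", NS):
        path = (cmd.text or "").strip().strip('"').lower()
        if "onedrive" in task_name.lower() and not any(m in path for m in ONEDRIVE_PATH_MARKERS):
            findings.append(f"OneDrive-named task runs {path}")
    return findings


# Constructed lookalike: a Microsoft author string, a one-minute repetition and a
# payload under a GUID-shaped folder that uses letters outside 0-9/A-F.
MALICIOUS_TASK = """<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>Microsoft Corporation</Author><URI>\\OneDrive Update</URI></RegistrationInfo>
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT1M</Interval><StopAtDurationEnd>false</StopAtDurationEnd></Repetition>
      <StartBoundary>2026-03-20T09:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\\ProgramData\\{7G3K2Q1P-9XZY-4RTW-8MNB-QWERTYUIOPAS}\\svc.exe</Command></Exec>
  </Actions>
</Task>"""

# Constructed stand-in for the genuine per-user updater task (daily, from %LOCALAPPDATA%).
LEGIT_TASK = """<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\\OneDrive Standalone Update Task-S-1-5-21-1111111111-2222222222-3333333333-1001</URI></RegistrationInfo>
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2026-01-01T10:00:00</StartBoundary>
      <Enabled>true</Enabled>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec><Command>%localappdata%\\Microsoft\\OneDrive\\OneDriveStandaloneUpdater.exe</Command></Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    print("lookalike:", audit_task(MALICIOUS_TASK))
    print("genuine  :", audit_task(LEGIT_TASK))
```

Run it over every file under C:\Windows\System32\Tasks on a suspect host, or feed it `schtasks /query /xml` output; the one-minute repetition check is the more durable of the two rules, because it catches the persistence trick whatever product name the next variant borrows.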

Disabling System Recovery and Restores

This is where BLUERABBIT starts revealing its most destructive intentions. The malware uses two legitimate Windows administrative tools, takeown and icacls, to take ownership of and modify permissions on critical system files and recovery infrastructure.

The effect is surgical. Safe Mode gets disabled. Windows automatic repair gets locked out. Shadow copy volumes, which are Windows' built-in mechanism for recovering previous file versions, get destroyed. By the time the encryption or wiping payload runs, the victim's system is completely cut off from its own recovery mechanisms. There is no booting to Safe Mode to remove the infection. There is no restoring from a shadow copy. The attackers have methodically turned off every exit door before they start the fire.

Commodity ransomware routinely deletes shadow copies; going further and seizing ownership of boot and recovery files, so that the machine cannot even repair itself, shows that the BLUERABBIT operators thought through the attack from the defender's side. The upside for defenders is that takeown and icacls are logged like any other process, so this preparation phase is observable before anything destructive happens.

Antivirus and EDR Bypassing

No discussion of BLUERABBIT's evasion capabilities is complete without addressing how it handles security software. The malware uses a combination of techniques to either bypass or actively neutralize endpoint detection and response products.

On the passive evasion side, the Go compilation and the use of legitimate enterprise tools like MinIO and RabbitMQ help the malware avoid signature-based detection. The activity looks, as much as possible, like normal enterprise software behavior. On the active side, BLUERABBIT targets Windows Defender and commercial EDR solutions.

The goal is consistent: prevent the security product from seeing what the malware does, or disable it before the destructive payload runs. Whatever the exact mechanism, the controls that matter most here are the ones that do not depend on the agent surviving: Microsoft Defender's tamper protection, EDR policies that alert when a sensor service stops reporting, and network telemetry collected off the host. By the time encryption and wiping begin, the tools that might have stopped it may already have been silenced.

The Triple Threat: Data Theft, Encryption, and Destruction

The Double Extortion Model

BLUERABBIT's attack sequence follows a deliberate order. Data exfiltration comes first. Before any encryption key gets generated, before any ransom note gets displayed, before the wiper even loads, the malware is already quietly uploading sensitive documents, credentials, financial records, and business intelligence to attacker-controlled cloud storage.

This sequencing is intentional. By the time the victim discovers the ransomware, their most sensitive data is already gone. Now they face two separate problems: restoring access to encrypted systems and preventing the public release of stolen information. Even organizations with perfect backup infrastructure, who can restore their systems completely without paying a cent, still have to deal with the data leak threat separately. The attackers have created leverage that cannot be undone by any technical recovery process.

Ransomware Capabilities

Once the exfiltration phase completes, BLUERABBIT triggers its encryption routines. Files across compromised systems get encrypted and renamed with the .candy extension. The choice of extension is presumably intentional branding. Attackers often use distinctive file extensions so that their ransom demands are immediately recognizable to victims who have dealt with other groups' work.

The encryption workflow is designed to maximize coverage while minimizing the time the malware spends active before triggering detection. Prioritization of high-value file types, network share enumeration, and rapid parallel processing of files are all consistent with how modern ransomware is engineered to operate.

Psychological Warfare

Beyond the technical damage, BLUERABBIT includes a psychological component worth understanding. The malware replaces the desktop wallpaper on compromised systems with an AI-generated alert image. This does nothing to help the attacker exfiltrate data or evade detection. What it does is deliver a message. It tells every person sitting down at an affected workstation that something is catastrophically wrong before they even open an application. It maximizes the psychological impact of the attack, contributes to organizational panic, and keeps the attacker in control of the narrative from the very first moment of discovery.

Advanced Disk Wiping Routines

If the ransom does not get paid, or if the attacker's primary goal was always destruction rather than money, BLUERABBIT's wiper capabilities activate. These are not simple delete operations that a file recovery tool could reverse.

The single-pass variant overwrites data with random bytes, which defeats most standard recovery software. The deep multi-layered variant goes further, cycling through multiple passes using zeros, random data, and 0xFF values in sequence. This approach mirrors established data sanitization standards used by government agencies to permanently destroy classified information. Recovery from this is essentially impossible even with specialized forensic tools and laboratory-grade techniques. The data is genuinely, permanently gone. This is the scenario that makes offline backups not a nice-to-have but an organizational survival requirement.

Enterprise Detection Opportunities

Anomalous Folder Identification

BLUERABBIT creates directories designed to look like legitimate Windows GUID folders, the kind scattered throughout the Windows file system as part of normal operating system activity. The trick is that the malware generates fake GUIDs containing characters outside the valid hexadecimal range.

Real GUIDs use only the characters 0 through 9 and A through F, arranged as 8-4-4-4-12 hexadecimal groups. BLUERABBIT's fake GUIDs contain letters from G all the way to Z. The developers apparently did not invest effort in generating properly formatted fake GUIDs, and that oversight creates a reliable detection opportunity: any GUID-shaped folder name containing a letter beyond F cannot be a GUID and is worth investigating.
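An added example (not tooling from the report) that turns this signal into a hunt: it separates "GUID-shaped" from "actually a GUID" with two regular expressions, reports which impossible letters each fake contains, and includes a filesystem walker for live use. The folder names it runs against are constructed.

```python
"""Hunt for GUID-shaped directory names that cannot be GUIDs.

Added example, not from the BLUERABBIT report. A GUID is 32 hex digits in
8-4-4-4-12 groups, optionally braced; anything with that shape that uses letters
G-Z is a fake. scan_tree() walks a real directory; scan_names() runs the same
check over the constructed sample so the example works offline.
"""
import os
import re

_GROUPS = "{8}-{4}-{4}-{4}-{12}"
GUID_SHAPED = re.compile(r"^\{?" + "-".join(f"[0-9A-Z]{n}" for n in ("{8}", "{4}", "{4}", "{4}", "{12}")) + r"\}?$", re.I)
REAL_GUID = re.compile(r"^\{?" + "-".join(f"[0-9A-F]{n}" for n in ("{8}", "{4}", "{4}", "{4}", "{12}")) + r"\}?$", re.I)


def classify(name: str) -> str:
    """'guid' (well-formed), 'fake_guid' (right shape, impossible letters) or 'other'."""
    if REAL_GUID.match(name):
        return "guid"
    if GUID_SHAPED.match(name):
        return "fake_guid"
    return "other"


def impossible_letters(name: str) -> str:
    """The letters outside the hex range, sorted and de-duplicated, for the report."""
    return "".join(sorted({c for c in name.upper() if "G" <= c <= "Z"}))


def scan_names(names):
    return [(n, impossible_letters(n)) for n in names if classify(n) == "fake_guid"]


def scan_tree(root: str):
    """Live version: every fake-GUID directory under root, with its full path."""
    hits = []
    for dirpath, dirnames, _ in os.walk(root):
        for d in dirnames:
            if classify(d) == "fake_guid":
                hits.append((os.path.join(dirpath, d), impossible_letters(d)))
    return hits


# Constructed directory names: two genuine GUIDs, two fakes, two ordinary folders.
SAMPLE_DIRS = [
    "{3D5F8E2A-9C1B-4F6E-B2A7-1C9E0D4F8A6B}",
    "{7G3K2Q1P-9XZY-4RTW-8MNB-QWERTYUIOPAS}",
    "5F3A9B2C-0D1E-4F2A-8B3C-9D0E1F2A3B4C",
    "ZX9Q8W7E-R6T5-Y4U3-I2O1-P0A9S8D7F6G5",
    "Program Files",
    "Temp",
]

if __name__ == "__main__":
    for name, letters in scan_names(SAMPLE_DIRS):
        print(f"{name}  impossible letters: {letters}")
```

Point `scan_tree()` at C:\ProgramData, C:\Windows\Temp and each user profile first; those are the locations where a GUID-named folder looks least out of place and so are the natural hiding spots.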

Network Anomaly Monitoring

The AMQP protocol that RabbitMQ uses is not something that should originate from standard endpoint workstations. Servers might legitimately run message broker software. Developer machines in certain environments might have it installed for testing. But a regular employee workstation generating AMQP traffic is anomalous and worth flagging.

Network monitoring rules that alert on AMQP traffic from endpoints, particularly on ports 5671 and 5672, will catch BLUERABBIT's C2 communications; the same logic applies to Redis (6379) and MinIO's API port (9000) from hosts that have no business using them. This is one of the more reliable detection opportunities because the protocol choice is unusual enough that false positives remain manageable once known brokers and developer machines are allowlisted.
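The following is an added example, not from the report, of that rule applied to a Zeek-style conn.log slice: it flags broker, Redis and MinIO ports from workstation subnets, and the same ports from any internal host to a non-private destination. The subnets, the dev-host allowlist and every log line are constructed; adjust the nets to your own addressing.

```python
"""Hunt conn-log records for broker, Redis and MinIO traffic from the wrong places.

Added example, not from the BLUERABBIT report. It reads a Zeek-style conn.log
slice (tab-separated) and applies two rules: (1) a workstation talking AMQP
(5671/5672), Redis (6379) or the MinIO API port (9000) to anything, and (2) any
internal host talking those ports to an address outside the private ranges.
Subnets, the dev-host allowlist and every log line below are constructed.
"""
import ipaddress

WORKSTATION_NETS = [ipaddress.ip_network("10.10.0.0/16")]              # hypothetical user VLANs
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ALLOWED_DEV_HOSTS = {ipaddress.ip_address("10.10.7.42")}               # dev box running a local broker
SUSPECT_PORTS = {5671: "AMQPS", 5672: "AMQP", 6379: "Redis", 9000: "MinIO/S3"}
# S3 over 443 to real cloud endpoints needs a destination allowlist instead and is left out here.

FIELDS = ("ts", "uid", "orig_h", "orig_p", "resp_h", "resp_p", "proto", "service")


def parse_conn(line: str) -> dict:
    rec = dict(zip(FIELDS, line.rstrip("\n").split("\t")))
    rec["orig_h"] = ipaddress.ip_address(rec["orig_h"])
    rec["resp_h"] = ipaddress.ip_address(rec["resp_h"])
    rec["resp_p"] = int(rec["resp_p"])
    return rec


def in_any(ip, nets) -> bool:
    return any(ip in n for n in nets)


def evaluate(rec: dict):
    """Return an alert string, or None, for one connection record."""
    svc = SUSPECT_PORTS.get(rec["resp_p"])
    if svc is None or rec["proto"] != "tcp":
        return None
    src, dst = rec["orig_h"], rec["resp_h"]
    if src in ALLOWED_DEV_HOSTS:
        return None
    if in_any(src, WORKSTATION_NETS):
        return f"{svc} from workstation {src} to {dst}"
    if in_any(src, INTERNAL_NETS) and not in_any(dst, INTERNAL_NETS):
        return f"{svc} from {src} to external {dst}"
    return None


def hunt(lines) -> list:
    alerts = []
    for line in lines:
        if not line or line.startswith("#"):
            continue
        alert = evaluate(parse_conn(line))
        if alert:
            alerts.append(alert)
    return alerts


# Constructed conn.log slice (203.0.113.0/24 and 198.51.100.0/24 stand in for
# attacker infrastructure).
SAMPLE_CONN_LOG = ["\t".join(map(str, r)) for r in (
    ("1710000001.0", "C1", "10.10.3.21", 51234, "203.0.113.5", 5671, "tcp", "ssl"),   # workstation -> AMQPS
    ("1710000002.0", "C2", "10.20.5.10", 40000, "10.20.5.11", 5672, "tcp", "-"),      # server -> internal broker
    ("1710000003.0", "C3", "10.10.7.42", 50000, "10.10.7.42", 5672, "tcp", "-"),      # allowlisted dev host
    ("1710000004.0", "C4", "10.10.3.21", 51300, "203.0.113.5", 9000, "tcp", "http"),  # workstation -> MinIO API
    ("1710000005.0", "C5", "10.20.9.8", 43000, "198.51.100.7", 6379, "tcp", "-"),     # server -> external Redis
    ("1710000006.0", "C6", "10.10.3.22", 52000, "10.20.1.1", 443, "tcp", "ssl"),      # ordinary HTTPS, ignored
)]

if __name__ == "__main__":
    for alert in hunt(SAMPLE_CONN_LOG):
        print(alert)
```

The second rule is the one that survives the attacker using a server rather than a workstation as their beachhead: an application server may legitimately speak AMQP to the broker next to it, but not to an address on the internet.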

Process Lineage Tracking

MinIO is a legitimate tool with legitimate uses in object storage environments, but it has no business running on an endpoint workstation during normal operations. When it does appear on a compromised host, its parent is something unexpected, such as the BLUERABBIT loader, rather than a recognised IT management or software deployment tool.

Endpoint rules that watch for minio.exe or mc.exe and examine the parent process catch this activity reliably; if the parent is not an authorised deployment system, treat it as a high-confidence indicator of compromise warranting immediate investigation. One caveat: a Go backdoor can also link the MinIO SDK directly and upload from its own process, with no separate client binary to observe. For that case the equivalent signal is a per-process network-connection event (Sysmon Event ID 3, for example) showing which process opened the S3 session.

Host-Based Behavior Alerts

The takeown and icacls commands are legitimate Windows administrative tools. System administrators use them regularly for genuine maintenance. But there is a very specific pattern that signals malicious use: these tools being executed against Windows boot files, recovery partitions, and shadow copy infrastructure.

Detection rules that alert on takeown or icacls usage against Windows Recovery Environment files (Winre.wim and the Recovery folder), the BCD store, or volume shadow copy locations will catch BLUERABBIT's preparation phase before the destructive payload activates. This is one of the most valuable detection opportunities available because it fires before the encryption and wiping even begins.
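An added example (not from the report) that implements both host-based hunts above, the unexpected-parent check for MinIO clients and the takeown/icacls-against-recovery-targets check, over process-creation events in the field names Sysmon uses. The events, the deployer allowlist and the payload paths are constructed.

```python
"""Host-based hunts over process-creation telemetry (Sysmon Event ID 1 / 4688).

Added example, not from the BLUERABBIT report. Two rules: (1) a MinIO client
(minio.exe or mc.exe) whose parent is not an approved deployment tool, and
(2) takeown.exe or icacls.exe whose command line names boot or recovery
artefacts. The events and the deployer allowlist are constructed.
"""

S3_CLIENT_IMAGES = {"minio.exe", "mc.exe"}
ACL_TOOLS = {"takeown.exe", "icacls.exe"}
TRUSTED_DEPLOYERS = {"ccmexec.exe", "msiexec.exe"}   # hypothetical allowlist (SCCM, MSI)

# Lower-case substrings matched against the lower-cased command line.
RECOVERY_TARGETS = (
    "\\recovery\\",                 # C:\Recovery\WindowsRE and the hidden recovery partition
    "winre.wim",                    # the Windows RE image itself
    "\\boot\\bcd",                  # BCD store (BIOS: \Boot\BCD, UEFI: \EFI\Microsoft\Boot\BCD)
    "\\efi\\microsoft\\boot\\",
    "bootmgr",
    "system volume information",    # shadow copy storage lives under here
)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(event: dict):
    """Return (rule, detail) or None for one process-creation event."""
    image = basename(event["Image"])
    parent = basename(event["ParentImage"])
    cmd = event["CommandLine"].lower()

    if image in S3_CLIENT_IMAGES and parent not in TRUSTED_DEPLOYERS:
        return ("s3_client_unexpected_parent", f"{image} spawned by {parent}")

    if image in ACL_TOOLS:
        hits = [t for t in RECOVERY_TARGETS if t in cmd]
        if hits:
            return ("acl_change_on_recovery_target", f"{image} -> {hits[0]} (parent {parent})")
    return None


def hunt(events) -> list:
    return [a for a in (evaluate(e) for e in events) if a]


# Constructed events in the field names Sysmon uses.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\takeown.exe",
     "CommandLine": r"takeown /f C:\Recovery\WindowsRE\Winre.wim /a",
     "ParentImage": r"C:\ProgramData\{7G3K2Q1P-9XZY-4RTW-8MNB-QWERTYUIOPAS}\svc.exe"},
    {"Image": r"C:\Windows\System32\icacls.exe",
     "CommandLine": r'icacls "C:\Users\alice\Documents" /grant alice:F',
     "ParentImage": r"C:\Windows\explorer.exe"},                       # routine admin use, ignored
    {"Image": r"C:\Windows\System32\icacls.exe",
     "CommandLine": r"icacls S:\Boot\BCD /deny Everyone:F",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\ProgramData\{7G3K2Q1P-9XZY-4RTW-8MNB-QWERTYUIOPAS}\mc.exe",
     "CommandLine": r"mc.exe cp C:\staging\export.7z remote/ingest/",
     "ParentImage": r"C:\ProgramData\{7G3K2Q1P-9XZY-4RTW-8MNB-QWERTYUIOPAS}\svc.exe"},
    {"Image": r"C:\Program Files\MinIO\minio.exe",
     "CommandLine": r"minio.exe server D:\data",
     "ParentImage": r"C:\Windows\CCM\CcmExec.exe"},                    # deployed by SCCM, ignored
]

if __name__ == "__main__":
    for rule, detail in hunt(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

The recovery-target list is deliberately a substring match on the command line rather than on the Image path, because the operator can rename or copy the binaries but still has to name the files they want to own.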

SIEM Rules and YARA Signatures

For SOC teams who want to codify BLUERABBIT detection into their SIEM platforms, the key behavioral indicators translate well into correlation logic. Combining unexpected AMQP traffic from endpoints, MinIO execution with unusual parent processes, takeown or icacls usage against recovery infrastructure, and fake GUID folder creation into a correlated rule significantly increases detection confidence while keeping false positives manageable: any one signal has benign explanations, two on the same host within a short window rarely do.

YARA rules add host-based coverage, but the rule must key on something specific to this family: the "Rabbit" symbol names, the .candy extension string, the "OneDrive Update" task name. Matching on Go binary structure alone would flag every Go program on the estate. Layering network-based and host-based signatures together gives security teams the best chance of catching BLUERABBIT at multiple points across the kill chain rather than relying on any single detection method.
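The correlation step, as an added example rather than anything from the report: each detector emits a (timestamp, host, signal type) triple, and this collapses them into one alert per host once two distinct signal types land inside a thirty-minute window, escalating to critical when the recovery-tampering signal is among them. The signals and host names are constructed.

```python
"""Correlate independent BLUERABBIT signals per host inside a time window.

Added example, not from the report. Each detector (network, process, file
system) emits (epoch_seconds, host, signal_type); this collapses them into one
alert per host once at least two distinct signal types land within 30 minutes,
and marks the alert critical when the recovery-tampering signal is present,
because that is the step that precedes encryption and wiping. All signals
below are constructed.
"""
from collections import defaultdict, deque

PRE_DESTRUCTION = "acl_change_on_recovery_target"


def correlate(signals, window_s: int = 1800, min_types: int = 2) -> dict:
    """signals: iterable of (ts, host, signal_type). Returns {host: alert}."""
    alerts = {}
    recent = defaultdict(deque)            # host -> (ts, signal_type) pairs inside the window
    for ts, host, sig in sorted(signals):
        q = recent[host]
        q.append((ts, sig))
        while q and q[0][0] < ts - window_s:
            q.popleft()
        types = {s for _, s in q}
        if len(types) >= min_types:
            alert = alerts.setdefault(host, {"first_alert": ts, "signals": set()})
            alert["signals"] |= types      # keep accumulating as later signals arrive
    for alert in alerts.values():
        alert["severity"] = "critical" if PRE_DESTRUCTION in alert["signals"] else "high"
    return alerts


SAMPLE_SIGNALS = [
    # WS-0231: the full sequence inside one window
    (1710000000, "WS-0231", "amqp_from_workstation"),
    (1710000600, "WS-0231", "fake_guid_dir"),
    (1710001500, "WS-0231", "acl_change_on_recovery_target"),
    # SRV-DEV: a developer box that legitimately talks AMQP, over and over
    (1710000100, "SRV-DEV", "amqp_from_workstation"),
    (1710000700, "SRV-DEV", "amqp_from_workstation"),
    (1710001300, "SRV-DEV", "amqp_from_workstation"),
    # WS-0410: two signals, but 83 minutes apart
    (1710000000, "WS-0410", "fake_guid_dir"),
    (1710005000, "WS-0410", "amqp_from_workstation"),
]

if __name__ == "__main__":
    for host, alert in correlate(SAMPLE_SIGNALS).items():
        print(host, alert)
```

Counting distinct signal types rather than raw events is what keeps the noisy developer machine quiet; the window size is a tuning knob, and widening it trades a few more false positives for catching a slower operator.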

Incident Response, Mitigation, and Recovery Checklist

Immediate Isolation Protocols

When BLUERABBIT is detected, speed matters more than almost anything else. Every second the malware remains connected to a network is another second available for exfiltration, lateral movement, or triggering the destructive payload. The first action, before anything else, is network isolation.

Infected Windows endpoints need to be physically disconnected from the network or have their ports disabled at the switch. Do not rely on software-based isolation if the EDR may already have been tampered with; a pulled cable or a shut switch port is more reliable. The usual advice is not to power off an isolated machine immediately, because volatile memory may hold encryption keys, credentials, or other evidence critical to the investigation. BLUERABBIT is the exception case: if the wiper is visibly running (disk activity pegged, files disappearing, the .candy extension spreading), cutting power stops the destruction, and that is worth more than the memory image.

Immediate actions to take in sequence: physically disconnect network cables or disable switch ports, preserve volatile memory before any shutdown, isolate all systems in the same network segment as confirmed infections, revoke remote access credentials for affected users and service accounts immediately, and notify legal and senior leadership within the first hour of confirmed compromise.

Credential Revocation

BLUERABBIT's exfiltration pipeline specifically targets cloud infrastructure. If the malware has been running on a network for any meaningful length of time, the attackers likely already have cloud credentials. Waiting to revoke them is not an option.

All enterprise cloud access tokens need to expire immediately. S3 access keys and secret keys used by any system in the affected environment should be rotated right away. Local administrator passwords across the enterprise need to change, particularly since lateral movement may have already extended the attacker's foothold well beyond the initially detected systems. Microsoft Entra ID (formerly Azure AD) and Active Directory service accounts that had access to affected systems deserve immediate scrutiny and rotation.

Backup Strategy Validation

BLUERABBIT's wiper capability makes this conversation urgent in a way that standard ransomware does not. When a multi-pass 0xFF wiper runs across your storage, there is no negotiating your data back, no forensic recovery, and no vendor tool that retrieves it. The only path to recovery is backups that the wiper could not reach.

A 3-2-1 backup strategy is the baseline: three copies of data, on two different media types, with one copy kept completely offline. The offline component is what matters most against BLUERABBIT. Backups that are network-accessible from compromised systems, or reachable with credentials that live in the production domain, can be wiped alongside production data. Truly offline backups, either physically disconnected or held in object storage with immutable object-lock retention and credentials the production environment never sees, are the only reliable defense against the wiper payload.

If this incident reveals that offline backup infrastructure does not exist, building it is the first thing that needs to happen after recovery is complete. It is not optional.

Employee Security Awareness

The most sophisticated malware in the world still needs a human being somewhere in the chain to get inside a network. Whether that is an employee who opened a phishing attachment, a developer who reused a compromised password, or an administrator who left an RDP port exposed to the internet, the initial foothold almost always involves a person making a decision.

Security awareness training that specifically addresses the types of initial access this group uses gives organizations a real defensive advantage at the earliest stage of the attack. Teaching employees to recognize targeted phishing attempts, reinforcing strong credential practices, and building a culture where reporting suspicious emails is encouraged and rewarded all make the attacker's job harder and noisier. The goal is not to make humans perfect. The goal is to make initial access difficult enough that it generates detectable noise long before BLUERABBIT ever makes it onto the network.



Appendix: Threat Intelligence Data and Indicators of Compromise

File Hashes (SHA-256)

The SHA-256 hashes of known malicious BLUERABBIT binaries confirmed through threat intelligence analysis should be loaded into endpoint detection platforms, SIEM hash watchlists, and email gateway blocklists. An important caveat: every rebuild of a Go binary, even with trivial source or flag changes, produces a different hash. Hash-based detection should be treated as one layer among many rather than a comprehensive control on its own, and hash lists in static documents go stale quickly as attackers recompile.

For the current verified IOC list, contact your threat intelligence vendor or your sector's information sharing organization. Live feeds will always be more current and reliable than any document-based list.

Network Indicators

Defanged C2 IP addresses and domain indicators associated with BLUERABBIT infrastructure are maintained in live threat intelligence platforms. Static lists in documents become stale quickly because attacker infrastructure rotates regularly. Security teams should configure automated IOC ingestion from a live threat intelligence feed into their perimeter controls rather than relying on manual updates from published guides.

The most durable network indicators are behavioral rather than specific: unexpected AMQP traffic from endpoints, MinIO client execution, and S3-bound traffic from systems with no legitimate cloud storage use case. These patterns remain valid even as the attacker rotates their specific infrastructure, which makes them worth investing in regardless of whether you have specific IPs and domains to block.

Cryptographic Fingerprints

The JA3, JA3S, and JA4 TLS fingerprints associated with BLUERABBIT's C2 communications provide perimeter detection that survives infrastructure rotation. Unlike IP addresses and domain names, a client-side fingerprint is tied to the software stack that produced the handshake and does not change when the attacker stands up new servers. For BLUERABBIT that stack is Go's crypto/tls, which every Go program of the same release shares, so treat a match as a strong lead to be confirmed against destination, port and host telemetry rather than as proof on its own; the server-side JA3S value, by contrast, reflects the attacker's broker configuration and will move with the infrastructure.

These fingerprint values should be configured as detection rules in network security monitoring platforms, IDS and IPS systems, and next-generation firewalls with TLS inspection capability enabled. An alert on a matching fingerprint from an internal endpoint, especially toward an AMQP port or an unknown S3 endpoint, warrants immediate investigation. For the full verified JA3, JA3S, and JA4 values, consult your threat intelligence source directly to ensure you have current and validated data rather than values that may have been superseded.

This guide is intended for security professionals, incident responders, and enterprise defenders. Handle all threat intelligence data in accordance with your organization's information security policies and applicable legal requirements.
