Binary Defense disclosed a newly identified Go-based Windows backdoor, BLUERABBIT, that provides attackers with persistent access, reconnaissance, screenshot and screen-recording capture, shell execution, and data theft before escalating to file encryption and destructive wiping. The malware is assessed as likely tied to an Iran-nexus activity cluster and appears primarily aimed at organizations in Israel. Researchers said BLUERABBIT was first observed in mid-to-late March 2026 and linked it to activity associated with BLUEWIPE and SEWERGOO.
BLUERABBIT blends into enterprise environments by using RabbitMQ over AMQP for command-and-control, Redis for task state management, and MinIO for S3-compatible exfiltration. It persists through a scheduled task named "OneDrive Update", stores staging data under HKCU\Software\OneDrive, can encrypt files with the .candy extension, and includes two wiping routines that disable Windows recovery mechanisms and alter boot-file permissions to make systems unrecoverable. Detection opportunities include anomalous AMQP traffic from workstations, suspicious MinIO client execution, unusual GUID-like staging folders, the fake OneDrive task, and unauthorized use of tools such as takeown or icacls against critical boot files.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
3 events from the most recent confirmed update back to the earliest known activity.
Binary Defense published a report detailing BLUERABBIT's use of RabbitMQ, Redis, and MinIO, along with its persistence, encryption, and disk-wiping capabilities. The report also released detection opportunities, file hashes, IP addresses, and TLS fingerprints as indicators of compromise.
Binary Defense said the BLUERABBIT Golang backdoor and destructive intrusion tool was first observed in mid-to-late March 2026. The activity was assessed as primarily targeting entities in Israel.
Binary Defense reported that Google Threat Intelligence Group had previously linked the BLUEWIPE and SEWERGOO activity from June 2025 to a likely Iran-nexus activity cluster later associated with BLUERABBIT.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
2 references tracked. Mallory keeps watching after this page renders.
cybersecuritynews.com
Open sourcebinarydefense.com
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.