BLUERABBIT: A Golang-Based Backdoor with Ransomware and Destructive…
2026-6-9 14:39:51 | Author: binarydefense.com

A full-featured backdoor with file encryption, drive wiping, and a C2 channel that looks like normal message broker traffic. Meet BLUERABBIT, a Golang-based backdoor attributed to a likely Iran-nexus threat actor. It routes its command-and-control through RabbitMQ (AMQP) for tasking, Redis for state management, and MinIO for S3-compatible data exfiltration. It is a full-spectrum intrusion tool: remote access, system profiling, file encryption with a .candy extension, and two distinct disk-wiping modules capable of rendering systems permanently unrecoverable.

First observed in mid-to-late March 2026, BLUERABBIT is suspected of targeting entities in Israel. According to the Google Threat Intelligence Group (GTIG), the malware is related to the same likely Iran-nexus activity cluster that previously leveraged BLUEWIPE and SEWERGOO in June 2025. Symbols were left intact in the analyzed sample, revealing that the binary was known internally as “Rabbit” and compiled as a developmental build.

The background material for this analysis is the GTIG report 26-10016354, available at VirusTotal.

Attack Flow

The following sequence represents BLUERABBIT’s operational kill chain as observed in analysis. Each stage maps to a dedicated section of this report.

| # | Phase | Description |
|---|-------|-------------|
| 1 | Initial Execution | Binary executes, checks HKCU\Software\OneDrive\Environment registry key for prior execution |
| 2 | Persistence | Creates “OneDrive Update” scheduled task with 60-second repeat interval and startup trigger |
| 3 | C2 Registration | Connects to RabbitMQ (AMQP), declares a queue named after the victim device |
| 4 | Tasking | Receives numeric task IDs over AMQP, maps each to a built-in module |
| 5 | Reconnaissance | Profiles OS, hardware, network, installed software, security products, BitLocker status, drivers, domain |
| 6 | Exfiltration | Stages files in GUID-named directories, exfiltrates to attacker-controlled MinIO infrastructure |
| 7 | Destructive Actions | Disables recovery, encrypts files (.candy), and/or wipes disks across all logical drives |

Capability Matrix

BLUERABBIT operates on a modular tasking system. The C2 server sends a numeric task ID, and the malware maps it to one of over a dozen built-in modules. The table below summarizes the core capability categories.

| Category | Description |
|----------|-------------|
| Remote Access | Full remote desktop-style control with keyboard and mouse input via VNC; shell command execution |
| Surveillance | Screenshot capture, screen recording, process and Windows service enumeration and management |
| System Profiling | OS details, hardware configuration, network settings, installed software, security products, BitLocker status, installed drivers, domain information |
| File Exfiltration | Files staged in GUID-named directories and exfiltrated to attacker-controlled MinIO (S3-compatible) cloud storage |
| File Encryption | Encrypts files across all logical drives with .candy extension; replaces desktop wallpaper with AI-generated “High-Alert” image |
| Disk Wiping (Single-Pass) | Overwrites all drives with random data in a single pass |
| Disk Wiping (Multi-Pass) | Writes zeros, random data, and 0xFF in sequence across all drives, rendering systems permanently unrecoverable |
| Anti-Recovery | Disables automatic reboot, system recovery, and scheduled maintenance; takes ownership of critical boot files |

The combination of exfiltration and encryption is consistent with a double extortion model: data is stolen before encryption occurs. This means data has already left the network before a victim even knows they are compromised, and paying a ransom does not guarantee the data will not be leaked or sold.

Initial Execution and Persistence

Upon execution, BLUERABBIT checks the registry key HKCU\Software\OneDrive\Environment to track its execution count. If this key does not exist, the malware assumes it is running for the first time and executes a PowerShell command to establish persistence as a scheduled task named “OneDrive Update,” deliberately impersonating a legitimate Microsoft service.

The task is configured with two triggers: one that fires five seconds after registration with a one-minute repeat interval, and one at system startup. It runs at the highest privilege level available to the compromised user, has no execution time limit, and restarts automatically up to three times on failure. The observed PowerShell persistence command is as follows:

The -ExecutionPolicy Bypass -WindowStyle Hidden arguments passed to the malware binary appear to be unused, as these are PowerShell flags that have no effect when passed directly to a non-PowerShell executable. The authors also did not strip symbols from the binary, which significantly aided analysis. Configuration parameters such as C2 server IPs, ports, and authentication credentials are, however, protected with AES encryption.

Because the task repeats every 60 seconds with automatic restart on failure, simply killing the BLUERABBIT process is insufficient. The scheduled task itself must be removed to break persistence.

Command-and-Control Infrastructure

BLUERABBIT’s main execution loop follows the sequence MessageReader → ProcessTask → UpdateRedis, relying on enterprise messaging and database protocols rather than conventional HTTP-based C2. This architecture uses three distinct channels, each serving a specific operational purpose:

| Protocol | Technology | Function |
|----------|------------|----------|
| AMQP | RabbitMQ | Primary tasking channel. Malware declares a queue named after the victim device; consumer tag is the full path to the malicious executable. Task IDs received as JSON. |
| RESP | Redis | Results and task state written back after module execution. |
| S3 (HTTP) | MinIO | S3-compatible channel for large file exfiltration to attacker-controlled cloud storage. |

When launching the VNC remote desktop module, BLUERABBIT creates a firewall rule under the deceptive name Microsoft.Windows.CloudExperienceHost to blend in with legitimate Windows components.

Temporary staging directories are generated using a GUID-like naming scheme where characters are drawn from the full alphanumeric range rather than hexadecimal only. This is a meaningful detection signal: legitimate Windows GUIDs are strictly hexadecimal (0–9, A–F), so the presence of characters G–Z in a GUID-formatted directory name is anomalous and huntable. The path for files staged for exfiltration is written to the registry key HKCU\Software\OneDrive\ProfileConfig.

Destructive Actions Preparation

Prior to executing destructive actions, BLUERABBIT uses takeown and icacls to take ownership of and grant full access to critical boot files, including bootmgr, ntoskrnl.exe, and winload. The following registry modifications are made to disable automatic reboot and system recovery:

| Registry Path | Value | Effect |
|---------------|-------|--------|
| HKLM\SYSTEM\CurrentControlSet\Control\CrashControl | AutoReboot = 0 | Prevents automatic reboot on crash |
| HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU | NoAutoRebootWithLoggedOnUsers = 1 | Blocks reboot while users are logged on |
| HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\Maintenance | MaintenanceDisabled = 1 | Disables scheduled maintenance |
| HKLM\SYSTEM\CurrentControlSet\Control\Windows | NoAutoRebootWithLoggedOnUsers = 1 | Additional reboot suppression |
| HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU | AlwaysAutoRebootAtScheduledTime = 0 | Disables forced scheduled reboot |

The raw commands, preserved here for detection engineering purposes:

Collectively, these modifications ensure that once BLUERABBIT begins encryption or wiping, the system cannot automatically recover, reboot into repair mode, or interrupt the destructive process.

Detection Opportunities

Several characteristics of BLUERABBIT create reliable detection opportunities that defenders can operationalize:

  • Non-hex GUID directories: BLUERABBIT’s staging directories use the full alphanumeric range (A–Z, 0–9) in a GUID-formatted path. Legitimate Windows GUIDs are strictly hexadecimal. Any GUID-formatted folder containing characters G–Z is anomalous and worth investigating.
  • Scheduled task fingerprint: The combination of a task named “OneDrive Update,” created via New-ScheduledTaskAction with AllowStartIfOnBatteries, Hidden, and an immediate start trigger, is distinctive and unlikely to appear in legitimate enterprise tooling.
  • AMQP/RabbitMQ traffic: On endpoint devices, externally routed AMQP traffic is a high-fidelity detection signal. However, in environments where RabbitMQ is part of the production stack, defenders should also baseline expected broker connections and alert on anomalous destinations or authentication patterns.
  • MinIO command-line artifacts: The MinIO client (mc) executed with alias set --insecure or performing S3-style operations from non-server endpoints should be treated as suspicious. Defenders should also monitor for mc spawned by non-standard parent processes: if mc is being called by something other than a shell session, cron job, or known automation tooling (e.g., spawned by an application binary, a scripting engine like python or powershell, or an unusual service), that's a strong indicator of programmatic misuse consistent with automated exfiltration or staging.
  • Boot file ownership changes: Any process running takeown or icacls against bootmgr, ntoskrnl.exe, or winload.efi/winload.exe outside of a sanctioned patching window should trigger an immediate alert.
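As an added example, not code from the report or from Binary Defense, the following Python hunting script applies the non-hex GUID, boot-file ownership and MinIO client rules above to constructed Sysmon-style endpoint events; the event field names and the set of expected mc parent processes are assumptions to adapt to your own telemetry.

```python
import re
# Constructed Sysmon-style events (sample input, not from the report); field names are assumed.
SAMPLE_EVENTS = [
    {"type": "file_create", "path": r"C:\Users\a\AppData\Local\Temp\3F2K9Q1Z-8B7C-4D2E-9FA1-0C7B3E5D9QZA\doc.bin"},
    {"type": "file_create", "path": r"C:\Users\a\AppData\Local\Temp\3f2a9c1b-8b7c-4d2e-9fa1-0c7b3e5d9a2f\doc.bin"},
    {"type": "process", "image": "takeown.exe", "parent": "rabbit.exe",
     "cmdline": r"takeown /f C:\Windows\System32\ntoskrnl.exe"},
    {"type": "process", "image": "mc.exe", "parent": "rabbit.exe",
     "cmdline": "mc alias set --insecure exfil http://minio.example.invalid:9000"},
    {"type": "process", "image": "mc.exe", "parent": "cmd.exe", "cmdline": "mc ls backup"},
]
# GUID shape that accepts any alphanumeric, so the hex check can flag G-Z characters.
GUID_SHAPE = re.compile(r"[0-9A-Za-z]{8}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{12}")
HEX_ONLY = re.compile(r"[0-9A-Fa-f-]+")
BOOT_FILES = ("bootmgr", "ntoskrnl.exe", "winload.exe", "winload.efi")
OWNERSHIP_TOOLS = {"takeown.exe", "icacls.exe"}
MC_EXPECTED_PARENTS = {"cmd.exe", "bash", "sh", "cron"}  # assumed; add your sanctioned automation

def non_hex_guid_segments(path):
    """GUID-shaped path components with characters outside 0-9/A-F (real GUIDs are pure hex)."""
    segs = [s.strip("{}") for s in re.split(r"[\\/]", path)]
    return [s for s in segs if GUID_SHAPE.fullmatch(s) and not HEX_ONLY.fullmatch(s)]

def boot_file_ownership_change(ev):
    """takeown/icacls invoked against a critical boot file."""
    cmd = ev.get("cmdline", "").lower()
    return ev.get("image", "").lower() in OWNERSHIP_TOOLS and any(b in cmd for b in BOOT_FILES)

def suspicious_mc(ev):
    """MinIO client setting an --insecure alias, or spawned by an unexpected parent."""
    if ev.get("image", "").lower() not in {"mc", "mc.exe"}:
        return False
    cmd = ev.get("cmdline", "").lower()
    insecure_alias = "alias set" in cmd and "--insecure" in cmd
    return insecure_alias or ev.get("parent", "").lower() not in MC_EXPECTED_PARENTS

def hunt(events):
    """Apply every rule; returns (rule_name, detail) pairs in event order."""
    alerts = []
    for ev in events:
        if ev["type"] == "file_create":
            alerts += [("non_hex_guid_dir", s) for s in non_hex_guid_segments(ev["path"])]
        elif ev["type"] == "process":
            if boot_file_ownership_change(ev):
                alerts.append(("boot_file_ownership", ev["cmdline"]))
            if suspicious_mc(ev):
                alerts.append(("suspicious_mc", ev["cmdline"]))
    return alerts
```

Running `hunt(SAMPLE_EVENTS)` yields one alert each for the non-hex GUID directory, the takeown against ntoskrnl.exe, and the --insecure mc alias, while the hex-only GUID and the shell-launched mc ls pass silently.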

Indicators of Compromise


BLUERABBIT represents a capable and operationally mature threat. Its use of enterprise protocols for C2, modular architecture, and dual-purpose destructive capability signal an adversary that is investing in tooling designed for high-impact operations. For organizations concerned about exposure to Iran-nexus threats, the detection opportunities and indicators above provide an immediate starting point for proactive hunting.

ARC Labs will continue to track this activity cluster and publish updates as the threat evolves. 


Source: https://binarydefense.com/resources/blog/bluerabbit-a-golang-based-backdoor-with-ransomware-and-destructive-capabilities