Technical Analysis: BLUERABBIT – A Modular Golang Backdoor with Destructive Payload Capabilities
Security researchers have identified a sophisticated new Golang-based backdoor, dubbed BLUERABBIT, designed to execute a multi-stage attack lifecycle on Windows environments. This malware is not a simple trojan; it is a full-spectrum intrusion framework capable of simultaneous data exfiltration, file encryption, and irreversible disk wiping.
First observed in mid-to-late March 2026, current intelligence suggests the campaign specifically targets Israeli entities. According to analysis by the Google Threat Intelligence Group (GTIG), the tool is linked to an Iran-nexus threat cluster previously associated with the BLUEWIPE and SEWERGOO operations.
Architectural Overview: Abusing Enterprise Infrastructure
What distinguishes BLUERABBIT from standard malware is its “living-off-the-infrastructure” approach. Rather than utilizing traditional, easily detectable HTTP/S callbacks for command-and-control (C2), the developers have opted to abuse legitimate enterprise-grade components to blend into network noise:
- Command & Control (C2): Uses RabbitMQ (AMQP) as the primary tasking channel. Upon execution, the binary creates an AMQP queue named after the victim’s device and consumes numeric task IDs encoded in JSON.
- State Management: Leverages Redis to manage session states and task results.
- Data Exfiltration: Utilizes MinIO (an S3-compatible object storage) to facilitate bulk transfers of stolen data to attacker-controlled cloud repositories.
The malware’s modularity is driven by these JSON-encoded task IDs, which map to a suite of over a dozen internal functions, including VNC-style remote desktop control, screenshot capture, and shell execution.
Persistence and Execution Flow
BLUERABBIT achieves persistence through a scheduled task masquerading as a legitimate “OneDrive Update.” It uses the registry key HKCU\Software\OneDrive\Environment as an infection marker, checking it to detect a prior infection before installing itself again. On first run, it executes a PowerShell command that installs a scheduled task configured to run with the highest available privileges, with a repeat trigger every 60 seconds and a trigger at every system startup.
Interestingly, the threat actors failed to strip symbols from the Go binary. This oversight left the internal name “Rabbit” and various developmental build markers intact, providing high-fidelity forensic breadcrumbs for analysts. While the surviving symbols make the binary easier to reverse-engineer, critical configuration data, including C2 IP addresses, ports, and credentials, is stored AES-encrypted rather than in the clear.
The Kill Chain: From Reconnaissance to Destruction
Once persistence is established and C2 registration via RabbitMQ is complete, BLUERABBIT moves through a systematic operational kill chain:
1. Reconnaissance and Staging
The malware performs deep system profiling, collecting data on OS versions, hardware specifications, network topology, installed software, security products, BitLocker status, and domain membership. Stolen files are staged in local directories using GUID-formatted names. Notably, these “GUIDs” draw from a non-standard character set (A–Z, 0–9). Because legitimate Windows GUIDs are strictly hexadecimal (0–9, A–F), a GUID-shaped directory name containing any letter from G to Z is a high-fidelity detection signal.
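To make that signal concrete, the following added example (written for this page, not code from the GTIG analysis) classifies path components by GUID shape and hex alphabet, and reports which non-hex letters triggered the hit for triage. The sample paths are constructed; the BLUERABBIT-style name in them is invented to match the described A–Z, 0–9 alphabet, not an observed indicator.

```python
import re

# GUID shape is 8-4-4-4-12 groups, optionally braced. A legitimate GUID is hex only;
# the staging names described above keep the shape but draw from A-Z and 0-9.
GUID_SHAPE = re.compile(
    r"^\{?([A-Za-z0-9]{8})-([A-Za-z0-9]{4})-([A-Za-z0-9]{4})-([A-Za-z0-9]{4})-([A-Za-z0-9]{12})\}?$")
HEX_ONLY = re.compile(r"^[0-9A-Fa-f]+$")

# Constructed sample paths (not from a real infection). Only the first should be flagged.
SAMPLE_PATHS = [
    r"C:\Users\alice\AppData\Local\Temp\Q7ZK3MPX-9RT2-WN4J-8LQ5-ZX7TV2MKRP9Y\report.docx",
    r"C:\ProgramData\Microsoft\{3F2504E0-4F89-11D3-9A0C-0305E82C3301}\cache.bin",
    r"C:\Windows\Installer\a1b2c3d4-e5f6-7890-abcd-ef1234567890",
    r"C:\Users\alice\Documents\budget.xlsx",
]


def classify_name(name):
    """'guid' for a hex-only GUID, 'guid_shaped_nonhex' for a GUID-shaped name that uses
    letters beyond A-F, 'other' for anything that is not GUID-shaped at all."""
    m = GUID_SHAPE.match(name)
    if not m:
        return "other"
    body = "".join(m.groups())
    return "guid" if HEX_ONLY.match(body) else "guid_shaped_nonhex"


def nonhex_letters(name):
    """Letters outside the hex alphabet, uppercased and sorted, for the analyst's triage line."""
    return sorted({c for c in name.upper() if "G" <= c <= "Z"})


def flag_staging_paths(paths):
    """Return (path, offending component, non-hex letters) for each path that contains a
    GUID-shaped, non-hex directory or file name anywhere in it."""
    hits = []
    for p in paths:
        for comp in re.split(r"[\\/]+", p):
            if classify_name(comp) == "guid_shaped_nonhex":
                hits.append((p, comp, nonhex_letters(comp)))
                break
    return hits


if __name__ == "__main__":
    for path, comp, letters in flag_staging_paths(SAMPLE_PATHS):
        print(f"SUSPICIOUS {comp} in {path} (non-hex letters: {''.join(letters)})")
```

A caveat worth keeping in mind: a staging name that happens to consist only of 0–9 and A–F would be indistinguishable from a real GUID by this check alone, so pair it with the path context (user-writable temp locations) rather than treating it as the only signal.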
2. Ransomware and Destructive Payloads
The final phase is dual-pronged. First, it acts as ransomware, encrypting files across all logical drives and appending a .candy extension. To maximize psychological impact, it replaces the user’s desktop wallpaper with an AI-generated “High-Alert” image.
Second, it executes devastating wiping routines. To ensure maximum data loss, the malware uses takeown and icacls to seize ownership of critical boot files and modifies registry keys to disable system recovery and automatic reboots. It then performs either a single-pass random overwrite or a multi-pass sequence (zeros, random, and 0xFF) to ensure the disk is unrecoverable.

Defensive Strategies and Detection
Defenders should prioritize the following high-fidelity signals in their EDR and network telemetry:
- Host-Based: Monitor for scheduled tasks named “OneDrive Update” with aggressive repeat triggers; detect unauthorized use of takeown.exe or icacls.exe on system/boot files; check for the HKCU\Software\OneDrive\Environment registry key the malware uses as an infection marker; and alert on non-hexadecimal GUID-like directory structures.
- Network-Based: Identify anomalous AMQP (RabbitMQ) traffic originating from non-server endpoints; monitor for MinIO client usage by unusual processes; and flag outbound connections to known malicious IPs.
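The following added example (written for this page, not code from the GTIG analysis) runs the scheduled-task, boot-file ACL, and AMQP checks from the list above over a handful of constructed telemetry events. The event schema, the boot-file watchlist, the five-minute “aggressive repeat” threshold, and the per-host role field (which stands in for an asset inventory) are all assumptions; the task XML mirrors the shape that Windows Security event 4698 carries in its TaskContent field.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample telemetry (not real BLUERABBIT logs).
TASK_XML = """<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger><Repetition><Interval>PT1M</Interval></Repetition></CalendarTrigger>
    <BootTrigger/>
  </Triggers>
  <Principals><Principal><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
</Task>"""

EVENTS = [
    {"type": "task_created", "host": "WS-ALICE", "task_name": "\\OneDrive Update", "task_xml": TASK_XML},
    {"type": "process", "host": "WS-ALICE", "image": r"C:\Windows\System32\takeown.exe",
     "cmdline": r"takeown /f C:\Windows\System32\winload.exe /a"},
    {"type": "process", "host": "WS-ALICE", "image": r"C:\Windows\System32\icacls.exe",
     "cmdline": r"icacls C:\bootmgr /grant Everyone:F"},
    {"type": "process", "host": "WS-BOB", "image": r"C:\Windows\System32\icacls.exe",
     "cmdline": r"icacls C:\Users\bob\share /grant bob:R"},                     # benign ACL change
    {"type": "netconn", "host": "WS-ALICE", "role": "workstation", "image": "onedrv.exe", "dst_port": 5672},
    {"type": "netconn", "host": "APP-01", "role": "server", "image": "svc.exe", "dst_port": 5672},  # legit client
    {"type": "netconn", "host": "WS-ALICE", "role": "workstation", "image": "chrome.exe", "dst_port": 443},
]

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
AMQP_PORTS = {5671, 5672}     # RabbitMQ default TLS/plaintext ports (assumed watch ports)
REPEAT_THRESHOLD_S = 300      # assumed: repetition faster than five minutes counts as aggressive
# Assumed watchlist of boot-critical paths (lowercase); the write-up names none explicitly.
BOOT_FILES = ("\\bootmgr", "\\boot\\bcd", "\\efi\\microsoft\\boot\\",
              "\\system32\\winload.", "\\system32\\winresume.", "\\system32\\ntoskrnl.exe")


def iso_duration_seconds(text):
    """Parse the PT#H#M#S form Task Scheduler uses for <Interval>; None if absent or unparsable."""
    if not text:
        return None
    m = re.fullmatch(r"PT(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?", text.strip())
    if not m or not any(m.groups()):
        return None
    h, mi, s = (int(g) if g else 0 for g in m.groups())
    return h * 3600 + mi * 60 + s


def check_task(ev):
    """An 'OneDrive Update' task that repeats aggressively or fires at boot."""
    root = ET.fromstring(ev["task_xml"])
    interval = root.find(".//t:Repetition/t:Interval", TASK_NS)
    secs = iso_duration_seconds(interval.text if interval is not None else None)
    boot = root.find(".//t:BootTrigger", TASK_NS) is not None
    level = root.find(".//t:Principal/t:RunLevel", TASK_NS)
    highest = level is not None and level.text == "HighestAvailable"
    named = "onedrive update" in ev["task_name"].lower()
    aggressive = secs is not None and secs <= REPEAT_THRESHOLD_S
    if named and (aggressive or boot):
        return {"host": ev["host"], "rule": "onedrive_update_task",
                "detail": f"interval={secs}s boot={boot} highest={highest}"}
    return None


def check_process(ev):
    """takeown/icacls whose command line names a boot-critical file."""
    image = ev["image"].rsplit("\\", 1)[-1].lower()
    if image not in ("takeown.exe", "icacls.exe"):
        return None
    cmd = ev["cmdline"].lower()
    targets = [p for p in BOOT_FILES if p in cmd]
    if targets:
        return {"host": ev["host"], "rule": "acl_change_boot_file", "detail": f"{image} -> {targets}"}
    return None


def check_netconn(ev):
    """AMQP connection from a host whose inventory role is not 'server'."""
    if ev["dst_port"] in AMQP_PORTS and ev.get("role") != "server":
        return {"host": ev["host"], "rule": "amqp_from_endpoint",
                "detail": f"{ev['image']} -> tcp/{ev['dst_port']}"}
    return None


CHECKS = {"task_created": check_task, "process": check_process, "netconn": check_netconn}


def run_detections(events):
    """Apply the matching check to each event; return alerts in event order."""
    alerts = []
    for ev in events:
        check = CHECKS.get(ev["type"])
        hit = check(ev) if check else None
        if hit:
            alerts.append(hit)
    return alerts


if __name__ == "__main__":
    for alert in run_detections(EVENTS):
        print(alert)
```

The task check keys on the task name because that is the masquerade the report describes; if you expect renamed variants, drop the name condition and let the one-minute repeat interval plus the boot trigger carry the rule, at the cost of more tuning against legitimate agents that poll frequently.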
Indicators of Compromise (IoCs)
| Type | Indicator |
|---|---|
| File (SHA-256) | 633d4cbd496b1094495da89a64f5e6c31a0f6d4d1488411db5b0cba1cfe42001 |
| File (SHA-256) | 9706a192e2c1a1faaf0a521daf31c2af60ff4590e3f47bbb4abc227f42af0683 |
| File (SHA-256) | ce9ad5f6c12019f4aae5b189bd8ddf5bb09e75b06a0a587b25a855c65948c913 |
| File (SHA-256) | f622ed85ef31ad4ab973f4e74524866fe1bb44f0965ad2b2ad796cd657a05bfd |
| IP Address | 185.182.193[.]21 |
| IP Address | 212.8.248[.]104 |
| JA3 | 806dab5164cf60d94026b88ab2d9851d |
| JA4 | t13i131000_f57a46bbacb6_e5728521abd4 |
| JA3 | d80125b9429e9d5f06ace959f00de8d0 |
| JA3S | d75f9129bb5d05492a65ff78e081bcb2 |
| JA4 | t13i130900_f57a46bbacb6_e7c285222651 |
Note: IP addresses are intentionally defanged. Please re-fang these indicators only within controlled environments.