Mallory
Malware · Used by 3 actors

BiBi

BiBi is a destructive wiper malware family observed in both Linux and Windows variants. Reporting cited in the source material describes it as a cross-platform wiper, with the Linux-targeting variants implemented in Bash and a Windows variant also observed in the wild. The malware has been associated with disruptive operations against Israeli targets and is described as having been named for political reasons, referencing Benjamin “Bibi” Netanyahu. Source material attributes BiBi-related activity in one report to the Hamas-affiliated group Arid Viper, while other reporting links BiBi use to Iranian state-aligned or MOIS-linked activity, including Handala and incidents tied to UNC1860; the provided content carries both attributions without reconciling them, so neither should be treated as settled.

Capabilities described in the content center on destructive impact rather than monetization. BiBi is characterized as a wiper used to disrupt victim environments, including healthcare, education, infrastructure, and other Israeli targets. The broader reporting on this generation of Iranian-aligned wipers states that BiBi, alongside Hatef and Hamsa, reflects an evolution toward cross-platform destructive capability. These wipers are described as favoring rapid recursive file destruction, overwriting files with 4096-byte blocks of random data rather than wiping the master boot record. The Windows variant has also been reported to use the Windows Restart Manager library (RstrtMgr.dll) to terminate security processes, a technique the content notes has also been seen in Conti and Cactus ransomware operations.
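As an added triage example, not code from the source reporting or from Mallory: the script below walks a directory tree and flags files in which every 4096-byte block is near-maximal entropy, the on-disk footprint the reporting above attributes to these wipers. The block size, the entropy threshold and the constructed sample tree are assumptions.

```python
import math
import os
import tempfile

BLOCK_SIZE = 4096          # block size the reporting attributes to BiBi-style overwrites
ENTROPY_THRESHOLD = 7.8    # bits per byte; random data measures ~7.95 at this block size
MIN_MEASURABLE = 512       # a shorter trailing block cannot reach the threshold, so skip it

def block_entropy(block: bytes) -> float:
    """Shannon entropy of one block in bits per byte (0.0 .. 8.0)."""
    if not block:
        return 0.0
    counts = [0] * 256
    for b in block:
        counts[b] += 1
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def looks_wiped(path: str) -> bool:
    """True when every measurable 4096-byte block is near-maximal entropy. Compressed or
    encrypted files score high too: one hit is a lead, many hits across a tree is the footprint."""
    measured = 0
    with open(path, "rb") as f:
        while block := f.read(BLOCK_SIZE):
            if len(block) < MIN_MEASURABLE:
                continue
            measured += 1
            if block_entropy(block) < ENTROPY_THRESHOLD:
                return False
    return measured > 0

def triage_tree(root: str) -> list[str]:
    """Relative paths under root that look overwritten, sorted for stable output."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if looks_wiped(path):
                hits.append(os.path.relpath(path, root))
    return sorted(hits)

def demo() -> list[str]:
    """Constructed sample tree (assumption): an intact text file and one overwritten with random blocks."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "notes.txt"), "w") as f:
        f.write("quarterly report draft\n" * 400)
    with open(os.path.join(root, "ledger.db"), "wb") as f:
        f.write(os.urandom(BLOCK_SIZE * 3))
    return triage_tree(root)   # returns ['ledger.db']
```

Run `triage_tree` against a suspect share or backup mount; a sudden cluster of hits across a tree, rather than isolated archives or media, is the pattern worth escalating.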

Operational context in the provided material includes use by Handala for combined information gathering and system disruption, particularly against healthcare, education, and infrastructure sectors, with accompanying public messaging for political influence. Additional reporting in the content states that BiBi was used in destructive campaigns affecting Albania and Israel, alongside other wipers such as No-Justice, and that subsequent intrusions tied to UNC1860/MOIS-linked activity used BiBi, also referred to as BABYWIPER in one source. The content does not provide stable, malware-specific indicators of compromise such as hashes or domains.


THREAT ACTORS

Groups observed using it

3 distinct threat actors attributed by public researchers.

Handala

Handala combines information gathering and system disruption to paralyze healthcare, education, and infrastructure with BiBi/Hatef wiper and expand political influence with public messaging.

via AhnLab ASEC blog (asec.ahnlab.com)
UNC1860

...new wipers dubbed No-Justice and BiBi (aka BABYWIPER).

via The Hacker News (thehackernews.com)
Arid Viper

One wiper malware example was named BiBi for political reasons (to provoke the Israeli government and the man leading it, Benjamin “Bibi” Netanyahu). The malware was discovered both for Linux and Windows systems, indicating sophisticated capabilities on the part of the originator.

via Lieber Institute, West Point (lieber.westpoint.edu)
MITRE ATT&CK

Techniques & procedures

2 distinct techniques documented for this family, organized by ATT&CK tactic.

Impact

2 techniques
T1485 Data Destruction (evidence: 2)

Hackers have also used wiper malware, a more sophisticated approach that is designed to erase data from files by overwriting or renaming them, or by creating random strings. One wiper malware example was named BiBi...

T1561 Disk Wipe (evidence: 1)

Handala combines information gathering and system disruption to paralyze healthcare, education, and infrastructure with BiBi/Hatef wiper
