Mallory › Malware › Ransomware

BLUERABBIT

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

MITRE ATT&CK

Techniques & procedures

18 distinct techniques documented for this family, organized by ATT&CK tactic.

Execution

3 techniques
T1053.005 Scheduled Task (Evidence: 2)

BLUERABBIT checks the registry key HKCU\Software\OneDrive\Environment to track its execution count. If this key does not exist, the malware assumes it is running for the first time and executes a PowerShell command to establish persistence as a scheduled task named “OneDrive Update,” deliberately impersonating a legitimate Microsoft service.

T1059.001 PowerShell (Evidence: 1)

If this key does not exist, the malware assumes it is running for the first time and executes a PowerShell command to establish persistence as a scheduled task named “OneDrive Update.”

T1059.003 Windows Command Shell (Evidence: 1)

Remote Access: Full remote desktop-style control with keyboard and mouse input via VNC; shell command execution

Persistence

2 techniques
T1053.005 Scheduled Task (Evidence: 2)

BLUERABBIT checks the registry key HKCU\Software\OneDrive\Environment to track its execution count. If this key does not exist, the malware assumes it is running for the first time and executes a PowerShell command to establish persistence as a scheduled task named “OneDrive Update,” deliberately impersonating a legitimate Microsoft service.

T1112 Modify Registry (Evidence: 2)

The following registry modifications are made to disable automatic reboot and system recovery | Upon execution, BLUERABBIT checks the registry key HKCU\Software\OneDrive\Environment to track its execution count... The path for files staged for exfiltration is written to the registry key HKCU\Software\OneDrive\ProfileConfig.

Privilege Escalation

1 technique
T1053.005 Scheduled Task (Evidence: 2)

BLUERABBIT checks the registry key HKCU\Software\OneDrive\Environment to track its execution count. If this key does not exist, the malware assumes it is running for the first time and executes a PowerShell command to establish persistence as a scheduled task named “OneDrive Update,” deliberately impersonating a legitimate Microsoft service.

Stealth

1 technique
T1036 Masquerading (Evidence: 1)

Creates “OneDrive Update” scheduled task... deliberately impersonating a legitimate Microsoft service. When launching the VNC remote desktop module, BLUERABBIT creates a firewall rule under the deceptive name Microsoft.Windows.CloudExperienceHost to blend in with legitimate Windows components.

Defense Impairment

1 technique
T1112 Modify Registry (Evidence: 2)

The following registry modifications are made to disable automatic reboot and system recovery | Upon execution, BLUERABBIT checks the registry key HKCU\Software\OneDrive\Environment to track its execution count... The path for files staged for exfiltration is written to the registry key HKCU\Software\OneDrive\ProfileConfig.

Discovery

4 techniques
T1007 System Service Discovery (Evidence: 1)

Surveillance: Screenshot capture, screen recording, process and Windows service enumeration and management

T1057 Process Discovery (Evidence: 1)

Surveillance: Screenshot capture, screen recording, process and Windows service enumeration and management

T1082 System Information Discovery (Evidence: 1)

Profiling: OS, hardware, network, installed software, security products, BitLocker status, drivers, domain

T1083 File and Directory Discovery (Evidence: 1)

It can encrypt files across every drive on a system using a “.candy” extension.

Collection

3 techniques
T1074 Data Staged (Evidence: 2)

Files staged in GUID-named directories and exfiltrated to attacker-controlled MinIO infrastructure

T1113 Screen Capture (Evidence: 1)

Surveillance: Screenshot capture, screen recording, process and Windows service enumeration and management

T1125 Video Capture (Evidence: 1)

Surveillance: Screenshot capture, screen recording, process and Windows service enumeration and management

Command and Control

2 techniques
T1071 Application Layer Protocol (Evidence: 2)

AMQP (RabbitMQ): Primary tasking channel. Malware declares a queue named after the victim device; the consumer tag is the full path to the malicious executable. Task IDs are received as JSON. | BLUERABBIT’s main execution loop follows the sequence MessageReader, ProcessTask, UpdateRedis, relying on enterprise messaging and database protocols rather than conventional HTTP-based C2.

T1219 Remote Access Tools (Evidence: 1)

Remote Access: Full remote desktop-style control with keyboard and mouse input via VNC; shell command execution

Exfiltration

1 technique
T1567.002 Exfiltration to Cloud Storage (Evidence: 2)

Files staged in GUID-named directories and exfiltrated to attacker-controlled MinIO (S3-compatible) cloud storage

Impact

3 techniques
T1486 Data Encrypted for Impact (Evidence: 2)

File Encryption: Encrypts files across all logical drives with the .candy extension; replaces the desktop wallpaper with an AI-generated “High-Alert” image

T1490 Inhibit System Recovery (Evidence: 2)

Prior to executing destructive actions, BLUERABBIT uses takeown and icacls to take ownership of and grant full access to critical boot files... The following registry modifications are made to disable automatic reboot and system recovery

T1561 Disk Wipe (Evidence: 2)

Disk Wiping (Single-Pass): Overwrites all drives with random data in a single pass; Disk Wiping (Multi-Pass): Writes zeros, random data, and 0xFF in sequence across all drives, rendering systems permanently unrecoverable
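The host-side artifacts listed across the tactics above (the "OneDrive Update" scheduled task, writes under HKCU\Software\OneDrive\Environment and HKCU\Software\OneDrive\ProfileConfig, the firewall rule named Microsoft.Windows.CloudExperienceHost, an AMQP consumer tag that is an executable path, and a burst of .candy renames) can be turned into hunt logic. The following is an added example, not Mallory's or any vendor's code. The event dictionaries are a constructed, vendor-neutral shape (an assumption, not a real log format), the file paths and host names are constructed, and the rename threshold and the "legitimate program location" prefix are assumed tuning values a real deployment would adjust.

```python
"""Hunt logic for BLUERABBIT host artifacts, run over constructed telemetry."""
from collections import Counter
from dataclasses import dataclass
import re

# Artifacts named in the family profile above.
TASK_NAME = "onedrive update"                                   # T1053.005 / T1036
REG_PREFIXES = ("hkcu\\software\\onedrive\\environment",
                "hkcu\\software\\onedrive\\profileconfig")      # T1112
FW_RULE_NAME = "microsoft.windows.cloudexperiencehost"          # T1036
RANSOM_EXT = ".candy"                                           # T1486
RENAME_THRESHOLD = 3     # assumed tuning value: .candy renames per host before alerting

# Assumption: a genuine rule carrying the CloudExperienceHost name would point
# at a program under the Windows system-apps tree; the same name with a program
# elsewhere is the masquerading case the profile describes.
LEGIT_PROGRAM_PREFIXES = ("c:\\windows\\systemapps\\",)
EXE_PATH_RE = re.compile(r"^[a-z]:\\.+\.exe$", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    technique: str
    host: str
    detail: str


def _norm_key(key: str) -> str:
    """Collapse long and short hive spellings so both forms match."""
    return key.replace("HKEY_CURRENT_USER", "HKCU").lower()


def hunt(events):
    """Return one Finding per matched BLUERABBIT artifact in the event stream."""
    findings = []
    candy_renames = Counter()
    for ev in events:
        kind, host = ev["kind"], ev["host"]
        if kind == "task_created":
            if ev["task_name"].strip("\\").lower() == TASK_NAME:
                findings.append(Finding("T1053.005", host,
                                        f"scheduled task {ev['task_name']!r} runs {ev['action']}"))
        elif kind == "registry_set":
            if _norm_key(ev["key"]).startswith(REG_PREFIXES):
                findings.append(Finding("T1112", host, f"write to {ev['key']}\\{ev['value']}"))
        elif kind == "firewall_rule":
            if (ev["rule_name"].lower() == FW_RULE_NAME
                    and not ev["program"].lower().startswith(LEGIT_PROGRAM_PREFIXES)):
                findings.append(Finding("T1036", host,
                                        f"rule {ev['rule_name']} allows {ev['program']}"))
        elif kind == "amqp_consume":
            # The profile notes the consumer tag is the full path of the malicious binary.
            if EXE_PATH_RE.match(ev["consumer_tag"]):
                findings.append(Finding("T1071", host,
                                        f"AMQP consumer tag is an executable path: {ev['consumer_tag']}"))
        elif kind == "file_rename":
            if ev["target"].lower().endswith(RANSOM_EXT):
                candy_renames[host] += 1
    # Encryption is reported per host once the rename burst crosses the threshold.
    for host, n in candy_renames.items():
        if n >= RENAME_THRESHOLD:
            findings.append(Finding("T1486", host, f"{n} files renamed to {RANSOM_EXT}"))
    return findings


# Constructed sample telemetry (hosts, paths and values are made up for the demo).
SAMPLE_EVENTS = [
    {"kind": "task_created", "host": "ws01", "task_name": "\\OneDrive Update",
     "action": "C:\\Users\\demo\\AppData\\Roaming\\svc.exe"},
    {"kind": "registry_set", "host": "ws01",
     "key": "HKEY_CURRENT_USER\\Software\\OneDrive\\Environment", "value": "Count"},
    {"kind": "registry_set", "host": "ws02",
     "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "value": "Updater"},
    {"kind": "firewall_rule", "host": "ws01", "rule_name": "Microsoft.Windows.CloudExperienceHost",
     "program": "C:\\Users\\demo\\AppData\\Roaming\\vnc\\host.exe"},
    {"kind": "firewall_rule", "host": "ws02", "rule_name": "Microsoft.Windows.CloudExperienceHost",
     "program": "C:\\Windows\\SystemApps\\Microsoft.Windows.CloudExperienceHost_demo\\app.exe"},
    {"kind": "amqp_consume", "host": "ws01", "queue": "WS01",
     "consumer_tag": "C:\\Users\\demo\\AppData\\Roaming\\svc.exe"},
    {"kind": "file_rename", "host": "ws01", "target": "C:\\Users\\demo\\notes.txt.candy"},
    {"kind": "file_rename", "host": "ws03", "target": "D:\\share\\q1.xlsx.candy"},
    {"kind": "file_rename", "host": "ws03", "target": "D:\\share\\q2.xlsx.candy"},
    {"kind": "file_rename", "host": "ws03", "target": "D:\\share\\plan.docx.candy"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f.technique:10} {f.host:6} {f.detail}")
```

The firewall check compares the program path and not only the rule name, because a rule name copied from a Windows component is exactly the kind of indicator that matches benign objects when used alone; the single .candy rename on ws01 is deliberately left below the threshold so the encryption finding fires only on the burst seen on ws03. Each Finding carries the ATT&CK ID from the profile so results can be joined back to the technique table.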

INDICATORS OF COMPROMISE

IOCs tracked for this family

10 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

Network
2 tracked

IPs, domains, and DNS infrastructure linked to this family.

Hashes
8 tracked

File hashes (MD5, SHA-1, SHA-256) from samples and reports.

Type       Value            Latest sighting
hash.md5   ●●●●●●●●●●●●     today
hash.md5   ●●●●●●●●●●●●     today
hash.sha1  ●●●●●●●●●●●●     today
ip.v4      ●●●●●●●●●●●●     today
hash.md5   ●●●●●●●●●●●●     today
ip.v4      ●●●●●●●●●●●●     today
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
IOC matching (10)

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping (18)

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.