{
	"id": "c3f79957-88a5-4b94-818d-d7889d66cc21",
	"created_at": "2026-04-06T00:08:45.717649Z",
	"updated_at": "2026-04-10T13:12:02.413684Z",
	"deleted_at": null,
	"sha1_hash": "b1e6388b190ce64c012a7bb7fb5f56f720c2c876",
	"title": "New BiBi-Windows Wiper Targets Windows Systems in Pro-Hamas Attacks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 287256,
	"plain_text": "New BiBi-Windows Wiper Targets Windows Systems in Pro-Hamas Attacks\r\nBy The Hacker News\r\nPublished: 2023-11-13 · Archived: 2026-04-02 11:26:56 UTC\r\nCybersecurity researchers have warned about a Windows version of a wiper malware that was previously\r\nobserved targeting Linux systems in cyber attacks aimed at Israel.\r\nDubbed BiBi-Windows Wiper by BlackBerry, the wiper is the Windows counterpart of BiBi-Linux Wiper, which\r\nhas been put to use by a pro-Hamas hacktivist group in the wake of the Israel-Hamas war last month.\r\n\"The Windows variant [...] confirms that the threat actors who created the wiper are continuing to build out the\r\nmalware, and indicates an expansion of the attack to target end user machines and application servers,\" the\r\nCanadian company said Friday.\r\nSlovak cybersecurity firm ESET is tracking the actor behind the wiper under the name BiBiGun, noting that the\r\nWindows variant (bibi.exe) is designed to overwrite data in the C:\\Users directory recursively with junk data and\r\nappend \".BiBi\" to the filename.\r\nThe BiBi-Windows Wiper artifact is said to have been compiled on October 21, 2023, two weeks after the onset of\r\nthe war. The exact method by which it is distributed is currently unknown.\r\nBesides corrupting all files with the exception of those with .exe, .dll, and .sys extensions, the wiper deletes\r\nshadow copies from the system, effectively preventing the victims from recovering their files.\r\nAnother notable similarity with its Linux variant is its multithreading capability.\r\n\"For the fastest possible destruction action, the malware runs 12 threads with eight processor cores,\" Dmitry\r\nBestuzhev, senior director of cyber threat intelligence at BlackBerry, said.\r\nIt's not immediately clear if the wiper has been deployed in real-world attacks, and if so, who the targets are.\r\nThe development comes as Security Joes, which first documented BiBi-Linux Wiper, said the malware is part of a\r\n\"larger campaign targeting Israeli companies with the deliberate intent to disrupt their day-to-day operations using\r\ndata destruction.\"\r\nThe cybersecurity firm said it identified tactical overlaps between the hacktivist group, who call themselves\r\nKarma, and another geopolitically motivated actor codenamed Moses Staff (aka Cobalt Sapling), which is\r\nsuspected to be of Iranian origin.\r\n\"Although the campaign has primarily centered around Israeli IT and government sectors up to this point, some of\r\nthe participating groups, such as Moses Staff, have a history of simultaneously targeting organizations across\r\nvarious business sectors and geographical locations,\" Security Joes said.\r\nSource: https://thehackernews.com/2023/11/new-bibi-windows-wiper-targets-windows.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://thehackernews.com/2023/11/new-bibi-windows-wiper-targets-windows.html"
	],
	"report_names": [
		"new-bibi-windows-wiper-targets-windows.html"
	],
	"threat_actors": [
		{
			"id": "1da809aa-9ae8-4641-807c-032ac827711d",
			"created_at": "2023-12-21T02:00:06.081556Z",
			"updated_at": "2026-04-10T02:00:03.499192Z",
			"deleted_at": null,
			"main_name": "BiBiGun",
			"aliases": [],
			"source_name": "MISPGALAXY:BiBiGun",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "527e04ee-7f5f-49aa-8653-f893b43730bd",
			"created_at": "2022-10-25T16:07:24.512541Z",
			"updated_at": "2026-04-10T02:00:05.017592Z",
			"deleted_at": null,
			"main_name": "Moses Staff",
			"aliases": [
				"Abraham's Ax",
				"Cobalt Sapling",
				"DEV-0500",
				"G1009",
				"Marigold Sandstorm",
				"Vengeful Kitten",
				"White Dev 95"
			],
			"source_name": "ETDA:Moses Staff",
			"tools": [
				"DCSrv",
				"DCrSrv",
				"PyDCrypt",
				"StrifeWater",
				"StrifeWater RAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "bef06c82-0f51-44ba-8451-049cd4ad8a52",
			"created_at": "2023-01-06T13:46:39.325635Z",
			"updated_at": "2026-04-10T02:00:03.288171Z",
			"deleted_at": null,
			"main_name": "MosesStaff",
			"aliases": [
				"Moses Staff",
				"Marigold Sandstorm",
				"DEV-0500",
				"VENGEFUL KITTEN"
			],
			"source_name": "MISPGALAXY:MosesStaff",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c4d0e4e1-5ad3-4455-8291-ce72a1e09e46",
			"created_at": "2022-10-27T08:27:13.055675Z",
			"updated_at": "2026-04-10T02:00:05.323068Z",
			"deleted_at": null,
			"main_name": "Moses Staff",
			"aliases": [
				"Moses Staff",
				"DEV-0500",
				"Marigold Sandstorm"
			],
			"source_name": "MITRE:Moses Staff",
			"tools": [
				"PyDCrypt",
				"PsExec",
				"DCSrv",
				"StrifeWater"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "20c759c2-cd02-45bb-85c6-41bde9e6a7cf",
			"created_at": "2024-01-18T02:02:34.189827Z",
			"updated_at": "2026-04-10T02:00:04.721082Z",
			"deleted_at": null,
			"main_name": "HomeLand Justice",
			"aliases": [
				"Banished Kitten",
				"Karma",
				"Red Sandstorm",
				"Storm-0842",
				"Void Manticore"
			],
			"source_name": "ETDA:HomeLand Justice",
			"tools": [
				"BABYWIPER",
				"BiBi Wiper",
				"BiBi-Linux Wiper",
				"BiBi-Windows Wiper",
				"Cl Wiper",
				"LowEraser",
				"No-Justice Wiper",
				"Plink",
				"PuTTY Link",
				"RevSocks",
				"W2K Res Kit"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6a5293c8-2a88-4a33-927a-4a0c946dc867",
			"created_at": "2025-08-07T02:03:24.778647Z",
			"updated_at": "2026-04-10T02:00:03.647413Z",
			"deleted_at": null,
			"main_name": "COBALT SAPLING",
			"aliases": [
				"Abraham's Ax ",
				"DEV-0500",
				"Marigold Sandstorm ",
				"Moses Staff ",
				"Vengeful Kitten "
			],
			"source_name": "Secureworks:COBALT SAPLING",
			"tools": [
				"DCSrv",
				"PyDcrypt",
				"StrifeWater RAT"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434125,
	"ts_updated_at": 1775826722,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b1e6388b190ce64c012a7bb7fb5f56f720c2c876.pdf",
		"text": "https://archive.orkl.eu/b1e6388b190ce64c012a7bb7fb5f56f720c2c876.txt",
		"img": "https://archive.orkl.eu/b1e6388b190ce64c012a7bb7fb5f56f720c2c876.jpg"
	}
}