New BiBi-Windows Wiper Targets Windows Systems in Pro-Hamas Attacks

Nov 13, 2023NewsroomCyber ​​War / Malware

BiBi-Windows Wiper

Cybersecurity researchers are warning about a Windows version of a wiper malware that has previously been observed targeting Linux systems in cyber attacks aimed at Israel.

Dubbed BiBi-Windows Wiper by BlackBerry, the wiper is the Windows counterpart of BiBi-Linux Wiper, which was used by a pro-Hamas hacktivist group in the wake of the Israel-Hamas war last month.

“The Windows variant (…) confirms that the threat actors who created the wiper continue to create malware, and indicates the expansion of the attack to target end user machines and application servers ,” the Canadian company. SAYS Friday.


The Slovak cybersecurity firm is Tracking the actor behind the wiper under the name BiBiGun, noting that the Windows variant (bibi.exe) is designed to overwrite data in the C:\Users directory recursively with junk data and appends .BiBi to the filename.

The BiBi-Windows Wiper artifact is said to have been compiled on October 21, 2023, two weeks after the start of the war. The exact way in which it is distributed is currently unknown.

Besides destroying all files except those with .exe, .dll, and .sys extensions, the wiper removes shadow copies from the system, effectively preventing victims from recovering their files .

Another striking similarity with its Linux variant is its multithreading capabilities.

“For the fastest possible destruction action, the malware runs 12 threads with eight processor cores,” Dmitry Bestuzhev, senior director of cyber threat intelligence at BlackBerry, SAYS.


It was not immediately clear whether the wiper had been deployed in real-world attacks, and if so, who the targets were.

The development comes as Security Joes, who first documented BiBi-Linux Wiper, SAYS The malware is part of a “larger campaign targeting Israeli companies with the deliberate intention of disrupting their daily operations using data destruction.”

The cybersecurity firm says it has identified tactical overlaps between the hacktivist group, which calls itself Karma, and another geopolitically motivated actor codenamed Moses Staff (aka Cobalt Sapling), which is suspected of from Iranian.

“Although the campaign has primarily centered around the Israeli IT and government sector up to this point, some of the participating groups, such as the Moses Staff, have a history of simultaneously targeting organizations in different business sectors and geographic locations,” Security Joes said.

Did you find this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

Leave a comment