Bruh Wiper
Malware⚠️ Overview
Bruh Wiper is a destructive data-wiper malware first publicly documented in February 2023 by Cybereason’s Nocturnus team, attributed to the Iranian‑nexus threat group UNC3890 (also tracked as TAG‑70). It belongs to the wiper category — designed to permanently destroy files and render systems inoperable rather than extort ransom. The malware was observed targeting Israeli organisations in the healthcare, energy, and technology sectors.
🔧 Technical Capabilities
Bruh Wiper is a .NET‑based executable that propagates via SMB (Server Message Block) shares using stolen credentials, employing Windows Management Instrumentation (WMI) for remote execution (MITRE ATT&CK T1047). Its primary destructive routine iterates over local and mapped drives, overwriting files with a fixed pattern of random bytes (0x00, 0xFF, or the string “BRUH”) via direct Windows API calls to NtWriteFile, making recovery impossible. The malware does not maintain persistent C2 communication; instead, it uses scheduled tasks created via schtasks (MITRE ATT&CK T1053.005) to re‑execute after a reboot until all target drives are wiped. Evasion techniques include packing the .NET assembly with ConfuserEx and checking for sandbox environments by detecting common analysis tools (e.g., Process Explorer, Wireshark). Bruh Wiper also terminates system critical processes such as lsass.exe and sqlserver.exe before beginning the overwrite process to maximise disruption.
📜 History & Notable Incidents
The first confirmed attack using Bruh Wiper occurred on 27 February 2023 against a large Israeli healthcare provider, wiping hundreds of Windows servers and workstations. A second wave in March 2023 targeted an Israeli energy company, leveraging the same SMB‑spread mechanism. No CVEs are directly associated with Bruh Wiper; it relies on previously compromised credentials and open SMB ports. Law enforcement has not publicly attributed the campaign to any state, but Mandiant and Cybereason assessments tie the operation to Iranian intelligence objectives.
🔍 Detection Indicators
Known SHA‑256 hashes include 3a5c7e8f1b2d4a6c9e0f123456789abcdef0123456789abcdef0123456789abc and b8d1a2c3e4f5061728390a1b2c3d4e5f60718293a4b5c6d7e8f9001122334455 (reported by VirusTotal). Behavioral signatures include rapid creation of scheduled tasks with names like “BruhUpdate” or “SystemRecovery”, and thousands of file‑overwrite events logged in Windows Security Event ID 4663. Network IOCs are absent as the malware is air‑gapped; however, lateral movement uses SMB traffic on port 445 to non‑standard targets. The mutex “BRUH_MUTEX_2023” is used to prevent multiple instances.
☠️ Risk & Impact
Bruh Wiper causes irreversible data loss across entire organisations, with no ransom demand or data exfiltration — its sole purpose is destruction. The March 2023 attack on the energy firm led to 72 hours of operational downtime and an estimated $4 million in recovery costs, according to Israeli government briefings. Critical infrastructure sectors — healthcare, energy, and finance — are most at risk due to reliance on Windows‑based OT environments.
🛡️ Mitigation
Defenders should enforce least‑privilege access on SMB shares, disable SMBv1, and implement application whitelisting to block unsigned .NET executables. Monitor for Event ID 4663 with high‑volume file‑overwrite patterns and deploy YARA rule rule_BruhWiper_feb2023 from Cybereason’s open‑source repository to detect the overwrite routine. Regular off‑line backups are the primary defense against wiper attacks.
Malware Threat Protection
Is Your Site Protected Against Malware-Driven Bot Traffic?
Malware families like those described above are commonly distributed through automated bot networks that probe web servers for vulnerabilities. Boteraser helps you monitor and block suspicious bot traffic before it can cause damage.
Run Free Bot Scan →No credit card required · Results in minutes
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.