APT / THREAT GROUP💰 FINANCIALHIGH

BiBiGun

🇵🇸PS-attributed
1
campaigns
1
aliases
Last seen:Mar 17, 2026

Intelligence Profile

A pro-Hamas hacktivist group developed a wiper called BiBi-Linux to target and destroy data on Israeli systems. The malware impersonates ransomware but operates solely to corrupt and delete files, indicating no data theft. A Windows variant, BiBi-Windows, was also discovered, sharing similarities with BiBi-Linux but targeting all files except executables. ESET researchers have named the group behind the wipers BiBiGun. The group's TTPs have shown overlaps with Moses Staff, which is believed to have an Iran nexus.

Threat Analysis

BiBiGun is a high-sophistication threat actor attributed to PS, engaged in cyber operations with a primary motivation of financial.

Financially motivated threat actors like BiBiGun prioritize monetary gain through methods such as ransomware deployment, banking trojans, cryptocurrency theft, BEC scams, or credential harvesting for resale on underground markets.

With high sophistication, BiBiGun is capable of targeted intrusions using adapted commodity tools alongside custom implants, maintaining operational security and evading standard detection mechanisms.

Known Campaigns

BiBiGun — Active Operations March 2026

BiBiGun is a financial threat actor attributed to PS. A pro-Hamas hacktivist group developed a wiper called BiBi-Linux to target and destroy data on Israeli systems. The malware impersonates ransomware but operates solely to corrupt and delete files, indicating no data theft. A Windows variant, BiBi-Windows, was also discovered, sha...

ACTIVEMEDIUM2026

External References

Quick Facts

TypeAPT / Threat Group
Motivation💰 financial
Sophisticationhigh
Origin🇵🇸 PS
Aliases1
SourceMalpedia

Also Known As

BiBiGun

Research Links

Data sourced from Malpedia, Ransomware.live, RansomLook, and CTIWATCH OSINT collection. Actor attribution is based on available intelligence and may be incomplete.