{
	"id": "b0617b57-3eaa-4a2a-a030-2243ae0c6d88",
	"created_at": "2026-04-06T00:12:00.282694Z",
	"updated_at": "2026-04-10T03:21:35.059622Z",
	"deleted_at": null,
	"sha1_hash": "1b590b208261f1984d5bbaff6a6d56df2eaf15ef",
	"title": "Babar: Suspected Nation State Spyware In The Spotlight - Cyphort",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 715273,
	"plain_text": "Babar: Suspected Nation State Spyware In The Spotlight - Cyphort\r\nPublished: 2015-02-18 · Archived: 2026-04-05 18:06:09 UTC\r\nCyphort Labs has collected and analyzed a highly advanced piece of malware which, for all intents and purposes, seems to be a full-blown cyber espionage tool of the kind a nation state would be behind. This malware invades Windows desktop machines and aims at exfiltrating almost anything of value: it steals data from instant messengers, softphones, browsers and office applications.\r\nThe analyzed malware consists of two pieces: a dropper and an implant. The implant is able to hook APIs of interest in dedicated remote processes to steal data on the fly.\r\nThe internal project name of the analyzed malware is ‘Babar64’, which rings a bell when thinking back to documents leaked through Der Spiegel back in January (http://www.spiegel.de/media/media-35683.pdf). There, a slide deck originating from Communications Security Establishment Canada (CSEC) describes an alleged nation state malware named Babar. The samples at hand fit well with what is described in the CSEC document and, as CSEC states, they are suspected to originate from French intelligence.\r\nAs it is with binary attribution, these allegations are impossible to prove beyond the shadow of a doubt. What we can say with certainty though is that Babar strikes the analyst with sophistication not typically seen in common malware. Furthermore, the binaries come with the same handwriting as the malware dubbed ‘Bunny’ which we have blogged about before (http://www.cyphort.com/evilbunny-malware-instrumented-lua/). We assume the same author is behind both families.\r\nNote: I will be hosting a webinar on the topic of the Evil Bunny malware next week. 
You can register here to attend.\r\nDROPPER\r\nMD5        9fff114f15b86896d8d4978c0ad2813d\r\nSHA-1      27a0a98053f3eed82a51cdefbdfec7bb948e1f36\r\nFile Size  693.4 KB (710075 bytes)\r\nhttps://web.archive.org/web/20150218192803/http://www.cyphort.com/babar-suspected-nation-state-spyware-spotlight/\r\nPage 1 of 4\n\nIMPLANT\r\nMD5        4525141d9e6e7b5a7f4e8c3db3f0c24c\r\nSHA-1      efbe18eb8a66e4b6289a5c53f22254f76e3a29bd\r\nFile Size  585.4 KB (599438 bytes)\r\nA BABAR(ian) BINARY\r\nA target machine is infected, possibly through a drive-by download or a malicious e-mail attachment. Babar is deployed through a malware dropper, which installs the malware.\r\nBabar essentially is an implant, a malicious Windows DLL. Babar’s implant is a 32-bit DLL written in C++, which upon start injects itself into running processes and invades desktop applications by applying a global Windows hook. The original filename of the sample at hand is ‘perf585.dll’. The implant is capable of logging keystrokes, capturing screenshots, eavesdropping on installed softphones and spying on instant messengers, in addition to a list of simpler espionage tricks. Babar is a full-blown espionage tool, built to spy extensively on the activity of an infected machine’s user.\r\nThe DLL dropped by Babar is placed into the application data folder, along with a directory named ‘MSI’ where the runtime data will be stored. Babar operates through multiple instances, by injecting its DLL into a maximum of three desktop processes. This is achieved by loading the Babar DLL into remote processes through a mapped memory object.\r\nApart from that, Babar comes with a userland rootkit component which applies global Windows hooks to invade all processes on its desktop. 
This way Babar can install hooks for various APIs via the Detours technique, to actively steal data from arbitrary processes.\r\nThe spying activities are performed either through the Babar instance locally or through processes invaded via hooking. Instance-local capabilities are basic, such as spying on window names or snooping on clipboard data, while the global hooks steal information directly from Windows API calls.\r\nA summary of the capabilities would be as follows:\r\nLogging keystrokes\r\nTaking screenshots\r\nCapture of audio streams from softphone applications\r\nStealing of clipboard data\r\nSystem and user default language, keyboard layout\r\nNames of desktop windows\r\nThe keylogger module is based on Windows RAWINPUT. The malware creates an invisible window, with no other purpose than to receive window messages. By processing the window message queue it filters out input events and dispatches them to a raw input device object. Said object is configured to grab keyboard events through GetRawInputData.\r\nBabar’s process hooking module is focused on the following applications, divided into the categories internet communication, file processing and media:\r\nInternet communication\r\niexplore.exe, firefox.exe, opera.exe, chrome.exe, Safari.exe, msnmsgr.exe\r\nFile processing\r\nexe, winword.exe, powerpnt.exe, visio.exe, acrord32.exe, notepad.exe, wordpad.exe.txt\r\nMedia\r\nskype.exe, msnmsgr.exe, oovoo.exe, nimbuzz.exe, googletalk.exe, yahoomessenger.exe, x-lite.exe\r\nThe malicious implant can steal input coming from the keyboard and information on which files are edited; it can intercept chat messages and record calls established by one of the listed softphones. 
The stolen information is encrypted and dumped to a file on disk, located in the working directory under %APPDATA%\\MSI.\r\nCOMMAND AND CONTROL SERVERS\r\nThe analyzed sample of Babar has two hard-coded C\u0026C server addresses, which are included in its configuration data:\r\nhttp://www.horizons-tourisme.com/_vti_bin/_vti_msc/bb/index.php\r\nhttp://www.gezelimmi.com/wp-includes/misc/bb/index.php\r\nThe domain horizons-tourisme.com is a legitimate website operated by an Algerian travel agency located in Algiers, Algeria. The website is in French and still online today. Gezelimmi.com is a Turkish domain, currently responding with an HTTP 403 error (access forbidden). Both domains appear to be in legitimate use, but compromised and abused to host Babar’s server-side infrastructure.\r\nSource: https://web.archive.org/web/20150218192803/http://www.cyphort.com/babar-suspected-nation-state-spyware-spotlight/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY"
	],
	"references": [
		"https://web.archive.org/web/20150218192803/http://www.cyphort.com/babar-suspected-nation-state-spyware-spotlight/"
	],
	"report_names": [
		"babar-suspected-nation-state-spyware-spotlight"
	],
	"threat_actors": [],
	"ts_created_at": 1775434320,
	"ts_updated_at": 1775791295,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1b590b208261f1984d5bbaff6a6d56df2eaf15ef.pdf",
		"text": "https://archive.orkl.eu/1b590b208261f1984d5bbaff6a6d56df2eaf15ef.txt",
		"img": "https://archive.orkl.eu/1b590b208261f1984d5bbaff6a6d56df2eaf15ef.jpg"
	}
}