{
	"id": "91360ef0-3cbe-496e-9a10-65fdfcf18385",
	"created_at": "2026-04-06T00:22:04.629232Z",
	"updated_at": "2026-04-10T03:37:41.190498Z",
	"deleted_at": null,
	"sha1_hash": "5ca2916b428ae5afa16a19c9bf451a3c2bbb2ce9",
	"title": "TODDLERSHARK: ScreenConnect Vulnerability Exploited to Deploy BABYSHARK Variant",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 657856,
	"plain_text": "TODDLERSHARK: ScreenConnect Vulnerability Exploited to Deploy BABYSHARK Variant\r\nBy Dave Truman\r\nPublished: 2024-03-05 · Archived: 2026-04-05 21:48:17 UTC\r\nThe Kroll CTI team observed a campaign using a new malware that appears to be very similar to BABYSHARK, previously reported to have been developed and used by the APT group Kimsuky (KTA082).\r\nThe malware was deployed as part of an attempted compromise that was detected and stopped by the Kroll Responder team. The activity started with exploitation of a recently addressed authentication bypass in the remote desktop software ScreenConnect, developed by ConnectWise.\r\nTwo critical vulnerabilities, tracked as CVE-2024-1708 and CVE-2024-1709, were recently addressed in ConnectWise ScreenConnect and have been exploited by many threat actors due to their ease of exploitation.\r\nCVE-2024-1709 (CVSS:10) can allow for authentication bypass due to insufficient path filtering. This is possible because any string can be appended after the extension to allow for bypassing.\r\nCVE-2024-1708 (CVSS:8.4) is a path traversal vulnerability that can allow an attacker to execute code remotely on the ScreenConnect server.\r\nTogether, CVE-2024-1709 and CVE-2024-1708 can allow a threat actor to perform remote code execution post authentication.\r\nTechnical Details\r\nThe threat actor gained access to the victim workstation by exploiting the exposed setup wizard of the ScreenConnect application. 
They then leveraged their now “hands on keyboard” access to use cmd.exe to execute mshta.exe with a URL to the Visual Basic (VB) based malware.\r\nFigure 1: Infection instigating command (Source: Kroll)\r\nThe Kroll CTI team performed a VirusTotal search for this domain, and we can see that other entities have been affected by campaigns using the same destination domain.\r\nhttps://www.kroll.com/en/insights/publications/cyber/screenconnect-vulnerability-exploited-to-deploy-babyshark\r\nPage 1 of 10\n\nFigure 2: Screenshot of VirusTotal showing reported malicious domain activity (Source: Kroll)\r\nThe initial payload downloaded by the MSHTA utility was a heavily obfuscated VB script, containing randomly generated function and variable names along with large amounts of hexadecimal encoded code and additional junk code. The function names, variable names, junk code and hexadecimal change each time the initial payload is downloaded, meaning the hash of the file being downloaded will never be the same twice. The addition of a random number of lines of junk code containing randomized strings also obfuscates the meaningful code within the malware.\r\nFigure 3: Malicious VB Hidden Amongst Junk Code (Source: Kroll)\r\nOnce de-obfuscated, the code was observed downloading and executing the next stage, the URL of which is contained within the large hexadecimal string (along with more junk code). This second URL will also change with every download of the initial payload. 
It is therefore likely that on the command and control (C2) server there is a web application that is generating a unique payload containing a unique second stage URL each time it is called.\r\nFigure 4: De-obfuscated initial payload (Source: Kroll)\r\nThe second stage download is a large hexadecimal string, which, when decoded, contains a set of functionalities made up of three parts:\r\nSetting Windows registry keys\r\nCapturing and exfiltrating system information\r\nSetting up a scheduled task\r\nRegistry Keys\r\nThe malware runs the following commands to modify the Windows registry:\r\ncmd.exe /c reg add HKCU\\Software\\Microsoft\\Office\\14.0\\Excel\\Security /v VBAWarnings /t REG_DWORD /d 1 /f\r\ncmd.exe /c reg add HKCU\\Software\\Microsoft\\Office\\15.0\\WORD\\Security /v VBAWarnings /t REG_DWORD /d 1 /f\r\ncmd.exe /c reg add HKCU\\Software\\Microsoft\\Office\\15.0\\Excel\\Security /v VBAWarnings /t REG_DWORD /d 1 /f\r\ncmd.exe /c reg add HKCU\\Software\\Microsoft\\Office\\16.0\\WORD\\Security /v VBAWarnings /t REG_DWORD /d 1 /f\r\ncmd.exe /c reg add HKCU\\Software\\Microsoft\\Office\\16.0\\Excel\\Security /v VBAWarnings /t REG_DWORD /d 1 /f\r\nThese commands set the VBAWarnings value for Word and Excel to “1” for Office 2010, Office 2013 and Office 2016. The value of “1” means untrusted and trusted macros are allowed to run without notification, turning off some macro protections in those versions.\r\nThe reason for the script to set these registry keys is not immediately apparent since execution has already been achieved. One potential reason might be to make victims more susceptible to later phishing attacks, should the initial infection fail to establish persistent access or be remediated. 
KTA082 (Kimsuky) is known to target individuals using documents containing malicious macros as part of spear phishing campaigns for its RECONSHARK malware.\r\nInfostealer\r\nThe largest set of functionality revolves around the system information stealer. It spawns a succession of 16 cmd.exe instances to redirect the output of the following commands to an information capture file:\r\ncmd.exe /c hostname\u003e\u003eC:\\ProgramData\\[RANDOM_STRING].acl\r\ncmd.exe /c systeminfo\u003e\u003eC:\\ProgramData\\[RANDOM_STRING].acl\r\ncmd.exe /c net user\u003e\u003eC:\\ProgramData\\[RANDOM_STRING].acl\r\ncmd.exe /c query user\u003e\u003eC:\\ProgramData\\[RANDOM_STRING].acl\r\ncmd.exe /c REG QUERY HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\ /v ConsentPromptBehaviorAdmin\u003e\u003eC:\\ProgramData\\[RANDOM_STRING].acl\r\ncmd.exe /c route print\u003e\u003eC:\\ProgramData\\[RANDOM_STRING].acl\r\ncmd.exe /c ipconfig /all\u003e\u003eC:\\ProgramData\\[RANDOM_STRING].acl\r\ncmd.exe /c arp -a\u003e\u003eC:\\ProgramData\\[RANDOM_STRING].acl\r\ncmd.exe /c powershell get-ciminstance -namespace root/securitycenter2 -classname antivirusproduct\u003e\u003eC:\\ProgramData\\[RANDOM_STRING].acl\r\ncmd.exe /c netstat -ano\u003e\u003eC:\\ProgramData\\[RANDOM_STRING].acl\r\ncmd.exe /c tasklist\u003e\u003eC:\\ProgramData\\[RANDOM_STRING].acl\r\ncmd.exe /c tasklist /svc\u003e\u003eC:\\ProgramData\\[RANDOM_STRING].acl\r\ncmd.exe /c dir “C:\\Program Files”\u003e\u003eC:\\ProgramData\\[RANDOM_STRING].acl\r\ncmd.exe /c dir “C:\\Program Files (x86)”\u003e\u003eC:\\ProgramData\\[RANDOM_STRING].acl\r\ncmd.exe /c dir “C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs”\u003e\u003eC:\\ProgramData\\[RANDOM_STRING].acl\r\ncmd.exe /c 
dir “C:\\Users\\REDACTED\\AppData\\Roaming\\Microsoft\\Windows\\Recent”\u003e\u003eC:\\ProgramData\\[RANDOM_STRING].acl\r\nFigure 5: Information stealer process chain (Source: Kroll)\r\nThe information stolen includes host, user, network and security software information along with installed software and running processes. Commands 5 and 9 appear to be functionality more recently added to the malware. These are interesting additions as they are both related to security functionality, in contrast to the generalized information gathered by the other commands.\r\nOnce the tool has gathered all this information, it uses the inbuilt Windows command certutil to encode the stolen information in a Privacy Enhanced Mail (PEM) certificate, which it then exfiltrates to the C2 web application. Exfiltrating data hidden inside PEM files is a technique Kimsuky has used before.\r\nThe infostealer code finishes up by deleting both the capture and certificate file.\r\ncmd.exe /c certutil -encode C:\\ProgramData\\[RANDOM_STRING].acl C:\\ProgramData\\[RANDOM_STRING_2].acl\r\nScheduled Task\r\nThe final aspect to the malware is the initiation of a scheduled task. A script is written to an Alternate Data Stream (ADS) of a file located in a directory within ProgramData. The script contains a URL that will be requested every minute by the scheduled task. Any response from the URL is passed to the VB execute function to immediately run. 
This URL is uniquely generated for each run of the initial payload, like the other URLs previously discussed.\r\nFigure 6: Scheduled tasks code hidden within alternate data stream (Source: Kroll)\r\nOnce the script has been created, the malware creates a scheduled task that runs every minute with the following command line:\r\nC:\\Windows\\System32\\cmd.exe /c schtasks /Create /SC minute /MO 1 /TN Uso1Cache /TR \"wscript //e:vbscript //b C\r\nDuring Kroll’s testing, the data returning from the URL in the scheduled task was not observed. Kroll assessed with medium confidence that this occurred because the URL may only return code if the information gathered and sent back indicates a compromised host that meets the threat actors’ criteria. If this were the case, the scheduled task would act as a rudimentary loader for a further stage of malware, with the unique base64 string within the URL acting as a unique host identifier of sorts.\r\nSimilarities with BABYSHARK\r\nThe Kroll CTI team assesses it is likely that this is a variant of the BABYSHARK malware due to code and behavioral similarities between the malware described above and BABYSHARK, which was first discovered by Unit 42 in 2018.\r\nBelow are examples of code and functionality from Unit 42’s original BABYSHARK article that the Kroll CTI team assesses are similar to the code and functionality described in this article:\r\nFigure 7: Original BABYSHARK Hex Decoding Function (Source: Unit 42).\r\nFigure 8: Screenshot from Unit 42, showing BABYSHARK setting the VBAWarnings registry key (Source: 
Unit 42).\r\nFigure 9: Screenshot from Unit 42 showing BABYSHARK’s information gathering commands (Source: Unit 42).\r\nFigure 10: Screenshot showing original BABYSHARK’s certutil encoding (Source: Unit 42).\r\nAs demonstrated above, the two malware samples appear strikingly similar, indicating the malware used in this recent campaign is likely an iteration on the original BABYSHARK malware.\r\nAnalysis\r\nThe list of threat actors utilizing the ScreenConnect vulnerability CVE-2024-1709 for initial access is growing. The malware being deployed in this case uses execution through a legitimate Microsoft binary, MSHTA, and exhibits elements of polymorphic behavior in the form of changing identity strings in code, changing the position of code via generated junk code and using uniquely generated C2 URLs, which could make this malware hard to detect in some environments.\r\nPatching ScreenConnect applications is therefore imperative.\r\nDetection and Mitigation\r\nKroll Responder was able to detect and respond to this threat based on detections built covering the following tactics, techniques and procedures (TTPs).\r\nBehavior | Detection Method | MITRE ATT\u0026CK\r\ncertutil.exe encoding files | Detect certutil.exe being used to encode/decode files by checking for ‘-encode’ or ‘-decode’ strings passed to the program via the command line | T1132.001\r\nScheduled task creation | Detect scheduled task creation with cmd.exe, PowerShell, wscript etc. Detect scheduled task creation containing Alternate Data Streams. | T1053.005\r\nMSHTA Executing with URL | Detect mshta.exe executing with URL parameters. 
E.g., ‘http://’, ‘https://’ etc. | T1218.005\r\nMSHTA Spawning cmd.exe | Detect mshta.exe executing commands in cmd.exe or PowerShell | T1218.005\r\nPowerShell executing an encoded command | Detect PowerShell execution with encoded strings | T1027.010\r\nPowerShell spawning from cmd.exe | Detect PowerShell execution from cmd.exe | T1059.003\r\nSource: https://www.kroll.com/en/insights/publications/cyber/screenconnect-vulnerability-exploited-to-deploy-babyshark",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.kroll.com/en/insights/publications/cyber/screenconnect-vulnerability-exploited-to-deploy-babyshark"
	],
	"report_names": [
		"screenconnect-vulnerability-exploited-to-deploy-babyshark"
	],
	"threat_actors": [
		{
			"id": "191d7f9a-8c3c-442a-9f13-debe259d4cc2",
			"created_at": "2022-10-25T15:50:23.280374Z",
			"updated_at": "2026-04-10T02:00:05.305572Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"Kimsuky",
				"Black Banshee",
				"Velvet Chollima",
				"Emerald Sleet",
				"THALLIUM",
				"APT43",
				"TA427",
				"Springtail"
			],
			"source_name": "MITRE:Kimsuky",
			"tools": [
				"Troll Stealer",
				"schtasks",
				"Amadey",
				"GoBear",
				"Brave Prince",
				"CSPY Downloader",
				"gh0st RAT",
				"AppleSeed",
				"Gomir",
				"NOKKI",
				"QuasarRAT",
				"Gold Dragon",
				"PsExec",
				"KGH_SPY",
				"Mimikatz",
				"BabyShark",
				"TRANSLATEXT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "760f2827-1718-4eed-8234-4027c1346145",
			"created_at": "2023-01-06T13:46:38.670947Z",
			"updated_at": "2026-04-10T02:00:03.062424Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"G0086",
				"Emerald Sleet",
				"THALLIUM",
				"Springtail",
				"Sparkling Pisces",
				"Thallium",
				"Operation Stolen Pencil",
				"APT43",
				"Velvet Chollima",
				"Black Banshee"
			],
			"source_name": "MISPGALAXY:Kimsuky",
			"tools": [
				"xrat",
				"QUASARRAT",
				"RDP Wrapper",
				"TightVNC",
				"BabyShark",
				"RevClient"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c8bf82a7-6887-4d46-ad70-4498b67d4c1d",
			"created_at": "2025-08-07T02:03:25.101147Z",
			"updated_at": "2026-04-10T02:00:03.846812Z",
			"deleted_at": null,
			"main_name": "NICKEL KIMBALL",
			"aliases": [
				"APT43 ",
				"ARCHIPELAGO ",
				"Black Banshee ",
				"Crooked Pisces ",
				"Emerald Sleet ",
				"ITG16 ",
				"Kimsuky ",
				"Larva-24005 ",
				"Opal Sleet ",
				"Ruby Sleet ",
				"SharpTongue ",
				"Sparking Pisces ",
				"Springtail ",
				"TA406 ",
				"TA427 ",
				"THALLIUM ",
				"UAT-5394 ",
				"Velvet Chollima "
			],
			"source_name": "Secureworks:NICKEL KIMBALL",
			"tools": [
				"BabyShark",
				"FastFire",
				"FastSpy",
				"FireViewer",
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "71a1e16c-3ba6-4193-be62-be53527817bc",
			"created_at": "2022-10-25T16:07:23.753455Z",
			"updated_at": "2026-04-10T02:00:04.73769Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"APT 43",
				"Black Banshee",
				"Emerald Sleet",
				"G0086",
				"G0094",
				"ITG16",
				"KTA082",
				"Kimsuky",
				"Larva-24005",
				"Larva-25004",
				"Operation Baby Coin",
				"Operation Covert Stalker",
				"Operation DEEP#DRIVE",
				"Operation DEEP#GOSU",
				"Operation Kabar Cobra",
				"Operation Mystery Baby",
				"Operation Red Salt",
				"Operation Smoke Screen",
				"Operation Stealth Power",
				"Operation Stolen Pencil",
				"SharpTongue",
				"Sparkling Pisces",
				"Springtail",
				"TA406",
				"TA427",
				"Thallium",
				"UAT-5394",
				"Velvet Chollima"
			],
			"source_name": "ETDA:Kimsuky",
			"tools": [
				"AngryRebel",
				"AppleSeed",
				"BITTERSWEET",
				"BabyShark",
				"BoBoStealer",
				"CSPY Downloader",
				"Farfli",
				"FlowerPower",
				"Gh0st RAT",
				"Ghost RAT",
				"Gold Dragon",
				"GoldDragon",
				"GoldStamp",
				"JamBog",
				"KGH Spyware Suite",
				"KGH_SPY",
				"KPortScan",
				"KimJongRAT",
				"Kimsuky",
				"LATEOP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Lovexxx",
				"MailPassView",
				"Mechanical",
				"Mimikatz",
				"MoonPeak",
				"Moudour",
				"MyDogs",
				"Mydoor",
				"Network Password Recovery",
				"PCRat",
				"ProcDump",
				"PsExec",
				"ReconShark",
				"Remote Desktop PassView",
				"SHARPEXT",
				"SWEETDROP",
				"SmallTiger",
				"SniffPass",
				"TODDLERSHARK",
				"TRANSLATEXT",
				"Troll Stealer",
				"TrollAgent",
				"VENOMBITE",
				"WebBrowserPassView",
				"xRAT"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434924,
	"ts_updated_at": 1775792261,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5ca2916b428ae5afa16a19c9bf451a3c2bbb2ce9.pdf",
		"text": "https://archive.orkl.eu/5ca2916b428ae5afa16a19c9bf451a3c2bbb2ce9.txt",
		"img": "https://archive.orkl.eu/5ca2916b428ae5afa16a19c9bf451a3c2bbb2ce9.jpg"
	}
}