{
	"id": "5e4f2a91-3a31-4456-af59-459c7be827e2",
	"created_at": "2026-04-06T00:07:38.329495Z",
	"updated_at": "2026-04-10T03:35:59.548562Z",
	"deleted_at": null,
	"sha1_hash": "77aa460870023e0a9894e96646cfe10f2f1711f1",
	"title": "Babadeda Crypter Targeting Crypto, NFT, and DeFi Communities",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3472469,
	"plain_text": "Babadeda Crypter Targeting Crypto, NFT, and DeFi Communities\r\nBy Arnold Osipov \u0026 Hido Cohen\r\nArchived: 2026-04-05 20:48:49 UTC\r\nThe cryptocurrency market is now worth more than $2.5 trillion. Unfortunately, this fact is not lost on threat actors. As well as using cryptocurrency themselves to extract ransoms, cybercriminals are now also tailoring malware to exploit the booming market for NFTs and crypto games. In a discovery of critical importance to anyone familiar with this space, Morphisec Labs has encountered a new campaign of malware targeting cryptocurrency enthusiasts through Discord.\r\nCrucially, the crypter that this campaign deploys, which we have termed Babadeda (a Russian language placeholder used by the crypter itself which translates to “Grandma-Grandpa”), is able to bypass signature-based antivirus solutions. Although some variants of this crypter have been noted by other vendors, Morphisec is the first to fully disclose how it works.\r\nFor victims, this makes infections highly likely — and dangerous. We know that this malware installer has been used in a variety of recent campaigns to deliver information stealers, RATs, and even LockBit ransomware. Fortunately, however, even as the threat level for cryptocurrency users rises, we also know that Morphisec’s Automated Moving Target Defense technology is capable of both seeing and stopping Babadeda.\r\nIn this blog post, we will explore how Babadeda is being delivered, what an in-depth technical analysis of this malware tells us about it, and how it can be stopped.\r\nCrypto and NFT Communities Are Prime Targets\r\nSince May 2021, we have observed several malware distribution campaigns. However, many of the recent infections we have seen appear to be related to a sophisticated campaign that exclusively targets the Crypto, NFT, and DeFi communities. 
It is precisely for this reason, as well as the fact that NFTs are rising in popularity, that we have decided to take a look at this particular campaign distribution in more detail.\r\nFor those who are not familiar with NFTs (Non-fungible tokens): the term refers to unique tokens that provide proof of ownership of data that is stored on a blockchain. In recent years, NFTs have exploded in popularity, and are now starting to enter the mainstream consciousness. Naturally, this growing trend in the crypto space has opened up a new vector for threat actors to exploit.\r\nThe Delivery Chain\r\nThe vast majority of today’s NFT and crypto communities are based on Discord (a group chatting platform) channels. Discord channels are publicly accessible and allow users to send private messages to one another within a channel.\r\nhttps://blog.morphisec.com/the-babadeda-crypter-targeting-crypto-nft-defi-communities\r\nPage 1 of 24\n\nIn the campaign that we observed, a threat actor took advantage of these features in order to phish victims. The threat actor sent users a private message inviting them to download a related application that would supposedly grant the user access to new features and/or additional benefits. Because the actor created a Discord bot account on the official company Discord channel, they were able to successfully impersonate the channel’s official account.\r\nBelow is an example of a phishing message that targeted users of “Mines of Dalarna”, a PC game built on the blockchain.\r\nFigure 1: Fake message on the Discord channel.\r\nIf a user clicks on the URL within the message, it will direct them to a decoy site. 
There, the user will be encouraged to download a malicious installer that embeds the Crypter with the payload.\r\nFigure 2: Original and decoy sites comparison\r\nAs you can see from the example above, the threat actor took extended measures to ensure that the delivery chain looks legitimate even to technical users. Typically:\r\n- Cybersquatting: the domain names of the decoy sites look a lot like the domain names of the original sites. Threat actors will usually remove/add a letter from/to the domain name or change the top-level domain.\r\n- The domains have TLS certificates (issued via Let's Encrypt), which enables an HTTPS connection.\r\n- The UI of the decoy pages is very similar to the UI of the original pages.\r\n- Upon clicking “Download APP”, the site will generally navigate to /downland.php, which will redirect the download request to a different domain (this makes it less likely that someone will detect a decoy site).\r\nInterestingly, on one of these decoy sites, we noticed an HTML object written in Russian. This suggests that the threat actor’s origins may be in a Russian-speaking country since they most likely forgot to translate the HTML object from their native language into English. 
\r\nFigure 3: Lost in translation?\r\nDecoy Site Examples\r\nThe following table shows a few examples of the decoy sites used in the campaigns we have observed.\r\nOriginal Domain | Decoy Domain | Description | IP Resolved | Installer Name\r\nopensea.io | openseea[.]net, openseaio[.]net | The most popular NFT marketplace | 185.117.2[.]82 | OpenSea-App_v2.1-setup.exe\r\nlarvalabs.com | larvaslab[.]com, larva-labs[.]net | The creators of CryptoPunks – the most popular PFP NFTs | 185.117.2[.]81, 185.117.2[.]82, 45.142.182[.]160 | LarvaLabs-App_v2.1.1-setup.exe\r\nboredapeyachtclub.com | boredpeyachtclub[.]com | BAYC – one of the most popular PFP NFTs | 185.117.2[.]4, 185.212.130[.]64 | BAYC-App-v2.1-release.exe\r\nWe have identified at least 82 domains created between July 24, 2021, and November 17, 2021, with the following registration time distribution (credit to @msuiche).\r\nThe Payloads\r\nThe following table tracks the RATs used by this specific campaign’s threat actor:\r\nDates Observed | RAT | C2\r\n11 Nov 2021 – 22 Nov 2021 | Remcos | 65.21.127.164[:]4449\r\n14 Oct 2021 – 22 Oct 2021 | BitRAT | 135.181.6.215[:]7777\r\n09 Sep 2021 – 14 Oct 2021 | BitRAT | 135.181.140.153[:]7777\r\n24 Aug 2021 – 07 Sep 2021 | BitRAT | 135.181.140.182[:]7777\r\nTechnical Analysis of the Babadeda Crypter\r\nFigure 4: Execution flow diagram\r\nDuring our research, we found different variants of the same Crypter — all of which contain the same main execution flow (denoted by the figure above). 
While investigating the Crypter, we saw how important it was for the threat actor to hide its malicious intentions inside legitimate applications in order to avoid detection. The following figure emphasizes the complexity of the evasive techniques that are implemented in the Crypter.\r\nFigure 5: Low detection rate on VT\r\nThe Installer\r\nOnce downloaded and executed, the malicious installer copies its compressed files into a newly created folder with a legitimate-looking name (e.g., IIS Application Health Monitor) in one of the following directory paths:\r\nC:\\Users\\\u003cuser\u003e\\AppData\\Roaming\r\nC:\\Users\\\u003cuser\u003e\\AppData\\Local\r\nThe malicious files are copied along with many other open-source or free application-related files. At first glance, the files within the directory may seem legitimate. However, looking at these files carefully it becomes apparent that some of them are suspicious and should be inspected, as shown by the figure below.\r\nFigure 6: The compressed files (malware files selected with stage numbers)\r\nCrypter Execution\r\nAfter dropping the mentioned files, the Installer starts execution via the main executable (number 1 in the figure above).\r\nWe have noticed that at this point, some variants display a fake error message that stops the execution until the user interacts with the message. 
This fake message might be used as a technique for evading security solutions. Alternatively, its role may be to deceive the user into thinking that the application has failed to execute, even as it silently continues the malicious execution in the background.\r\nFigure 7: Fake error message\r\nBy analyzing the two different variants, we can see the implementation of this message box:\r\nFigure 8: Comparison between variants\r\nAs we can see in the figure below, the function’s code is much longer compared to the actual DLL loading code. That’s because the actor has implanted its actions within legitimate application code in order to confuse analysts, obfuscate its real intentions, and make it harder for antivirus solutions to detect.\r\nFigure 9: Left – the full function. Right – the DLL loading code\r\nThe Shellcode’s Loader DLL\r\nThe threat actor generally embeds the next stages of the execution inside an additional file, usually an XML or a PDF file. Nonetheless, we have also observed additional file types such as JavaScript, Text, and PNG.\r\nHere, just like before, the actor embeds the malicious code inside different legitimate code. We have extracted the relevant sections to clearly demonstrate the malware’s activity:\r\nFigure 10: Exported function logic\r\nThe malicious logic starts by reading the additional file (in this case an XML file) and calling kernel32!Sleep for 35 seconds (the duration changes between variants). Next, it loads this entire file to memory and starts its parsing task. 
\r\nThe first piece that is parsed from the file is a shellcode located at a pre-calculated offset (0x88D8C in this case); it is copied over the executable at offset 0x1600.\r\nFigure 11: The shellcode bytes inside the XML file\r\nThe executable .text section’s characteristics are configured to RWE (Read-Write-Execute) — that way the actor doesn’t need to use VirtualAlloc or VirtualProtect in order to copy the shellcode and transfer the execution. This helps with evasion since those functions are highly monitored by security solutions. Once the shellcode is copied to the executable, the DLL calls the shellcode’s entry point (shellcode_address).\r\nPersistence Implementation\r\nIf the crypter is configured to install persistence, the loader DLL will execute a new thread that loads another DLL (from the compressed files) that will handle this task.\r\nFigure 12: New thread creation for calling the persistence mechanism\r\nThe newly loaded DLL will use one or both of the following mechanisms to implement the persistence:\r\n- Write a .lnk file in the startup folder that executes the Crypter’s main executable.\r\nFigure 13: .lnk file persistence implementation\r\n- Write a registry Run key that executes the Crypter’s main executable.\r\nFigure 14: Registry Run key persistence implementation\r\nThe Decryption Shellcode\r\nThe XML file (or any other file type used by the crypter) contains the following components:\r\n1. The first shellcode (the Decryption shellcode, described in this section).\r\n2. An encrypted additional shellcode (the Loader shellcode, described in the next section).\r\n3. 
An encrypted payload.\r\nThe Decryption shellcode has three main tasks: first, it extracts the Loader shellcode and the payload, then it decrypts them, and finally, it transfers the execution to the decrypted Loader shellcode.\r\nFigure 15: Decryption shellcode execution flow\r\nThe Decryption shellcode begins by dynamically locating the configuration structure by searching for a sequence of six or more identical bytes. This configuration holds pointers to the loader shellcode and the final payload; these are encrypted and split into chunks inside the XML.\r\nFigure 16: Configuration and XML file’s structures\r\nBased on this, we can identify the configuration inside the XML file:\r\nFigure 17: Configuration structure\r\nUsing this configuration, the malware iterates over each chunk, copies it, and decrypts it using the denoted decryption key (the configuration changes between samples).\r\nThen, the shellcode searches for two DWORD placeholders, 0xBABADEDA and 0xDEADBEAF. It replaces the first placeholder with the address of the decrypted payload and the latter with the size of the payload. This data is used in the next stage, the Loader shellcode.\r\nThe Loader Shellcode\r\nThe purpose of the Loader shellcode is to inject the decrypted payload into the currently running process (itself).\r\nWe can divide the loading mechanism into three stages: initialization, injection, and correction.\r\nInitialization\r\nThis stage is responsible for setting the relevant data that will be used during the injection and correction stages.\r\nFigure 18: Extracting the data for injection and correction stages\r\nTo start initializing, the Loader first saves the decrypted payload address and payload size according to the placeholders’ addresses. 
Next, it parses the PE headers of the payload to extract the image size and the entry point according to the current executable’s base address. The Loader parses the _PEB structure in order to find the base address of the current executable and the LDR_DATA_TABLE_ENTRY which will be used later. Finally, it dynamically loads the VirtualProtect function using a pre-calculated hash value (0xF1C25B45 in our case).\r\nInjection\r\nThis stage is pretty straightforward. Within it, the Loader overwrites the current PE with the final payload’s PE. It does so by copying the PE headers and each section according to the current executable’s base address.\r\nFigure 19: Change headers protection and clear memory bytes for the new PE\r\nOnce previous bytes have been cleared, the Loader copies the new PE headers to the base address and each section to the relevant location according to the IMAGE_SECTION_HEADER.\r\nCorrection\r\nThe final stage is responsible for fixing the import address table and relocation table of the newly injected PE.\r\nFigure 20: Fix tables and remove altering evidence\r\nmw_construct_IAT:\r\n- Load GetModuleHandleA, LoadLibraryA and GetProcAddress functions by hash (0x9FE4FCE1, 0x85557334 and 0xF23B576D respectively).\r\n- Iterate over the IAT of the new PE.\r\n- Load each function and update its address.\r\nmw_construct_RELOC:\r\n- Calculate the delta between the previous image base and the current one.\r\n- Iterate over each entry in the relocation table.\r\n- Add the delta to the entry value.\r\nIn addition to fixing the import address and relocation tables, the Loader removes evidence of injection by using the following methods:\r\n1. Update the LDR data table entry to match the injected PE.\r\n2. 
Remove the injected PE headers from memory.\r\nThese steps attempt to evade memory scanners that look for mismatches between LDR data and in-memory PEs.\r\nFinally, the malware jumps to the entry point of the newly injected PE with the original command-line arguments.\r\nConclusion\r\nAs demonstrated above, Babadeda is a highly dangerous crypter. Targeting cryptocurrency users through trusted attack vectors gives its distributors a fast-growing selection of potential victims. Once on a victim’s machine, masquerading as a known application with complex obfuscation also means that anyone relying on signature-based malware detection effectively has no way of knowing Babadeda is on their machine — or of stopping it from executing.\r\nMitigating the threat posed by Babadeda requires securing the device memory it targets. Morphisec does this through Automated Moving Target Defense, a technology that morphs process memory, trapping crypters like Babadeda before they are able to deploy. 
\r\nIOCs\r\nThe sample used in the blog post:\r\nFile | SHA256\r\nInstaller | 99e6b46a1eba6fd60b9568622a2a27b4ae1ac02e55ab8b13709f38455345aaff\r\ndifserver.exe | 358211210e0bb34dd77073bb0de64bb80723f3434594caf1a95d0ed164ee87a1\r\nlibfont-0.6.dll | ce3758d494132e7bef7ea87bb8379bb9f4b0c82768d65881139e1ec1838f236c\r\nlibxml3.dll | 0ceead2afcdee2a35dfa14e2054806231325dd291f9aa714af44a0495b677efc\r\nmenu.xml | 080340cb4ced8a16cad2131dc2ac89e1516d0ebe5507d91b3e8fb341bfcfe7d8\r\nYARA Rule\r\nrule BABADEDA_Crypter\r\n{\r\n    meta:\r\n        description = \"Detects BABADEDA Crypter\"\r\n        author = \"Morphisec labs\"\r\n        reference = \"https://blog.morphisec.com/the-babadeda-crypter-targeting-crypto-nft-defi-communities\"\r\n    strings:\r\n        $entry_shellcode = {55 8B EC 83 EC 58 53 E8 F8 03 00 00 89 45 FC 8B 45 FC 83 C0 11 89 45 CC 8B 45 FC 8B 40 09 8B 4D CC 8D 04}\r\n        $placeholder_1 = {81 38 DA DE BA BA}\r\n        $placeholder_2 = {81 38 AF BE AD DE}\r\n    condition:\r\n        $entry_shellcode and all of ($placeholder_*)\r\n}\r\nDecoy Domains\r\nHashes\r\nCrypter hashes\r\namadey stealer\r\nCryptbot\r\nlockbit\r\nursnif\r\nsmokeloader\r\nfickerstealer\r\nMetasploit Reverse HTTP\r\nquasarrat\r\nAbout the author\r\nArnold Osipov\r\nMalware Researcher\r\nArnold Osipov is a Malware Researcher at Morphisec, who has spoken at BlackHat and been recognized by Microsoft Security for his contributions to malware research related to Microsoft Office. Prior to his arrival at Morphisec 6 years ago, Arnold was a Malware Analyst at Check Point.\r\nHido Cohen\r\nSource: https://blog.morphisec.com/the-babadeda-crypter-targeting-crypto-nft-defi-communities",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.morphisec.com/the-babadeda-crypter-targeting-crypto-nft-defi-communities"
	],
	"report_names": [
		"the-babadeda-crypter-targeting-crypto-nft-defi-communities"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "bc289ba8-bc61-474c-8462-a3f7179d97bb",
			"created_at": "2022-10-25T16:07:24.450609Z",
			"updated_at": "2026-04-10T02:00:04.996582Z",
			"deleted_at": null,
			"main_name": "Avalanche",
			"aliases": [],
			"source_name": "ETDA:Avalanche",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434058,
	"ts_updated_at": 1775792159,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/77aa460870023e0a9894e96646cfe10f2f1711f1.pdf",
		"text": "https://archive.orkl.eu/77aa460870023e0a9894e96646cfe10f2f1711f1.txt",
		"img": "https://archive.orkl.eu/77aa460870023e0a9894e96646cfe10f2f1711f1.jpg"
	}
}