{
	"id": "a5848746-797b-4488-8243-cd7b2971224c",
	"created_at": "2026-04-06T00:11:17.011067Z",
	"updated_at": "2026-04-10T03:21:41.788574Z",
	"deleted_at": null,
	"sha1_hash": "9def8803a59a168981fb6a113a083212cdec5ffe",
	"title": "BabyShark Malware Part Two – Attacks Continue Using KimJongRAT and PCRat",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 922849,
	"plain_text": "BabyShark Malware Part Two – Attacks Continue Using\r\nKimJongRAT and PCRat\r\nBy Mark Lim\r\nPublished: 2019-04-26 · Archived: 2026-04-05 20:55:22 UTC\r\nExecutive Summary\r\nIn February 2019, Unit 42 published a blog about the BabyShark malware family and the associated spear\r\nphishing campaigns targeting U.S. national think tanks. Since that publication, malicious attacks leveraging\r\nBabyShark have continued through March and April 2019. The attackers expanded targeting to the cryptocurrency\r\nindustry, showing that those behind these attacks also have interests in financial gain.\r\nWhile tracking the latest activities of the threat group, Unit 42 researchers were able to collect both the BabyShark\r\nmalware’s server-side and client-side files, as well as two encoded secondary PE payload files that the malware\r\ninstalls on the victim hosts upon receiving an operator’s command. By analyzing the files, we were able to further\r\nunderstand the overall multi-staging structure of the BabyShark malware and features, such as how it attempts to\r\nmaintain operational security and supported remote administration commands. Based on our research, it appears\r\nthe malware author calls the encoded secondary payload “Cowboy” regardless of what malware family is\r\ndelivered.\r\nOur research shows the most recent malicious activities involving BabyShark malware appear to be carried out for\r\ntwo purposes:\r\nEspionage on nuclear security and the Korean peninsula’s national security issues\r\nFinancial gain with focus on the cryptocurrency industry based on the decoy contents used in the samples,\r\nshown in Figure 1. Xcryptocrash is an online cryptocurrency gambling game.\r\nhttps://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/\r\nPage 1 of 12\n\nFigure 1. 
Cryptocurrency related BabyShark malicious document decoy\r\nWe presume that the BabyShark malware toolset is shared among actors under the same umbrella or the same\r\ngroup has been assigned an additional mission.\r\nIn our analysis, we found BabyShark attacks were using KimJongRAT and PCRat as the encoded secondary\r\npayload and thus were the “Cowboys”.\r\nSuspicious Access Logging\r\nBabyShark has a multi-stage infection chain with checks between each stage, as shown in Figure 2, to ensure only\r\ntargeted hosts are advanced to the next stage before it finally beacons back to the attacker.\r\nFigure 2. BabyShark malware overall structure\r\nThis is done by maintaining a list of denylisted IP addresses and computer names for those who have made\r\nsuspicious access attempts, such as access with invalid parameters, to the server, a possible technique meant to\r\nmake analysis harder. The IP addresses and computer names in the denylist are written in base64 encoded format\r\nat [BASE_URI]/blackip.txt, shown in Figure 3.\r\nFigure 3. Denylisted IP addresses and computer names in blackip.txt\r\nWhen a new access attempt is made with data matching the denylist, the server will not proceed to the next stage\r\nand alerts the operator via a separate log file shown in Figure 4.\r\nFigure 4. Suspicious activity log report to operator\r\nBabyShark’s C2 server also logs access to its base URI and redirects to http://go.microsoft[.]com/. The purpose of\r\nthis is likely to avoid its files being seen due to potential misconfigurations of the hosting web server.\r\nif($ff=fopen(\"resp_suspect\",\"a\"))\r\n{\r\n     fwrite($ff, $date . \"  \" . $ip . \" suspected access \" . 
$useragent .\"\\r\\n\");\r\n     fclose($ff);\r\n}\r\nheader('Location: http://go.microsoft[.]com/');\r\nexit;\r\nRemote Commands\r\nThe operator can issue VBS and PowerShell based commands to victim systems infected with BabyShark. The\r\nremote commands we found on the C2 are listed in the tables below, but BabyShark is not limited to these as the\r\nattacker can create more VBS or PowerShell command files.\r\nVBS based remote commands:\r\nCommand Name | Description\r\ngetfiles | Archive all files in the BabyShark base path as a ZIP archive, then upload to the C2\r\nexe_down | Download files for secondary payload:\r\n- a Cowboy, a custom encoded PE payload\r\n- an EXE type loader which decodes and loads Cowboy in memory\r\n- a DLL type loader which decodes and loads Cowboy in memory\r\nredirect_vbs | Purpose of this command is not clear as the key file is missing, but it is likely for changing the\r\nC2 path\r\nTable 1. VBS based remote commands for BabyShark\r\nPowerShell based remote administration commands:\r\nCommand Name | Description\r\nkeyhook | Two types of key loggers implemented using PowerShell and C#\r\n- PowerShell based key logger which is openly available on GitHub. Result is saved in\r\n%APPDATA%\\Microsoft\\ttmp.log\r\n- C# based key logger saves result in %APPDATA%\\Microsoft\\ttmp.log\r\ndir list | Collect host information and save the result in %APPDATA%\\Microsoft\\ttmp.log. 
The\r\ncommands issued to collect host information include:\r\n- whoami\r\n- hostname\r\n- ipconfig\r\n- net user\r\n- arp -a\r\n- dir \"%appdata%\\Microsoft\"\r\n- dir \"%systemroot%\\SysWOW64\\WindowsPowerShell\\\"\r\n- vol c: d: e: f: g: h: i: j: k: l: m: n: o: p: q: r: s: t: u: v: w: x: y: z:\r\n- dir \"%userprofile%\\Downloads\"\r\n- dir \"%userprofile%\\Documents\"\r\n- dir \"%userprofile%\\AppData\\Local\\Google\\Chrome\\User Data\\Default\"\r\n- tasklist\r\nAlso, a test result for UAC accessibility, and Microsoft Office security settings from registry\r\nkey values\r\npower com | Copy %APPDATA%\\Microsoft\\delemd.tmp0 to %APPDATA%\\Microsoft\\XXYYZZ.tmp,\r\nand load as DLL\r\nexe del | Clean up all files associated with secondary payload execution.\r\n- %APPDATA%\\Microsoft\\desktop.r3u, encoded Cowboy payload\r\n- %APPDATA%\\Microsoft\\fstnur, file used to check for first time execution\r\n- %APPDATA%\\Microsoft\\*.tmp\r\nexecute | Copy %APPDATA%\\Microsoft\\deleme.tmp0 to %APPDATA%\\Microsoft\\deleme.tmp, and\r\nexecute it\r\nTable 2. PowerShell based remote commands for BabyShark\r\nKimJongRAT and PCRat are the Cowboys!\r\nThe secondary malware is delivered as a set:\r\n- one EXE loader\r\n- one DLL loader\r\n- one encoded payload\r\nThe functionality of the EXE and DLL loaders is the same: the only difference is the file type. These loaders are\r\nlater run upon receiving an execution command: “execute” to invoke the EXE type loader or “power com” to\r\nlaunch the DLL type loader. We theorize the reason for having two different types of loader is to have redundancy for\r\nloading the payload in case of anti-virus software’s disruption. 
Either loader will load the custom encoded\r\nsecondary payload, the Cowboy, in memory, decode it, and execute it.\r\nIn our previous research, we wrote about possible links between BabyShark and the KimJongRAT malware\r\nfamily. We based these possible links on the similarity of malware behavior, similar interests in the targets, and a\r\nfreshly compiled KimJongRAT malware sample being seen from the same threat actor. In our latest analysis, we\r\ncollected two secondary payload files, cow_pass.gif and cow.gif, from BabyShark’s C2 server. After decoding, we\r\nfound these samples were KimJongRAT and PCRat respectively. Their metadata are in Tables 3 and 4.\r\nSHA256 f86d05c1d7853c06fc5561f8df19b53506b724a83bb29c69b39f004a0f7f82d8\r\ntimestamp 2010-07-14 08:47:40\r\nsize 124,928\r\nImport hash d742aa65c4880f85ae43feebb0781b67\r\nC2 173.248.170[.]149:80\r\nTable 3. Decoded PCRat payload metadata\r\nSHA256 d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712\r\ntimestamp 2018-12-25 11:11:47\r\nsize 787,968\r\nImport hash daab894b81cc375f0684ae66981b357d\r\nTable 4. Decoded KimJongRAT payload metadata\r\nPCRat is an infamous remote administration trojan with its source code openly available on the public internet.\r\nThe malware is a variant of the Gh0st RAT malware family and it shares many similarities with Gh0st including\r\nits network beacon structure, as shown in Figure 5.\r\nFigure 5. PCRat communication with the C2 at 173.248.170[.]149:80\r\nInitially, we were curious about the sample’s old timestamp and it being hardly modified from the original PCRat\r\nbinary which had been publicly available for many years. 
However, the operator seemed to be actively operating\r\nthe malware when we observed the communication between it and the C2 server at the time of our analysis.\r\nThe decoded KimJongRAT sample seems to exhibit a few changes in the code from the variants reported in the\r\npast. This sample added a substitution cipher to obfuscate API strings, as shown in Figure 6, to hide its intentions\r\nand removed its networking feature for C2 data exfiltration, possibly in favor of the password gathering discussed\r\nbelow.\r\nFigure 6. Encrypted API strings in KimJongRAT\r\nAs the original filename “cow_pass.gif” suggests, KimJongRAT seems to be wholly used as a password extraction\r\nand information stealer tool by the threat actor, and the collected data are exfiltrated to the C2 with support from other\r\nmalware such as BabyShark or PCRat. The information that the KimJongRAT malware steals from victim\r\nmachines includes email credentials from Microsoft Outlook and Mozilla Thunderbird, and login credentials for\r\nGoogle, Facebook, and Yahoo accounts from the browsers Internet Explorer, Chrome, Mozilla Firefox, and Yandex\r\nBrowser. All this information, together with the victim machines' OS version, is stored in the file\r\n\"%APPDATA%\\Microsoft\\ttmp.log\". 
The contents of \"ttmp.log\" always begin with the string\r\n\"AAAAFFFF0000CCCC\", followed by the base64 encoded stolen credentials.\r\nCVE-2018-8174\r\nWe have not observed an in-the-wild case yet, but we did find a PHP sample exploiting CVE-2018-8174\r\n(Windows VBScript Engine Remote Code Execution Vulnerability) on the BabyShark C2 server, and this suggests\r\nthat the threat actor may be leveraging this vulnerability to make a target load BabyShark’s first stage HTA via a\r\nwatering hole attack or a malicious URL in a spearphishing email.\r\nThe attacker’s exploit script logs the victim’s remote IP address and redirects to http://google[.]com if the access is\r\nmade more than one time from the same IP. This again is perhaps a tactic meant to thwart researchers.\r\nif(file_exists($filename))\r\n{\r\n     if($ff=fopen(\"resp\",\"a\"))\r\n     {\r\n          fwrite($ff, $date . \"  \" . $ip .  \"    \".$useragent.\"     reopen document.\" .\"\\r\\n\");\r\n          fclose($ff);\r\n     }\r\n     header(\"location: http://google[.]com\");\r\n     exit;\r\n}\r\nif($ff=fopen(\"resp\",\"a\"))\r\n{\r\n     fwrite($ff, $date . \"  \" . $ip .  \"    \".$useragent.\"            open document.\" .\"\\r\\n\");\r\n     fclose($ff);\r\n}\r\nCowboy Converter\r\nDuring our research, we discovered in a public malware repository a Graphical User Interface (GUI) based program likely created by the\r\nBabyShark malware author. The file is used as a file encoder tool to convert a\r\nPE file into a payload format loadable by the previously described Cowboy EXE and DLL loaders. We believe\r\nthis tool is used by the BabyShark author to create their attack. 
Its metadata is in Table 5, below.\r\nSHA256 bd6efb16527b025a5fd256bb357a91b4ff92aff599105252e50b87f1335db9e1\r\ntimestamp 2019-01-30 18:22:51\r\nsize 24,576\r\nImport hash bde663d08d4e2e17940d890ccf2e6e74\r\nTable 5. Cowboy converter metadata\r\nThis tool simply opens a file with the name of “cowboy” in the current working directory and encodes it into the\r\nCowboy encoding format as detailed below. If a file with the name of “cowboy” is not found, it pops up a message\r\nbox with the notice “The file cowboy isn’t there!”, shown in Figure 7.\r\nFigure 7. Cowboy converter and cowboy file not found pop up message\r\nThe encoding is done via the following three steps:\r\n1. Reverse the original byte content read from the file with the name of “cowboy”\r\n2. Take the reversed bytes and Base64 encode them\r\n3. Take the base64 encoded string, chop it into 10 blocks and reverse the blocks' order\r\nWe have written a decoder script in Python and it is available in the appendix section of this blog.\r\nConclusion\r\nSince releasing our previous research, malicious attacks leveraging the BabyShark malware have continued. In\r\nfact, they have widened their operation to target the cryptocurrency industry. The malware’s server-side\r\nimplementation showed that the malware author has made certain efforts to maintain operational security for\r\noperating the malware and C2 infrastructure. The threat actor leverages other commodity and custom developed\r\ntools in their campaigns. In this case, they were PCRat and KimJongRAT, but these may be changed to other\r\nmalware families in the future. 
Malicious attacks using the BabyShark malware also seem likely to continue based\r\non our observations and may continue expanding into new industries.\r\nPalo Alto Networks customers are protected from this threat in the following ways:\r\n- WildFire and Traps detect all malware families and vulnerability exploits mentioned in this report as\r\nmalicious\r\n- C2 domains used by the threat actors are blocked via Threat Prevention\r\n- Pre and post infection network communications by the BabyShark and PCRat malware families are\r\nblocked by our IPS engine\r\n- The CVE-2018-8174 exploit is blocked by our IPS engine\r\nAutoFocus customers can monitor ongoing activity from the threats discussed in this report by looking at the\r\nfollowing tags:\r\n- BabyShark\r\n- CowboyLoader\r\n- CowboyConverter\r\nPalo Alto Networks has shared our findings, including file samples and indicators of compromise, in this report\r\nwith our fellow Cyber Threat Alliance members. CTA members use this intelligence to rapidly deploy protections\r\nto their customers and to systematically disrupt malicious cyber actors. 
For more information on the Cyber Threat\r\nAlliance, visit www.cyberthreatalliance.org.\r\nIndicators of Compromise\r\nMalicious Word Macro Document\r\n75917cc1bd9ecd7ef57b7ef428107778b19f46e8c38c00f1c70efc118cb8aab5\r\nPCRat\r\nf86d05c1d7853c06fc5561f8df19b53506b724a83bb29c69b39f004a0f7f82d8\r\nKimJongRAT\r\nd50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712\r\nCowboy Loader\r\n4b3416fb6d1ed1f762772b4dd4f4f652e63ba41f7809b25c5fa0ee9010f7dae7\r\n33ce9bcaeb0733a77ff0d85263ce03502ac20873bf58a118d1810861caced254\r\nCowboy Converter\r\nbd6efb16527b025a5fd256bb357a91b4ff92aff599105252e50b87f1335db9e1\r\nAppendix - Python Script for Decoding Cowboy\r\nimport base64\r\n\r\nwith open('cowboy', 'r') as file_in, open('cowboy_clear.bin', 'wb') as file_out:\r\n    EncStr = file_in.read()\r\n    BlkSz = 10\r\n    len_EncStr = len(EncStr)\r\n    # The encoder splits the base64 string into nine blocks of len_EncStr // BlkSz characters plus one\r\n    # remainder block, then reverses the block order, so the remainder block comes first in the encoded data\r\n    NonBlk10_ptr = len_EncStr - (BlkSz - 1) * (len_EncStr // BlkSz)\r\n    NonBlk10 = EncStr[:NonBlk10_ptr]\r\n    result = ''\r\n    EncStr = EncStr[NonBlk10_ptr:]\r\n    Blksize1 = len_EncStr // BlkSz\r\n    # Walk the nine equal-sized blocks and prepend each one to restore the original block order\r\n    for n in range(BlkSz - 1):\r\n        loop_buff1_ptr = n * Blksize1\r\n        loop_buff1 = EncStr[loop_buff1_ptr:loop_buff1_ptr + Blksize1]\r\n        result = loop_buff1 + result\r\n    result = result + NonBlk10\r\n    # Base64 decode, then undo the byte reversal applied by the encoder\r\n    clear = base64.b64decode(result)[::-1]\r\n    print(clear)\r\n    file_out.write(clear)\r\nSource: https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"MITRE"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/"
	],
	"report_names": [
		"babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat"
	],
	"threat_actors": [],
	"ts_created_at": 1775434277,
	"ts_updated_at": 1775791301,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9def8803a59a168981fb6a113a083212cdec5ffe.pdf",
		"text": "https://archive.orkl.eu/9def8803a59a168981fb6a113a083212cdec5ffe.txt",
		"img": "https://archive.orkl.eu/9def8803a59a168981fb6a113a083212cdec5ffe.jpg"
	}
}