{
	"id": "612f88b3-ee0a-42d4-a467-e498a5bb523f",
	"created_at": "2026-04-06T00:22:18.200272Z",
	"updated_at": "2026-04-10T03:29:07.49389Z",
	"deleted_at": null,
	"sha1_hash": "be583bf774e8b06acd0e104a90bebc03119315a9",
	"title": "Babar: espionage software finally found and put under the microscope",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1175931,
	"plain_text": "Babar: espionage software finally found and put under the microscope\r\nBy Paul Rascagnères\r\nPublished: 2020-02-10 · Archived: 2026-04-05 18:00:45 UTC\r\nAlmost a year after Operation SNOWGLOBE was publicly mentioned for the first time by the French newspaper Le Monde, security experts have now laid hands on malware samples that match the descriptions made by the Communications Security Establishment Canada (CSEC). The following analysis is the first report about the espionage malware dubbed Babar, which the whole computer security community has been searching for. After the disclosure about EvilBunny [1], Babar is the second component identified as related to Operation SNOWGLOBE and is believed to have been coded by the same developers. Babar’s feature set includes keystroke logging, clipboard logging and, most interestingly, the ability to log audio conversations – the elephant has big ears!\r\nBackground\r\nThe revelation about the existence of yet another potentially nation-state driven spyware occurred in March 2014, when Le Monde first published information about top secret slides originating from 2011 and part of their content. But the slides Le Monde published revealed only a small part of the picture – several slides were cut out, some information was redacted. Germany’s Der Spiegel re-published the slide set with far fewer deletions in January 2015, and therefore gave deeper insight into what CSEC actually says it has tracked down.\r\nThe newly published documents reveal that the so-called operation SNOWGLOBE was discovered in 2009 (slide 9) and consists of three different “implants”: two were dubbed “snowballs” and one “more sophisticated implant, discovered in mid-2010” is tagged as “snowman” (slide 7). 
According to slide 22, “CSEC assesses, with moderate certainty, SNOWGLOBE to be a state-sponsored CNO [Cyber Network Operation] effort, put forth by a French intelligence agency.” The information given dates back to 2011 and nothing else has been published since. Now that specific Babar samples have been identified and analyzed, there might be new information, also with regard to similarities and differences between the two Remote Administration Tools (RATs) EvilBunny and Babar.\r\nWe would like to express special thanks to Marion Marschalek, Joan Calvet and the CIRCL Luxembourg team for their contributions to this report! We recommend reading Marion’s report “Shooting Elephants”, a complementary piece of work regarding the Babar malware.\r\nThe samples\r\nEvilBunny samples (SHA256)\r\nc6a182f410b4cda0665cd792f00177c56338018fbc31bb34e41b72f8195c20cc\r\n7d1e5c4afb1682087d86e793b3fc5a8371dc7c28e27e7196e3b258934f6bafb5\r\n7bfc135194d3e5b85cbe46ed1c6f5e21dbe8f62c0a3ef56245b2d6500fc3a618\r\nbe14d781b85125a6074724964622ab05f89f41e6bacbda398bc7709d1d98a2ef\r\nhttps://www.gdatasoftware.com/blog/2015/02/24270-babar-espionage-software-finally-found-and-put-under-the-microscope\r\nPage 1 of 18\r\nBabar samples (SHA256, dropper and payload)\r\nc72a055b677cd9e5e2b2dcbba520425d023d906e6ee609b79c643d9034938ebf: Dropper\r\n82e6f9c10c7ba737f8c79deae4132b9ff82090ccd220eb3d3739365b5276c3c8: Dropper\r\naa73634ca325022dd6daff2df30484ec9031939044cf4c2a004cbdb66108281d: Payload (perf_585.dll)\r\n57437a675cae8e71ac33cd2e001ca7ef1b206b028f3c810e884223a0369d2f8a: Payload (dump21cb.dll)\r\nG DATA’s security solutions detect all analyzed samples.\r\nThe malware names: are the coders cartoonists?\r\nLooking at the compilation path stored in the binaries, we can identify the internal names of the projects:\r\nC:\\Users\\user\\Desktop\\bunny 2.3.2\\Release\\Transporter2.pdb\r\nC:\\Documents and Settings\\admin\\Desktop\\Babar64\\Babar64\\obj\\DllWrapper Release\\Release.pdb\r\nFurthermore, a command and control server of an EvilBunny sample also mentioned the project name:\r\nhxxp://1.9.32.11/bunny/test.php?rec=nvista\r\nIdentifying the malware described in CSEC slides\r\nThe following indicators underline the assumption that the EvilBunny and Babar samples analyzed match the ones described in the leaked Snowden documents, in the order of the slides. Nevertheless, some differences are listed at the end.\r\nMatch: Typographical error – slide 8\r\nCSEC mentioned a typo committed by the malware authors: in the User-Agent header, instead of the string MSIE (Microsoft Internet Explorer), the malware uses the string MSI. The malware does not use the browser to communicate; the request was assembled manually by the developer, who made a mistake. We found this exact same mistake in EvilBunny and Babar samples:\r\npaul@gdata:~/babar$ strings -a perf_585.dll | grep \"MSI \"\r\nUser-Agent: Mozilla/4.0 (compatible; MSI 6.0; Windows NT 5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322)\r\nUser-Agent: Mozilla/4.0 (compatible; MSI 6.0; Windows NT 5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322)\r\nCSEC Operation SNOWGLOBE, slide #8, discovered by Edward Snowden\r\nMatch: Internal name: Babar – slide 18\r\nWithin the documents leaked by Snowden, CSEC mentioned the internal name of the malware: Babar. In the malware samples analyzed the internal name is the same, as mentioned before.\r\nCSEC Operation SNOWGLOBE, slide #18, discovered by Edward Snowden\r\nMatch: Locale option – slide 19\r\nCSEC mentioned the locale option “fr_FR” during the spear-phishing attack. 
In the EvilBunny samples, the Accept-Language parameter is set to “fr” during the HTTP queries to the command and control servers.\r\nCSEC Operation SNOWGLOBE, slide #19, discovered by Edward Snowden\r\nMatch: English language – slide 19\r\nAlso on slide 19, CSEC mentioned that the command and control interface is in English but the choice of words is not typical for a native English speaker. We found English mistakes in EvilBunny and Babar samples, such as this example from Babar:\r\n!!!EXTRACT ERROR!!!File Does Not Exists--\u003e[%s]\r\nDifference: Infrastructure – slide 10\r\nThe CSEC documents reveal that scripts called “outbase.php” and “register.php” were found on infrastructure domains, “in a directory under root domain”. The scripts found in the samples analyzed were named “index.php” and sat in a deeper directory.\r\nDifference: Developer username: titi – slide 18\r\nThe developer’s username in the Babar samples analyzed is admin instead of titi as mentioned in the Snowden documents. The Bunny samples reveal user as the developer’s username.\r\nComparing EvilBunny to Babar\r\nWe believe that both malware species belong to the mentioned operation SNOWGLOBE; the following chapter describes similarities and differences.\r\nTyping error\r\nAs mentioned previously, the same typo has been found in the user agent string of both EvilBunny and Babar. This mistake can be the result of a copy/paste error or of the use of the same library in the two samples.\r\nAntivirus detection\r\nThe first task for both EvilBunny and Babar is to list the installed antivirus software. 
They use the exact same technique to fulfill this task: WMI, the Windows Management Instrumentation.\r\nWMI is an interface provided by Microsoft to get information about and notifications from the system; it can be queried from VBScript, PowerShell or C++. To detect the name of the installed and registered antivirus solution, the malware connects to one of the following Windows Security Center WMI namespaces:\r\nROOT\\SecurityCenter (for operating systems before Windows Vista)\r\nROOT\\SecurityCenter2 (Windows Vista and newer)\r\nThe analyzed malware handles both namespaces, i.e. both generations of the operating system (pre-Vista and Vista or later). Microsoft provides an SQL-like language to perform queries over WMI, called WMI Query Language (WQL). The malware performs the following query:\r\nSELECT * FROM AntiVirusProduct\r\nHere is the description of the antivirus object:\r\nclass AntiVirusProduct\r\n{\r\n    string companyName; // Vendor name\r\n    string displayName; // Application name\r\n    string instanceGuid; // Unique identifier\r\n    boolean onAccessScanningEnabled; // Real-time protection\r\n    boolean productUptoDate; // Definition state\r\n    string versionNumber; // Application version\r\n}\r\nThis is the schema of the legacy ROOT\\SecurityCenter class; in ROOT\\SecurityCenter2 the AntiVirusProduct class still exposes displayName and instanceGuid but reports the product state as a bit field (productState) instead of the boolean and version fields. The malware checks the following entries: productUptoDate, versionNumber and displayName. It then checks whether the SHA-256 of the first word of the displayName matches an entry in a predefined list. Looking at several samples, the content of this list varies. 
Here is one example of a list (updated on February 19, 2015):\r\nab6ed3db3c243254294cfe431a8aeada28e5741dfa3b9c8aeb54291fddc4f8c3 (AhnLab)\r\nb3fe0e3a3e3befa152c4237b0f3a96ffaa44a2d7e1aa6d379d3a1ab4659e1676 (AntiVir)\r\nc0ffcaf63c2ca2974f44138b0956fed657073fde0adeb0b1c940b5c45e8a5cab (avast!)\r\n249a90b07ed10bd0cd2bcc9819827267428261fb08e181f43e90807c63c65e80 (AVG)\r\n4b650e5c4785025dee7bd65e3c5c527356717d7a1c0bfef5b4ada8ca1e9cbe17 (CA)\r\nc8e8248940830e9f1dc600c189640e91c40f95caae4f3187fb04427980cdc479 (DoctorWeb)\r\n97010f4c9ec0c01b8048dbad5f0c382a9269e22080ccd6f3f1d07e4909fac1a5 (F-PROT)\r\naa0ad154f949a518cc2be8a588d5e3523488c20c23b8eb8fafb7d8c34fa87145 (F-Secure)\r\n333e0a1e27815d0ceee55c473fe3dc93d56c63e3bee2b3b4aee8eed6d70191a3 (G)\r\nd4634c9d57c06983e1d2d6dc92e74e6103c132a97f8dc3e7158fa89420647ec3 (InternetSecurity)\r\n977781971f7998ff4dbe47f3e1d679f1941b3237d0ba0fdca90178a15aec1f52 (Jiangmin)\r\nf1761a5e3856dceb3e14d4555af92d3d1ac47604841f69fc72328b53ab45ca56 (Kaspersky)\r\na48be88bed64eff941be52590c07045b896bc3e87e7cf62985651bbc8484f945 (McAfee)\r\n2bc42b202817bdab7d49506d291e3d9624ae0069087a8949c8fcb583c73772b1 (Norton)\r\n0d21bd52022ca7f7e97109d28d327da1e68cc0bedd9713b2dc2b49d3aa104392 (Online)\r\nf7d9ea7f3980635237d6ea58048057c33a218f2670e0ff45af5f4f670e9aa6f4 (Panda)\r\n522e5549af01c747329d923110c058b7bb7e112816de64bd7919d7b9194fba5b (Rising)\r\n4db3801a45802041baa44334303e0498c2640cd5dfd6892545487bf7c8c9219f (ThreatFire)\r\n9e217716c4e03eee7a7e44590344d37252b0ae75966a7f8c34531cd7bed1aca7 (Trend)\r\ne1625a7f2f6947ea8e9328e66562a8b255bc4d5721d427f943002bb2b9fc5645 (VirusBuster)\r\n588730213eb6ace35caadcb651217bfbde3f615d94a9cca41a31ee9fa09b186c (ZoneAlarm)\r\nb39be67ae54b99c5b05fa82a9313606c75bfc8b5c64f29c6037a32bf900926dd ()\r\na7f9b61169b52926bb364e557a52c07b34c9fbdcd692f249cd27de5f4169e700 ()\r\n1ba035db418ad6acc8e0c173a49d124f3fcc89d0637496954a70e28ec6983ad7 ()\r\nThe identified hashes correspond to the first word of the product names of well-known commercial antivirus products. The hash labelled (G) stands for G DATA software solutions. The hashes followed by empty brackets have not yet been identified.\r\nAPI obfuscation\r\nBoth cases:\r\nThe two malicious programs both use API obfuscation in order to make analysis more complicated. The purpose is to call a Microsoft Windows API function without naming it. In our cases the approach is the same in both malware families: when the malware needs to execute an external function (from a dynamic library), it uses a kind of “hash” instead of the function name. The “hash” is passed to an internal function that establishes the relation between the “hash” and the address of the function; finally, that address is called. The only difference between EvilBunny and Babar when it comes to API obfuscation is the internal function used to establish the relation. An example follows (where the “hash” is 0x46318AD1).\r\nEvilBunny case:\r\nIn the EvilBunny samples, the malware computes a kind of Cyclic Redundancy Check (“CRC”) over every exported function name of the desired dynamic library. If the “CRC” of a function’s name matches the value of the “hash”, the malware knows that it is the function to be executed. 
Here is the “CRC” loop (disassembly screenshot in the original article):\r\nThis loop can be represented by the following Python script (rol32 is the 32-bit rotate-left also defined in API.py below):\r\n#!/usr/bin/env python3\r\ndef rol32(num, count):\r\n    return ((num \u003c\u003c count) | (num \u003e\u003e (32 - count))) \u0026 0xFFFFFFFF\r\n\r\nCRC = 0\r\nfunction = 'CreateProcessW'\r\nfor i in function:\r\n    key = rol32(CRC, 7)\r\n    CRC = ord(i) ^ key\r\nprint('%s: 0x%08x' % (function, CRC))\r\nHere is the output of the script:\r\nCreateProcessW: 0x46318ad1\r\nThe hexadecimal value is the same as the value in our screenshot, so the executed function will be CreateProcessW(). With this script, we can easily create a correlation table that gives the hexadecimal value for each and every function exported by the library kernel32.dll:\r\npaul@gdata:~/$ cat API.py\r\n#!/usr/bin/env python3\r\nimport sys\r\nimport pefile\r\n\r\ndef rol32(num, count):\r\n    num1 = (num \u003c\u003c count) \u0026 0xFFFFFFFF\r\n    num2 = (num \u003e\u003e (0x20 - count)) \u0026 0xFFFFFFFF\r\n    return num1 | num2\r\n\r\npe = pefile.PE(sys.argv[1])\r\nfor exp in pe.DIRECTORY_ENTRY_EXPORT.symbols:\r\n    if exp.name is None:  # ordinal-only export, nothing to hash\r\n        continue\r\n    name = exp.name.decode('ascii')\r\n    cpt = 0\r\n    for i in name:\r\n        key = rol32(cpt, 7)\r\n        cpt = ord(i) ^ key\r\n    print('%s: 0x%08x' % (name, cpt))\r\npaul@gdata:~/babar$ ./API.py kernel32.dll\r\nActivateActCtx: 0x5147f60f\r\nAddAtomA: 0x1e1865e5\r\nAddAtomW: 0x1e1865f3\r\nAddConsoleAliasA: 0x06dc97e5\r\nAddConsoleAliasW: 0x06dc97f3\r\nAddLocalAlternateComputerNameA: 0xedbafee8\r\nAddLocalAlternateComputerNameW: 0xedbafefe\r\n...\r\nBabar case:\r\nThe Babar malware does not compute a kind of “CRC” over the function name; its algorithm is more complex. 
However, the philosophy is the same: for each exported function name, the malware applies an algorithm in order to verify whether the calculated “hash” matches the wanted “hash”.\r\nTo create the correlation table in this case, our approach was to instrument the debugger using Python. In our samples, the instruction at 0x10040930 (CMP ECX, [EAX]) is really interesting because ECX contains the desired “hash”, [EAX] contains the calculated “hash” of the current exported function and [EBX] contains the current exported function name. So we can write a short Immunity Debugger PyCommand (Immunity Debugger embeds Python 2) that dumps these values for each exported function name and builds the table:\r\nfrom immlib import *\r\nfrom immutils import *\r\n\r\ndef main(args):\r\n    imm = Debugger()\r\n    # break where the computed hash ([EAX]) is compared with the wanted one (ECX)\r\n    imm.setBreakpoint(0x10040930)\r\n    imm.run()\r\n    while True:\r\n        regs = imm.getRegs()\r\n        fct = imm.readString(regs['EBX'])             # current export name\r\n        value = imm.readMemory(regs['EAX'], 4)[::-1]   # 4-byte hash, reversed from little-endian for display\r\n        imm.log(fct + ':' + value.encode('hex'))\r\n        imm.run()                                      # continue to the next export name\r\nAnd the output:\r\nAcquireSRWLockExclusive:333bab35\r\nAcquireSRWLockShared:567cb604\r\nActivateActCtx:4e17a661\r\nAddAtomA:3b9ce8fb\r\nAddAtomW:236e73a4\r\nAddConsoleAliasA:42b5c543\r\nAddConsoleAliasW:e566de2b\r\nAddDllDirectory:94debd22\r\nAddIntegrityLabelToBoundaryDescriptor:b4107a12\r\nAddLocalAlternateComputerNameA:1f6ed911\r\n…\r\nBabar configuration extraction and analysis\r\nThe configuration of the malware is encrypted with the AES algorithm. The key and the offset at which the configuration is stored are located at the end of the Babar payloads (the .dll files). 
Once decrypted, we can identify the following content, which reveals information about command and control servers as well as certain process names and file name extensions the malware keeps an eye on:\r\nSample: 5da5079754d975d5b04342abf9d60bd0bae181a0\r\nexcel.exe, winword.exe, powerpnt.exe, visio.exe, acrord32.exe, notepad.exe, wordpad.exe\r\ntxt, rtf, xls, xlsx, ppt, ppts, doc, docx, pdf, vsd\r\nskype.exe, msnmsgr.exe, oovoo.exe, nimbuzz.exe, googletalk.exe, yahoomessenger.exe, x-lite.exe\r\nhxxp://www.alexpetro.com/images/training/courses/bb212/index.php\r\nhxxp://www.etehadyie.ir/images/public/bb212/index.php\r\nSample: efbe18eb8a66e4b6289a5c53f22254f76e3a29db\r\nexcel.exe, winword.exe, powerpnt.exe, visio.exe, acrord32.exe, notepad.exe, wordpad.exe\r\ntxt, rtf, xls, xlsx, ppt, ppts, doc, docx, pdf, vsd\r\nskype.exe, msnmsgr.exe, oovoo.exe, nimbuzz.exe, googletalk.exe, yahoomessenger.exe, x-lite.exe\r\nhxxp://www.horizons-tourisme.com/_vti_bin/_vti_msc/bb/index.php\r\nhxxp://www.gezelimmi.com/wp-includes/misc/bb/index.php\r\nThe first line contains document viewer processes, the second line contains document file extensions and the third line contains instant messaging processes. The use of this information is described below in the chapter Babar’s espionage features. Finally, the last lines contain the URLs of the command and control servers. 
The following information is available at the time of writing this article:\r\nwww.alexpetro.com\r\nWebsite topic: service company for drilling equipment (oil and gas), located in Egypt\r\nDomain registrant's origin: -\r\nWebsite hosted in: Texas, USA\r\nwww.etehadyie.ir (not available during the investigation)\r\nWebsite topic: home appliances (according to Google Translate)\r\nDomain registrant's origin: Tehran, Iran\r\nWebsite hosted in: -\r\nwww.horizons-tourisme.com\r\nWebsite topic: travel agency, located in Algeria\r\nDomain registrant's origin: Algiers, Algeria\r\nWebsite hosted in: Ohio, USA\r\nwww.gezelimmi.com (not available during the investigation)\r\nWebsite topic: Turkish website promoting tourism in Turkey\r\nDomain registrant's origin: Merkez, Turkey\r\nWebsite hosted in: New York, USA\r\nWe do not know whether the command and control servers were legitimate websites compromised during the campaign or servers dedicated to the attacks. Slide 23 mentions that C\u0026C nodes were found “worldwide (including Canada, US, UK)”.\r\nBabar’s espionage features\r\nThe RAT has common features such as code execution, code injection into running processes and file stealing (this is where the extensions listed in the configuration come into play). However, Babar has additional features: it acts as a key logger to record keystrokes, and it can steal the clipboard content (which frequently holds passwords when the user relies on a password manager such as KeePass). The data is stored in the file %COMMON_APPDATA%\\MSI\\update.msi. 
Here are two screenshots of the key logger API:\r\nAnd the following is a snippet of the clipboard stealer API:\r\nBabar is also able to take screenshots of the infected desktop (thanks to the GdiPlus API). Here is a snippet of the GdiPlus API:\r\nAnd finally, like every elephant, Babar has big ears: the malware is able to listen to conversations and log them by using the dsound and winmm libraries. We assume that the process list of the instant messaging services, seen in the configuration, is used to identify when the malware should enable this feature. The following screenshot shows the use of the wave* API to record the audio stream:\r\nLooking at the feature list, we can see that this malware is meant to be a pure espionage tool. Based on the current information, it does not harm the computer system itself but represents an elaborate instrument to function as a wiretap and to exfiltrate data from infected computers. This leads to the assumption that the number of infected machines is rather small and carefully chosen.\r\nConclusion\r\nWith the additional information about the malware attributed to operation SNOWGLOBE taken from the re-published slides, the G DATA experts are sure to have found samples which match the descriptions. 
EvilBunny and Babar might correspond to two of the three “implants” referred to as Snowballs and Snowman.\r\nThe G DATA SecurityLabs are convinced that the number of similarities identified between EvilBunny and Babar shows that both malware families originate from the same developers. The evil cartoon malware families share part of their code. The analyses suggest that the samples identified are newer versions of the malware CSEC described in the slides, which may be one reason for the absence of certain indicators CSEC mentioned.\r\nNevertheless, unfortunately, the experts cannot contribute further information with regard to the malware’s origin or the list of victims. The information CSEC provided was partly supported by indications found in the code, but no decisive clue has been identified, so CSEC’s assertion that a “French intelligence community” is responsible remains unchanged. Attributing malware to any origin, especially when dealing with specialized and professional malware, has always been difficult.\r\nWith a possible nation-state background, this espionage software would not be spread as mass malware but activated against specific and chosen targets only. The main functions of this malware are data exfiltration and wiretapping.\r\nEven if many questions remain unanswered, the analyses presented mark an important step towards the validation of the leaked slides.
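Added example (not code from the original article or from G DATA): the two hash-based lookups described above, the SHA-256 check on the first word of the AntiVirusProduct displayName (section Antivirus detection) and the rol32/XOR export-name hash used by EvilBunny (section API obfuscation), reimplemented in Python 3 together with the dictionary-attack step an analyst uses to turn such hashes back into names. The export list, product names and vendor words below are constructed sample input, not data recovered from the samples; the byte encoding of the displayName before hashing (ASCII or UTF-16LE) is not stated in the article, so the matcher tries both, which is an assumption.

```python
import hashlib

# WQL query the article says both malware families run against the SecurityCenter namespaces
WQL_AV_QUERY = 'SELECT * FROM AntiVirusProduct'


def rol32(value, count):
    # 32-bit rotate left, the same helper the API.py script in the article defines
    value &= 0xFFFFFFFF
    return ((value << count) | (value >> (32 - count))) & 0xFFFFFFFF


def evilbunny_api_hash(name):
    # EvilBunny export-name hash from the article: h = ord(c) XOR rol32(h, 7) over every character
    h = 0
    for ch in name:
        h = ord(ch) ^ rol32(h, 7)
    return h


def first_word(display_name):
    # Babar hashes only the first whitespace-delimited word of the WMI displayName
    parts = display_name.split()
    return parts[0] if parts else ''


def av_first_word_hash(display_name, encoding='ascii'):
    # SHA-256 hex digest of that first word; the byte encoding is an assumption (not stated in the article)
    return hashlib.sha256(first_word(display_name).encode(encoding)).hexdigest()


def build_lookup(candidates, hash_fn):
    # Dictionary-attack table: precomputed hash -> candidate plaintext
    return {hash_fn(c): c for c in candidates}


def resolve(target, lookup):
    # Inverse lookup; None when the hash is not in the table (like the unlabelled hashes in the article)
    return lookup.get(target)


def av_product_hits(display_names, hash_blocklist, encodings=('ascii', 'utf-16-le')):
    # What the malware effectively does: flag installed products whose first-word hash is on its list.
    # Returns (displayName, encoding that matched) pairs; both encodings are tried since the article
    # does not say which one the malware uses.
    hits = []
    for name in display_names:
        for enc in encodings:
            if av_first_word_hash(name, enc) in hash_blocklist:
                hits.append((name, enc))
                break
    return hits


# Constructed sample input (not data recovered from the samples)
SAMPLE_EXPORTS = ['AddAtomA', 'AddAtomW', 'CreateProcessW', 'LoadLibraryA',
                  'VirtualAlloc', 'WriteProcessMemory']
SAMPLE_DISPLAY_NAMES = ['Kaspersky Internet Security', 'G DATA ANTIVIRUS', 'Windows Defender']
SAMPLE_VENDOR_WORDS = ['Kaspersky', 'G', 'McAfee', 'Norton']


def demo():
    # Resolve the hash discussed in the article and run the AV check over the constructed names
    api_table = build_lookup(SAMPLE_EXPORTS, evilbunny_api_hash)
    resolved = resolve(0x46318AD1, api_table)
    blocklist = set(av_first_word_hash(w) for w in SAMPLE_VENDOR_WORDS)
    hits = av_product_hits(SAMPLE_DISPLAY_NAMES, blocklist)
    return resolved, hits


if __name__ == '__main__':
    name, hits = demo()
    print('0x46318ad1 resolves to', name)
    for product, enc in hits:
        print('flagged:', product, '(first word matched with', enc, 'encoding)')
```

Running the block resolves 0x46318ad1 to CreateProcessW and flags the Kaspersky and G DATA entries; replacing SAMPLE_VENDOR_WORDS with the hash list from the article and feeding it candidate vendor strings under both encodings is the way one would try to label its three unidentified hashes.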
\r\nSource: https://www.gdatasoftware.com/blog/2015/02/24270-babar-espionage-software-finally-found-and-put-under-the-microscope",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.gdatasoftware.com/blog/2015/02/24270-babar-espionage-software-finally-found-and-put-under-the-microscope"
	],
	"report_names": [
		"24270-babar-espionage-software-finally-found-and-put-under-the-microscope"
	],
	"threat_actors": [
		{
			"id": "08c8f238-1df5-4e75-b4d8-276ebead502d",
			"created_at": "2023-01-06T13:46:39.344081Z",
			"updated_at": "2026-04-10T02:00:03.294222Z",
			"deleted_at": null,
			"main_name": "Copy-Paste",
			"aliases": [],
			"source_name": "MISPGALAXY:Copy-Paste",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e09a7338-fb16-4e39-b579-c3bfc3140c47",
			"created_at": "2022-10-25T16:07:24.207294Z",
			"updated_at": "2026-04-10T02:00:04.899166Z",
			"deleted_at": null,
			"main_name": "Snowglobe",
			"aliases": [
				"ATK 8",
				"Animal Farm",
				"SIG20",
				"Snowglobe"
			],
			"source_name": "ETDA:Snowglobe",
			"tools": [
				"Babar",
				"Casper",
				"Chocopop",
				"Dino",
				"EvilBunny",
				"Nbot",
				"TFC",
				"Tafacalou"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "548a4081-aa8f-4e2a-bcb3-0c9dfa61944f",
			"created_at": "2023-01-06T13:46:38.443779Z",
			"updated_at": "2026-04-10T02:00:02.977564Z",
			"deleted_at": null,
			"main_name": "SNOWGLOBE",
			"aliases": [
				"Animal Farm",
				"Snowglobe",
				"ATK8"
			],
			"source_name": "MISPGALAXY:SNOWGLOBE",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434938,
	"ts_updated_at": 1775791747,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/be583bf774e8b06acd0e104a90bebc03119315a9.pdf",
		"text": "https://archive.orkl.eu/be583bf774e8b06acd0e104a90bebc03119315a9.txt",
		"img": "https://archive.orkl.eu/be583bf774e8b06acd0e104a90bebc03119315a9.jpg"
	}
}