{
	"id": "5db6b814-c616-4ea9-9617-7169ad147e9c",
	"created_at": "2026-04-06T01:32:35.366959Z",
	"updated_at": "2026-04-10T13:12:32.309586Z",
	"deleted_at": null,
	"sha1_hash": "c537c05541132fd6d7df1450f22ab6fe98b141ae",
	"title": "Babylon RAT Campaign Targets Malaysian Politicians",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1433550,
	"plain_text": "Babylon RAT Campaign Targets Malaysian Politicians\r\nBy cybleinc\r\nPublished: 2024-09-04 · Archived: 2026-04-06 00:07:28 UTC\r\nRead Cyble's Analysis Uncovering the Babylon RAT Campaign Aimed at Inadvertent Users in Malaysia\r\nKey takeaways\r\nCyble Research and Intelligence Lab (CRIL) has identified a highly targeted cyber-attack aimed at political figures and government officials in Malaysia.\r\nThe attack showcases the advanced tactics employed by the Threat Actor (TA) in targeting high-profile individuals and institutions.\r\nThe campaign, active since July 2024, has employed at least three distinct malicious ISO files specifically designed to compromise Malaysian entities.\r\nThe malicious ISO files contain multiple components, including a shortcut (LNK) file, a hidden PowerShell script, a malicious executable, and a decoy PDF file.\r\nThe campaign delivers Babylon RAT as its final payload.\r\nBabylon RAT, an open-source Remote Access Trojan (RAT), provides unauthorized access to the victim’s machine. It allows the TA to execute commands remotely, control the system, and exfiltrate sensitive data.\r\nIntelligence from Cyble Vision’s platform indicates that the TA behind this campaign has previously targeted Malaysian entities using Quasar RAT, another open-source RAT.\r\nOverview\r\nCyble Research and Intelligence Lab (CRIL) has recently discovered a campaign involving malicious ISO files that targets political figures and government officials within Malaysia. The initial infection vector for this campaign is unclear. The ISO file is crafted with deceptive elements to trick users into thinking they are interacting with legitimate files.\r\nIt contains a visible shortcut file that mimics a PDF document, alongside a hidden malicious executable, a lure PDF document, and a concealed PowerShell script. 
\r\nUpon opening the shortcut file, the PowerShell script executes silently in the background. It launches the decoy PDF and copies the malicious executable to the %appdata% directory. The script also creates a registry entry to ensure the executable runs at system startup and then executes the malicious file.\r\nThe final payload in this campaign is Babylon RAT, an open-source Remote Access Trojan (RAT) designed for comprehensive surveillance and data theft. Babylon RAT offers a wide range of malicious functionalities, including capturing keystrokes, clipboard monitoring, password extraction, and remote command execution.\r\nhttps://cyble.com/blog/the-intricate-babylon-rat-campaign-targets-malaysian-politicians-government/\r\nPage 1 of 10\n\nIt enables TAs to covertly monitor user activity and steal sensitive information. The RAT maintains persistence on infected systems through registry modifications, ensuring it can survive reboots and continue operations.\r\nAdditionally, Babylon RAT includes a control panel that lets TAs manage compromised systems, execute commands remotely, and access stolen data, making it a powerful tool for cyber espionage and data exfiltration. The figure below shows the infection chain.\r\nFigure 1 – Infection chain\r\nTechnical Analysis\r\nThis campaign has been active since July 2024, with three distinct malicious ISO files observed targeting Malaysian entities. The use of three different lure documents suggests an attempt to reach a broader audience.\r\nAt the end of July, we observed two ISO files: one containing a lure document addressing political concerns in Malaysia, suggesting the campaign targets politically engaged individuals in the country. The other ISO file included a lure related to Majlis Amanah Rakyat (MARA), indicating that the TA is targeting Malaysian government officials. 
The figure below shows the lure documents observed in July.\r\nFigure 2 – Lure document\r\nFigure 3 – Lure document\r\nAt the end of August, we identified another malicious ISO file with a lure document related to the MyKHAS system, indicating that the TA is targeting Malaysian government officials who use the MyKHAS platform, as shown below.\r\nFigure 4 – Lure document\r\nIn all three ISO files, a similar approach is used: each contains a visible shortcut file that resembles a PDF document, as well as a hidden malicious executable, a lure PDF document, and a concealed PowerShell script, as shown in the figure below.\r\nFigure 5 – Contents of the ISO file once mounted\r\nFor analysis, we examine the ISO sample identified in August, named “PANDUAN_PENGGUNA_MyKHAS.iso” with the SHA-256 value “d9f0268cbaa1ae45dfa755adab9dda2d8bdff3c8bf8a00d23bbc6894c28e225f”. When the user opens the .lnk file, it silently executes the hidden PowerShell script in the background. This execution is triggered by a command line embedded in the shortcut file, shown below.\r\n“%windir%/System32/cmd.exe /c powershell -WindowStyle hidden -nologo -executionpolicy bypass -File “PANDUAN_PENGGUNA_MyKHAS.ps1”\r\nThe hidden window, the -executionpolicy bypass switch and the launch through cmd.exe together let an unsigned script run without any prompt to the user.\r\nFollowing this, the PowerShell script (.ps1) opens the decoy PDF file using the “Invoke-Item” command. It then copies the malicious executable, ‘controller.exe,’ into the “%appdata%” directory via the “Copy-Item” command.  
\r\nTo ensure the executable runs automatically at system startup, the script adds a startup entry in the registry under “HKCU:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run” with the name “USBController”, pointing at the copy of “controller.exe” in %appdata%. Finally, the script starts “controller.exe” from the %appdata% directory using “Invoke-Expression”. The figure below shows the content of the malicious PowerShell script. The executable “controller.exe” has been identified as a wrapper for Babylon RAT, an open-source remote access tool (RAT) commonly used by TAs for cyber espionage and data exfiltration.\r\nFigure 6 – PowerShell script\r\nPayload analysis\r\nDuring our analysis, we found that the file “controller.exe” carries a data overlay of roughly 300 MB appended after the PE image. Oversized files of this kind are a common way to exceed the size limits of antivirus scanners and sandbox submission portals, so the padding appears intended to evade detection. The wrapper uses “Dynamic API Resolution” through “GetModuleHandle” and “GetProcAddress”, so the Win32 cryptographic functions it needs do not appear in its import table. It feeds the base data value shown below into a hash object and passes that to “CryptDeriveKey” to produce a 256-bit key, which is then used with the AES-256 algorithm in the “CryptDecrypt” API to decrypt the embedded payload. 
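The key-derivation step above is easy to get wrong when reproducing the decryption outside Windows, because CryptDeriveKey does not hand back the raw hash. The following Python is an added example, not code from the Cyble report or from the sample: it re-implements the documented CryptDeriveKey expansion. The report does not name the hash algorithm, so SHA-1 is an assumption here and is left as a parameter, and the base-data bytes in the demo are a constructed placeholder for the value in Figure 7.

```python
# Added example (not from the Cyble report): Python re-implementation of the
# Windows CryptDeriveKey step that turns a hashed base-data value into an
# AES-256 key. The report does not name the hash algorithm, so SHA-1 is an
# assumption here and is left as a parameter.
import hashlib

SHA2_FAMILY = {'sha256', 'sha384', 'sha512'}


def crypt_derive_key(base_data, key_len=32, hash_name='sha1'):
    # CryptDeriveKey takes a hash object, so the caller has already done
    # CryptHashData(base_data); reproduce that here.
    digest = hashlib.new(hash_name, base_data).digest()
    if hash_name in SHA2_FAMILY:
        # SHA-2 hashes: the key is simply the first key_len bytes of the digest.
        if len(digest) < key_len:
            raise ValueError('hash output shorter than requested key length')
        return digest[:key_len]
    # MD5/SHA-1 with AES or 3DES: the documented expansion. XOR the digest into
    # a 64-byte 0x36 buffer and a 64-byte 0x5C buffer, hash each buffer with
    # the same algorithm, concatenate, and truncate to key_len.
    k = len(digest)
    if key_len > 2 * k:
        raise ValueError('requested key length exceeds what the expansion yields')
    buf36 = bytes((0x36 ^ digest[i]) if i < k else 0x36 for i in range(64))
    buf5c = bytes((0x5C ^ digest[i]) if i < k else 0x5C for i in range(64))
    expanded = hashlib.new(hash_name, buf36).digest() + hashlib.new(hash_name, buf5c).digest()
    return expanded[:key_len]


def derive_hex(base_data, key_len=32, hash_name='sha1'):
    return crypt_derive_key(base_data, key_len, hash_name).hex()


if __name__ == '__main__':
    # Constructed placeholder; replace with the bytes read from Figure 7.
    base = bytes.fromhex('00112233445566778899aabbccddeeff')
    print('SHA-1 path  :', derive_hex(base))
    print('SHA-256 path:', derive_hex(base, hash_name='sha256'))
```

With the key in hand, note that an AES key created through CryptoAPI defaults to CBC mode with a zero IV and PKCS #5 padding unless the sample sets KP_MODE or KP_IV, so that is the first combination to try in any AES library when decrypting the overlay.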
\r\nFigure 7 – Base data value passed to CryptDeriveKey to create the AES-256 key\r\nFigure 8 – Decrypted payload\r\nThe decrypted payload is itself packed with UPX. Execution is transferred to the decrypted payload using the “CreateThread” Windows API, as shown in the figure below.\r\nFigure 9 – Thread creation\r\nThe decrypted payload is Babylon RAT, an open-source remote access tool (RAT) widely used by cybercriminals for espionage and data theft. It allows TAs to take full control of a victim’s machine remotely, enabling actions such as file manipulation, process management, and command execution. The RAT includes keylogging features, capturing user keystrokes to steal sensitive information such as passwords. It also supports clipboard monitoring and can take screenshots of the victim’s desktop. Persistence mechanisms allow it to survive reboots by modifying system settings or registry keys.\r\nBabylon RAT communicates with a command-and-control (C2) server for further instructions, data exfiltration, and payload delivery. It is often used for long-term surveillance and data harvesting in targeted cyberattacks. The figure below shows the Babylon RAT string present in process memory.\r\nFigure 10 – Babylon RAT\r\nC\u0026C Communication:\r\nThe Babylon RAT samples observed in this campaign connect to command-and-control (C\u0026C) servers at 149.28.19[.]207 and 64.176.65[.]152 over port 443, enabling TAs to control the infected machine and exfiltrate sensitive data. While the identity of the TA behind this campaign remains unknown, intelligence from the Cyble Vision Platform indicates that these Malaysian entities were also targeted using Quasar RAT in the past. 
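Both C2 addresses above are written defanged, as is usual in reports, and the indicator list at the end of the page adds two domains. The following Python is an added example, not from the Cyble report: it refangs those four indicators and sweeps constructed firewall and DNS log lines for contact with them. The log formats, the client addresses and the cdn. subdomain in the DNS sample are assumptions made for the demo; only the indicator values come from the report.

```python
# Added example (not from the Cyble report): normalise the defanged C2
# indicators and sweep constructed firewall and DNS log lines for them.
# The indicator values are the report's; the log formats and log lines are
# assumptions made for this demo.

DEFANG = (('[.]', '.'), ('(.)', '.'), ('[:]', ':'), ('hxxp', 'http'))


def refang(indicator):
    # Undo the common defanging conventions so indicators can be compared
    # byte-for-byte with log data.
    value = indicator.strip()
    for bad, good in DEFANG:
        value = value.replace(bad, good)
    return value.lower()


def load_iocs(text):
    # One indicator per line: value, type, description, whitespace separated.
    iocs = {}
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) >= 2:
            iocs[refang(parts[0])] = parts[1].lower()
    return iocs


# Network indicators as listed in the report.
C2_IOCS = load_iocs('''
149.28.19[.]207               IP      C2
64.176.65[.]152               IP      C2
workhub-microsoft-team.com    domain  C2
fund.sekretariatparti.org     domain  C2
''')


def parse_firewall(line):
    # key=value export, e.g. src=10.0.0.5 dst=203.0.113.9 dport=443 proto=tcp
    return dict(kv.split('=', 1) for kv in line.split() if '=' in kv)


def parse_dns(line):
    # timestamp, client, query name; whitespace separated
    parts = line.split()
    return {'client': parts[1], 'query': parts[2]} if len(parts) >= 3 else None


def match_logs(fw_lines, dns_lines, iocs=C2_IOCS):
    hits = []
    for n, line in enumerate(fw_lines):
        f = parse_firewall(line)
        dst = f.get('dst', '').lower()
        if iocs.get(dst) == 'ip':
            hits.append(('fw', n, dst, f.get('dport')))
    for n, line in enumerate(dns_lines):
        d = parse_dns(line)
        if d is None:
            continue
        q = d['query'].rstrip('.').lower()
        # Match the domain itself or any subdomain of it.
        for ioc, kind in iocs.items():
            if kind == 'domain' and (q == ioc or q.endswith('.' + ioc)):
                hits.append(('dns', n, q, d['client']))
    return hits


SAMPLE_FIREWALL = [  # constructed
    'src=10.20.30.40 dst=149.28.19.207 dport=443 proto=tcp action=allow',
    'src=10.20.30.40 dst=203.0.113.9 dport=443 proto=tcp action=allow',
    'src=10.20.30.41 dst=64.176.65.152 dport=443 proto=tcp action=allow',
]
SAMPLE_DNS = [  # constructed
    '2024-08-30T09:14:02Z 10.20.30.40 workhub-microsoft-team.com.',
    '2024-08-30T09:14:05Z 10.20.30.40 www.microsoft.com.',
    '2024-08-30T09:15:11Z 10.20.30.41 cdn.fund.sekretariatparti.org.',
]

if __name__ == '__main__':
    for hit in match_logs(SAMPLE_FIREWALL, SAMPLE_DNS):
        print(hit)
```

Because the C2 traffic uses port 443, a destination-IP or domain match is what you have to work with; a port filter alone is useless here, and the domain rule deliberately catches subdomains so a per-victim host label does not evade it.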
\r\nFigure 11 – IP address 64.176.65[.]152 details in Cyble Vision\r\nConclusion\r\nThe cyber-attack targeting political figures and government officials in Malaysia shows both the heightened interest and the techniques of the TAs involved. The ongoing campaign, built on malicious ISO files, highlights the severity of the threat and the persistent nature of such attacks. The use of Babylon RAT, an open-source Remote Access Trojan, illustrates the capability of these TAs to gain unauthorized control and exfiltrate sensitive data. Additionally, the recurrence of targeting Malaysian entities with similar tools, such as Quasar RAT, emphasizes the need for enhanced security measures and vigilance to defend against these evolving threats.\r\nRecommendations\r\nImplement advanced email filtering to detect and block malicious attachments, such as ISO files, and prevent them from reaching end users.\r\nDeploy and regularly update endpoint security solutions, including antivirus and anti-malware software, to detect and mitigate threats like Babylon RAT.\r\nImplement continuous network monitoring and anomaly detection to identify and respond to unusual activity or unauthorized connections, especially to command-and-control servers.\r\nConduct comprehensive security awareness training for political figures and government officials so they can recognize and avoid phishing attempts and malicious files.\r\nKeep all systems and software up to date with the latest security patches to reduce the vulnerabilities that threat actors could exploit.\r\nMITRE ATT\u0026CK® Techniques\r\nTactic | Technique | Procedure\r\nExecution (TA0002) | User Execution: Malicious File (T1204.002) | The ISO file contains an LNK file disguised as a PDF. When executed, it runs a PowerShell script to initiate the attack.\r\nExecution (TA0002) | Command and Scripting Interpreter: PowerShell (T1059.001) | The LNK file triggers a PowerShell script to execute the payload and create persistence.\r\nPersistence (TA0003) | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001) | The PowerShell script creates a startup entry in the registry Run key.\r\nDefense Evasion (TA0005) | Dynamic API Resolution (T1027.007) | Cryptographic APIs are resolved at runtime to evade IAT-based detection.\r\nDefense Evasion (TA0005) | LNK Icon Smuggling (T1027.012) | The LNK file is disguised with a PDF icon.\r\nDefense Evasion (TA0005) | Encrypted/Encoded File (T1027.013) | The Babylon RAT payload is encrypted with AES-256 to evade detection by security tools.\r\nCredential Access (TA0006) | Credentials from Password Stores: Credentials from Web Browsers (T1555.003) | Babylon RAT can extract passwords from web browsers.\r\nDiscovery (TA0007) | System Information Discovery (T1082) | Babylon RAT collects system information from the victim’s machine.\r\nCollection (TA0009) | Clipboard Data (T1115) | Babylon RAT monitors and logs clipboard data, storing it for later exfiltration.\r\nCollection (TA0009) | Input Capture: Keylogging (T1056.001) | The RAT captures keystrokes using the SetWindowsHookEx Win32 API.\r\nCommand and Control (TA0011) | Application Layer Protocol: Web Protocols (T1071.001) | Babylon RAT communicates with the TA’s C2 server over web protocols.\r\nExfiltration (TA0010) | Exfiltration Over C2 Channel (T1041) | The TA exfiltrates collected data through the established C2 channel. 
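The execution and persistence rows of the table (shortcut to cmd.exe to hidden PowerShell, Run key in HKCU, controller.exe started from %appdata%) are the host-side behaviours a SOC can key detections on. The following Python is an added example, not from the Cyble report or from Babylon RAT: it runs three rules over constructed process-creation and registry-set events in a Sysmon-like shape and flags the chain only when every stage is present. The field names (EventID, Image, ParentImage, CommandLine, TargetObject, Details), the user name, the SID and the benign noise events are assumptions made for the demo; the value name USBController, the %appdata% location and the PowerShell switches come from the report.

```python
# Added example (not from the Cyble report or Babylon RAT): detection rules for
# the LNK -> cmd.exe -> PowerShell -> Run key -> controller.exe chain described
# in the report. Event fields loosely follow Sysmon (EventID 1 process create,
# EventID 13 registry value set); the field names and sample events are
# constructed for this demo.

SEP = chr(92)  # Windows path separator (backslash)


def _norm(value):
    # Lower-case and use '/' as separator so rules are independent of case
    # and of how the log source writes paths.
    return (value or '').replace(SEP, '/').lower()


def _winpath(*parts):
    return SEP.join(parts)


def hidden_ps1_from_cmd(ev):
    # The shortcut runs cmd.exe /c powershell -WindowStyle hidden
    # -executionpolicy bypass -File <name>.ps1; under cmd.exe that combination
    # is rare on a normal workstation and worth an alert on its own.
    cmd = _norm(ev.get('CommandLine'))
    return (ev.get('EventID') == 1
            and _norm(ev.get('Image')).endswith('/powershell.exe')
            and _norm(ev.get('ParentImage')).endswith('/cmd.exe')
            and '-windowstyle hidden' in cmd
            and '-executionpolicy bypass' in cmd
            and '-file' in cmd and '.ps1' in cmd)


def run_key_to_appdata(ev):
    # A Run value whose data points into %APPDATA%. The report names the value
    # USBController; keying on the location rather than the name keeps the rule
    # alive if the TA renames it.
    target = _norm(ev.get('TargetObject'))
    data = _norm(ev.get('Details'))
    return (ev.get('EventID') == 13
            and '/software/microsoft/windows/currentversion/run/' in target
            and '/appdata/roaming/' in data
            and data.endswith('.exe'))


def ps_launches_appdata_exe(ev):
    # Final stage: the script starts the copied executable from %APPDATA%.
    return (ev.get('EventID') == 1
            and _norm(ev.get('ParentImage')).endswith('/powershell.exe')
            and '/appdata/roaming/' in _norm(ev.get('Image')))


RULES = [
    ('hidden-ps1-from-cmd', hidden_ps1_from_cmd),          # T1204.002 / T1059.001
    ('run-key-to-appdata', run_key_to_appdata),            # T1547.001
    ('ps-launches-appdata-exe', ps_launches_appdata_exe),  # T1059.001 -> payload
]


def detect(events):
    # Returns (event index, rule name) pairs for every rule that fires.
    return [(i, name) for i, ev in enumerate(events) for name, rule in RULES if rule(ev)]


def chain_complete(hits):
    # All three stages on one host is a high-confidence match for this campaign.
    seen = {name for _, name in hits}
    return all(name in seen for name, _ in RULES)


PS = _winpath('C:', 'Windows', 'System32', 'WindowsPowerShell', 'v1.0', 'powershell.exe')
CMD = _winpath('C:', 'Windows', 'System32', 'cmd.exe')
APPDATA = _winpath('C:', 'Users', 'analyst', 'AppData', 'Roaming')  # constructed user
RUN = _winpath('HKU', 'S-1-5-21-1', 'Software', 'Microsoft', 'Windows', 'CurrentVersion', 'Run')

SAMPLE_EVENTS = [  # constructed, modelled on the chain in the report
    {'EventID': 1, 'ParentImage': _winpath('C:', 'Windows', 'explorer.exe'), 'Image': CMD,
     'CommandLine': 'cmd.exe /c powershell -WindowStyle hidden -nologo -executionpolicy bypass -File PANDUAN_PENGGUNA_MyKHAS.ps1'},
    {'EventID': 1, 'ParentImage': CMD, 'Image': PS,
     'CommandLine': 'powershell -WindowStyle hidden -nologo -executionpolicy bypass -File PANDUAN_PENGGUNA_MyKHAS.ps1'},
    {'EventID': 13, 'TargetObject': _winpath(RUN, 'USBController'), 'Details': _winpath(APPDATA, 'controller.exe')},
    {'EventID': 1, 'ParentImage': PS, 'Image': _winpath(APPDATA, 'controller.exe'), 'CommandLine': 'controller.exe'},
    # benign noise: a vendor Run value and an interactive PowerShell session
    {'EventID': 13, 'TargetObject': _winpath(RUN, 'OneDrive'),
     'Details': _winpath('C:', 'Program Files', 'Microsoft OneDrive', 'OneDrive.exe')},
    {'EventID': 1, 'ParentImage': _winpath('C:', 'Windows', 'explorer.exe'), 'Image': PS, 'CommandLine': 'powershell.exe'},
]

if __name__ == '__main__':
    hits = detect(SAMPLE_EVENTS)
    for idx, name in hits:
        print(idx, name)
    print('chain complete:', chain_complete(hits))
```

Each rule is useful alone, but the run-key rule in particular will fire on legitimate software that installs into %appdata%, so the combination in chain_complete is what should page an analyst; the individual hits are better routed to a lower-severity queue.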
\r\nIndicators Of Compromise\r\nIndicator | Indicator Type | Description\r\n54a52310ade00eca0abb8ba32f4cacc42deb69b6e1f07309e44df2213bf2569c | SHA-256 | SalahLaku_MARA.iso\r\nd9f0268cbaa1ae45dfa755adab9dda2d8bdff3c8bf8a00d23bbc6894c28e225f | SHA-256 | PANDUAN_PENGGUNA_MyKHAS.iso\r\n8e6717e88ab6bb4a96e465dc0e9db3cf371e8e75af29e4c3ebc175707702b3b6 | SHA-256 | LimKitSiang_teks_penuh.iso\r\ncf2b8c735f6acc0310ec76607b5c37ef994c96c74442373686e1f3a141c7a892 | SHA-256 | Salahlaku_Sektor_Keusahawanan_M\r\nb9dddf801db527b3895409443fadeeced176b3ccac220395f700e91b151076b0 | SHA-256 | PANDUAN_PENGGUNA_MyKHA\r\n401a524c5a446107547475d27f9acd548182eac06294245dc43313b47ffa0e5c | SHA-256 | Salahlaku_Sektor_Keusahawanan_M\r\nf21ae37cb39658a62c9aaa945eb4dc2b33aebe4afeb5374d36328589a53e0982 | SHA-256 | controller.exe\r\n77e22b511cd236cae46f55e50858aea174021a1cd431beaa5e7839a9d062e4c7 | SHA-256 | PDFview.exe\r\nb348935e378b57001e6b41d96ae498ca00dd9fb296115a4e036dad8ccc7155d3 | SHA-256 | PANDUAN_PENGGUNA_MyKHA\r\n2a5a1ae773c59f18cceada37c4d78427ff18bd9a8c0ceb584c0cf997f6ac36b0 | SHA-256 | Kit_Siang_Bimbang_Gelombang_H\r\nf30901bd966b8c4803ffd517347167b4bba2c1b85cc7b5bcbe08791e249eb86b | SHA-256 | Kit_Siang_Bimbang_Gelombang_H\r\n64.176.65.152 | IP | C\u0026C\r\nworkhub-microsoft-team.com | domain | C\u0026C\r\n149.28.19.207 | IP | C\u0026C\r\nfund.sekretariatparti.org | domain | C\u0026C\r\nSource: https://cyble.com/blog/the-intricate-babylon-rat-campaign-targets-malaysian-politicians-government/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://cyble.com/blog/the-intricate-babylon-rat-campaign-targets-malaysian-politicians-government/"
	],
	"report_names": [
		"the-intricate-babylon-rat-campaign-targets-malaysian-politicians-government"
	],
	"threat_actors": [],
	"ts_created_at": 1775439155,
	"ts_updated_at": 1775826752,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c537c05541132fd6d7df1450f22ab6fe98b141ae.pdf",
		"text": "https://archive.orkl.eu/c537c05541132fd6d7df1450f22ab6fe98b141ae.txt",
		"img": "https://archive.orkl.eu/c537c05541132fd6d7df1450f22ab6fe98b141ae.jpg"
	}
}