Threat Summary
The OTX pulse reveals the BabaDeda loader, a sophisticated malware framework discovered in April 2026 that has significantly advanced its capabilities, particularly in stealth, evasion, and payload flexibility. This evolved framework continues to conceal malicious payloads within seemingly legitimate installer packages while expanding its functionality. The attack methodology begins with a social engineering exploit known as ClickFix, which tricks users into executing malicious code disguised as legitimate installation processes. The threat actor behind this campaign remains unidentified but demonstrates sophistication in evading detection through multi-layered obfuscation techniques. The objective appears to be establishing initial access on victim systems to deploy secondary payloads, potentially including information stealers, ransomware, or other malicious tools. The geographically diverse C2 infrastructure across Bulgaria, Great Britain, Russia, and Ireland suggests the threat actor is utilizing multiple hosting providers to maintain operational security and resilience against takedowns.
Threat Actor / Malware Profile
The BabaDeda loader represents an evolved malware framework with enhanced capabilities:
Distribution Method:
- Social engineering via ClickFix technique
- Concealed within seemingly legitimate installer packages
- Lures users into clicking through deceptive prompts that appear to be legitimate software installation steps
Payload Behavior:
- Conceals malicious payloads within legitimate-looking installers
- Flexible payload delivery system capable of deploying various malware types
- Likely downloads and executes secondary payloads from C2 servers
- Evolves rapidly to avoid detection signatures
C2 Communication:
- Uses diverse IP infrastructure across multiple countries
- Observed C2 servers include IPs in Bulgaria, Great Britain, Russia, and Ireland
- Specific URLs with custom ports (e.g., 91.92.243.161:3038)
- Domain-based C2 (cirealci.com)
- Likely uses custom communication protocols for evading network detection
Persistence Mechanism:
- Likely establishes persistence through various methods
- May use registry modifications, scheduled tasks, or service creation
- May install legitimate-looking components to blend in with system software
Anti-Analysis Techniques:
- Enhanced stealth capabilities to avoid detection by security solutions
- Payload obfuscation within installer packages
- Likely employs code encryption and anti-debugging techniques
- Possibly uses process hollowing or injection techniques
IOC Analysis
The provided IOCs include:
-
IPv4 Addresses (5 indicators):
- 91.92.243.161 (Bulgaria, AS34368 - zonata - natskovi & sie ltd.)
- 158.94.208.104 (Great Britain, AS786 - jisc services limited)
- 77.238.248.158 (Russia, AS42429 - tele.ru ltd.)
- 89.124.81.216 (Ireland, AS25441 - imagine communications group limited)
- 158.94.208.92 (Great Britain, AS786 - jisc services limited)
-
FileHash-MD5 (1 indicator):
- b2e581c85432bd4df6a59a00cbda1cb3
-
Domain (1 indicator):
- cirealci.com
-
URL (1 indicator):
SOC teams should operationalize these indicators by:
- Immediately blocking all listed IPs at network perimeter and firewalls
- Blocking the domain and URL at web proxy and DNS levels
- Scanning all endpoints for the MD5 hash: b2e581c85432bd4df6a59a00cbda1cb3
- Configuring EDR solutions to alert on connections to these indicators
- Implementing network monitoring for connections to these IPs/domains
- Using SIEM tools to correlate activities involving these IOCs
- Creating firewall rules to block traffic to and from the identified IPs
- Configuring IPS/IDS signatures to detect and block traffic to these indicators
Tooling that can decode and use these indicators includes:
- EDR solutions (CrowdStrike, Carbon Black, SentinelOne, etc.)
- SIEM platforms (Splunk, ELK, QRadar, etc.)
- Threat intelligence platforms (MISP, ThreatConnect, Anomali, etc.)
- Network monitoring tools (Zeek, Suricata, Snort, etc.)
- Endpoint scanning tools (Velociraptor, osquery, etc.)
- IOC scanning tools (THOR, HashMyFiles, etc.)
Detection Engineering
Sigma Rules
---
title: Potential BabaDeda Loader C2 Communication
id: b2e581c85432bd4df6a59a00cbda1cb3
description: Detects potential BabaDeda loader C2 communication to known infrastructure
status: experimental
author: Security Arsenal
date: 2026/07/06
references:
- https://otx.alienvault.com/pulse/619a1f7f1c2f3e4d5e6f7g8h9
tags:
- attack.command_and_control
- attack.exfiltration
logsource:
category: network_connection
detection:
selection:
destination.ip:
- '91.92.243.161'
- '158.94.208.104'
- '77.238.248.158'
- '89.124.81.216'
- '158.94.208.92'
destination.port:
- 3038
- 80
- 443
condition: selection
falsepositives:
- Legitimate connections to these IPs
level: high
---
title: BabaDeda Loader File Execution
description: Detects execution of known BabaDeda loader file hash
status: experimental
author: Security Arsenal
date: 2026/07/06
references:
- https://otx.alienvault.com/pulse/619a1f7f1c2f3e4d5e6f7g8h9
tags:
- attack.initial_access
- attack.execution
logsource:
category: process_creation
product: windows
detection:
selection:
md5|contains: 'b2e581c85432bd4df6a59a00cbda1cb3'
condition: selection
falsepositives:
- Legitimate file with matching hash (unlikely)
level: critical
---
title: DNS Query to BabaDeda C2 Domain
description: Detects DNS queries to known BabaDeda C2 domain
status: experimental
author: Security Arsenal
date: 2026/07/06
references:
- https://otx.alienvault.com/pulse/619a1f7f1c2f3e4d5e6f7g8h9
tags:
- attack.command_and_control
logsource:
category: dns
detection:
selection:
query|contains: 'cirealci.com'
condition: selection
falsepositives:
- Legitimate DNS queries to this domain (unlikely)
level: high
KQL Hunt Query
// Hunt for BabaDeda Loader Network Connections
let BabaDeda_IPs = dynamic(["91.92.243.161", "158.94.208.104", "77.238.248.158", "89.124.81.216", "158.94.208.92"]);
let BabaDeda_Domain = "cirealci.com";
let BabaDeda_Hash = "b2e581c85432bd4df6a59a00cbda1cb3";
// Network connections to C2 infrastructure
DeviceNetworkEvents
| where RemoteIP in (BabaDeda_IPs) or RemoteUrl has BabaDeda_Domain
| project Timestamp, DeviceName, InitiatingProcessAccountName, RemoteIP, RemoteUrl, RemotePort, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by Timestamp desc
// Hunt for BabaDeda file hash
DeviceProcessEvents
| where MD5 == BabaDeda_Hash or SHA256 == BabaDeda_Hash
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, FileName, FolderPath, InitiatingProcessFileName
| order by Timestamp desc
PowerShell IOC Hunt Script
# BabaDeda Loader IOC Hunt Script
$BabaDeda_IPs = @("91.92.243.161", "158.94.208.104", "77.238.248.158", "89.124.81.216", "158.94.208.92")
$BabaDeda_Hash = "b2e581c85432bd4df6a59a00cbda1cb3"
$BabaDeda_Domain = "cirealci.com"
# Check network connections to C2 IPs
Write-Host "Checking for connections to BabaDeda C2 infrastructure..."
$connections = Get-NetTCPConnection -State Established | Select-Object LocalPort, RemoteAddress, RemotePort, OwningProcess
foreach ($conn in $connections) {
if ($BabaDeda_IPs -contains $conn.RemoteAddress) {
$process = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
Write-Host "WARNING: Found connection to BabaDeda C2 IP $($conn.RemoteAddress):$($conn.RemotePort)"
Write-Host "Process: $($process.ProcessName) (PID: $($process.Id))"
Write-Host "Path: $($process.Path)"
Write-Host ""
}
}
# Check DNS cache for BabaDeda domain
Write-Host "Checking DNS cache for BabaDeda domain..."
$dnsCache = Get-DnsClientCache | Where-Object { $_.Entry -like "*$BabaDeda_Domain*" }
if ($dnsCache) {
Write-Host "WARNING: Found DNS cache entries for BabaDeda domain:"
$dnsCache | Format-Table
} else {
Write-Host "No DNS cache entries for BabaDeda domain detected."
}
# Check for file hashes
Write-Host "Scanning for known BabaDeda file hash..."
$commonPaths = @("C:\Windows\Temp", "C:\Users\Public", "$env:APPDATA", "$env:TEMP")
foreach ($path in $commonPaths) {
if (Test-Path $path) {
Get-ChildItem -Path $path -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
try {
if ($_ -is [System.IO.FileInfo]) {
$hash = Get-FileHash -Path $_.FullName -Algorithm MD5 -ErrorAction Stop
if ($hash.Hash -eq $BabaDeda_Hash) {
Write-Host "WARNING: Found file matching BabaDeda hash: $($_.FullName)"
}
}
} catch {
# Skip files that can't be accessed
}
}
}
}
Write-Host "File scan complete."
Response Priorities
Immediate:
- Block all identified C2 IP addresses at network perimeter and firewalls
- Block the domain "cirealci.com" at DNS and web proxy level
- Implement immediate network monitoring for connections to these indicators
- Scan all endpoints for the MD5 hash: b2e581c85432bd4df6a59a00cbda1cb3
- Activate threat hunting procedures for installer-based infections
- Alert security operations center (SOC) about potential infections
- Review firewall and proxy logs for historical connections to these indicators
- Isolate any systems showing indicators of compromise
24h:
- Conduct thorough analysis of any systems showing indicators of compromise
- Review logs for recent installer executions and potential social engineering attempts
- Identify and potentially quarantine affected systems
- Initiate credential reset for accounts on potentially compromised systems
- Review and update endpoint detection rules for BabaDeda behaviors
- Conduct malware analysis on any suspicious samples found
- Review user activity logs for potential social engineering targets
- Update threat intelligence feeds with new indicators as they emerge
1 week:
- Implement application whitelisting to prevent unauthorized installers
- Enhance user awareness training focused on social engineering and deceptive installers
- Review and strengthen security controls around software installation policies
- Implement network segmentation to limit potential lateral movement
- Update security policies to address ClickFix and similar social engineering techniques
- Develop custom detection rules for similar loader families
- Conduct post-incident review and update threat intelligence feeds
- Review and update email filtering to block potential ClickFix lures
- Implement behavior-based detection for unusual installer activities
- Review and enhance endpoint logging to capture potential loader activities
Related Resources
Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.