Back to Intelligence

Nezha Web Shell Campaign & BabaDeda ClickFix Loader: OTX Pulse Analysis — Enterprise Detection Pack

SA
Security Arsenal Team
July 6, 2026
5 min read

Recent OTX pulses indicate two distinct, high-velocity threats targeting enterprise infrastructure. First, a "China-nexus" actor (dubbed "The Crown Prince") is actively exploiting misconfigured phpMyAdmin instances via log poisoning to establish persistence. This campaign utilizes the China Chopper web shell for initial access, managed via AntSword, before deploying the legitimate Nezha monitoring tool as a covert C2 channel for remote execution.

Simultaneously, the BabaDeda loader family has resurfaced with enhanced evasion capabilities. This campaign leverages the ClickFix attack vector—a social engineering technique where users are tricked into copying and executing malicious PowerShell commands from fake browser error messages. The loader conceals payloads within fraudulent installer packages, communicating with a distributed C2 infrastructure across Bulgaria, the UK, Russia, and Ireland.

Threat Actor / Malware Profile

The Crown Prince (Nezha / China Chopper)

  • Distribution: Web compromise via log poisoning on vulnerable phpMyAdmin panels.
  • Payload Chain: China Chopper (Web Shell) $ ightarrow$ AntSword (Management) $ ightarrow$ Nezha (Monitoring Tool/C2).
  • Behavior:
    • China Chopper: Small, obfuscated ASP/PHP web shell providing remote code execution.
    • Nezha: Legitimate open-source server monitoring tool abused by attackers to maintain reverse-shell access and command execution over a web socket. It is often difficult to detect due to its legitimate use case.
    • RATs: Ghost RAT (gh0st) variants have been observed in conjunction with this campaign.
  • Persistence: Installation of web shells on web roots and registration of the Nezha agent as a system service or daemon.

BabaDeda Loader

  • Distribution: ClickFix (Social Engineering). Victims encounter fake error popups on websites instructing them to run specific PowerShell commands.
  • Payload Behavior: Acts as a stealthy loader; decrypts and executes secondary payloads hidden within legitimate-looking installer files.
  • C2 Communication: Connects to hard-coded IPs (e.g., 91.92.243.161, 158.94.208.104) often over non-standard ports (e.g., 3038).
  • Evasion: Uses code signing (potentially fake or stolen) and hides within installer traffic to blend in with administrative activity.

IOC Analysis

The provided IOCs include infrastructure and file artifacts critical for detection:

  • Network Infrastructure (Pulse 1): 45.207.220.12 and gd.bj2.xyz are associated with the Nezha C2. Blocking these at the perimeter and firewall is mandatory to prevent callback.
  • Network Infrastructure (Pulse 2): A set of IPs including 91.92.243.161 (BG), 158.94.208.104 (GB), and 77.238.248.158 (RU) serve as C2 for the BabaDeda loader.
  • File Hashes:
    • Nezha/Pulse 1: SHA256 7b2599ed54b72daec0acfd32744c7a9a77b19e6cf4e1651837175e4606dbc958.
    • BabaDeda/Pulse 2: MD5 b2e581c85432bd4df6a59a00cbda1cb3.
  • Operationalization: SOC teams should immediately load these IPs into firewall blocklists and SIEM correlation engines. File hashes should be used to scan EDR historical data for execution attempts within the last 30 days.

Detection Engineering

Sigma Rules

YAML
---
title: Potential Nezha C2 Connection - Crown Prince Campaign
id: 3c9a9f1c-8b5a-4a2d-9b1c-1a2b3c4d5e6f
status: experimental
description: Detects outbound network connections to known Nezha C2 infrastructure associated with the "Crown Prince" phpMyAdmin campaign.
references:
    - https://otx.alienvault.com/
author: Security Arsenal
date: 2026/07/06
modified: 2026/07/06
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        DestinationIp|startswith:
            - '45.207.220.12'
    condition: selection
falsepositives:
    - Unknown
level: high
---
title: BabaDeda Loader C2 Infrastructure Connection
id: 1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d
status: experimental
description: Detects outbound network connections to known BabaDeda Loader infrastructure associated with ClickFix campaigns.
references:
    - https://otx.alienvault.com/
author: Security Arsenal
date: 2026/07/06
modified: 2026/07/06
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        DestinationIp|startswith:
            - '91.92.243.161'
            - '158.94.208.104'
            - '77.238.248.158'
            - '89.124.81.216'
            - '158.94.208.92'
    condition: selection
falsepositives:
    - Unknown
level: high
---
title: Suspicious PowerShell ClickFix Pattern
id: 4d5e6f7a-8b9c-0d1e-2f3a-4b5c6d7e8f9a
status: experimental
description: Detects suspicious PowerShell execution patterns often associated with ClickFix social engineering attacks (Clipboard manipulation + EncodedCommand).
references:
    - https://otx.alienvault.com/
author: Security Arsenal
date: 2026/07/06
modified: 2026/07/06
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\powershell.exe'
        CommandLine|contains:
            - 'FromClipboard'
            - 'Get-Clipboard'
        CommandLine|contains:
            - 'EncodedCommand'
            - '-enc'
            - '-e'
    condition: selection
falsepositives:
    - Legitimate administrative scripts
level: medium

KQL (Microsoft Sentinel)

Hunt for Nezha/BabaDeda Network Connections:

KQL — Microsoft Sentinel / Defender
DeviceNetworkEvents
| where RemoteIP in ("45.207.220.12", "91.92.243.161", "158.94.208.104", "77.238.248.158", "89.124.81.216", "158.94.208.92")
| project Timestamp, DeviceName, InitiatingProcessAccountName, RemoteIP, RemotePort, RemoteUrl


**Hunt for Malicious File Hash Execution:**
kql
DeviceProcessEvents
| where SHA256 in ("7b2599ed54b72daec0acfd32744c7a9a77b19e6cf4e1651837175e4606dbc958", "35e0b22139fb27d2c9721aedf5770d893423bf029e1f56be92485ff8fce210f3", "9f33095a24471bed55ce11803e4ebbed5118bfb5d3861baf1c8214efcd9e7de6", "f3570bb6e0f9c695d48f89f043380b43831dd0f6fe79b16eda2a3ffd9fd7ad16") or MD5 in ("b2e581c85432bd4df6a59a00cbda1cb3", "d757ec4d5350843c44dd34a95dcb3a50")
| project Timestamp, DeviceName, FolderPath, FileName, AccountName, SHA256, MD5

PowerShell Hunt Script

IOC Hunter:

PowerShell
# Define IOCs from Pulse Data
$MaliciousHashes = @(
    "7b2599ed54b72daec0acfd32744c7a9a77b19e6cf4e1651837175e4606dbc958",
    "35e0b22139fb27d2c9721aedf5770d893423bf029e1f56be92485ff8fce210f3",
    "9f33095a24471bed55ce11803e4ebbed5118bfb5d3861baf1c8214efcd9e7de6",
    "f3570bb6e0f9c695d48f89f043380b43831dd0f6fe79b16eda2a3ffd9fd7ad16",
    "b2e581c85432bd4df6a59a00cbda1cb3",
    "d757ec4d5350843c44dd34a95dcb3a50"
)

$C2_IPs = @(
    "45.207.220.12",
    "91.92.243.161",
    "158.94.208.104",
    "77.238.248.158",
    "89.124.81.216",
    "158.94.208.92"
)

Write-Host "[+] Scanning for established connections to C2 IPs..."
Get-NetTCPConnection | Where-Object {
    $C2_IPs -contains $_.RemoteAddress
} | Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess

Write-Host "[+] Scanning for process executables matching known malicious hashes..."
$Processes = Get-Process
foreach ($Proc in $Processes) {
    try {
        $FilePath = $Proc.Path
        if ($FilePath -and (Test-Path $FilePath)) {
            $Hash = (Get-FileHash -Path $FilePath -Algorithm SHA256).Hash.ToLower()
            if ($MaliciousHashes -contains $Hash) {
                Write-Host "[!] ALERT: Malicious process detected - PID: $($Proc.Id), Path: $FilePath" -ForegroundColor Red
            }
        }
    } catch {
        # Ignore access errors
    }
}


# Response Priorities

*   **Immediate:** Block all identified IP addresses and domains (`gd.bj2.xyz`, `cirealci.com`) at network edge and proxy levels. Initiate a hunt for the file hashes provided in the pulses across all endpoints.
*   **24h:** Conduct forensic analysis on any `phpMyAdmin` instances for signs of log poisoning or China Chopper web shells. Review logs for "ClickFix" related user support tickets or PowerShell events involving clipboard access.
*   **1 Week:** Patch and harden `phpMyAdmin` configurations (disable log access or restrict error reporting). Conduct security awareness training specifically regarding "ClickFix" social engineering tactics (fake browser errors).

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebotx-pulsedarkweb-malwarenezhababadedaweb-shellchina-nexusclickfix

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.