Recent OTX pulses indicate two distinct, high-velocity threats targeting enterprise infrastructure. First, a "China-nexus" actor (dubbed "The Crown Prince") is actively exploiting misconfigured phpMyAdmin instances via log poisoning to establish persistence. This campaign utilizes the China Chopper web shell for initial access, managed via AntSword, before deploying the legitimate Nezha monitoring tool as a covert C2 channel for remote execution.
Simultaneously, the BabaDeda loader family has resurfaced with enhanced evasion capabilities. This campaign leverages the ClickFix attack vector—a social engineering technique where users are tricked into copying and executing malicious PowerShell commands from fake browser error messages. The loader conceals payloads within fraudulent installer packages, communicating with a distributed C2 infrastructure across Bulgaria, the UK, Russia, and Ireland.
Threat Actor / Malware Profile
The Crown Prince (Nezha / China Chopper)
- Distribution: Web compromise via log poisoning on vulnerable
phpMyAdminpanels. - Payload Chain: China Chopper (Web Shell) $ ightarrow$ AntSword (Management) $ ightarrow$ Nezha (Monitoring Tool/C2).
- Behavior:
- China Chopper: Small, obfuscated ASP/PHP web shell providing remote code execution.
- Nezha: Legitimate open-source server monitoring tool abused by attackers to maintain reverse-shell access and command execution over a web socket. It is often difficult to detect due to its legitimate use case.
- RATs: Ghost RAT (gh0st) variants have been observed in conjunction with this campaign.
- Persistence: Installation of web shells on web roots and registration of the Nezha agent as a system service or daemon.
BabaDeda Loader
- Distribution: ClickFix (Social Engineering). Victims encounter fake error popups on websites instructing them to run specific PowerShell commands.
- Payload Behavior: Acts as a stealthy loader; decrypts and executes secondary payloads hidden within legitimate-looking installer files.
- C2 Communication: Connects to hard-coded IPs (e.g.,
91.92.243.161,158.94.208.104) often over non-standard ports (e.g., 3038). - Evasion: Uses code signing (potentially fake or stolen) and hides within installer traffic to blend in with administrative activity.
IOC Analysis
The provided IOCs include infrastructure and file artifacts critical for detection:
- Network Infrastructure (Pulse 1):
45.207.220.12andgd.bj2.xyzare associated with the Nezha C2. Blocking these at the perimeter and firewall is mandatory to prevent callback. - Network Infrastructure (Pulse 2): A set of IPs including
91.92.243.161(BG),158.94.208.104(GB), and77.238.248.158(RU) serve as C2 for the BabaDeda loader. - File Hashes:
- Nezha/Pulse 1: SHA256
7b2599ed54b72daec0acfd32744c7a9a77b19e6cf4e1651837175e4606dbc958. - BabaDeda/Pulse 2: MD5
b2e581c85432bd4df6a59a00cbda1cb3.
- Nezha/Pulse 1: SHA256
- Operationalization: SOC teams should immediately load these IPs into firewall blocklists and SIEM correlation engines. File hashes should be used to scan EDR historical data for execution attempts within the last 30 days.
Detection Engineering
Sigma Rules
---
title: Potential Nezha C2 Connection - Crown Prince Campaign
id: 3c9a9f1c-8b5a-4a2d-9b1c-1a2b3c4d5e6f
status: experimental
description: Detects outbound network connections to known Nezha C2 infrastructure associated with the "Crown Prince" phpMyAdmin campaign.
references:
- https://otx.alienvault.com/
author: Security Arsenal
date: 2026/07/06
modified: 2026/07/06
logsource:
category: network_connection
product: windows
detection:
selection:
DestinationIp|startswith:
- '45.207.220.12'
condition: selection
falsepositives:
- Unknown
level: high
---
title: BabaDeda Loader C2 Infrastructure Connection
id: 1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d
status: experimental
description: Detects outbound network connections to known BabaDeda Loader infrastructure associated with ClickFix campaigns.
references:
- https://otx.alienvault.com/
author: Security Arsenal
date: 2026/07/06
modified: 2026/07/06
logsource:
category: network_connection
product: windows
detection:
selection:
DestinationIp|startswith:
- '91.92.243.161'
- '158.94.208.104'
- '77.238.248.158'
- '89.124.81.216'
- '158.94.208.92'
condition: selection
falsepositives:
- Unknown
level: high
---
title: Suspicious PowerShell ClickFix Pattern
id: 4d5e6f7a-8b9c-0d1e-2f3a-4b5c6d7e8f9a
status: experimental
description: Detects suspicious PowerShell execution patterns often associated with ClickFix social engineering attacks (Clipboard manipulation + EncodedCommand).
references:
- https://otx.alienvault.com/
author: Security Arsenal
date: 2026/07/06
modified: 2026/07/06
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\powershell.exe'
CommandLine|contains:
- 'FromClipboard'
- 'Get-Clipboard'
CommandLine|contains:
- 'EncodedCommand'
- '-enc'
- '-e'
condition: selection
falsepositives:
- Legitimate administrative scripts
level: medium
KQL (Microsoft Sentinel)
Hunt for Nezha/BabaDeda Network Connections:
DeviceNetworkEvents
| where RemoteIP in ("45.207.220.12", "91.92.243.161", "158.94.208.104", "77.238.248.158", "89.124.81.216", "158.94.208.92")
| project Timestamp, DeviceName, InitiatingProcessAccountName, RemoteIP, RemotePort, RemoteUrl
**Hunt for Malicious File Hash Execution:**
kql
DeviceProcessEvents
| where SHA256 in ("7b2599ed54b72daec0acfd32744c7a9a77b19e6cf4e1651837175e4606dbc958", "35e0b22139fb27d2c9721aedf5770d893423bf029e1f56be92485ff8fce210f3", "9f33095a24471bed55ce11803e4ebbed5118bfb5d3861baf1c8214efcd9e7de6", "f3570bb6e0f9c695d48f89f043380b43831dd0f6fe79b16eda2a3ffd9fd7ad16") or MD5 in ("b2e581c85432bd4df6a59a00cbda1cb3", "d757ec4d5350843c44dd34a95dcb3a50")
| project Timestamp, DeviceName, FolderPath, FileName, AccountName, SHA256, MD5
PowerShell Hunt Script
IOC Hunter:
# Define IOCs from Pulse Data
$MaliciousHashes = @(
"7b2599ed54b72daec0acfd32744c7a9a77b19e6cf4e1651837175e4606dbc958",
"35e0b22139fb27d2c9721aedf5770d893423bf029e1f56be92485ff8fce210f3",
"9f33095a24471bed55ce11803e4ebbed5118bfb5d3861baf1c8214efcd9e7de6",
"f3570bb6e0f9c695d48f89f043380b43831dd0f6fe79b16eda2a3ffd9fd7ad16",
"b2e581c85432bd4df6a59a00cbda1cb3",
"d757ec4d5350843c44dd34a95dcb3a50"
)
$C2_IPs = @(
"45.207.220.12",
"91.92.243.161",
"158.94.208.104",
"77.238.248.158",
"89.124.81.216",
"158.94.208.92"
)
Write-Host "[+] Scanning for established connections to C2 IPs..."
Get-NetTCPConnection | Where-Object {
$C2_IPs -contains $_.RemoteAddress
} | Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess
Write-Host "[+] Scanning for process executables matching known malicious hashes..."
$Processes = Get-Process
foreach ($Proc in $Processes) {
try {
$FilePath = $Proc.Path
if ($FilePath -and (Test-Path $FilePath)) {
$Hash = (Get-FileHash -Path $FilePath -Algorithm SHA256).Hash.ToLower()
if ($MaliciousHashes -contains $Hash) {
Write-Host "[!] ALERT: Malicious process detected - PID: $($Proc.Id), Path: $FilePath" -ForegroundColor Red
}
}
} catch {
# Ignore access errors
}
}
# Response Priorities
* **Immediate:** Block all identified IP addresses and domains (`gd.bj2.xyz`, `cirealci.com`) at network edge and proxy levels. Initiate a hunt for the file hashes provided in the pulses across all endpoints.
* **24h:** Conduct forensic analysis on any `phpMyAdmin` instances for signs of log poisoning or China Chopper web shells. Review logs for "ClickFix" related user support tickets or PowerShell events involving clipboard access.
* **1 Week:** Patch and harden `phpMyAdmin` configurations (disable log access or restrict error reporting). Conduct security awareness training specifically regarding "ClickFix" social engineering tactics (fake browser errors).
Related Resources
Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.