Skip to main content
Press slash or control plus K to focus the search. Use the arrow keys to navigate results and press enter to open a threat.
Reconnecting to live updates…

What Is the BabaDeda Loader? Analysis of a New ClickFix Malware Campaign.

0
Medium
Published: 07/03/2026 (07/03/2026, 13:02:04 UTC)
Source: AlienVault OTX General

Description

The BabaDeda loader is a malware family identified in April 2026 that uses a social engineering technique called ClickFix to trick users into executing commands via trusted OS utilities. It is a multi-stage loader that hides malicious payloads inside legitimate installer packages and uses advanced evasion techniques such as hidden PowerShell commands, in-memory shellcode execution, DLL sideloading, and external payload storage. This malware campaign enhances stealth and payload flexibility to avoid detection.

AI-Powered Analysis

Machine-generated threat intelligence

AILast updated: 07/06/2026, 10:21:21 UTC

Technical Analysis

BabaDeda loader is an evolved malware framework discovered in April 2026 that leverages a social engineering exploit named ClickFix to initiate infection. The attack starts by convincing users to run commands through trusted operating system utilities, then proceeds through multiple sophisticated stages including the use of hidden PowerShell commands, in-memory shellcode, DLL sideloading, and storing payloads externally. The loader conceals its malicious payloads within seemingly legitimate installer packages, improving stealth and evasion capabilities. No known exploits in the wild have been reported, and no patches or fixes are applicable as this is malware rather than a software vulnerability.

Potential Impact

The malware can bypass detection by hiding payloads in legitimate installers and using advanced evasion techniques, potentially allowing attackers to execute arbitrary code on compromised systems. This can lead to unauthorized access, persistence, and further payload deployment. The use of trusted OS utilities for execution increases the likelihood of successful infection by deceiving users and security controls.

Mitigation Recommendations

Since this is malware rather than a software vulnerability, no patch or official fix is available. Mitigation should focus on user awareness to prevent execution of untrusted commands, monitoring for suspicious use of PowerShell and DLL sideloading, and employing endpoint detection and response solutions capable of identifying multi-stage loaders and in-memory code execution. Regular updates to security tools and threat intelligence feeds are recommended to detect and block BabaDeda loader activity.

Pro Console: star threats, build custom feeds, automate alerts via Slack, email & webhooks.Upgrade to Pro

Technical Details

Author
AlienVault
Tlp
white
References
["https://www.morphisec.com/blog/what-is-the-babadeda-loader-analysis-of-a-new-clickfix-malware-campaign/"]
Adversary
null
Pulse Id
6a47b2cc64d3d9241377df01
Threat Score
null

Indicators of Compromise

Ip

ValueDescriptionCopy
ip91.92.243.161
CC=BG ASN=AS34368 zonata - natskovi & sie ltd.
ip158.94.208.104
CC=GB ASN=AS786 jisc services limited
ip77.238.248.158
CC=RU ASN=AS42429 tele.ru ltd.
ip89.124.81.216
CC=IE ASN=AS25441 imagine communications group limited
ip158.94.208.92
CC=GB ASN=AS786 jisc services limited
ip94.26.83.190
CC=BG ASN=AS48452 traffic broadband communications ltd.
ip95.163.152.190
CC=RU ASN=AS12695 llc digital network

Hash

ValueDescriptionCopy
hashb2e581c85432bd4df6a59a00cbda1cb3
hash2efaac26a7e8c4efaaf643f19cb8b978
MD5 of 2afa7b6f825ae82c0121117b2966c57d825e7f1cfecaef36e638f66a08060db6
hash3c32116f5e98f5920c2d9f2b19755077
MD5 of 1e1d25391cf825d9607f652249e33cf1d2b98f260b587a1b1b33710e2ea6b91f
hashbf43af6116053819ebd41ee1deb40f85446c774d
SHA1 of 1e1d25391cf825d9607f652249e33cf1d2b98f260b587a1b1b33710e2ea6b91f
hashc11d639851e27293cddac5eec891e909cc641821
SHA1 of 2afa7b6f825ae82c0121117b2966c57d825e7f1cfecaef36e638f66a08060db6
hash0c0dc13805564d986b5eac6c5e8c90d336256fbb7f8a0c52180f1f5c690fe203
hash1e1d25391cf825d9607f652249e33cf1d2b98f260b587a1b1b33710e2ea6b91f
hash2afa7b6f825ae82c0121117b2966c57d825e7f1cfecaef36e638f66a08060db6
hash3b4208ec304b60ba9d0ca74838ad7031224a32c36d6e1fa7c616a5ecf5074a5b
hash3e881c9663db5c80a0093f4b0f7008aa1e73866c57aa672e53b38274df4c2807
hash425501b6428e19536be925b4a286f73ae94270bc23ac516832ea27ba6c875998
hash5c6144b1bb4c195a4dcd7ebac8c427852c7e15cb5b4f5217dda0cfb39a90062a
hash71f19394bf15ae47b668fcbe13d0fe4d46d8c06ce004eeccf82c8d1770bba558
hash7eb345c26a1b827e7b2ef5b7881cb406b04b056ebc36cc92e3f7643decd2671f
hash809d030d1fd65c909260b4b33bff9c99f775aea332d944ad1f64b4e5e81a6d60
hash91255813151e6fb3d2a45e088490214c110ff035bbd1ee01ff430782868c77b3
hash9677584602ae15bdd20d91b9a14768a17c126107739e3853d969ff4e02e10e71
hash9a736f4812b485f9cf5b1332a791b205b5135a4b3a0c41f473ad9cc9fbe2d75c
hasha8a2148d6cf70d06a9c2ecded8b1a21f982cf11ffc9774442209f536a66a8630
hashc92950568a2b757d4ee0bad84b33f5b3414f0d5fdf3d3f5b06e7d304a7ccf1a1
hashd79a454beabcd59459c350c71598bffd6badb6a8905b0e9fa3c1ee22cbef7d7e
hashdcd612f1d86ff5c9b43f1a3d0baea16b9c08e4b844bcd82564c720ee1caafe3c
hashe38550a29e4ff48d8cd4df5ab34a88b9b28f23d50e66129c896689cd334849a9
hashfa25acfac32c557f809ab544764d4348f31cf9909ad9d512883d6cba8369ba88

Domain

ValueDescriptionCopy
domaincirealci.com
domainhumansbad2026.com

Url

ValueDescriptionCopy
urlhttp://91.92.243.161:3038
urlhttp://89.124.81.216:9000/wbinjget?q=B2E581C85432BD4DF6A59A00CBDA1CB3
urlhttp://94.26.83.190:6600/t36umsn9/DataRescueCommunity
urlhttp://95.163.152.190/linguist.zip
urlhttp://humansbad2026.com/track.php?d=

Threat ID: 6a4b7e2227e9c7971947a2de

Added to database: 07/06/2026, 10:06:26 UTC

Last enriched: 07/06/2026, 10:21:21 UTC

Last updated: 07/06/2026, 16:59:18 UTC

Views: 12

Community Reviews

0 reviews

Crowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.

Sort by
Loading community insights…

Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.

Actions

PRO

Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.

Please log in to the Console to use AI analysis features.

External Links

Need more coverage?

Upgrade to Pro Console for AI refresh and higher limits.

For incident response and remediation, OffSeq services can help resolve threats faster.

Latest Threats

Breach by OffSeqOFFSEQFRIENDS — 25% OFF

Check if your credentials are on the dark web

Instant breach scanning across billions of leaked records. Free tier available.

Scan now
OffSeq TrainingCredly Certified

Lead Pen Test Professional

Technical5-day eLearningPECB Accredited
View courses