What Is the BabaDeda Loader? Analysis of a New ClickFix Malware Campaign.
The BabaDeda loader is a malware family identified in April 2026 that uses a social engineering technique called ClickFix to trick users into executing commands via trusted OS utilities. It is a multi-stage loader that hides malicious payloads inside legitimate installer packages and uses advanced evasion techniques such as hidden PowerShell commands, in-memory shellcode execution, DLL sideloading, and external payload storage. This malware campaign enhances stealth and payload flexibility to avoid detection.
AI Analysis
Technical Summary
BabaDeda loader is an evolved malware framework discovered in April 2026 that leverages a social engineering exploit named ClickFix to initiate infection. The attack starts by convincing users to run commands through trusted operating system utilities, then proceeds through multiple sophisticated stages including the use of hidden PowerShell commands, in-memory shellcode, DLL sideloading, and storing payloads externally. The loader conceals its malicious payloads within seemingly legitimate installer packages, improving stealth and evasion capabilities. No known exploits in the wild have been reported, and no patches or fixes are applicable as this is malware rather than a software vulnerability.
Potential Impact
The malware can bypass detection by hiding payloads in legitimate installers and using advanced evasion techniques, potentially allowing attackers to execute arbitrary code on compromised systems. This can lead to unauthorized access, persistence, and further payload deployment. The use of trusted OS utilities for execution increases the likelihood of successful infection by deceiving users and security controls.
Mitigation Recommendations
Since this is malware rather than a software vulnerability, no patch or official fix is available. Mitigation should focus on user awareness to prevent execution of untrusted commands, monitoring for suspicious use of PowerShell and DLL sideloading, and employing endpoint detection and response solutions capable of identifying multi-stage loaders and in-memory code execution. Regular updates to security tools and threat intelligence feeds are recommended to detect and block BabaDeda loader activity.
Indicators of Compromise
- ip: 91.92.243.161
- hash: b2e581c85432bd4df6a59a00cbda1cb3
- ip: 158.94.208.104
- ip: 77.238.248.158
- domain: cirealci.com
- ip: 89.124.81.216
- ip: 158.94.208.92
- url: http://91.92.243.161:3038
- ip: 94.26.83.190
- ip: 95.163.152.190
- url: http://89.124.81.216:9000/wbinjget?q=B2E581C85432BD4DF6A59A00CBDA1CB3
- url: http://94.26.83.190:6600/t36umsn9/DataRescueCommunity
- url: http://95.163.152.190/linguist.zip
- url: http://humansbad2026.com/track.php?d=
- domain: humansbad2026.com
- hash: 2efaac26a7e8c4efaaf643f19cb8b978
- hash: 3c32116f5e98f5920c2d9f2b19755077
- hash: bf43af6116053819ebd41ee1deb40f85446c774d
- hash: c11d639851e27293cddac5eec891e909cc641821
- hash: 0c0dc13805564d986b5eac6c5e8c90d336256fbb7f8a0c52180f1f5c690fe203
- hash: 1e1d25391cf825d9607f652249e33cf1d2b98f260b587a1b1b33710e2ea6b91f
- hash: 2afa7b6f825ae82c0121117b2966c57d825e7f1cfecaef36e638f66a08060db6
- hash: 3b4208ec304b60ba9d0ca74838ad7031224a32c36d6e1fa7c616a5ecf5074a5b
- hash: 3e881c9663db5c80a0093f4b0f7008aa1e73866c57aa672e53b38274df4c2807
- hash: 425501b6428e19536be925b4a286f73ae94270bc23ac516832ea27ba6c875998
- hash: 5c6144b1bb4c195a4dcd7ebac8c427852c7e15cb5b4f5217dda0cfb39a90062a
- hash: 71f19394bf15ae47b668fcbe13d0fe4d46d8c06ce004eeccf82c8d1770bba558
- hash: 7eb345c26a1b827e7b2ef5b7881cb406b04b056ebc36cc92e3f7643decd2671f
- hash: 809d030d1fd65c909260b4b33bff9c99f775aea332d944ad1f64b4e5e81a6d60
- hash: 91255813151e6fb3d2a45e088490214c110ff035bbd1ee01ff430782868c77b3
- hash: 9677584602ae15bdd20d91b9a14768a17c126107739e3853d969ff4e02e10e71
- hash: 9a736f4812b485f9cf5b1332a791b205b5135a4b3a0c41f473ad9cc9fbe2d75c
- hash: a8a2148d6cf70d06a9c2ecded8b1a21f982cf11ffc9774442209f536a66a8630
- hash: c92950568a2b757d4ee0bad84b33f5b3414f0d5fdf3d3f5b06e7d304a7ccf1a1
- hash: d79a454beabcd59459c350c71598bffd6badb6a8905b0e9fa3c1ee22cbef7d7e
- hash: dcd612f1d86ff5c9b43f1a3d0baea16b9c08e4b844bcd82564c720ee1caafe3c
- hash: e38550a29e4ff48d8cd4df5ab34a88b9b28f23d50e66129c896689cd334849a9
- hash: fa25acfac32c557f809ab544764d4348f31cf9909ad9d512883d6cba8369ba88
What Is the BabaDeda Loader? Analysis of a New ClickFix Malware Campaign.
Description
The BabaDeda loader is a malware family identified in April 2026 that uses a social engineering technique called ClickFix to trick users into executing commands via trusted OS utilities. It is a multi-stage loader that hides malicious payloads inside legitimate installer packages and uses advanced evasion techniques such as hidden PowerShell commands, in-memory shellcode execution, DLL sideloading, and external payload storage. This malware campaign enhances stealth and payload flexibility to avoid detection.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
BabaDeda loader is an evolved malware framework discovered in April 2026 that leverages a social engineering exploit named ClickFix to initiate infection. The attack starts by convincing users to run commands through trusted operating system utilities, then proceeds through multiple sophisticated stages including the use of hidden PowerShell commands, in-memory shellcode, DLL sideloading, and storing payloads externally. The loader conceals its malicious payloads within seemingly legitimate installer packages, improving stealth and evasion capabilities. No known exploits in the wild have been reported, and no patches or fixes are applicable as this is malware rather than a software vulnerability.
Potential Impact
The malware can bypass detection by hiding payloads in legitimate installers and using advanced evasion techniques, potentially allowing attackers to execute arbitrary code on compromised systems. This can lead to unauthorized access, persistence, and further payload deployment. The use of trusted OS utilities for execution increases the likelihood of successful infection by deceiving users and security controls.
Mitigation Recommendations
Since this is malware rather than a software vulnerability, no patch or official fix is available. Mitigation should focus on user awareness to prevent execution of untrusted commands, monitoring for suspicious use of PowerShell and DLL sideloading, and employing endpoint detection and response solutions capable of identifying multi-stage loaders and in-memory code execution. Regular updates to security tools and threat intelligence feeds are recommended to detect and block BabaDeda loader activity.
Technical Details
- Author
- AlienVault
- Tlp
- white
- References
- ["https://www.morphisec.com/blog/what-is-the-babadeda-loader-analysis-of-a-new-clickfix-malware-campaign/"]
- Adversary
- null
- Pulse Id
- 6a47b2cc64d3d9241377df01
- Threat Score
- null
Indicators of Compromise
Ip
| Value | Description | Copy |
|---|---|---|
ip91.92.243.161 | CC=BG ASN=AS34368 zonata - natskovi & sie ltd. | |
ip158.94.208.104 | CC=GB ASN=AS786 jisc services limited | |
ip77.238.248.158 | CC=RU ASN=AS42429 tele.ru ltd. | |
ip89.124.81.216 | CC=IE ASN=AS25441 imagine communications group limited | |
ip158.94.208.92 | CC=GB ASN=AS786 jisc services limited | |
ip94.26.83.190 | CC=BG ASN=AS48452 traffic broadband communications ltd. | |
ip95.163.152.190 | CC=RU ASN=AS12695 llc digital network |
Hash
| Value | Description | Copy |
|---|---|---|
hashb2e581c85432bd4df6a59a00cbda1cb3 | — | |
hash2efaac26a7e8c4efaaf643f19cb8b978 | MD5 of 2afa7b6f825ae82c0121117b2966c57d825e7f1cfecaef36e638f66a08060db6 | |
hash3c32116f5e98f5920c2d9f2b19755077 | MD5 of 1e1d25391cf825d9607f652249e33cf1d2b98f260b587a1b1b33710e2ea6b91f | |
hashbf43af6116053819ebd41ee1deb40f85446c774d | SHA1 of 1e1d25391cf825d9607f652249e33cf1d2b98f260b587a1b1b33710e2ea6b91f | |
hashc11d639851e27293cddac5eec891e909cc641821 | SHA1 of 2afa7b6f825ae82c0121117b2966c57d825e7f1cfecaef36e638f66a08060db6 | |
hash0c0dc13805564d986b5eac6c5e8c90d336256fbb7f8a0c52180f1f5c690fe203 | — | |
hash1e1d25391cf825d9607f652249e33cf1d2b98f260b587a1b1b33710e2ea6b91f | — | |
hash2afa7b6f825ae82c0121117b2966c57d825e7f1cfecaef36e638f66a08060db6 | — | |
hash3b4208ec304b60ba9d0ca74838ad7031224a32c36d6e1fa7c616a5ecf5074a5b | — | |
hash3e881c9663db5c80a0093f4b0f7008aa1e73866c57aa672e53b38274df4c2807 | — | |
hash425501b6428e19536be925b4a286f73ae94270bc23ac516832ea27ba6c875998 | — | |
hash5c6144b1bb4c195a4dcd7ebac8c427852c7e15cb5b4f5217dda0cfb39a90062a | — | |
hash71f19394bf15ae47b668fcbe13d0fe4d46d8c06ce004eeccf82c8d1770bba558 | — | |
hash7eb345c26a1b827e7b2ef5b7881cb406b04b056ebc36cc92e3f7643decd2671f | — | |
hash809d030d1fd65c909260b4b33bff9c99f775aea332d944ad1f64b4e5e81a6d60 | — | |
hash91255813151e6fb3d2a45e088490214c110ff035bbd1ee01ff430782868c77b3 | — | |
hash9677584602ae15bdd20d91b9a14768a17c126107739e3853d969ff4e02e10e71 | — | |
hash9a736f4812b485f9cf5b1332a791b205b5135a4b3a0c41f473ad9cc9fbe2d75c | — | |
hasha8a2148d6cf70d06a9c2ecded8b1a21f982cf11ffc9774442209f536a66a8630 | — | |
hashc92950568a2b757d4ee0bad84b33f5b3414f0d5fdf3d3f5b06e7d304a7ccf1a1 | — | |
hashd79a454beabcd59459c350c71598bffd6badb6a8905b0e9fa3c1ee22cbef7d7e | — | |
hashdcd612f1d86ff5c9b43f1a3d0baea16b9c08e4b844bcd82564c720ee1caafe3c | — | |
hashe38550a29e4ff48d8cd4df5ab34a88b9b28f23d50e66129c896689cd334849a9 | — | |
hashfa25acfac32c557f809ab544764d4348f31cf9909ad9d512883d6cba8369ba88 | — |
Domain
| Value | Description | Copy |
|---|---|---|
domaincirealci.com | — | |
domainhumansbad2026.com | — |
Url
| Value | Description | Copy |
|---|---|---|
urlhttp://91.92.243.161:3038 | — | |
urlhttp://89.124.81.216:9000/wbinjget?q=B2E581C85432BD4DF6A59A00CBDA1CB3 | — | |
urlhttp://94.26.83.190:6600/t36umsn9/DataRescueCommunity | — | |
urlhttp://95.163.152.190/linguist.zip | — | |
urlhttp://humansbad2026.com/track.php?d= | — |
Threat ID: 6a4b7e2227e9c7971947a2de
Added to database: 07/06/2026, 10:06:26 UTC
Last enriched: 07/06/2026, 10:21:21 UTC
Last updated: 07/06/2026, 16:59:18 UTC
Views: 12
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.