Threat actors target crypto and NFT communities with Babadeda crypter

Pierluigi Paganini November 26, 2021

Morphisec researchers spread cryptocurrency malware dubbed Babadeda in attacks aimed at crypto and NFT communities.

Morphisec researchers spotted a new crypto-malware strain, tracked as Babadeda, targeting cryptocurrency, non-fungible token (NFT), and DeFi passionates through Discord channels.

Threat actors are attempting to exploit the booming market for NFTs and crypto games. Babadeda is able to bypass antivirus solutions. According to the researchers, this crypto-malware was recently employed in several campaigns to deliver information stealers, RATs, and ransomware like LockBit.

Most of the attacks observed by the researchers that targeted crypto communities are based on the Discord platform, threat actors shared download links via Discord channels 

“In the campaign that we observed, a threat actor took advantage of these features in order to phish victims. The threat actor sent users a private message inviting them to download a related application that would supposedly grant the user access to new features and/or additional benefits. Because the actor created a Discord bot account on the official company discord channel, they were able to successfully impersonate the channel’s official account.” reads the report published by Morphisec.


In one of the attacks analyzed by Morphisec, threat actor sent decoy messages to potential victims via Discord channels related to games such as Mines of Dalarnia. The messages urge the recipients to download an application. The link included in the message redirects users to a phishing domain that contains a download link for the Babadeda installer.

One of the decoy sites used in this campaign includes an HTML object written in Russian, a circumstance that suggests that the threat actors may have a Russian origin. The list of RATs used by this campaign includes BitRAT and Remcos.

“As demonstrated above, Babadeda is a highly dangerous crypter. Targeting cryptocurrency users through trusted attack vectors gives its distributors a fast-growing selection of potential victims. Once on a victim’s machine, masquerading as a known application with a complex obfuscation also means that anyone relying on signature-based malware effectively has no way of knowing Babadeda is on their machine — or of stopping it from executing.” concludes the report.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, babadeda)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment