The sub-techniques beta is now live! Read the release blog post for more info.


BabyShark is a Microsoft Visual Basic (VB) script-based malware family that is believed to be associated with several North Korean campaigns. [1]

ID: S0414
Platforms: Windows
Version: 1.0
Created: 07 October 2019
Last Modified: 14 October 2019

Techniques Used

Domain ID Name Use
Enterprise T1059 Command-Line Interface

BabyShark has used cmd.exe to execute commands. [1]

Enterprise T1132 Data Encoding

BabyShark has encoded data using certutil.[1]

Enterprise T1083 File and Directory Discovery

BabyShark has used dir to search for "programfiles" and "appdata". [1]

Enterprise T1107 File Deletion

BabyShark has cleaned up all files associated with the secondary payload execution.[2]

Enterprise T1056 Input Capture

BabyShark has a PowerShell-based remote administration ability that can implement a PowerShell or C# based keylogger.[2]

Enterprise T1057 Process Discovery

BabyShark has executed the tasklist command. [1]

Enterprise T1012 Query Registry

BabyShark has executed the reg query command for HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default. [1]

Enterprise T1060 Registry Run Keys / Startup Folder

BabyShark has added a Registry key to ensure all future macros are enabled for Microsoft Word and Excel as well as for additional persistence.[1]

Enterprise T1105 Remote File Copy

BabyShark has downloaded additional files from the C2.[2]

Enterprise T1082 System Information Discovery

BabyShark has executed the ver command. [1]

Enterprise T1016 System Network Configuration Discovery

BabyShark has executed the ipconfig /all command. [1]

Enterprise T1033 System Owner/User Discovery

BabyShark has executed the whoami command.[1]