APT / THREAT GROUP

BabyShark

3 aliases
Last seen: Mar 17, 2026

Intelligence Profile

BabyShark is a Microsoft Visual Basic (VB) script-based malware family first seen in November 2018. The malware is launched by executing the first-stage HTA from a remote location, so it can be delivered via different file types, including PE files as well as malicious documents. It exfiltrates system information to a C2 server, maintains persistence on the system, and waits for further instruction from the operator.

Threat Analysis

This profile records BabyShark as a threat actor of undetermined national origin, with its primary motivation and activity patterns listed as unknown.

Quick Facts

Type: APT / Threat Group
Aliases: 3

Also Known As

BabyShark, win.babyshark, LATEOP

External Intelligence

Malpedia: win.babyshark

Data sourced from Malpedia, Ransomware.live, RansomLook, and CTIWATCH OSINT collection. Actor attribution is based on available intelligence and may be incomplete.