Skip to content

Malaysian politicians, officials targeted in Babylon RAT campaign

  • by
  • 3 min read

Threat actors have been targeting political figures and government officials in Malaysia since July, deploying three malicious ISO files to distribute Babylon RAT malware. This cyber espionage operation utilises deceptive tactics to trick users into executing the malware.

The campaign’s entry vector revolves around ISO files, a disk image format commonly used for software distribution. In this case, researchers found that these ISO files are crafted to contain a combination of malicious executables and lure documents designed to mislead the target into believing they are interacting with legitimate content.

Researchers found that one ISO file features content addressing political issues in Malaysia, indicating a clear intent to target politically engaged individuals. Another lure document references Majlis Amanah Rakyat (MARA), hinting that Malaysian government officials were also under attack.

“At the end of July, we observed two ISO files: one containing a lure document addressing political concerns in Malaysia, suggesting the campaign targets politically engaged individuals in the country,” explained researchers.

The third ISO file was discovered in August, containing a lure related to the MyKHAS system — a government platform.

The lure document targeting MyKHAS. | Source: Cyble

Upon closer inspection, these files reveal their sinister purpose — containing hidden PowerShell scripts and a Remote Access Trojan (RAT) known as Babylon RAT.

When the ISO file is opened, a visible shortcut file mimicking a PDF document immediately draws the user’s attention. Unbeknownst to the victim, this shortcut triggers a concealed PowerShell script running in the background, which activates the malicious executable.

The executable is then copied into the system’s %appdata% directory, and a registry entry is created to ensure the malware persists through reboots. The malicious payload is executed silently, leaving the victim unaware of the security breach.

At the core of the attack is Babylon RAT, an open-source malware capable of enabling full control over infected systems. Once deployed, Babylon RAT grants cybercriminals the ability to monitor keystrokes, access sensitive information, and execute commands remotely.

Babylon RAT attack chain. | Source: Cyble

This RAT is notorious for its comprehensive surveillance capabilities, making it a valuable tool in espionage.

“Babylon RAT communicates with a command-and-control (C2) server for further instructions, data exfiltration, and payload delivery. It is often used for long-term surveillance and data harvesting in targeted cyberattacks,” researchers said.

Researchers found that the RAT maintains persistence through registry modifications, allowing it to survive system reboots and remain active for long periods, facilitating continuous monitoring. Its ability to operate stealthily enhances its effectiveness in long-term cyber espionage campaigns, as it silently harvests data and transmits it to command-and-control (C2) servers.

Once connected, threat actors can control the compromised system, execute commands, and exfiltrate sensitive information, further advancing their espionage objectives.

Researchers recommend that organisations use advanced email filtering solutions to block malicious attachments. In addition, regularly updating endpoint security tools and continuously monitoring the network can help identify and neutralise these threats. Finally, providing cyber security training to political figures and bureaucrats is important.

In the News: Bit File Manager plugin exposed to RCE flaw; patch issued

Kumar Hemant

Kumar Hemant

Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: kumarhemant@pm.me

>