Discord Blockchain Fans Targeted by New Babadeda Trojan Campaign

New Babadeda Cryptor Trojan Targets Blockchain Enthusiasts on Discord

Cybersecurity experts at Morphisec have uncovered a malicious campaign targeting members of NFT and DeFi communities on Discord, as well as fans of blockchain-based games. Attackers are using an unusual cryptor program, codenamed Babadeda (named after a placeholder string found in its code), to bypass antivirus detection and distribute trojans.

How the Attack Works

The newly discovered Windows malware has already been seen in cyber campaigns aimed at spreading info-stealers, RAT trojans, and the LockBit ransomware. Since late summer, it has primarily been used to deliver BitRAT and Remcos malware.

According to Morphisec’s blog post, the attacks begin with teaser messages sent in Discord channels, offering users the chance to download a useful program—such as a tool for the game Mines of Dalarnia. When a user clicks the provided link, they are redirected to a website that closely resembles the legitimate one.

The fake site’s address also appears convincing: attackers use typosquatting or register the same domain name in a different top-level domain (TLD) zone. To further enhance credibility, the spoofed site uses a free Let’s Encrypt SSL certificate.
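As an added illustration of how a defender can screen the kind of lookalike links described above (this is example code written for this article, not Morphisec's tooling or anything from the campaign), the script below checks a URL against a constructed allowlist of community domains and flags the two tricks the text names: the same name registered under a different TLD, and typosquatted or homoglyph-altered labels. The domain names, the allowlist and the homoglyph table are all assumptions chosen for the example.

```python
from urllib.parse import urlparse

# Constructed allowlist: the domains a community actually links to (placeholders,
# not the real sites named in the article).
KNOWN_GOOD = {"example-game.com", "example-nft.io"}

# Characters attackers swap for look-alikes; multi-character pairs are folded first.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"),
              ("5", "s"), ("7", "t")]


def hostname(url):
    """Return the lowercase hostname of a URL; bare domains are accepted too."""
    parsed = urlparse(url if "://" in url else "//" + url)
    return (parsed.hostname or "").strip(".")


def registrable(host):
    """Crude split into (second-level label, tld); multi-part suffixes are ignored."""
    parts = host.split(".")
    if len(parts) < 2:
        return host, ""
    return parts[-2], parts[-1]


def fold_homoglyphs(label):
    """Map look-alike characters back to the letters they imitate."""
    for glyph, plain in HOMOGLYPHS:
        label = label.replace(glyph, plain)
    return label


def edit_distance(a, b):
    """Levenshtein distance via the classic dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url):
    """Return (verdict, reason): known-good, suspicious, unknown or invalid."""
    host = hostname(url)
    if not host:
        return "invalid", "no hostname"
    # Exact match or a subdomain of an allowlisted site is fine.
    for good in KNOWN_GOOD:
        if host == good or host.endswith("." + good):
            return "known-good", good
    label, tld = registrable(host)
    for good in KNOWN_GOOD:
        glabel, gtld = registrable(good)
        # A legitimate name buried inside a longer hostname (e.g. as a subdomain).
        if good in host:
            return "suspicious", "legitimate name embedded in " + host
        # Same name, different TLD zone (the trick described in the article).
        if label == glabel and tld != gtld:
            return "suspicious", f"{glabel} registered under .{tld} instead of .{gtld}"
        # Digits or letter pairs standing in for similar-looking letters.
        if fold_homoglyphs(label) == glabel:
            return "suspicious", f"homoglyph variant of {good}"
        # Small spelling changes (typosquatting).
        if edit_distance(label, glabel) <= 2:
            return "suspicious", f"typosquat of {good}"
    return "unknown", host


if __name__ == "__main__":
    # Constructed sample links of the kind that might be posted in a channel.
    for link in ["https://www.example-game.com/download",
                 "https://example-game.net/setup.exe",
                 "http://examp1e-game.com",
                 "exampel-game.com",
                 "https://example-game.com.evil-host.xyz/dl",
                 "https://unrelated-site.org"]:
        print(link, "->", classify(link))
```

The registrable-domain split is deliberately crude (it treats the last label as the TLD), so for hosts under multi-part public suffixes such as `co.uk` a production version should use a public-suffix list; the checks themselves stay the same.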

After the browser is automatically redirected, a fake Windows installer is downloaded to the victim’s machine, initiating the infection chain.

Scope and Detection

During the investigation, 82 malicious domains associated with the Babadeda campaign were identified. All of these domains were created between July 24 and November 17 of this year, with at least one site presented in Russian.

Researchers also found several variants of the cryptor. Some display an interactive error message window (indicating an application failure) when executed—likely another trick to mask the malware’s true intent.

The first Babadeda samples uploaded to VirusTotal (such as LarvaLabs-App_v2.1.1-setup.exe) had very low detection rates—only 1 or 2 out of more than 60 antivirus engines flagged them. As of November 26, 15 scanners are able to detect it.

Stay Safe

  • Be cautious when downloading software from links shared in Discord or other chat platforms, especially if related to blockchain, NFT, or gaming communities.
  • Always verify the legitimacy of websites and domain names before downloading any files.
  • Keep your antivirus software up to date and be aware that new threats may evade detection initially.
