Mallory
Malware

BabShell

BabShell is a C++ reverse shell used by the Mysterious Elephant APT in cyber-espionage campaigns against government entities and foreign-affairs organizations in South Asia and the wider Asia-Pacific region, with reported targeting of Pakistan, Afghanistan, Bangladesh, Nepal, India, and Sri Lanka.

In the early 2025 campaign described in the source material, initial access was obtained through exploit kits, phishing emails, and malicious documents; a PowerShell script then dropped BabShell onto the compromised host. Once running, BabShell lets the operators connect to the infected host, collects system information (username, computer name, and MAC address), executes attacker-supplied commands in separate threads, writes each command's result to a file named in the format output_[timestamp].txt, and exfiltrates that output to command-and-control infrastructure.

The malware is described as one component of a broader Mysterious Elephant toolchain used alongside MemLoader modules. Specifically, BabShell was reported to launch MemLoader HidenDesk, an in-memory loader that can execute a Remcos RAT payload, and MemLoader Edge, a loader that embeds a vxRat-derived backdoor referred to as VRat. The campaign's broader objective was theft of sensitive data, including files shared through WhatsApp Desktop and Chrome browser data, collected by other associated exfiltration modules.

The provided content does not include BabShell-specific hashes or network indicators.
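The output_[timestamp].txt naming described above is the one host-side artifact the report gives, so a defender can hunt for it in file-creation telemetry. The following is an added example, not code from the report or from Mallory: it scans a constructed, pipe-delimited file-creation feed (host, UTC time, PID, writing process, target path; the process names and paths are invented), flags files matching the reported pattern, and counts matches per writing process, since one process writing several such files in a row looks like command output being staged. The assumption that the timestamp is 8 to 14 digits is mine; the report does not state the format.

```python
import re
from collections import Counter
from datetime import datetime

# Reported BabShell output naming: output_[timestamp].txt. The digit range is an
# assumption; the report does not specify the timestamp format.
OUTPUT_NAME_RE = re.compile(r"(?:^|[\\/])output_\d{8,14}\.txt$", re.IGNORECASE)

# Constructed sample telemetry (not real events): host|utc_time|pid|image|target_file
SAMPLE_EVENTS = """\
ws01|2025-02-03T09:12:01|4412|C:\\Users\\alice\\AppData\\Local\\Temp\\svchost32.exe|C:\\Users\\alice\\AppData\\Local\\Temp\\output_20250203091201.txt
ws01|2025-02-03T09:12:07|4412|C:\\Users\\alice\\AppData\\Local\\Temp\\svchost32.exe|C:\\Users\\alice\\AppData\\Local\\Temp\\output_20250203091207.txt
ws01|2025-02-03T09:15:00|1200|C:\\Program Files\\Office\\excel.exe|C:\\Users\\alice\\Documents\\output_budget.txt
ws02|2025-02-03T10:01:44|2876|C:\\Windows\\System32\\cmd.exe|C:\\Temp\\output_20250203100144.txt
"""


def parse_event(line):
    """Split one pipe-delimited file-creation record into a dict."""
    host, ts, pid, image, target = line.split("|", 4)
    return {"host": host, "time": datetime.fromisoformat(ts),
            "pid": int(pid), "image": image, "target": target}


def find_output_file_hits(telemetry):
    """Return every event whose target file matches the reported naming pattern."""
    hits = []
    for line in telemetry.splitlines():
        if not line.strip():
            continue
        event = parse_event(line)
        if OUTPUT_NAME_RE.search(event["target"]):
            hits.append(event)
    return hits


def writers_by_process(hits):
    """Count matching files per (host, pid, image). Repeated writes from a single
    process are the stronger signal: the report describes one file per command."""
    return Counter((h["host"], h["pid"], h["image"]) for h in hits)


if __name__ == "__main__":
    for key, count in writers_by_process(find_output_file_hits(SAMPLE_EVENTS)).items():
        print(f"{key[0]} pid={key[1]} {key[2]} wrote {count} matching file(s)")
```

A name match alone is a hunting lead, not a verdict; pair it with the dropper chain the report describes (a PowerShell script launching an unfamiliar executable) before escalating.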
