Babar is a sophisticated Windows espionage malware family associated with the SNOWGLOBE operation, also referred to in reporting as Animal Farm. Leaked CSEC material linked Babar to SNOWGLOBE and attributed the broader operation with moderate certainty to a French intelligence service; public reporting also noted French cultural references in the code, including the name "Babar" and the developer name "Titi."

Researchers described Babar as a fully fledged espionage implant capable of invading running processes, hooking API calls to steal sensitive data on the fly, logging keystrokes, capturing screenshots, stealing clipboard contents, recording audio, and exfiltrating stolen information to remote servers. It hooked APIs related to network traffic, file creation, and audio processing in browsers, office applications, and softphone applications. Reported cryptographic behavior includes use of 128-bit AES with hard-coded keys for command-and-control communication and data handling. The Babar dropper contained the internal project name "Babar64" in debug information.

Known hard-coded C2 domains mentioned in the content include horizons-tourisme.com and gezelimmi.com. Researchers also found directory names bb28, tfc422, and d13 on related C2 infrastructure, linking Babar to other malware families in the same cluster. The leaked CSEC slides described Babar beaconing with a misspelled "MSI" User-Agent string instead of "MSIE," which matched analyzed samples.

Babar is presented as the best-known malware family within a broader cluster that also included NBOT, Bunny, Casper, and later reporting by Kaspersky under the Animal Farm label, with activity roughly spanning 2010 to 2014. The cluster shared code, infrastructure, API hashing, injection techniques, WMI-based antivirus enumeration, encrypted XML configurations, and naming conventions, supporting the assessment that the families were authored and operated by the same group.
Infection vectors directly mentioned for the broader cluster include spear-phishing and watering-hole attacks, but the provided content does not explicitly assign a specific initial infection vector to Babar itself. The content also notes that some modern antivirus detections label unrelated malware generically as Babar or Gen:Variant.Babar; those detections should not be treated as attribution to the historical French-linked Babar espionage platform.
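The beaconing traits quoted above (the "MSI" User-Agent where a browser would send "MSIE", the hard-coded C2 domains horizons-tourisme.com and gezelimmi.com, and the bb28/tfc422/d13 directory names) are easy to turn into a proxy-log check. The script below is an added example written for this page, not code from the original reporting or from Mallory; the log line layout, the `compatible; MSI` pattern, and the sample lines are constructed assumptions for the demo, and the indicator values are the historical ones the text quotes.

```python
"""Flag proxy log lines that carry Babar-style beaconing traits.

Added example; the log format and sample lines are constructed for the demo.
"""
import re
from urllib.parse import urlparse

# Indicators quoted in the write-up above (historical, for illustration only).
KNOWN_C2_DOMAINS = {"horizons-tourisme.com", "gezelimmi.com"}
KNOWN_C2_DIRS = {"bb28", "tfc422", "d13"}

# The leaked slides described an "MSI" token where a browser sends "MSIE".
# The trailing \b rejects the legitimate "MSIE" spelling. (Assumed UA shape.)
MALFORMED_MSIE = re.compile(r"compatible;\s*MSI\b")

# Constructed proxy log layout: ts client method url status "user-agent".
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>\S+) (?P<url>\S+) '
    r'(?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return the fields of one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def assess(entry):
    """Return the list of Babar-style traits present in one parsed entry."""
    reasons = []
    if MALFORMED_MSIE.search(entry["ua"]):
        reasons.append("user-agent sends 'MSI' instead of 'MSIE'")
    parsed = urlparse(entry["url"])
    host = (parsed.hostname or "").lower()
    if host in KNOWN_C2_DOMAINS:
        reasons.append(f"known C2 domain {host}")
    path = parsed.path.strip("/")
    first_dir = path.split("/")[0] if path else ""
    if first_dir in KNOWN_C2_DIRS:
        reasons.append(f"known C2 directory /{first_dir}/")
    return reasons


def analyze(lines):
    """Parse log lines and return one finding per line that shows any trait."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue  # skip malformed lines instead of failing the whole run
        reasons = assess(entry)
        if reasons:
            findings.append({
                "ts": entry["ts"],
                "src": entry["src"],
                "host": (urlparse(entry["url"]).hostname or "").lower(),
                "reasons": reasons,
            })
    return findings


# Constructed sample lines: the first carries all three traits, the second is a
# normal browser, the third has only the odd User-Agent, the fourth is garbage.
SAMPLE_LOG = [
    '2014-03-02T10:15:01Z 10.1.2.3 GET http://horizons-tourisme.com/bb28/index.php 200 '
    '"Mozilla/4.0 (compatible; MSI 6.0; Windows NT 5.1)"',
    '2014-03-02T10:15:07Z 10.1.2.4 GET http://www.example.org/ 200 '
    '"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)"',
    '2014-03-02T10:16:22Z 10.1.2.5 POST http://cdn.example.net/upload 200 '
    '"Mozilla/4.0 (compatible; MSI 7.0; Windows NT 6.1)"',
    'not a log line',
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding["ts"], finding["src"], finding["host"], "; ".join(finding["reasons"]))
```

The User-Agent check alone is the weakest of the three signals, since any odd client can mangle its identifier; treat a lone "MSI" hit as a lead to pivot on, and the domain or directory match as the higher-confidence indicator.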
10 distinct techniques documented for this family, organized by ATT&CK tactic.
As a means of stealth, the bots create an svchost.exe process and inject a remote thread to execute their binary payload in the context of svchost.exe... The Babar implant will inject itself into a randomly chosen desktop process... Casper infector spawns a svchost.exe process and injects its malicious payload.
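The svchost.exe remote-thread injection described above is visible in endpoint telemetry as a Sysmon Event ID 8 (CreateRemoteThread) record. The triage script below is an added example for this page, not code from the original reporting or from Mallory; it uses the standard Sysmon field names (SourceImage, TargetImage, StartModule), while the event XML, the path markers, and the empty allow-list are constructed assumptions to tune per environment.

```python
"""Triage Sysmon Event ID 8 (CreateRemoteThread) records for svchost.exe injection.

Added example; the XML records below are constructed, not captured from a host.
"""
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

# Constructed placeholder allow-list: processes your environment legitimately
# expects to start threads inside svchost.exe. Tune it from local telemetry.
EXPECTED_SVCHOST_INJECTORS = set()

# Path fragments typical of user-writable locations a dropped payload runs from.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")


def parse_events(xml_text):
    """Return the EventData fields of every Event ID 8 record in the XML blob."""
    root = ET.fromstring(xml_text)
    records = []
    for ev in root.iter("Event"):
        if ev.findtext("System/EventID") != "8":
            continue
        records.append({d.get("Name"): (d.text or "") for d in ev.findall("EventData/Data")})
    return records


def assess_remote_thread(rec):
    """Return the reasons one CreateRemoteThread record looks like payload injection."""
    reasons = []
    src = rec.get("SourceImage", "")
    tgt = rec.get("TargetImage", "")
    src_name = PureWindowsPath(src).name.lower()
    tgt_name = PureWindowsPath(tgt).name.lower()
    if tgt_name == "svchost.exe" and src_name not in EXPECTED_SVCHOST_INJECTORS:
        reasons.append(f"{src_name} created a thread in svchost.exe")
    if any(marker in src.lower() for marker in USER_WRITABLE_MARKERS):
        reasons.append("source image runs from a user-writable path")
    if not rec.get("StartModule"):
        # Sysmon leaves StartModule empty when the thread start address is not
        # inside any loaded module, which is what freshly written code looks like.
        reasons.append("thread start address is outside any loaded module")
    return reasons


def triage(xml_text):
    """Return (source image, target image, reasons) for each suspicious record."""
    hits = []
    for rec in parse_events(xml_text):
        reasons = assess_remote_thread(rec)
        if reasons:
            hits.append((rec.get("SourceImage", ""), rec.get("TargetImage", ""), reasons))
    return hits


# Constructed records: a payload in Temp injecting into svchost.exe, a vendor
# agent starting a thread in its own helper, and an unrelated Event ID 1.
SAMPLE_XML = """<Events>
  <Event><System><EventID>8</EventID></System><EventData>
    <Data Name="SourceImage">C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe</Data>
    <Data Name="TargetImage">C:\\Windows\\System32\\svchost.exe</Data>
    <Data Name="StartAddress">0x02A10000</Data>
    <Data Name="StartModule"></Data>
    <Data Name="StartFunction"></Data>
  </EventData></Event>
  <Event><System><EventID>8</EventID></System><EventData>
    <Data Name="SourceImage">C:\\Program Files\\Vendor\\agent.exe</Data>
    <Data Name="TargetImage">C:\\Program Files\\Vendor\\helper.exe</Data>
    <Data Name="StartAddress">0x7FFE1234</Data>
    <Data Name="StartModule">C:\\Windows\\System32\\ntdll.dll</Data>
    <Data Name="StartFunction">RtlUserThreadStart</Data>
  </EventData></Event>
  <Event><System><EventID>1</EventID></System><EventData>
    <Data Name="Image">C:\\Windows\\System32\\svchost.exe</Data>
  </EventData></Event>
</Events>"""

if __name__ == "__main__":
    for src, tgt, reasons in triage(SAMPLE_XML):
        print(f"{src} -> {tgt}: " + "; ".join(reasons))
```

The three checks are deliberately independent so that the page's other pattern, injection into a randomly chosen desktop process rather than svchost.exe, still surfaces through the user-writable source path and the module-less start address even when the target name is unremarkable.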
The Babar implant applies a global Windows hook... Babar installs hooks for types 2 and 3, which are WH_KEYBOARD and WH_GETMESSAGE.
Babar is a fully fledged piece of espionage software... log keystrokes... A summary of the capabilities is as follows: • Logging keystrokes
13 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
6 sources tracked across advisories, community write-ups, and news.
Mentioned only as a generic AV family classification applied to the sample; the content explicitly warns not to attribute the analyzed sample to historical Babar activity based on AV naming alone.
Babar is a malware family, often categorized as spyware, delivered via malvertising and parked domain redirects. It is distributed through ClickFix attacks that attempt to trick users into running malicious scripts.
A malware family associated in the article with the Animal Farm cluster.
A malware family mentioned as part of the Animal Farm cluster referenced in the leaked presentation.