
Cyberattack Targets Malaysian Officials with Babylon RAT Malware

An investigation by the Cyble Research and Intelligence Lab (CRIL) has uncovered a targeted cyberattack against Malaysian political figures and government officials. Active since July 2024, the campaign uses malicious ISO files to deploy Babylon RAT, a remote access trojan that gives the attacker full control of infected devices and the ability to steal sensitive information.

Each ISO looks harmless but bundles four components: a shortcut (LNK) file, a hidden PowerShell script, the malicious executable, and a decoy PDF. When the victim opens the image, the chain runs silently and installs Babylon RAT. Cyble Vision has linked this activity to earlier campaigns that delivered Quasar RAT, suggesting a sustained strategy of targeting high-profile individuals in Malaysia.

The decoy documents carry political and governmental themes, including material related to Majlis Amanah Rakyat (MARA), which lends the malicious files credibility with the intended targets.

Once the ISO is opened, the hidden PowerShell script runs in the background: it opens the decoy PDF for the victim to read while dropping and executing the malicious binary, so Babylon RAT is installed with no visible sign. The RAT lets the operator log keystrokes, steal passwords, monitor clipboard contents, and execute remote commands.
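The component list and the execution chain above are what a detection engineer has to work with: a shortcut launched from a freshly mounted ISO starts a hidden PowerShell process under explorer.exe, which then spawns both a PDF viewer (the decoy) and an executable from an untrusted path (the RAT). The script below is an added example, not code from the CRIL report or from Cyble, that correlates Sysmon Event ID 1 (process creation) records into that parent/child pattern. It assumes the shortcut is what triggers PowerShell, that the system volume is C: so a mounted ISO gets a different drive letter, and that the field names match Sysmon's (Image, ParentImage, CommandLine, ProcessGuid, ParentProcessGuid, User); the sample events are constructed, not real telemetry.

```python
"""Correlate Sysmon Event ID 1 records into the ISO-lure chain
explorer.exe -> hidden powershell.exe -> {decoy PDF viewer, dropped executable}.
Added example; the events below are constructed for illustration."""

import re
from collections import defaultdict

# PowerShell switches the lure relies on, including the short forms
# (-w hidden, -ep bypass) that malicious LNK files typically use.
HIDDEN_WINDOW = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)
EXEC_BYPASS = re.compile(r"-e(?:p|xecutionpolicy)?\s+bypass", re.I)
DRIVE_LETTER = re.compile(r"\b([A-Z]):\\", re.I)

SYSTEM_DRIVE = "C"  # assumption: the OS volume; a mounted ISO gets another letter
# Assumption: executables under these roots are treated as trusted.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def find_iso_lure_chains(events):
    """Return one finding per powershell.exe process that matches the chain.

    A finding needs the hidden/bypass PowerShell under explorer.exe plus at least
    one corroborating indicator (script on a non-system volume, a decoy document
    being opened, or an untrusted executable launched), so an administrator's own
    hidden script run from the system drive does not fire on its own."""
    children = defaultdict(list)
    for ev in events:
        children[ev["ParentProcessGuid"]].append(ev)

    findings = []
    for ev in events:
        if _basename(ev["Image"]) != "powershell.exe":
            continue
        if _basename(ev["ParentImage"]) != "explorer.exe":
            continue  # a double-clicked shortcut lands PowerShell under explorer.exe
        cmd = ev["CommandLine"]
        if not (HIDDEN_WINDOW.search(cmd) and EXEC_BYPASS.search(cmd)):
            continue

        reasons = ["hidden PowerShell with execution-policy bypass under explorer.exe"]
        foreign = {d.upper() for d in DRIVE_LETTER.findall(cmd)} - {SYSTEM_DRIVE}
        if foreign:
            reasons.append("script path on non-system volume %s" % sorted(foreign))

        decoy = payload = None
        for child in children[ev["ProcessGuid"]]:
            ccmd = child["CommandLine"].lower()
            cimg = child["Image"].lower()
            if ".pdf" in ccmd:
                decoy = child["Image"]
            elif cimg.endswith(".exe") and not cimg.startswith(TRUSTED_DIRS):
                payload = child["Image"]
        if decoy:
            reasons.append("decoy document opened by %s" % decoy)
        if payload:
            reasons.append("untrusted executable launched: %s" % payload)

        if len(reasons) >= 2:
            findings.append({"process_guid": ev["ProcessGuid"],
                             "user": ev["User"], "reasons": reasons})
    return findings


PS_EXE = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"

# Constructed Sysmon Event ID 1 records: one lure chain and one benign admin script.
SAMPLE_EVENTS = [
    {"ProcessGuid": "{P1}", "ParentProcessGuid": "{P0}", "User": "CORP\\analyst",
     "Image": PS_EXE, "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "powershell.exe -w hidden -ep bypass -File E:\\update.ps1"},
    {"ProcessGuid": "{P2}", "ParentProcessGuid": "{P1}", "User": "CORP\\analyst",
     "Image": "C:\\Program Files\\Adobe\\Acrobat Reader\\AcroRd32.exe",
     "ParentImage": PS_EXE, "CommandLine": "\"AcroRd32.exe\" \"E:\\notice.pdf\""},
    {"ProcessGuid": "{P3}", "ParentProcessGuid": "{P1}", "User": "CORP\\analyst",
     "Image": "C:\\Users\\analyst\\AppData\\Roaming\\svc.exe",
     "ParentImage": PS_EXE, "CommandLine": "C:\\Users\\analyst\\AppData\\Roaming\\svc.exe"},
    {"ProcessGuid": "{P4}", "ParentProcessGuid": "{P0}", "User": "CORP\\admin",
     "Image": PS_EXE, "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass "
                    "-File C:\\Scripts\\cleanup.ps1"},
]

if __name__ == "__main__":
    for f in find_iso_lure_chains(SAMPLE_EVENTS):
        print(f["process_guid"], f["user"])
        for r in f["reasons"]:
            print("  -", r)
```

The benign record ({P4}) has the same PowerShell flags but runs from the system drive and spawns nothing, so it is not reported; the lure ({P1}) is reported with all four reasons. In production the "non-system volume" check is better replaced by correlating with the VHDMP or Sysmon file-create events that record the ISO mount, since a USB stick also gets a non-system drive letter.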

The RAT also establishes persistence so that it survives a reboot. Babylon RAT first appeared on dark web forums in 2015 and has since been a staple of phishing campaigns across many industries; beyond remote control, it can spread across networks, launch DDoS attacks, and act as a proxy to relay and capture network traffic from compromised systems.

To reduce the risk of such attacks, CRIL researchers recommend deploying advanced email filtering, keeping security tooling and all software current with the latest patches, monitoring network activity for anomalies, and training staff to recognise phishing attempts.