In Slavic mythology and folklore, Baba Yaga is an evil old woman who kidnaps misbehaving children. In the world of cybercrime, the BabaYaga malware is a feared threat in its own right, with the potential to cause its targets a fair number of headaches.

Targets a Variety of Websites

The main purpose of the BabaYaga threat is to compromise websites and redirect their traffic to hidden pages that it plants on the compromised site. Those pages then forward the hijacked traffic to advertising links. The authors of the BabaYaga malware earn revenue every time a user buys a product or subscribes to a service marketed to them through this shady network. The BabaYaga threat targets generic PHP sites, as well as websites based on Joomla, Drupal, and WordPress.

Has Backdoor and Spam Engine Components

The BabaYaga malware consists of two main components: a spam engine and a backdoor. To receive commands from its operators, the BabaYaga malware connects to the attackers' C&C (Command & Control) server. To conceal the threatening nature of the backdoor component, the authors of the BabaYaga threat have given the files containing it legitimate-sounding names. Through this component, the operators have multiple backdoors at their disposal.

Once the backdoor component of BabaYaga has completed its tasks successfully, the spam engine gets to work. The spam engine component is able to download malware from the attackers' C&C server and inject it into specific core WordPress files. The BabaYaga malware's spam engine is also able to check whether the threat runs when a user visits the compromised page, and it can determine whether visitors to the website are real humans or bots. If the visitor is confirmed to be a human, the spam engine generates a line of JavaScript code that redirects the traffic to an affiliate website containing advertisements. If the user buys a product, the authors of the BabaYaga malware get paid.
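A defender-side check for the core-file tampering described above, added here as an example (it is not code from the original article or from the malware): it compares WordPress core files against a trusted manifest of SHA-256 hashes and, for any file that differs, reports whether the modification contains a user-agent check or a JavaScript redirect. The manifest, the file names and the injected snippet are constructed for the demo; a real manifest would come from a pristine copy of the same WordPress release.

```python
import hashlib
import os
import re
import tempfile

# Markers a defender looks for in a modified core file: a JavaScript
# redirect, a visitor/user-agent check that gates it, or obfuscation.
SUSPICIOUS = re.compile(
    r"HTTP_USER_AGENT|window\.location|document\.location|eval\s*\(|base64_decode",
    re.IGNORECASE,
)

def sha256_of(path):
    """Hash a file in chunks so large files do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def check_core(root, manifest):
    """Compare each core file under root with the trusted manifest
    (relative path -> expected SHA-256). Returns (path, reason) findings."""
    findings = []
    for rel, expected in manifest.items():
        path = os.path.join(root, rel)
        if not os.path.isfile(path):
            findings.append((rel, "missing"))
        elif sha256_of(path) != expected:
            with open(path, "r", errors="replace") as fh:
                hit = SUSPICIOUS.search(fh.read())
            reason = f"modified, contains {hit.group(0)!r}" if hit else "modified"
            findings.append((rel, reason))
    return findings

def demo():
    """Constructed sample: one pristine file, one file with an injected
    user-agent-gated redirect, and one file that has been deleted."""
    clean = b"<?php\n// constructed stand-in for a WordPress core file\nrequire 'wp-config.php';\n"
    injected = clean + (b"<?php if (strpos($_SERVER['HTTP_USER_AGENT'], 'bot') === false) "
                        b"echo '<script>window.location=\"http://affiliate.invalid\"</script>'; ?>\n")
    manifest = {name: hashlib.sha256(clean).hexdigest()
                for name in ("wp-load.php", "wp-settings.php", "wp-cron.php")}
    with tempfile.TemporaryDirectory() as root:
        for name, body in (("wp-load.php", clean), ("wp-settings.php", injected)):
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(body)
        return check_core(root, manifest)
```

Calling demo() returns the findings list; the untouched wp-load.php produces no finding, the injected wp-settings.php is reported with the first suspicious marker found, and the missing wp-cron.php is reported as missing.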

The BabaYaga malware also is capable of:

  • Scanning the compromised site and locating any other malware that may be present.
  • Removing the located malware to ensure it is the only threat present on the system.
  • Updating itself once an update is available.
  • Reinstalling itself if removed with an anti-malware tool.
  • Installing WordPress.
  • Updating WordPress.
  • Uploading simple and complex files to the system.
  • Propagating itself to additional websites.

It is clear that the BabaYaga threat is not to be taken lightly. This threat operates very quietly and hijacks traffic very efficiently. The fact that the BabaYaga threat is capable of removing other malware is rather interesting and very impressive.
