Experts Find 2007 Variant of Malware Linked to French Intelligence

Researchers at Palo Alto Networks have come across a 2007 variant of Babar, a piece of malware believed to have been developed by a French intelligence agency.

The activities of the cyber espionage group known as the Animal Farm came to light in March 2014, when a French publication released a series of slides from Edward Snowden. The slides belonged to Canada’s Communications Security Establishment (CSE) and they detailed an espionage campaign dubbed “Operation Snowglobe.”

Further analysis by various security firms revealed that the Animal Farm group had been using several pieces of malware whose names were inspired by cartoon characters, including Babar, Dino, Casper and Bunny. Other malware families used by the threat actor are NBot and Tafacalou.

The group, previously believed to have been active since at least 2009, has targeted government organizations, military contractors, private firms, media companies, activists, and humanitarian aid organizations in many countries around the world.

Back in 2015, Kaspersky mentioned that it had found evidence of some Animal Farm malware being developed as far back as 2007, but the company did not share any details. Palo Alto Networks now says it has found a 2007 version of Babar, also known as Snowball. Researchers pointed out that the previously analyzed samples of this malware had dated back to 2011.

“Analysing historical malware samples helps us learn about its set of features and technical capabilities. This helps us compare a tool used by one adversary to that used by similar adversaries at that time,” Palo Alto’s Dominik Reichel said in a blog post.

Researchers analyzed a loader with a compilation timestamp of 11/09/2007 11:37:36 PM and a payload apparently compiled 10 seconds later. While timestamps can be modified, experts believe these are genuine.

This version of Babar was capable of obtaining information about the compromised machine, rebooting or shutting down the infected system, downloading files, and killing arbitrary processes. When obtaining information on the default Web browser, the malware uses a method that does not work on Chrome, which Google released in 2008, further indicating that the samples were truly developed in 2007.

Researchers also pointed out that the malware had abused the official website of the Permanent Council of Accounting of the Democratic Republic of the Congo for command and control (C&C) communications.

Experts also found a design flaw that left configuration data, which should have been encrypted, accessible in clear text, which is surprising considering that the malware was developed by a sophisticated actor.

Code and structure analysis suggests that the Casper malware used by Animal Farm is based on this version of Babar.

Overall, Palo Alto Networks believes this piece of malware is “only average” compared to other malware created at that time by threat groups believed to be backed by nation states, such as Regin or Careto.

The theory that a French intelligence agency is behind the Animal Farm is based on information from the CSE slides, the targeted entities, language and regional settings, and various strings found in the malware code. Palo Alto Networks’ analysis also found that the loader and the main payload for the 2007 version of Babar had the resource language ID set to 1036, which corresponds to French.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
