BabyShark Malware Part Two – Attacks Continue Using KimJongRAT and PCRat

2019-04-26 Palo Alto Networks

https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/

Unit 42 reports that BabyShark activity continued through March and April 2019 after earlier spear-phishing against U.S. national-security think tanks, with newer decoys also showing interest in cryptocurrency-related financial gain. The malware used a multi-stage structure with server-side checks, base64-encoded denylisted IPs and computer names in blackip.txt, suspicious-access logging, and redirects to go.microsoft.com to hide exposed C2 files. Operators could issue VBS and PowerShell commands to archive and upload files, collect host information, run keyloggers, load DLLs, execute secondary payloads, and clean up execution artifacts. The researchers recovered server and client files showing that BabyShark delivered encoded “Cowboy” payloads through EXE or DLL loaders, with KimJongRAT and PCRat observed as the secondary malware families.

Indicators of Compromise

