BabaYaga: A Unique Kind of Malware


BabaYaga is the name of a mythical Slavic supernatural being that looks like a ferocious woman. She can either help you or harm you, so be careful which. Now that name has been given to a new kind of malware. The BabaYaga malware was discovered and reported by Wordfence technical experts.

BabaYaga targets WordPress websites most of the time, but it can also infect Joomla, Drupal, and even generic PHP-based websites. An infection generates spam links and redirects your website to other websites, yet remains difficult for its victims to detect.

Why is it called BabaYaga?

BabaYaga works like an anti-virus. It can detect and remove other malware that has infected your site. That may sound great and helpful, but it’s like a lion protecting a buffalo from becoming another lion’s breakfast, only to keep it for its own dinner. In short, BabaYaga can kill other malware. One of its unique features is that it is self-updating malware, which means that after it removes other malware it will eventually update on its own, hiding its malicious purpose.

Why does BabaYaga remove other malware?

It is like an actor playing the role of a bad person trying to be good. It detects and removes other malware for a very simple reason – your site needs to stay active without noticeable issues so it can do its business. When your site is down, nobody is on it and there is no business for BabaYaga.

How does BabaYaga work?

BabaYaga seems to be nice, but it is not. It searches target files, checks whether they contain malware, and replaces them with a clean version. It will also find your index file and delete it, since the index file can give away that BabaYaga is present. It can severely impact your site’s Search Engine Optimisation (SEO). It could also make your site vulnerable to other security threats.
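
One way to notice the file changes described above (a deleted index file, replaced or newly added PHP files) is to compare the site against a hash baseline taken while it was known to be clean. This is an added example, not code from Wordfence or from this site; the function names and the sample files are constructed for illustration.

```python
import hashlib
import os
import tempfile

WATCHED_SUFFIXES = (".php", ".htaccess")  # assumption: file types worth tracking

def build_manifest(root):
    """Map each watched file (path relative to root) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(WATCHED_SUFFIXES):
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                with open(full, "rb") as fh:
                    manifest[rel] = hashlib.sha256(fh.read()).hexdigest()
    return manifest

def compare(baseline, current):
    """Report what changed between the known-good baseline and the site now."""
    deleted = sorted(set(baseline) - set(current))
    added = sorted(set(current) - set(baseline))
    modified = sorted(p for p in set(baseline) & set(current)
                      if baseline[p] != current[p])
    # A missing index file is called out separately, as the article describes.
    index_deleted = [p for p in deleted if p.rsplit("/", 1)[-1] == "index.php"]
    return {"deleted": deleted, "modified": modified,
            "added": added, "index_deleted": index_deleted}

def _write(root, rel, body):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(body)

def demo():
    """Constructed sample site: take a baseline, then simulate the changes."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "index.php", "<?php // front page")
        _write(root, "wp-includes/load.php", "<?php // core file")
        baseline = build_manifest(root)                 # taken while clean
        os.remove(os.path.join(root, "index.php"))      # index file deleted
        _write(root, "wp-includes/load.php", "<?php // core file, replaced")
        _write(root, "wp-content/uploads/cache.php", "<?php // unexpected file")
        return compare(baseline, build_manifest(root))

if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Keep the baseline somewhere other than the web server, and take a new one after every legitimate WordPress, theme or plugin update, since updates also change these files.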

How can it affect your website?

When BabaYaga occupies your site, no other malware can penetrate or remain there, which leaves it free to start working on its real purpose. It will start generating spam content full of keywords that will easily show up in search engines. If a careless user clicks a link, they will be redirected to an external link, an affiliate link that uses your site to drive traffic to the malware operators' syndicated website. If the user purchases something from that website, two things could happen: the operators get a commission out of the purchase, or they capture the payment details and use them to their benefit.

How would you know if your site is infected?

There is one simple way to detect if your site is infected. First, open a Google browser and type (of course you need to replace it with your own domain) and hit Enter or click the search icon. When the search results appear, if they look like this picture, it means your site is infected.


If all the titles and descriptions are exactly the same as what your site contains, you're good! See example below.

[Image: babayaga clean]

What to do when your site is infected?

If you find your site is infected, you can do the following as soon as you can:


  • Start scanning your computer with your installed anti-virus – while your virus scan is running, get up from your chair, go outside, take a deep breath, be calm and relax; everything will be okay.
  • Clean up your website – You can find instructions on how to clean your WordPress site through a Google search, but we can recommend “What to Do When Your WordPress Website Has Been Hacked” from Elegant Themes, developer of the great WordPress theme Divi.
  • Change your passwords – this includes your computer, your website, your FTP credentials and your hosting account password.
  • You may also restore your website backup – this is one of the reasons why keeping website backup is very important.
  • Or if all this is too much – Then CALL US.

How can you protect your site from BabaYaga and other malware?

Protection is still better than cure. Protecting your site against malware attacks is less expensive than fixing and cleaning it up. You can do the following to keep your WordPress site secure:

  • Keep your WordPress site updated – WordPress versions, themes and plugins are updated often. That’s because they are updating against new cyber threats.
  • Install a trusted security plugin – there are many to choose from depending on your preferences and budget. One thing is important to consider when choosing a security plugin – make sure it has a malware scan feature.
  • Use strong passwords – it is recommended to use an alphanumeric password with special characters to make it hard to guess.
  • Scan for malware regularly – needless to say, we need to protect our properties.
  • Be aware of what is going on in the website world – everything is changing so rapidly that you need to keep yourself updated (or read our newsletters).

There are many other advanced methods to keep your site secure that we offer in our Website Care packages.

The Future Impact

Nothing is foolproof. We expect more and more malware with similar features and enhanced functionality to show up, competing with each other or combining to hack your site.

Always remember that on the internet, things evolve very quickly. There is no security forever. We just have to protect what we have right now and deal with what will come in the future.

If you want to discuss how to best protect your site, please contact us today.
