Hack-for-Hire Group Bahamut Uncovered

Researchers for BlackBerry’s Research and Intelligence Team have shed light on a staggeringly sophisticated hack-for-hire group. The group, named Bahamut, the Arabic equivalent of the Judeo-Christian Behemoth, uses several tactics to primarily target governments and businesses in the Middle East and South Asia. Tactics include using custom malware and zero-day exploits; however, it is the phishing and social engineering tactics employed that deserve special mention for the care targeted campaigns are crafted to snare their victims.

The report, titled BAHAMUT: Hack-for-Hire Masters of Phishing, Fake News, and Fake Apps, shows that Bahamut’s operations seem to date back to at least 2016. The group's operations have been neatly summarised by Eric Milam, VP of research operations at BlackBerry, who noted,

“The sophistication and sheer scope of malicious activity that our team was able to link to Bahamut is staggering. Not only is the group responsible for a variety of unsolved cases that have plagued researchers for years, but we also discovered that Bahamut is behind a number of extremely targeted and elaborate phishing and credential harvesting campaigns, hundreds of new Windows malware samples, use of zero-day exploits, anti-forensic AV evasion tactics, and more.”

While the tactics employed by Bahamut may not be new, it is how they are used which sets the hack-for-hire group apart from potential rivals. For instance, the groups use of zero-day exploits, vulnerabilities found in software that the vendor is unaware of, is not done on a whim. Their use also places the group amongst the world’s most sophisticated hackers. Also, the use of custom malware shows how skilled the group’s operators are.

bahamut hacking group uncovered

However, the use of both zero-days and custom malware variants is often seen as a measure of last resort, the group seems to prefer compromising networks via stolen credentials. Here Bahamut using a level of cunning and attention to detail in their social phishing and social engineering campaigns most definitely sets the group apart from other hackers.

Researchers believe that the main reason the group uses zero-days and malware as a last resort is that their use inevitably leaves behind evidence that can be used to piece together a comprehensive picture that can help organizations prevent falling victim to Bahamut’s actions. Further, the use of custom malware makes attributing attacks an easier task for researchers as well as anti-virus vendors can then create detection and remediation rules for the malware.

Zero-days can likewise be patched once their use is detected. By using phishing and social engineering tactics the group can remain in the shadows far more effective as it is easier to remain undetected through their use as victims are tricked into handing over important credentials that eventually lead to the compromise of an organization.

Cunning and Care

As mentioned above the group's use of phishing and social engineering tactics deserves special mention. Previously on this platform, we have looked at how devastating disinformation and fake news campaigns can be as well as how profitable they can be. Bahamut seems to have also learned this lesson and mastering aspects of this dark art. Bahamut is also patient, in some instances, the group monitored targeted networks for over a year.

All the information garnered from monitoring a victim’s network is used to craft an elaborate network of fake websites. The websites in themselves are expertly crafted and tailored to better catch a victim off guard adding to the attack campaigns' overall air of legitimacy. More than just developing a network of websites, applications, and unique online personas are also created. Again, this spider web of disinformation is used to determine what employees of the target are likely to click on. The traffic each fake website generates can then be turned to creating more effective phishing campaigns that are hyper-targeted to harvest credentials more effectively.

For example, in one case Bahamut took over the real domain for what was once a real technology and information security website and used it to push out articles on geopolitics, research, and industry news, complete with author profiles. While the authors used fake personas, they used pictures of real journalists. Initial contact with Bahamut is done using social media channels like LinkedIn or through targeted fake news. This information is further used to create more believable content to snare victims. In most of the cases, those targeted would not see copied content but would engage with original content. What people are told to look for in phishing scenarios, malicious links, poorly crafted websites, are missing and thus raising no alarm. To this extent, the group would manage several fake news websites.

So convincing was the fake content that an article from one of them was featured as a legitimate source in an industry news alert by Ireland's National Cyber Security Centre in 2019. As mentioned above all this is done to better harvest credentials. To do this the group creates fake login pages government agency logins, private email accounts, and account portals from Microsoft Live, Gmail, Apple ID, Yahoo!, Twitter, Facebook, Telegram, OneDrive, and Proton Mail. Here again, the gang could exhibit extreme levels of patience with some of these spear-phishing campaigns taking months. Some would also take hours depending on how effective they are. Further, Bahamut is willing to learn from mistakes and actively monitors the InfoSec community when its actions are detected. If detection occurs the group will change tactics, making the battle to attribute attacks even more arduous.

Malicious Mobile Apps

Along with the fake news and content empire created by Bahamut malicious mobile apps are used to create backdoors on victims’ devices. Here again, Bahamut crafts each app with a level of care rarely seen and used to target specific groups. Both Apple and Android devices are targeted, and apps come complete with privacy policies to not only fool victims but the app stores distributing the app as well. The report published by BlackBerry includes an extensive list of these malicious apps and the number of these apps created and maintained by Bahamut operatives is impressive.

Once installed on the device the app effectively becomes a backdoor to the device allowing operatives to monitor all the activity of the victims, such as the ability to read their messages, listen to their calls, monitor their location, and other espionage activity. Despite the care the apps’ creators have taken to remain undetected and difficult to peg to Bahamut’s flag, researchers have managed to attribute apps to Bahamut. This no small feat was done by analyzing the mistakes made by those creating the apps with researchers noting,

“For a group that historically set themselves apart by employing above average operational security and extremely skilled technical capabilities, Bahamut operators are, at the end of the day, still human. While their mistakes have been few, they have also proven devastating. BlackBerry found that the idiom "old habits die hard" applies to even the most advanced of threat groups,”

The question remains, for what purpose is so much effort spent to remain in the shadows. When Russian hackers brought the concepts of disinformation and fake news to the front of people's attention with attempts at influencing the outcomes of elections the purpose was clearly political in that it undermined a geopolitical rival. What of Bahamut? Those attacks that have been attributed to Bahamut show such a wide range of interests, geographies, political differences, and economic sectors researchers concluded that Bahamut operates as a hacker-for-hire organization. In practice, they seem to operate like cyber mercenaries with their skills and operational security rented out to those willing to pay for the pleasure. Given the level of care given to campaigns and the skill with which campaigns conducted it can only be assumed that hiring Bahamut comes with a hefty price tag.

For governments, large corporations, and the incredibly wealthy outsourcing cyber espionage operations to a third party like Bahamut can be an attractive idea. The groups focus on remaining undetected and applying high levels of operational security to campaigns provides a level of plausible deniability. To that effect, researchers concluded,

“The ever-expanding story of cyberespionage will undoubtedly continue well past our own lifetimes and is sure to define new norms in international relations. But as the new chapters in that story are written, the lessons and warnings of the past should not be forgotten. Jorge Luis Borges reminded us of one of them in his description of the Bahamut in The Book of Imaginary Beings. Quoting Edward Lane’s Arabian Society in the Middle Ages, he noted that God created the Bahamut to support the earth. And God placed water under the Bahamut for support, and under the water, darkness. But, he wrote, “the knowledge of mankind fails as to what is under the darkness” (Borges, 1967). Even when mercenary groups appear to surface briefly in security research, their true sponsors may forever remain in the dark”

▼ Show Discussion

About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps..

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over five years working in this branch. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications. Contact Karolis Liucveikis.

PCrisk security portal is brought by a company RCS LT. Joined forces of security researchers help educate computer users about the latest online security threats. More information about the company RCS LT.

Our malware removal guides are free. However, if you want to support us you can send us a donation.

About PCrisk

PCrisk logo

PCrisk is a cyber security portal, informing Internet users about the latest digital threats. Our content is provided by security experts and professional malware researchers. Read more about us.

Malware activity

Global malware activity level today:

Medium threat activity

Increased attack rate of infections detected within the last 24 hours.

Virus and malware removal

This page provides information on how to avoid infections by malware or viruses and is useful if your system suffers from common spyware and malware attacks.

Learn about malware removal