Bahamut cybermercenary group targets Android users with fake VPN apps

Malicious apps used on this energetic marketing campaign exfiltrate contacts, SMS messages, recorded cellphone calls, and even chat messages from apps equivalent to Sign, Viber, and Telegram

ESET researchers have recognized an energetic marketing campaign focusing on Android customers, performed by the Bahamut APT group. This marketing campaign has been energetic since January 2022 and malicious apps are distributed via a faux SecureVPN web site that gives solely Android apps to obtain. Word that though the malware employed all through this marketing campaign makes use of the identify SecureVPN, it has no affiliation in anyway with the respectable, multiplatform SecureVPN software program and repair.

Key factors of this blogpost:

  • The app used has at totally different occasions been a trojanized model of one in all two respectable VPN apps, SoftVPN or OpenVPN, which have been repackaged with Bahamut adware code that the Bahamut group has used up to now.
  • We have been capable of determine no less than eight variations of those maliciously patched apps with code adjustments and updates being made obtainable via the distribution web site, which could imply that the marketing campaign is nicely maintained.
  • The primary function of the app modifications is to extract delicate person knowledge and actively spy on victims’ messaging apps.
  • We consider that targets are rigorously chosen, since as soon as the Bahamut adware is launched, it requests an activation key earlier than the VPN and adware performance may be enabled. Each the activation key and web site hyperlink are possible despatched to focused customers.
  • We have no idea the preliminary distribution vector (e-mail, social media, messaging apps, SMS, and many others.).

ESET researchers found no less than eight variations of the Bahamut adware. The malware is distributed via a faux SecureVPN web site as trojanized variations of two respectable apps – SoftVPN and OpenVPN. These malicious apps have been by no means obtainable for obtain from Google Play.

The malware is ready to exfiltrate delicate knowledge equivalent to contacts, SMS messages, name logs, gadget location, and recorded cellphone calls. It may possibly additionally actively spy on chat messages exchanged via extremely popular messaging apps together with Sign, Viber, WhatsApp, Telegram, and Fb Messenger; the information exfiltration is completed by way of the keylogging performance of the malware, which misuses accessibility companies. The marketing campaign seems to be extremely focused, as we see no situations in our telemetry knowledge.

Bahamut overview

The Bahamut APT group sometimes targets entities and people within the Center East and South Asia with spearphishing messages and faux purposes because the preliminary assault vector. Bahamut focuses on cyberespionage, and we consider that its objective is to steal delicate data from its victims. Bahamut can be known as a mercenary group providing hack-for-hire companies to a variety of shoppers. The identify was given to this risk actor, which seems to be a grasp in phishing, by the Bellingcat investigative journalism group. Bellingcat named the group after the big fish floating within the huge Arabian Sea talked about within the E book of Imaginary Beings written by Jorge Luis Borges. Bahamut is continuously described in Arabic mythology as an unimaginably huge fish.

The group has been the topic of a number of publications lately, together with:


The preliminary faux SecureVPN app we analyzed was uploaded to VirusTotal on 2022-03-17, from an IP handle that geolocates to Singapore, together with a hyperlink to a faux web site that triggered one in all our YARA guidelines.

On the similar time, we have been notified on Twitter by way of DM from @malwrhunterteam about the identical pattern.

The malicious Android utility used on this marketing campaign was delivered by way of the web site thesecurevpn[.]com (see Determine 1), which makes use of the identify – however not one of the content material or styling – of the respectable SecureVPN service (on the area

Determine 1. Faux SecureVPN web site supplies a trojanized app to obtain

This faux SecureVPN web site was created based mostly on a free web template (see Determine 2), which was almost definitely utilized by the risk actor as an inspiration, because it required solely small adjustments and appears reliable.

Determine 2. Free web site template used to create the distribution web site for the faux VPN app

thesecurevpn[.]com was registered on 2022-01-27; nevertheless, the time of preliminary distribution of the faux SecureVPN app is unknown. The malicious app is offered immediately from the web site and has by no means been obtainable on the Google Play retailer.


Malicious code within the faux SecureVPN pattern was seen within the SecureChat marketing campaign documented by Cyble and CoreSec360. We have now seen this code getting used solely in campaigns performed by Bahamut; similarities to these campaigns embody storing delicate data in a neighborhood database earlier than importing it to the C&C server. The quantity of information saved in these databases most likely will depend on the marketing campaign. In Determine 3 you may see malicious package deal lessons from this variant in comparison with a earlier pattern of Bahamut code.

Determine 3. Class identify comparability between the sooner malicious SecureChat package deal (left) and faux SecureVPN package deal (proper)

Evaluating Determine 4 and Determine 5, you may see the similarities in SQL queries within the earlier SecureChat malware, attributed to Bahamut, and the faux SecureVPN malware.

Determine 4. The SQL queries utilized in malicious code from the sooner SecureChat marketing campaign

Determine 5. The SQL queries utilized in malicious code within the faux SecureVPN marketing campaign

As such, we consider that the faux SecureVPN utility is linked to the Bahamut group.


Because the distribution web site has been on-line, there have been no less than eight variations of the Bahamut adware obtainable for obtain. These variations have been created by the risk actor, the place the faux utility identify was adopted by the model quantity. We have been capable of pull the next variations from the server, the place we consider the model with the bottom model suffix was offered to potential victims up to now, whereas extra lately greater model numbers (secureVPN_104.apk, SecureVPN_105.apk, SecureVPN_106.apk, SecureVPN_107.apk, SecureVPN_108.apk, SecureVPN_109.apk, SecureVPN_1010.apk, secureVPN_1010b.apk) have been used.

We divide these variations into two branches, since Bahamut’s malicious code was positioned into two totally different respectable VPN apps.

Within the first department, from model secureVPN_104 till secureVPN_108, malicious code was inserted into the respectable SoftVPN utility that may be discovered on Google Play and makes use of the distinctive package deal identify This package deal identify can be seen within the PARENT_APPLICATION_ID worth within the model data discovered within the decompiled supply code of the primary faux SecureVPN app department, as seen in Determine 6.

Determine 6. Faux SecureVPN v1.0.4 with malicious code included into SoftVPN as mother or father utility

Within the second department, from model secureVPN_109 till secureVPN_1010b, malicious code was inserted into the respectable open-source utility OpenVPN, which is accessible on Google Play, and that makes use of the distinctive package deal identify As with the trojanized SoftVPN department, the unique app’s package deal identify can be seen within the faux SecureVPN app’s model data, discovered within the decompiled supply code, as seen in Determine 7.

Determine 7. Faux SecureVPN v1.0.9 (SecureVPN_109) with malicious code included into OpenVPN as its mother or father utility despite the fact that the hardcoded VERSION_NAME (1.0.0) wasn’t modified between variations

In addition to the cut up in these two branches, the place the identical malicious code is implanted into two totally different VPN apps, different faux SecureVPN model updates contained solely minor code adjustments or fixes, with nothing vital contemplating its total performance.

The explanation why the risk actor switched from patching SoftVPN to OpenVPN as its mother or father app is just not clear; nevertheless, we suspect that the rationale could be that the respectable SoftVPN app stopped working or being maintained and was not capable of create VPN connections – as confirmed by our testing of the newest SoftVPN app from Google Play. This could possibly be a motive for Bahamut to change to utilizing OpenVPN, since potential victims may uninstall a non-working VPN app from their units. Altering one mother or father app to a different possible required extra time, sources, and energy to efficiently implement by the risk actor.

Malicious code packaged with the OpenVPN app was carried out a layer above the VPN code. That malicious code implements adware performance that requests an activation key after which checks the provided key towards the attacker’s C&C server. If the secret is efficiently entered, the server will return a token that’s mandatory for profitable communication between the Bahamut adware and its C&C server. If the secret is not appropriate, neither Bahamut adware nor VPN performance will probably be enabled. Sadly, with out the activation key, dynamic malware evaluation sandboxes may not flag it as a malicious app.

In Determine 8 you may see an preliminary activation key request and in Determine 9 the community site visitors behind such a request and the response from the C&C server.

Determine 8. Faux SecureVPN requests activation key earlier than enabling VPN and adware capabilities

Determine 9. Faux SecureVPN activation request and its C&C server’s response

The campaigns utilizing the faux SecureVPN app attempt to preserve a low profile, for the reason that web site URL is almost definitely delivered to potential victims with an activation key, which isn’t offered on the web site. Sadly, we weren’t capable of receive a working key.

The activation key layer doesn’t belong to the unique OpenVPN performance, and we don’t acknowledge it as code from another respectable app. We consider it was developed by Bahamut, because it additionally communicates with their C&C server.

Implementing a layer to guard a payload from being triggered proper after launch on a non-targeted person gadget or when being analyzed is just not a singular characteristic. We already noticed related safety being utilized in one other marketing campaign by the Bahamut group carried out within the SecureChat app analyzed by CoreSec360. That required further effort by the sufferer, who needed to create an account and log into it, which then enabled the Bahamut adware performance. We have now additionally noticed comparable safety being used by APT-C-23, the place the potential sufferer wants a sound Coupon Code to obtain the malicious app.


If the Bahamut adware is enabled, then it may be remotely managed by Bahamut operators and might exfiltrate numerous delicate gadget knowledge equivalent to:

  • contacts,
  • SMS messages,
  • name logs,
  • a listing of put in apps,
  • gadget location,
  • gadget accounts,
  • gadget data (kind of web connection, IMEI, IP, SIM serial quantity),
  • recorded cellphone calls, and
  • a listing of recordsdata on exterior storage.

By misusing accessibility companies, as seen in Determine 10, the malware can steal notes from the SafeNotes utility and actively spy on chat messages and details about calls from widespread messaging apps equivalent to:

  • imo-Worldwide Calls & Chat,
  • Fb Messenger,
  • Viber,
  • Sign Personal Messenger,
  • WhatsApp,
  • Telegram,
  • WeChat, and
  • Conion apps.

Determine 10. Faux SecureVPN request to manually allow Accessibility companies

All exfiltrated knowledge is saved in a neighborhood database after which despatched to the C&C server. The Bahamut adware performance consists of the flexibility to replace the app by receiving a hyperlink to a brand new model from the C&C server.


The cell marketing campaign operated by the Bahamut APT group continues to be energetic; it makes use of the identical technique of distributing its Android adware apps by way of web sites that impersonate or masquerade as respectable companies, as has been seen up to now. Additional, the adware code, and therefore its performance, is identical as in earlier campaigns, together with gathering knowledge to be exfiltrated in a neighborhood database earlier than sending it to the operators’ server, a tactic not often seen in cell cyberespionage apps.

It seems that this marketing campaign has maintained a low profile, as we see no situations in our telemetry knowledge. That is most likely achieved via extremely focused distribution, the place together with a hyperlink to the Bahamut adware, the potential sufferer is provided an activation key, which is required to allow the malware’s spying performance.



SHA-1 Package deal identify ESET detection identify Description
3144B187EDF4309263FF0BCFD02C6542704145B1 Android/Spy.Bahamut.M OpenVPN app repackaged with Bahamut adware code.
2FBDC11613A065AFBBF36A66E8F17C0D802F8347 Android/Spy.Bahamut.M OpenVPN app repackaged with Bahamut adware code.
2E40F7FD49FA8538879F90A85300247FBF2F8F67 Android/Spy.Bahamut.M SoftVPN app repackaged with Bahamut adware code.
1A9371B8AEAD5BA7D309AEBE4BFFB86B23E38229 Android/Spy.Bahamut.M SoftVPN app repackaged with Bahamut adware code.
976CC12B71805F4E8E49DCA232E95E00432C1778 Android/Spy.Bahamut.M SoftVPN app repackaged with Bahamut adware code.
B54FFF5A7F0A279040A4499D5AABCE41EA1840FB Android/Spy.Bahamut.M SoftVPN app repackaged with Bahamut adware code.
C74B006BADBB3844843609DD5811AB2CEF16D63B Android/Spy.Bahamut.M SoftVPN app repackaged with Bahamut adware code.
4F05482E93825E6A40AF3DFE45F6226A044D8635 Android/Spy.Bahamut.M OpenVPN app repackaged with Bahamut adware code.
79BD0BDFDC3645531C6285C3EB7C24CD0D6B0FAF Android/Spy.Bahamut.M OpenVPN app repackaged with Bahamut adware code.
7C49C8A34D1D032606A5E9CDDEBB33AAC86CE4A6 Android/Spy.Bahamut.M OpenVPN app repackaged with Bahamut adware code.


IP Area First seen Particulars
104.21.10[.]79 ft8hua063okwfdcu21pw[.]de 2022-03-20 C&C server
172.67.185[.]54 thesecurevpn[.]com 2022-02-23 Distribution web site

MITRE ATT&CK strategies

This desk was constructed utilizing version 11 of the ATT&CK framework.

Tactic ID Identify Description
Persistence T1398 Boot or Logon Initialization Scripts Bahamut adware receives the BOOT_COMPLETED broadcast intent to activate at gadget startup.
T1624 Occasion Triggered Execution Bahamut adware makes use of Observers to be told about adjustments in SMS, contacts, and calls.
Protection Evasion T1627 Execution Guardrails Bahamut adware gained’t run until a sound activation key’s offered at app startup.
Discovery T1420 File and Listing Discovery Bahamut adware can record obtainable recordsdata on exterior storage.
T1418 Software program Discovery Bahamut adware can receive a listing of put in purposes.
T1426 System Data Discovery Bahamut adware can extract details about the gadget together with kind of web connection, IMEI, IP handle, and SIM serial quantity.
Assortment T1417.001 Enter Seize: Keylogging Bahamut adware logs keystrokes in chat messages and name data from focused apps.
T1430 Location Monitoring Bahamut adware tracks gadget location.
T1429 Audio Seize Bahamut adware can report cellphone calls.
T1532 Archive Collected Information Bahamut adware shops collected knowledge in a database previous to exfiltration.
T1636.002 Protected Person Information: Name Logs Bahamut adware can extract name logs.
T1636.003 Protected Person Information: Contact Checklist Bahamut adware can extract the contact record.
T1636.004 Protected Person Information: SMS Messages Bahamut adware can extract SMS messages.
Command and Management T1437.001 Utility Layer Protocol: Net Protocols Bahamut adware makes use of HTTPS to speak with its C&C server.
Exfiltration T1646 Exfiltration Over C2 Channel Bahamut adware exfiltrates stolen knowledge over its C&C channel.


Leave a Reply

Your email address will not be published. Required fields are marked *