Bahamut is an adversary group first documented by Bellingcat, an open-source investigative journalism network. The group is known to target individuals and organizations in the Middle East. Its primary targets include Iranian women's rights activists, Turkish government officials, Saudi Aramco and Europe-based human rights organizations. The group has also shown a keen interest in Qatar's domestic and international politics, Egyptian lawyers and Iranian reformists. Given this broad and politically diverse selection of targets, it is highly likely that the actors are a hackers-for-hire group that nation-state actors and other adversary groups contract to conduct intrusions on their behalf.
The group has been active since at least 2016, when it conducted targeted spear-phishing campaigns against English- and Persian-speaking human rights activists. The campaigns run from then until April 2017 consisted of socially engineered emails containing a link to a phishing page that imitated the login page of a social media, email or other account. The emails claim that suspicious activity has been noticed on the recipient's account and must be reviewed. Many adversaries use this technique because it creates a sense of urgency: recipients hurry to "secure" the account and enter their credentials on the phishing site. The actors return to the same targets a few months later to gain access to their other accounts, such as a Google or iCloud account; this persistence in pursuing specific individuals suggests an advanced cyber-espionage group rather than an opportunistic criminal one. Beyond credentials, the phishing pages also collected system information such as the victim's IP address and other details. Campaigns against Middle Eastern targets were themed as impersonated BBC News alerts, content about the diplomatic conflict between Qatar and other Gulf states, or a Google News alert for an article about Middle Eastern government support for Donald Trump. The known targets of these campaigns were located in Arab countries, Turkey and Iran.
Later, in October 2017, Bellingcat reported that the group had increased the sophistication of its campaigns and expanded their scope to South Asia. The spear-phishing pages were updated to resist enumeration: each victim is now targeted with a unique subdomain, which is disabled after use to hide the trail from researchers. To raise the probability of a successful attack, the actors also send SMS messages to the victim's mobile number warning of the same suspicious activity described in the phishing email. In addition, the phishing pages detect the language settings of the victim's browser and display content accordingly, translated into either English or Arabic. The South Asian campaigns also included Android malware packaged with content on India-Pakistan issues to lure victims into installing it; once installed, these applications monitor the victim's activity on the compromised device. The applications were initially hosted on the Google Play Store but have since been removed by Google; they are now distributed through third-party app stores.
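The per-victim subdomain technique described above leaves a recognizable footprint in DNS or web-proxy telemetry: one registered domain, many subdomains, and almost every subdomain resolved by exactly one client before it goes dark. The following Python script is an added example, not code from the original article or from Bellingcat, that scores that pattern over a handful of constructed log lines (the hostnames, timestamps and client addresses are invented for the example). It assumes a simple three-field log format and approximates the registered domain as the last two labels of the hostname; a production detector should use the Public Suffix List instead, and the thresholds are tunable assumptions rather than values from the page.

```python
"""Heuristic detector for the 'one subdomain per victim' phishing pattern.

Added example, not from the original article. Flags registered domains whose
subdomains are numerous and almost all seen by exactly one client, which is
what a phishing kit that mints a fresh subdomain per target and retires it
after use looks like in DNS or proxy logs.
"""
from collections import defaultdict
import re

# Constructed sample log lines (timestamp, client IP, queried hostname).
# Invented for this example; not real telemetry.
SAMPLE_LOG = """\
2017-10-02T08:11:03Z 10.0.0.21 a7f3c2.secure-alerts.example
2017-10-02T08:14:40Z 10.0.0.22 b91e04.secure-alerts.example
2017-10-02T09:02:11Z 10.0.0.23 c0d5aa.secure-alerts.example
2017-10-02T09:20:58Z 10.0.0.24 d4e8f1.secure-alerts.example
2017-10-02T09:45:09Z 10.0.0.25 e2b7c9.secure-alerts.example
2017-10-02T10:00:00Z 10.0.0.21 mail.corp-intranet.example
2017-10-02T10:00:02Z 10.0.0.22 mail.corp-intranet.example
2017-10-02T10:00:05Z 10.0.0.23 mail.corp-intranet.example
2017-10-02T10:01:00Z 10.0.0.24 www.corp-intranet.example
2017-10-02T10:01:00Z 10.0.0.25 www.corp-intranet.example
2017-10-02T11:30:00Z 10.0.0.26 cdn.corp-intranet.example
"""

# Assumed log layout: "<timestamp> <client> <hostname>" per line.
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def registered_domain(host):
    """Approximate the registered domain as the last two labels.

    Assumption for this example only: a real deployment must consult the
    Public Suffix List so that e.g. 'example.co.uk' is handled correctly.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def parse_log(text):
    """Yield (client, hostname) pairs; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(2), m.group(3)


def subdomain_stats(records):
    """Map registered domain -> {subdomain: set of clients that queried it}."""
    stats = defaultdict(lambda: defaultdict(set))
    for client, host in records:
        base = registered_domain(host)
        sub = host.lower()[: -len(base)].rstrip(".") or "@"  # "@" = apex itself
        stats[base][sub].add(client)
    return stats


def find_per_victim_domains(records, min_subdomains=4, single_use_ratio=0.8):
    """Return registered domains whose subdomains look minted per target.

    A domain is flagged when it has at least `min_subdomains` distinct
    subdomains and at least `single_use_ratio` of them were each queried by
    exactly one client. Both thresholds are assumptions to be tuned locally.
    """
    flagged = {}
    for base, subs in subdomain_stats(records).items():
        if len(subs) < min_subdomains:
            continue
        single_use = sum(1 for clients in subs.values() if len(clients) == 1)
        ratio = single_use / len(subs)
        if ratio >= single_use_ratio:
            flagged[base] = {"subdomains": len(subs),
                             "single_use_ratio": round(ratio, 2)}
    return flagged


if __name__ == "__main__":
    for base, info in find_per_victim_domains(parse_log(SAMPLE_LOG)).items():
        print(f"{base}: {info['subdomains']} subdomains, "
              f"{info['single_use_ratio']:.0%} single-use "
              "-> candidate per-victim phishing infrastructure")
```

On the constructed sample the script flags only secure-alerts.example (five subdomains, each seen by a single client); the intranet domain is ignored because its few subdomains are shared by many clients. The heuristic is deliberately coarse: legitimate services that hand each user a personal subdomain will also trip it, so the output is a triage list to enrich with registration age and hosting data, not a block list.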
Bellingcat researchers also suspect that the group is associated with another adversary group named Kingphish. In addition to commonalities in their tactics, the two groups registered similar domains and used similar hosting infrastructure for their campaigns.