{
	"id": "076a7823-6739-4f1a-a29b-1186b3ceb873",
	"created_at": "2026-04-06T00:08:54.138799Z",
	"updated_at": "2026-04-10T13:11:26.782197Z",
	"deleted_at": null,
	"sha1_hash": "1b08127de0d1a285c4f039e4260d5a97f22199e4",
	"title": "The Far-Reaching Attacks of the Void Balaur Cybermercenary Group",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 979904,
	"plain_text": "The Far-Reaching Attacks of the Void Balaur Cybermercenary\r\nGroup\r\nArchived: 2026-04-05 15:02:11 UTC\r\nVoid Balaur’s Offerings\r\nOne of the threat actor’s primary services is hacking into the mailboxes of email providers and social media\r\naccounts. Void Balaur, in some cases, can even provide complete copies of mailboxes that are stolen without any\r\nuser interaction for a higher price. The latter is particularly interesting, since it would take unusual circumstances\r\nsuch as an insider threat or the compromise of an email provider’s system to be able to offer private data without\r\nuser interaction.\r\nStarting in 2019, Void Balaur also began selling the sensitive private data of Russian individuals. These included\r\npassport and flight information; criminal records; credit history; account balance and statements; and even\r\nprintouts of SMS messages. Again, it is difficult to determine how exactly the group manages to gather such an\r\nextensive array of information, especially with regard to telecom data — but there are several possibilities, such\r\nas telecom engineers being hacked, or even the telecom system itself being compromised.\r\nThe group uses Russian underground websites to advertise their products and services, especially in forums such\r\nas Darkmoney and Probiv. Void Balaur seems to be highly respected in these underground forums, as the feedback\r\nfor their services is almost unanimously positive, with their customers pointing out the threat actor’s ability to\r\ndeliver the requested information on time, as well as the quality of the data being provided. Previously, the group\r\nalso peddled its offerings on a website where it advertised services such as hacking into mailboxes, launching\r\ndistributed denial-of-service (DDoS) attacks, and flooding phone numbers in Commonwealth of Independent\r\nStates (CIS) countries.\r\nhttps://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/the-far-reaching-attacks-of-the-void-balaur-cybermercenary-group\r\nPage 1 of 5\r\nFigure 1. Some of the products being offered by Void Balaur on their website from 2020\r\nVoid Balaur also set its sights on cryptocurrency exchanges and their employees, creating numerous phishing sites\r\nto lure cryptocurrency exchange users in order to gain access to their wallets. One cryptocurrency exchange in\r\nparticular — EXMO — has been victimized several times by the group.\r\nFigure 2. An example of a Void Balaur phishing site that presents itself as a login page for EXMO\r\nAn extensive list of victims\r\nWe were able to determine the nature of the threat actor’s victims with some confidence by correlating indicators\r\nsuch as infrastructure, hostnames, and email addresses to information found in external reports from\r\neQualit.ie and Amnesty International.\r\nThe reports mentioned attacks on human rights activists, journalists, media websites, and websites that cover\r\npolitical news. Void Balaur is not averse to going after more high-profile targets either, as the group also launched\r\nattacks on the former head of an intelligence agency, active government ministers, members of the national\r\nparliament in an Eastern European country, and even presidential candidates.\r\nIt’s possible that these were not one-off attacks, but a part of a larger campaign with multiple fronts. In addition,\r\nwhile seemingly financially motivated, many of the threat actor’s campaigns could be driven by the desire to\r\ncause disruption and strife among their victims.\r\nFigure 3. Countries in which Void Balaur email targets were located (companies were targeted via corporate email\r\naddresses; individuals were targeted via private email addresses)\r\nVoid Balaur’s use of malware\r\nBased on the Amnesty International report, Void Balaur has also used seemingly simple — but highly specialized\r\n— malware. One of these malware families, called Z*Stealer, is designed to gather credentials from different types of\r\nsoftware such as instant messaging apps, email clients, browsers, and Remote Desktop Protocol (RDP) programs.\r\nIt is also capable of stealing cryptocurrency wallets.\r\nDroidWatcher is another malware the group uses in its campaigns. Similar to Z*Stealer, it is also meant for\r\ninformation theft, while adding spying and remote tracking capabilities, allowing its users to access sensitive\r\nlocation and communications information.\r\nDefending against cybermercenary attacks\r\nA cybermercenary group like Void Balaur has plenty of tools and resources at its disposal for perpetrating\r\nattacks against high-profile targets. These security best practices can help mitigate the impact of an attack or even\r\nprevent an attack from being successful.\r\nChoose email providers that prioritize security and have strong security protocols in place.\r\nUse two-factor authentication (2FA) when accessing email and social media accounts, preferably by using\r\napps or devices specially designed for 2FA.\r\nEnsure that apps that are used to transmit sensitive information have end-to-end encryption for\r\ncommunications.\r\nDelete older messages to minimize the chance of sensitive data ending up in the hands of malicious\r\nelements. Some mobile apps have a setting that automatically deletes chats after a certain time.\r\nEmploy drive encryption for all machines.\r\nTurn off both work and personal machines that store important data when not in use.\r\nConsider the use of encryption systems for communication involving sensitive information or dialogue.\r\nLearn more about the cybermercenary known as Void Balaur in our research paper titled Void Balaur: Tracking a\r\nCybermercenary's Activities.\r\nIndicators of compromise related to Void Balaur can be found here.\r\nSource: https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/the-far-reaching-attacks-of-the-void-balaur-cybermercenary-group",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/the-far-reaching-attacks-of-the-void-balaur-cybermercenary-group"
	],
	"report_names": [
		"the-far-reaching-attacks-of-the-void-balaur-cybermercenary-group"
	],
	"threat_actors": [
		{
			"id": "eed84d1d-a457-43d7-8dba-e41cf7cea6e5",
			"created_at": "2023-01-06T13:46:39.474045Z",
			"updated_at": "2026-04-10T02:00:03.340923Z",
			"deleted_at": null,
			"main_name": "Void Balaur",
			"aliases": [],
			"source_name": "MISPGALAXY:Void Balaur",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "dd5d24e4-366c-4bd4-8587-fc9606a0cff6",
			"created_at": "2022-10-25T16:07:24.383804Z",
			"updated_at": "2026-04-10T02:00:04.969329Z",
			"deleted_at": null,
			"main_name": "Void Balaur",
			"aliases": [
				"Rockethack"
			],
			"source_name": "ETDA:Void Balaur",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434134,
	"ts_updated_at": 1775826686,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1b08127de0d1a285c4f039e4260d5a97f22199e4.pdf",
		"text": "https://archive.orkl.eu/1b08127de0d1a285c4f039e4260d5a97f22199e4.txt",
		"img": "https://archive.orkl.eu/1b08127de0d1a285c4f039e4260d5a97f22199e4.jpg"
	}
}