{
	"id": "67eaabdd-1dc2-4dd7-bcbb-0242d1916bf8",
	"created_at": "2026-04-06T00:08:57.565839Z",
	"updated_at": "2026-04-10T03:34:00.477033Z",
	"deleted_at": null,
	"sha1_hash": "39f27a10fe667b3b7c0c09a0011fb3cd46760aa7",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 60059,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 16:20:28 UTC\r\n APT group: Bahamut\r\nNames Bahamut (Bellingcat)\r\nCountry [Middle East]\r\nMotivation Information theft and espionage\r\nFirst seen 2016\r\nDescription\r\n(Bellingcat) Bahamut was first noticed when it targeted a Middle Eastern human\r\nrights activist in the first week of January 2017. Later that month, the same tactics\r\nand patterns were seen in attempts against an Iranian women’s activist – an\r\nindividual commonly targeted by Iranian actors, such as Magic Hound, APT 35,\r\nCobalt Illusion, Charming Kitten and the Sima campaign documented in our 2016\r\nBlack Hat talk. Recurrent patterns in hostnames, registrations, and phishing scripts\r\nprovided a strong link between the two incidents, and older attempts were found that\r\ndirectly overlapped with these attacks. Over the course of the following months,\r\nseveral more attempts against the same individuals were observed, intended to steal\r\ncredentials for iCloud and Gmail accounts.\r\nBahamut was also observed engaging in reconnaissance and counter-reconnaissance\r\nattempts, intended to harvest IP addresses of emails accounts. One attempt\r\nimpersonated BBC News Alerts, using timely content related to the diplomatic\r\nconflict between Qatar and other Gulf states as bait. 
This message used external\r\nimages embedded in the email to track where the lure would be opened.\r\nObserved\r\nSectors: Political, economic and social.\r\nCountries: Egypt, Iran, Pakistan, Palestine, Qatar, Tunisia, Turkey, UAE.\r\nTools used Bahamut, DownPaper.\r\nOperations performed Dec 2016 Beginning in December 2016, unconnected Middle Eastern human\r\nrights activists began to receive spear-phishing messages in English\r\nand Persian that were not related to any previously-known groups.\r\nThese attempts differed from other tactics seen by us elsewhere, such\r\nas those connected to Iran, with better attention paid to the operation\r\nof the campaign.\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=90fb0276-a977-4d3e-a148-85a95778aebe\n\nOct 2017\nFor three months there was no apparent further activity from the actor.\nHowever, in the same week of September a series of spear-phishing\nattempts once again targeted a set of otherwise unrelated individuals,\nemploying the same tactics as before. Bahamut remains active, and its\noperations are more extensive than first disclosed.\nJun 2018\nCisco Talos has identified a highly targeted campaign against 13\niPhones which appears to be focused on India. The attacker deployed\nan open-source mobile device management (MDM) system to control\nenrolled devices.\nJul 2018\nAndroid-based malware with some similarities to the iOS malware we\nidentified. That post kickstarted our investigation into any potential\noverlap between these campaigns and how they are potentially linked.\nThe new MDM platform we identified has similar victimology with\nMiddle Eastern targets, namely Qatar, using a U.K. mobile number\nissued from LycaMobile. 
Bahamut targeted similar Qatar-based\nindividuals during their campaign.\nJun 2020\nBahamut Possibly Responsible for Multi-Stage Infection Chain\nCampaign\nAug 2021\nBahamut Threat Group Targeting Users Through Phishing Campaign\nJan 2022\nBahamut cybermercenary group targets Android users with fake VPN\napps\nApr 2022 Bahamut Android Malware returns with New Spying Capabilities\nNov 2022\nAPT Bahamut Attacks Indian Intelligence Operative using Android\nMalware\nJul 2023\nAPT Bahamut Targets Individuals with Android Malware Using Spear\nMessaging\nInformation\nLast change to this card: 06 September 2023\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=90fb0276-a977-4d3e-a148-85a95778aebe",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=90fb0276-a977-4d3e-a148-85a95778aebe"
	],
	"report_names": [
		"showcard.cgi?u=90fb0276-a977-4d3e-a148-85a95778aebe"
	],
	"threat_actors": [
		{
			"id": "82b92285-4588-48c9-8578-bb39f903cf62",
			"created_at": "2022-10-25T15:50:23.850506Z",
			"updated_at": "2026-04-10T02:00:05.418577Z",
			"deleted_at": null,
			"main_name": "Charming Kitten",
			"aliases": [
				"Charming Kitten"
			],
			"source_name": "MITRE:Charming Kitten",
			"tools": [
				"DownPaper"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "732bfd4b-8c15-42a5-ac4b-14a9a4b902e9",
			"created_at": "2022-10-25T16:07:23.38079Z",
			"updated_at": "2026-04-10T02:00:04.574399Z",
			"deleted_at": null,
			"main_name": "Bahamut",
			"aliases": [],
			"source_name": "ETDA:Bahamut",
			"tools": [
				"Bahamut",
				"DownPaper"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d8af157e-741b-4933-bb4a-b78490951d97",
			"created_at": "2023-01-06T13:46:38.748929Z",
			"updated_at": "2026-04-10T02:00:03.087356Z",
			"deleted_at": null,
			"main_name": "APT35",
			"aliases": [
				"COBALT MIRAGE",
				"Agent Serpens",
				"Newscaster Team",
				"Magic Hound",
				"G0059",
				"Phosphorus",
				"Mint Sandstorm",
				"TunnelVision"
			],
			"source_name": "MISPGALAXY:APT35",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f99641e0-2688-47b0-97bc-7410659d49a0",
			"created_at": "2023-01-06T13:46:38.802141Z",
			"updated_at": "2026-04-10T02:00:03.106084Z",
			"deleted_at": null,
			"main_name": "Bahamut",
			"aliases": [],
			"source_name": "MISPGALAXY:Bahamut",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "257efa81-fa09-4318-ac8f-7e32b54b88bb",
			"created_at": "2022-10-25T16:07:24.195026Z",
			"updated_at": "2026-04-10T02:00:04.896357Z",
			"deleted_at": null,
			"main_name": "Sima",
			"aliases": [],
			"source_name": "ETDA:Sima",
			"tools": [
				"Luminosity RAT",
				"LuminosityLink",
				"Sima"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "029625d2-9734-44f9-9e10-b894b4f57f08",
			"created_at": "2023-01-06T13:46:38.364105Z",
			"updated_at": "2026-04-10T02:00:02.944092Z",
			"deleted_at": null,
			"main_name": "Charming Kitten",
			"aliases": [
				"iKittens",
				"Group 83",
				"NewsBeef",
				"G0058",
				"CharmingCypress",
				"Mint Sandstorm",
				"Parastoo"
			],
			"source_name": "MISPGALAXY:Charming Kitten",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3676dfe-3d40-4b3a-bfbd-4fc1f8c896f4",
			"created_at": "2022-10-25T15:50:23.808974Z",
			"updated_at": "2026-04-10T02:00:05.291959Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"Magic Hound",
				"TA453",
				"COBALT ILLUSION",
				"Charming Kitten",
				"ITG18",
				"Phosphorus",
				"APT35",
				"Mint Sandstorm"
			],
			"source_name": "MITRE:Magic Hound",
			"tools": [
				"Impacket",
				"CharmPower",
				"FRP",
				"Mimikatz",
				"Systeminfo",
				"ipconfig",
				"netsh",
				"PowerLess",
				"Pupy",
				"DownPaper",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "eeb03ad7-d11f-4600-a587-b7c86aa38e5f",
			"created_at": "2023-01-06T13:46:38.564888Z",
			"updated_at": "2026-04-10T02:00:03.025514Z",
			"deleted_at": null,
			"main_name": "Sima",
			"aliases": [],
			"source_name": "MISPGALAXY:Sima",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "99c7aace-96b1-445b-87e7-d8bdd01d5e03",
			"created_at": "2025-08-07T02:03:24.746965Z",
			"updated_at": "2026-04-10T02:00:03.640335Z",
			"deleted_at": null,
			"main_name": "COBALT ILLUSION",
			"aliases": [
				"APT35 ",
				"APT42 ",
				"Agent Serpens Palo Alto",
				"Charming Kitten ",
				"CharmingCypress ",
				"Educated Manticore Checkpoint",
				"ITG18 ",
				"Magic Hound ",
				"Mint Sandstorm sub-group ",
				"NewsBeef ",
				"Newscaster ",
				"PHOSPHORUS sub-group ",
				"TA453 ",
				"UNC788 ",
				"Yellow Garuda "
			],
			"source_name": "Secureworks:COBALT ILLUSION",
			"tools": [
				"Browser Exploitation Framework (BeEF)",
				"MagicHound Toolset",
				"PupyRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ada9e5d3-1cb2-4b70-a3c8-96808c304ac8",
			"created_at": "2022-10-25T15:50:23.6515Z",
			"updated_at": "2026-04-10T02:00:05.352078Z",
			"deleted_at": null,
			"main_name": "Windshift",
			"aliases": [
				"Windshift",
				"Bahamut"
			],
			"source_name": "MITRE:Windshift",
			"tools": [
				"WindTail"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "1699fb41-b83f-42ff-a6ec-984ae4a1031f",
			"created_at": "2022-10-25T16:07:23.83826Z",
			"updated_at": "2026-04-10T02:00:04.761303Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"APT 35",
				"Agent Serpens",
				"Ballistic Bobcat",
				"Charming Kitten",
				"CharmingCypress",
				"Cobalt Illusion",
				"Cobalt Mirage",
				"Educated Manticore",
				"G0058",
				"G0059",
				"Magic Hound",
				"Mint Sandstorm",
				"Operation BadBlood",
				"Operation Sponsoring Access",
				"Operation SpoofedScholars",
				"Operation Thamar Reservoir",
				"Phosphorus",
				"TA453",
				"TEMP.Beanie",
				"Tarh Andishan",
				"Timberworm",
				"TunnelVision",
				"UNC788",
				"Yellow Garuda"
			],
			"source_name": "ETDA:Magic Hound",
			"tools": [
				"7-Zip",
				"AnvilEcho",
				"BASICSTAR",
				"CORRUPT KITTEN",
				"CWoolger",
				"CharmPower",
				"ChromeHistoryView",
				"CommandCam",
				"DistTrack",
				"DownPaper",
				"FRP",
				"Fast Reverse Proxy",
				"FireMalv",
				"Ghambar",
				"GoProxy",
				"GorjolEcho",
				"HYPERSCRAPE",
				"Havij",
				"MPK",
				"MPKBot",
				"Matryoshka",
				"Matryoshka RAT",
				"MediaPl",
				"Mimikatz",
				"MischiefTut",
				"NETWoolger",
				"NOKNOK",
				"PINEFLOWER",
				"POWERSTAR",
				"PowerLess Backdoor",
				"PsList",
				"Pupy",
				"PupyRAT",
				"SNAILPROXY",
				"Shamoon",
				"TDTESS",
				"WinRAR",
				"WoolenLogger",
				"Woolger",
				"pupy",
				"sqlmap"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434137,
	"ts_updated_at": 1775792040,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/39f27a10fe667b3b7c0c09a0011fb3cd46760aa7.pdf",
		"text": "https://archive.orkl.eu/39f27a10fe667b3b7c0c09a0011fb3cd46760aa7.txt",
		"img": "https://archive.orkl.eu/39f27a10fe667b3b7c0c09a0011fb3cd46760aa7.jpg"
	}
}