{
	"id": "b6e5fbe7-527d-4d93-945e-921d4d69e182",
	"created_at": "2026-04-06T00:16:24.856677Z",
	"updated_at": "2026-04-10T13:11:38.500286Z",
	"deleted_at": null,
	"sha1_hash": "485371cb373a505eff108375fb9f2744deb36e80",
	"title": "APT Bahamut Attacks Indian Intelligence Operative using Android Malware - CYFIRMA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1217100,
	"plain_text": "APT Bahamut Attacks Indian Intelligence Operative using\r\nAndroid Malware - CYFIRMA\r\nArchived: 2026-04-05 14:55:48 UTC\r\nPublished On : 2023-02-10\r\nExecutive Summary\r\nIn November 2022, CYFIRMA detected a cyber-attack on an intelligence operative in India. The threat actor used a carefully staged social engineering approach to deliver and install an .APK on the victim’s mobile: the victim was asked to share some files in encrypted form through an Android app, and the app, which was malicious, was sent directly as an attachment in a Telegram direct message. Once installed, the malicious Android package presented an app with a generic icon that led to a pattern-lock setup screen and a dummy sign-up and login page; the icon shown after installation differed from the icon shown once the app was opened. The threat actor built the app as a decoy for an encrypted file-sharing service. In reality the .APK is only a dummy app with a pattern lock, a login page and a sign-up page, and the pattern-lock layer exists solely to convince the victim that the app is a genuine encrypted file-sharing platform.\r\nETLM Attribution\r\nhttps://www.cyfirma.com/outofband/apt-bahamut-attacks-indian-intelligence-operative-using-android-malware/\r\nPage 1 of 13\n\nResearch revealed that the threat actor Bahamut was behind the attack, and our team attributes it to Bahamut APT with high confidence. The IOCs extracted from the malicious Android package had previously been associated with Bahamut. The actor is known for conducting cyber strikes in the Middle East and South Asia, and the code of earlier malicious apps used by Bahamut is similar to the .APK used in this attack. 
An earlier .APK named “SecureVpn” (b65a8edc06bbeb598e495ccc44dc40e77ab2ef0ab11e136a0a10c24970640b42) was widely used for mass attacks on Android users. This is, however, the first time we have observed Bahamut using a fake secure file-sharing app in a targeted social engineering attack, and the first time CYFIRMA has observed Bahamut targeting intelligence operatives; attacks on intelligence assets are rare in cyber-espionage operations. Bahamut specializes in targeting individuals with strategic social engineering, taking its time and showing great patience while engaging with victims.\r\nCYFIRMA obtained screenshots of the actual attack taking place over Telegram. In the screenshot below, the threat actor asks the victim to use the app to share the files in encrypted form. The actor kept the engagement going for several days and then leveraged the trust it had earned to get the victim to install the app. The attack was detected and dismantled before it could cause any damage.\r\nFigure 1. Screenshots of Bahamut delivering the .APK payload.\r\nAnalysis of the Sample\r\nFile: SafeShare.apk\r\nSystem: Android\r\nMD5: 76b6ff206d11cadde52f37df0d19eecd\r\nSHA1: 34538c92c5e48b62f6523bcbe9961d592a41e32d\r\nSHA256: 45a6a0b2b02a9d288afba1ff41c689be9b9bd40ee862aa4bd6b036e3f0a4c3ab\r\nPackage Name: com.secure.vault\r\nFile Type: APK\r\nProcess Overview\r\nUpon installation, an app named Vault appears in the Apps menu.\r\nFigure 2. 
Vault application shown in the Apps menu.\r\nThe figure below shows the Vault application requesting usage access permission at first launch.\r\nFigure 3. Usage access permission.\r\nAfter opening the app, the victim is taken to a screen to set a pattern lock. This page was added to make the victim believe that the app is a legitimate secure file-sharing app.\r\nFigure 4. Setup Pattern Lock\r\nAfter the pattern lock is set, the app opens the next page with Login and Sign-Up options.\r\nFigure 5. Login Activity.\r\nThis is the last page, where the victim is expected to register for the service.\r\nFigure 6. Dummy Sign-Up Page.\r\nCode Overview\r\nApplication Certificates and Signatures\r\nThe META-INF folder contains the signature file and a self-signed public-key certificate, stored as GOOGLE.RSA. The certificate can be viewed with keytool (keytool -printcert -file META-INF/GOOGLE.RSA). Note that the file name under META-INF is chosen by whoever signs the APK and proves nothing about the signer: a self-signed certificate named GOOGLE.RSA is not a Google signature, and only the certificate’s subject, fingerprint and validity period tell you anything about who built the package.\r\nFigure 7. Keytool.\r\nAndroidManifest File\r\nThis XML file carries the essential information about the application and its components, the required permissions, the libraries and Java packages used, and more, that the Android system needs in order to run it.\r\nBecause the manifest inside an APK is stored in binary XML form, decode it with apktool using the d option.\r\nFigure 8. Apktool d option.\r\napktool decodes all binary XML files, including the Android manifest and the resources, and also disassembles the DEX file with baksmali. 
apktool writes out .smali files, which can be examined with any text editor. The apktool output has the file and folder structure shown below.\r\nFigure 9. APKtool Output.\r\nMain activity (activities are the individual screens of the app) and icon information from the manifest file.\r\nFigure 10. Main Activity \u0026 Icon.\r\nSDK \u0026 API level information from the manifest file.\r\nFigure 11. SDK \u0026 API Level information.\r\nPermissions from the manifest file. The permissions clearly indicate that the malicious .APK was built to harvest as much information as possible from the victim’s mobile.\r\nFigure 12. Permissions.\r\nBelow are a few of the dangerous permissions that the malicious .APK requests.\r\nSr.no Permission Description\r\n1 READ_SMS: allows the attacker to read incoming and outgoing SMS messages.\r\n2 READ_CALL_LOG: allows the actor to read and fetch call logs.\r\n3 READ_CONTACTS: allows the actor to read and fetch contacts.\r\n4 READ_EXTERNAL_STORAGE: allows the actor to browse and fetch files from shared storage.\r\n5 WRITE_EXTERNAL_STORAGE: allows the actor to delete and move files in shared storage.\r\n6 GET_ACCOUNTS: allows the actor to list the accounts configured on the device, i.e. the emails and usernames used to log in to various internet platforms.\r\n7 CAMERA: allows the actor to use the front and back cameras.\r\n8 ACCESS_FINE_LOCATION: allows the actor to fetch the precise location and track the phone’s live movement.\r\n9 WRITE_CALL_LOG: allows the actor to add, modify and delete call-log entries, for example to hide calls from the victim.\r\n10 WRITE_CONTACTS: allows the actor to delete and add contacts.\r\nThe Vault application collects information on 
the device’s contacts, SMS and call logs in the initial stage.\r\nFigure 13. Lock service for collecting information.\r\nBelow is the module that uses the android.permission.ACCESS_FINE_LOCATION permission to fetch the precise location of the compromised user.\r\nFigure 14. Exploiting one of the permissions.\r\nBelow is the module that reveals what information this malicious .APK collects and sends to the C2. It fetches call logs, SMS logs and live coordinates, and captures messages keystroke by keystroke by abusing the accessibility service against apps such as Telegram, Signal, Viber, IMO and Conion.\r\nFigure 15. List of information the malicious app steals from compromised users.\r\nStart the code analysis from SplashActivity, since app execution begins with the main activity and the Application subclass.\r\nFigure 16. Usage Access Setting\r\nAndroid API\r\nAndroid APIs used in this sample, identified by static analysis:\r\nGet SIM Serial Number\r\nInter-Process Communication\r\nGet System Service\r\nURL Connection\r\nBase64 Encode\r\nStarting Service\r\nUDP Datagram Socket\r\nAndroid Notifications\r\nQuery Database of SMS, Contacts, etc.\r\nTCP Socket\r\nMessage Digest\r\nGet Device ID, IMEI, MEID/ESN etc.\r\nCrypto\r\nBase64 Decode\r\nStarting Activity\r\nJava Reflection Method Invocation\r\nURL Connection to file/http/https/ftp/jar\r\nLocal File I/O Operations\r\nHTTP Connection\r\nGPS Location\r\nIn the smali code, const-string loads a string value into a register (v0, v1, and so on), and invoke-direct invokes a direct instance method, i.e. a constructor or a private method. 
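As an added example, not code from the CYFIRMA report or from the SafeShare.apk sample, the following Python script performs the triage described in this section over an apktool output directory: it reads the decoded AndroidManifest.xml for the package name, SDK levels, requested permissions and any accessibility-service declaration, flags the dangerous permissions from the table above, and walks the smali tree collecting const-string literals that look like URLs or IP addresses. The manifest, the smali file, the package name com.example.vault, the service name and the addresses written by build_sample_dir() are constructed for this example (documentation address ranges, not the report's IOCs).

```python
# Added example: triage of an apktool d output directory (not the report's code).
# parse_manifest() reads the decoded text manifest; smali_strings() collects
# const-string literals; network_indicators() keeps the ones that look like
# URLs or IPv4 addresses.  build_sample_dir() writes a constructed sample tree.
import os
import tempfile
import xml.etree.ElementTree as ET

ANDROID_NS = '{http://schemas.android.com/apk/res/android}'
ACCESSIBILITY = 'android.permission.BIND_ACCESSIBILITY_SERVICE'
# Same permissions as the table in the report.
DANGEROUS = {
    'READ_SMS', 'READ_CALL_LOG', 'READ_CONTACTS', 'READ_EXTERNAL_STORAGE',
    'WRITE_EXTERNAL_STORAGE', 'GET_ACCOUNTS', 'CAMERA', 'ACCESS_FINE_LOCATION',
    'WRITE_CALL_LOG', 'WRITE_CONTACTS',
}
Q = chr(34)    # the double-quote character smali puts around string literals
NL = chr(10)


def parse_manifest(path):
    '''Pull triage facts out of a decoded (text) AndroidManifest.xml.'''
    root = ET.parse(path).getroot()
    perms = [e.get(ANDROID_NS + 'name', '') for e in root.iter('uses-permission')]
    sdk = root.find('uses-sdk')
    # a service guarded by BIND_ACCESSIBILITY_SERVICE is an accessibility service
    a11y = [s.get(ANDROID_NS + 'name') for s in root.iter('service')
            if s.get(ANDROID_NS + 'permission') == ACCESSIBILITY]
    return {
        'package': root.get('package'),
        'min_sdk': None if sdk is None else sdk.get(ANDROID_NS + 'minSdkVersion'),
        'target_sdk': None if sdk is None else sdk.get(ANDROID_NS + 'targetSdkVersion'),
        'permissions': perms,
        # compare on the short name so android.permission.X and vendor prefixes both match
        'dangerous': sorted(p.rsplit('.', 1)[-1] for p in perms
                            if p.rsplit('.', 1)[-1] in DANGEROUS),
        'accessibility_services': a11y,
    }


def smali_strings(smali_root):
    '''Collect every const-string literal under smali_root, in sorted file order.'''
    hits = []
    for dirpath, _, files in sorted(os.walk(smali_root)):
        for name in sorted(files):
            if not name.endswith('.smali'):
                continue
            with open(os.path.join(dirpath, name), encoding='utf-8') as fh:
                for line in fh:
                    line = line.strip()
                    if line.startswith('const-string'):
                        # form: const-string vN, <literal>; keep only the literal text
                        hits.append(line.split(',', 1)[1].strip().strip(Q))
    return hits


def network_indicators(strings):
    '''Small heuristic: http(s) URLs and bare dotted-quad IPv4 addresses.'''
    found = []
    for s in strings:
        parts = s.split('.')
        if s.startswith('http://') or s.startswith('https://'):
            found.append(s)
        elif len(parts) == 4 and all(p.isdigit() and int(p) < 256 for p in parts):
            found.append(s)
    return found


def triage(decoded_dir):
    '''decoded_dir is the directory apktool d wrote (AndroidManifest.xml + smali/).'''
    info = parse_manifest(os.path.join(decoded_dir, 'AndroidManifest.xml'))
    info['network_strings'] = network_indicators(
        smali_strings(os.path.join(decoded_dir, 'smali')))
    return info


def build_sample_dir():
    '''Write a constructed apktool-style output tree and return its path.'''
    d = tempfile.mkdtemp(prefix='apk_triage_')
    ET.register_namespace('android', ANDROID_NS[1:-1])
    root = ET.Element('manifest', {'package': 'com.example.vault'})
    ET.SubElement(root, 'uses-sdk', {ANDROID_NS + 'minSdkVersion': '21',
                                     ANDROID_NS + 'targetSdkVersion': '30'})
    for p in ('READ_SMS', 'READ_CALL_LOG', 'ACCESS_FINE_LOCATION', 'INTERNET'):
        ET.SubElement(root, 'uses-permission', {ANDROID_NS + 'name': 'android.permission.' + p})
    app = ET.SubElement(root, 'application', {ANDROID_NS + 'label': 'Vault'})
    ET.SubElement(app, 'service', {ANDROID_NS + 'name': 'com.example.vault.LockService',
                                   ANDROID_NS + 'permission': ACCESSIBILITY})
    ET.ElementTree(root).write(os.path.join(d, 'AndroidManifest.xml'),
                               encoding='utf-8', xml_declaration=True)
    pkg_dir = os.path.join(d, 'smali', 'com', 'example', 'vault')
    os.makedirs(pkg_dir)
    smali = [   # constructed smali; addresses are documentation ranges, not real IOCs
        '.class public Lcom/example/vault/Uploader;',
        '.super Ljava/lang/Object;',
        '.method private send()V',
        '    .locals 2',
        '    const-string v0, ' + Q + 'http://203.0.113.10/upload' + Q,
        '    const-string v1, ' + Q + 'SafeShare' + Q,
        '    const-string v0, ' + Q + '198.51.100.7' + Q,
        '    return-void',
        '.end method',
    ]
    with open(os.path.join(pkg_dir, 'Uploader.smali'), 'w', encoding='utf-8') as fh:
        fh.write(NL.join(smali) + NL)
    return d


if __name__ == '__main__':
    for key, value in triage(build_sample_dir()).items():
        print(key, value)
```

Point triage() at the directory produced by apktool d SafeShare.apk instead of build_sample_dir() to run it on a real sample. The URL/IP heuristic only sees literals loaded with const-string: strings assembled at run time or decoded from Base64 (the API list above includes Base64 Decode) will not show up and need the encoded blobs decoded or a dynamic run, which is also why the C2 domain and IP in this report were confirmed from the module itself rather than from a string scan alone.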
invoke-direct takes a register list (here p0, the instance’s this reference) and the reference to the method to be called.\r\nFigure 17. Smali Code Analysis.\r\nThe screenshot below shows the module collecting the data with SQL queries.\r\nFigure 18. SQL queries.\r\nThe module contains the domain name and IP address of the command-and-control server.\r\nFigure 19. URL \u0026 IP.\r\nList of IOCs\r\nSr.no Indicator Type Remarks\r\n1 45a6a0b2b02a9d288afba1ff41c689be9b9bd40ee862aa4bd6b036e3f0a4c3ab SHA-256 SafeShare.apk\r\n2 cdw1ir0dc9g3dwl5oh1y.de DNS C\u0026C\r\n3 http://45.156.84.129 IP C\u0026C\r\nMITRE ATT\u0026CK™ Techniques Detection\r\nSr.no Tactic Technique ID\r\n1 TA0028: Persistence T1398: Boot or Logon Initialization Scripts\r\n2 TA0032: Discovery T1418: Software Discovery; T1420: File and Directory Discovery; T1426: System Information Discovery\r\n3 TA0035: Collection T1430: Location Tracking; T1429: Audio Capture; T1512: Video Capture; T1417.001: Input Capture: Keylogging; T1636.002: Protected User Data: Call Log; T1636.004: Protected User Data: SMS Messages; T1636.003: Protected User Data: Contact List\r\n4 TA0037: Command and Control T1437.001: Application Layer Protocol: Web Protocols\r\n5 TA0036: Exfiltration T1646: Exfiltration Over C2 Channel\r\nConclusion\r\nBahamut is Iran’s state-sponsored Advanced Persistent Threat group and communicates in Urdu during its strategic social engineering attacks. This indicates that the threat actor knows its target very well and is focused on compromising the individual target even when that means going the extra mile. In another example, the threat actor injected code to track keystrokes entered in Conion. 
Conion is a Tor-based chat app that is currently seen as an alternative to Signal and is not well known, which again shows that the threat actor is clear about its aim. The mobile campaign operated by the Bahamut APT group is still active. Further, the spyware code, and hence its functionality, is the same as in previous campaigns, including collecting the data to be exfiltrated in a local database before sending it to the operators’ server, a tactic rarely seen in mobile cyber-espionage apps.\r\nSource: https://www.cyfirma.com/outofband/apt-bahamut-attacks-indian-intelligence-operative-using-android-malware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.cyfirma.com/outofband/apt-bahamut-attacks-indian-intelligence-operative-using-android-malware/"
	],
	"report_names": [
		"apt-bahamut-attacks-indian-intelligence-operative-using-android-malware"
	],
	"threat_actors": [
		{
			"id": "732bfd4b-8c15-42a5-ac4b-14a9a4b902e9",
			"created_at": "2022-10-25T16:07:23.38079Z",
			"updated_at": "2026-04-10T02:00:04.574399Z",
			"deleted_at": null,
			"main_name": "Bahamut",
			"aliases": [],
			"source_name": "ETDA:Bahamut",
			"tools": [
				"Bahamut",
				"DownPaper"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f99641e0-2688-47b0-97bc-7410659d49a0",
			"created_at": "2023-01-06T13:46:38.802141Z",
			"updated_at": "2026-04-10T02:00:03.106084Z",
			"deleted_at": null,
			"main_name": "Bahamut",
			"aliases": [],
			"source_name": "MISPGALAXY:Bahamut",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ada9e5d3-1cb2-4b70-a3c8-96808c304ac8",
			"created_at": "2022-10-25T15:50:23.6515Z",
			"updated_at": "2026-04-10T02:00:05.352078Z",
			"deleted_at": null,
			"main_name": "Windshift",
			"aliases": [
				"Windshift",
				"Bahamut"
			],
			"source_name": "MITRE:Windshift",
			"tools": [
				"WindTail"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434584,
	"ts_updated_at": 1775826698,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/485371cb373a505eff108375fb9f2744deb36e80.pdf",
		"text": "https://archive.orkl.eu/485371cb373a505eff108375fb9f2744deb36e80.txt",
		"img": "https://archive.orkl.eu/485371cb373a505eff108375fb9f2744deb36e80.jpg"
	}
}