{
	"id": "4db0775e-1099-4abc-af96-874c4f833194",
	"created_at": "2026-04-06T00:10:07.545279Z",
	"updated_at": "2026-04-10T03:34:00.638817Z",
	"deleted_at": null,
	"sha1_hash": "60b374976e1a1a88d1f431bb295b737d180acbfe",
	"title": "Bahamut, Pursuing a Cyber Espionage Actor in the Middle East - bellingcat",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1582787,
	"plain_text": "Bahamut, Pursuing a Cyber Espionage Actor in the Middle East -\r\nbellingcat\r\nBy Collin Anderson\r\nPublished: 2017-06-12 · Archived: 2026-04-05 15:41:12 UTC\r\nThis post was co-authored with Claudio Guarnieri,  a security researcher specialized in investigating computer attacks and\r\ntracking state-sponsored hacking campaigns. He contributed to this report independently from any affiliation.  \r\nIntroduction\r\nBeginning in December 2016, unconnected Middle Eastern human rights activists began to receive spearphishing messages\r\nin English and Persian that were not related to any previously-known groups. These attempts differed from other tactics seen\r\nby us elsewhere, such as those connected to Iran, with better attention paid to the operation of the campaign. Curiously, the\r\ntwo initial targets have little in common with each other aside from human rights activism – although not having worked on\r\noverlapping issues or countries. This dissimilarity only grew with the further enumeration of other targets, describing a\r\nbroad targeting across the Middle East without wholly implicating any particular interest, despite clear political intent.\r\nAfter extensive work to unpack other potential attacks, we begin to describe an actor that has demonstrated higher than\r\naverage care to avoid discovery, and shown an ability to learn quickly from past mistakes. Efforts to track the operator\r\ndescribe a group that is broadly interested in a diverse set of Middle Eastern interests, from Iranian women’s rights activists\r\nto Turkish government officials, and from Saudi Aramco to a Europe-based human rights organization focused on the\r\nregion. A significant number of the targets of the group are connected to Qatar’s domestic and international politics, drawing\r\nrecurring parallels to previous campaigns and suggesting a partial connection to the country. 
Few state interests would\r\nconvincingly account for why someone would engage in espionage against Egyptian lawyers at the same time as Iranian\r\nreformists, leaving open the possibility that the operator is a non-state actor with diverse motivations. Still, the operation’s\r\nambitious attempts against Arab foreign ministers and civil society, and dozens of others, warrant special interest. These\r\nincidents also reflect current tensions among Gulf states, undergirding the ubiquitous and central role of cyber espionage in\r\nMiddle Eastern statecraft.\r\nIn the absence of personally-identifiable information or even descriptive identifiers within the campaigns, we are labeling this\r\nactor “Bahamut,” after Jorge Luis Borges’ monstrous fish afloat in the fathomless Arabian Sea from the Book of Imaginary\r\nBeings. Regardless of who is behind the campaign, these incidents provide a window into the broad scale of Middle Eastern\r\ncyber espionage and the constant struggles in attribution of attacks, and we attempt for this report to be understandable even\r\nfor those not as well versed in digital forensics or cyber security.\r\nCredential Harvesting\r\nOur direct observations of in-the-wild spearphishing attacks staged by the Bahamut group have solely been attempts to\r\ndeceive targets into providing account passwords through impersonation of notices from platform providers. The tactics\r\ntaken in these attempts revolve around credential theft, and while the group is not extremely sophisticated it has sometimes\r\ndemonstrated considerable ingenuity, flexibility and professionalism. Bahamut was first noticed when it targeted a Middle\r\nEastern human rights activist in the first week of January 2017. Later that month, the same tactics and patterns were seen in\r\nattempts against an Iranian women’s activist – an individual commonly targeted by Iranian actors, such as Charming Kitten\r\nand the Sima campaign documented in our 2016 Black Hat talk. 
Recurrent patterns in hostnames, registrations, and phishing\r\nscripts provided a strong link between the two incidents, and older attempts were found that directly overlapped with these\r\nattacks. Over the course of the following months, several more attempts against the same individuals were observed,\r\nintended to steal credentials for iCloud and Gmail accounts.\r\nhttps://www.bellingcat.com/news/mena/2017/06/12/bahamut-pursuing-cyber-espionage-actor-middle-east/\r\nPage 1 of 19\n\nBahamut Credential Harvesting Targeting Apple ID Accounts\r\nBahamut Credential Harvesting Targeting Google Accounts\r\nThe credential harvesting campaigns that were observed reflect a moderately professional attempt at impersonation of\r\nplatform providers, certainly better than the average level of care and preparation seen in the everyday cybercrime that most\r\npeople have become accustomed to. Messages included titles such as “Security info Confirmation” and “Verify your added\r\nemail,” warning the user to sign in to confirm their account settings or they would lose access. Later attempts posed as a\r\nwarning to the recipient that the application Truecaller had been granted full access to their account, and that “if you did not\r\nrеmоvе this аpp, the аpp rеquеst will be cоnfirmеd” (sic). As is also common, these messages were sent from Gmail\r\naccounts registered to appear official (e.g. info.auth.services (at) gmail). To improve credibility, the attackers even displayed\r\na correct but redacted phone number for the account, which we believe they found through the account recovery process of\r\nGmail. 
Based on crawling the attacker’s infrastructure, other pages hosted on the same site appeared designed to capture the\r\nsecond credential in two-factor authentication or to compromise the account through deceiving the user to engage in\r\nGoogle’s account recovery process.\r\nTracking Emails Sent to Targets\r\nBahamut was also observed engaging in reconnaissance and counter-reconnaissance attempts, intended to harvest IP\r\naddresses of email accounts. One attempt impersonated BBC News Alerts, using timely content related to the diplomatic\r\nconflict between Qatar and other Gulf states as bait. This message used external images embedded in the email to track\r\nwhere the lure would be opened. Timestamps contained in the URLs of these tracking images indicate that they were\r\nuploaded on April 20. The tactic also aligns with the credential theft attempt we describe in the following section, including\r\nwith respect to timing.\r\nTracker Image (Unix timestamp 1492692894 in the URL path):\r\nhxxp://res.cloudinary[.]com/demcz0ffi/image/upload/v1492692894/inx_header_j31vtx.png\r\nArabic Language Version of Google Credential Theft Campaign\r\nTwo features stand out within these phishing pages. First, Bahamut is a multi-lingual actor, although an imperfect one.\r\nSamples of attempts were observed in English, Arabic and Persian, with two-letter language codes passed as parameters to\r\nthe phishing site to tailor the page to the victim. Based on adjusting these parameters, there was no indication that other\r\nlanguages – not even regional languages such as Turkish, Hebrew, Kurdish, or Urdu – were supported on the phishing pages,\r\nlet alone French or other international languages.\r\nAnother minor but common improvement was the group’s evasion tactics. 
Bahamut often replaces Latin characters with\r\nsimilar letters from other alphabets (Unicode homoglyphs) in messages and pages. This means that, for example, the Latin\r\nletter “i” is replaced with the visibly-indistinguishable Cyrillic version “і” in key terms. This technique is generally used to\r\navoid automated scanning by spam filters or other security systems that are looking for suspect words or phrases such as\r\n“sign in.”\r\nΡlеаse sіgn in аgаin to\r\ncоntinuе to Gmаіl\r\n(Greek Rho)l(Cyrillic e)(Cyrillic a)se s(Cyrillic i)gn in (Cyrillic a)g(Cyrillic a)in to\r\nc(Cyrillic o)ntinu(Cyrillic e) to Gm(Cyrillic a)(Cyrillic i)l\r\nVictimology\r\nWhat makes Bahamut novel is not their techniques but their interests. Across our brief windows of visibility into their\r\nactivity, there is a consistent set of fundamental interests that suggests political espionage rather than economic motivations.\r\nBahamut is not an ordinary cybercrime campaign. Through directly reported phishing incidents, artifacts harvested from\r\ntheir infrastructure, and other public records, Bahamut appears to be a sustained campaign focused on diverse political,\r\neconomic, and social sectors in the Middle East.\r\nFake Google News Alert Targeting Anwar Gargash\r\nBy our observation, the spearphishing attempts appear to be narrowly targeted against a limited number of individuals\r\n(perhaps in the lower ‘tens’ per month) rather than broad scale. In one instance, in late April 2017, Bahamut appears to have\r\nimpersonated a Google News alert for an article about Middle Eastern government support for Donald Trump as a lure\r\ntargeting Anwar Gargash, the U.A.E. Minister of State for Foreign Affairs (screenshot inline from an attempt against\r\nGargash that we observed, which also aligns with our BBC notice). 
At the same time, with the same infrastructure, the false\r\nnotice about the application Truecaller was used to target a relative of Iranian President Hassan Rouhani, a Saudi college\r\nstudent, two Iranian dissidents, and the head of an Emirati think tank.\r\nOperational security failures on the part of the attackers enabled a brief look into their activities. The phishing site in several\r\nBahamut attempts included a profile picture of the target to increase the appearance of legitimacy. These images had\r\npredictable and short filenames, often the target’s initials (hypothetically, ‘ag.jpg’ for Anwar Gargash). As a result, we could\r\nenumerate potential targets through making requests for combinations of letters. This is a time-consuming and aggressive\r\nprocess: for a three-character maximum (from ‘a.jpg’ up to ‘zzz.jpg’) the search would entail 17,576 requests. These images\r\nwere also organized in different folders – an organizational structure that could either reflect different campaigns or internal\r\nprocesses (with folder names of ‘ky’, ‘ct’, ‘dy’, and ‘er’). To search all four folders further increased the number of requests,\r\ninvolving 70,304 requests for each site. While not a stealthy search, when a similar opportunity arose in our investigation for\r\nAmnesty’s “Operation Kingphish” report, it was a successful and worthwhile one.\r\nWe could be reasonably confident that those images that were returned in this brute force search were individuals targeted by\r\nBahamut. The profile pictures also included metadata indicating that the images were copied from Google profiles, further\r\nsuggesting prior reconnaissance. Multiple individuals identified in this manner later confirmed receiving spearphishing\r\nmessages in recent months; none were surprised about the apparently political nature of the campaign.\r\nThis search yielded 59 images on three domains, with a little more than half being unique pictures. 
Where the individuals\r\ntargeted could be identified, the themes reinforce the hypothesis that Bahamut is focused on Middle Eastern political and\r\neconomic institutions. Moreover, the limited number of non-Middle Eastern targets – Swiss and British nationals – have\r\nprolonged involvements in the region as journalists, diplomats, or human rights advocates. Of those clearly identifiable, the\r\ntargets have been primarily located in Egypt, Iran, Palestine, Turkey, Tunisia, and the United Arab Emirates, including:\r\nArab Middle East\r\na company that provides financial services that caters to high-net worth clients with an emphasis on “confidentiality”;\r\nEgypt-focused media and foreign press, including individuals previously imprisoned in the country;\r\nmultiple Middle Eastern human rights NGOs and local activists;\r\na diplomat in the Emirati Ministry of Foreign Affairs, the Emirati Minister of State for Foreign Affairs, and the head\r\nof an Emirati foreign policy think tank;\r\na prominent Sufi Islamic scholar; and,\r\nthe Union of Arab Banks.\r\nTurkey\r\na Delegate of Turkey to UNESCO; and,\r\nthe Turkish Minister of Foreign Affairs.\r\nIran\r\na relative of the President of Iran;\r\na women’s rights activist and a prominent female journalist in the diaspora; and,\r\na reformist politician who is an advisor to the former President Khatami.\r\nStill more references in Virustotal and other databases implicate the actor in additional attempts against Gulf institutions,\r\nincluding the Prime Minister’s Court of Bahrain, the Saudi Minister of Energy, and a former member of the Saudi Arabian\r\nNational Security Council. 
It is also notable that for a Middle East focused actor, none of the targets of the Bahamut\r\noperation appeared to be connected to Israel, but we do not believe the group to be Israeli.\r\nInfrastructure\r\nBahamut has taken clear precautions in order to avoid scrutiny. Often researchers unravel the vast network of infrastructure\r\nused in attacks through following the connections created by the reuse of email addresses in domain name registrations and\r\nsite hosting. Bahamut’s vigilance cuts the trail short quickly.\r\nWeb Created Across Bahamut’s Registration Addresses\r\nA consistent theme in the registration of Bahamut domain names is the use of private registration services and throwaway\r\naccounts from the Mail.Ru Group. The fictitious email addresses are fairly consistent – an Anglo-European name sometimes\r\nfollowed by a number at mail.ru. Each account is used for the registration of only one domain. These addresses also appear\r\nin the other records for the domain (specifically, the Start of Authority record in DNS). Only on rare occasions do the\r\nattackers slip up and mismatch the accounts used between both records. A subtle web is woven based on the accounts being\r\nconnected through their reuse as recovery addresses when they create new accounts.\r\nSimilarly, while multiple phishing sites are maintained by Bahamut in parallel, the sites are hosted on their own dedicated\r\nservers. While domains may be reused across time, the attackers use different subdomains for different campaigns.\r\nImportantly, they are quick to take down sites that appear to have been noticed. 
These shutdowns also provide a fingerprint of\r\nBahamut, albeit one non-exclusive to the group: they commonly entail redirection (HTTP 302 code) to the\r\n“www.accessdenied.com” site.\r\nAttack subdomains for Bahamut, including a subdomain believed to target the Prime Minister’s Court of Bahrain (domain:\r\nmy-validation[.]info):\r\nvalid.appid.support.validate-maillogon.service.authuser.continue.frontend.reason.redirect.file-manager.version-9.1.101.view-settings.svjjykd5v2vum3fbsxlgmxfmr3pjdklh.access-https.my-validation[.]info\r\nvvebrnail.prnc.gov.bh.362393h11idk.930012hfifd994.acccess.authdll.my-validation[.]info\r\nFree hosting provider used by Bahamut to avoid scrutiny.\r\nOur investigation has also shown a clear learning process. Whereas previous sites would stay active for days after an\r\nattempt, in recent incidents the site was deleted within minutes (perhaps automatically) and the subdomain is taken offline within\r\nthe day. In doing so, Bahamut narrowed the window for forensic investigation, quite effectively. After the crawling of\r\nimages and victim information was noticed, Bahamut took further steps to hide their infrastructure – using free hosting\r\nservices as redirection mechanisms and for hosting images used in phishing emails.\r\nOverlapping Infrastructure\r\nWhile Bahamut took precautions to avoid linkability, it has concentrated on a limited number of networks. Specifically, it\r\nhas a tendency to use hosting companies known to be slow to respond to abuse. These habits build fingerprints. Combining\r\ntheir preference for certain networks with their patterns in fictitious registration addresses, we can begin to build searchable\r\nindicators to identify other domains associated with the same group – albeit weak indicators.\r\nIn order to identify more of the attacker’s infrastructure, we aggregated all the domain names we could find that have been\r\npointed to the networks known to be used by Bahamut from various sources (e.g. 
passive DNS and DomainTools). We then\r\nqueried those domains (for the SOA “rname” record) and flagged those with a Mail.Ru Group address. Mistakes on their\r\npart also led to more suspicious mail addresses to search on. The resulting group was surprisingly small given the open-ended search (included in the Indicators of Compromise section below). No resulting domain appeared to be a legitimate\r\nsite, or even directed toward more standard cybercrime. Most appeared to be credential harvesting sites similar to our\r\noriginal set, with some confirmed to be malicious and relevant based on URLs appearing in Virustotal.\r\nFour domains stand out as different from credential theft and are worth additional discussion.\r\nmy-validation[.]info 91.235.143.214\r\nalfajrtaqni[.]org 91.235.143.199\r\n86400   IN      SOA     ns1.alfajrtaqni.org. wendy.walker.bk.ru.\r\n2016051403 3600 7200 1209600 86400\r\nOne of the domains within this set is a mirror of the al Qaeda-associated Al Fajr Media Center Technical Committee. al-Fajr\r\nMedia Center is the developer of the “Security of the Mujahid” (Amn Almujahid) encryption application, and the site in\r\nquestion hosts copies of the application. Despite the creation of the domain in March 2016, it appears to be an out of date\r\nmirror of the al-Fajr Media Center captured in March 2015, potentially from another mirror (alfajrtaqni[.]ws). While the\r\nsuspicious al-Fajr Media Center hosts an older version of the organization’s Android and Windows applications, with newer\r\nversions posted to the real site after the snapshot was taken, those files appear to be the same as the original (same checksums).\r\nThere is little indication as to how the site was used.\r\nThe remaining three are equally interesting:\r\nDomain IP DNS SOA Record (Includes Mail.Ru Group Email)\r\n16linesquran[.]info. 
178.17.171.140\r\n86400   IN      SOA     ns1.16linesquran.info. m.cutov.mail.ru.\r\n2016041500 3600 7200 1209600 86400\r\nkhuaitranslator[.]com. 178.17.171.39\r\n86400   IN      SOA     ns1.khuaitranslator.com. andy.mingle.mail.ru.\r\n2017040514 3600 7200 1209600 86400\r\ntimesofarab[.]com 91.235.143.246\r\n86400   IN      SOA     ns1.timesofarab.com. randall.kaine.mail.ru.\r\n2017010303 3600 7200 1209600 86400\r\nAndroid Malware\r\nTwo of the suspicious sites are connected with Android applications, which are custom malware agents that have not been\r\nwidely-promoted (again, unlike most cybercrime). The “16 Lines” and “Khuai Translator” applications have small\r\ninstallation bases (respectively, “50-100” and “1-5” from Play Store statistics). The 16 Lines app, last released in March 2016,\r\nis a fully functional Urdu-language Quran application. Khuai Translator is a Chinese-English translator that relies on\r\nYandex’s translation service (despite also including code for Microsoft’s service) and is a little more than four months old.\r\nUnsurprisingly, Khuai Translator appears to have appropriated its name from a Firefox extension, and 16 Lines from a\r\nQuran archive. 
In neither case is it clear who the intended audience of the application is, and there is little record of their\r\ndomains being pushed to targets.\r\n16 Lines Quran https://play.google.com/store/apps/details?id=holy.qur.quran szymon.tchorzewski88@gmail.com\r\nKhuai Translator https://play.google.com/store/apps/details?id=org.translator.chinese caren.hee789@gmail.com\r\nKhuai Translator\r\n16 Lines Quran\r\nPermissions Required for 16 Lines Quran\r\nAs would be expected, both applications are designed to exfiltrate private information from the mobile device and monitor\r\nthe activities of the target, reporting back to the attacker:\r\nSMS messages and phone call logs;\r\ncontact information from the address book;\r\nbrowser history and bookmarks;\r\nphone hardware identifiers; and,\r\nprecise location and network information.\r\nBoth also advertise recording functions in the actual application, such as recording Quranic recitations or words for\r\ntranslation. This may be offered in order to provide a veneer of legitimacy to their large set of required permissions.\r\nThe malware is also of low quality – in version 1.1 of Khuai Translator, the URLs to report back to the attacker contain\r\ntypos (e.g. “htpp://”) that would lead to them being non-functional. 
This was resolved in a subsequent update, but other\r\ntypos are present in both applications across web properties, internal functions, and application dialogues, suggesting that\r\nquality was not a priority for the attackers.\r\nShared Code in Khuai Translator and 16 Lines Quran\r\nWhile the two applications are not exactly the same malware, both appear to have the same core design and tactics, such as\r\nhiding the malicious functions within classes that appear related to the legitimate application. In both applications, the\r\nmalware strangely reports back to a different web address for each type of information with the full URL repeatedly defined;\r\nthis works fine, but is not something a mature programmer would do. These URLs are individually scattered across the\r\napplication and encrypted to reduce detection (AES-128-ECB and encoded within the latin1 character set). Both samples appear\r\nto share the same code for voice recording, network transmission, and encryption of URLs. These commonalities, down to\r\nsimilarly patterned contact addresses on the Play Store, strongly suggest that they have the same maintainers despite the use\r\nof pseudonyms and minor differences.\r\nHiding Browser Monitoring Functions in Application Code Labeled as Translation Services\r\nGiven the natural differences in audiences between the Android malware and the credential harvesting (China and Pakistan\r\nversus the Middle East), it is difficult to be fully confident of the link between both operations. Nothing within the\r\napplications directly connects both campaigns, despite other vague similarities. 
For example, the beacon endpoints of both\r\napplications are loosely reminiscent of those of the Bahamut spearphishing campaigns, with short file names, use of the PHP\r\nscripting language, and locations within randomly-named folders:\r\nhttp://www.16linesquran[.]info/dhReqIopT/QzXrvTHG/ct.php\r\nhttp://www.khuaitranslator[.]com/TQaxcTr/spPlVl/WordTranslate.php\r\nAs of the time of publication, the site associated with 16 Lines Quran was down, returning the same 403 Forbidden message\r\nfamiliar on Bahamut sites. The Khuai Translator site and the malware endpoints remain operational.\r\n16 Lines Quran Removed with Error Similar to Known Bahamut Pages.\r\nTimes of Arab\r\nLast within the search results is the “Times of Arab” (timesofarab[.]com), on face value the only legitimate-appearing site.\r\nThe Times of Arab is particularly relevant to the Bahamut campaign as it is focused exclusively on the Gulf region. Those\r\nbehind the site have been consistently active for at least five months. As with the al-Fajr Media Center, its end intent is\r\nunclear as no malicious activity has been observed. However, the content and description of the site warrants scrutiny. For\r\nexample, the About page for the Times of Arab is notable for its overall generic mission and claim of threats against staff\r\n(repetition and quotes in original).\r\nTimes of Arab Home Page\r\nTo bring substantial news to the surface, which is otherwise underreported by the global media. Our journalists\r\nensure the stories that reach you are impartial and unaffected from any sort of vested interest. We want to reshape\r\nthe world media by strengthening our bond with the readers, a bond formed with trust and truth. 
The defined goals\r\nare the reason why Times of Arab audience is growing rapidly – audience that appreciates our work.\r\nResponsibilities shared by our employees are strenuous, but they are needed in order to report news that is free\r\nfrom perception of any country, state, organization or individual. Although Times of Arab is centered in the\r\nMiddle-East, our revelations also encompass incisive range of global issues. Times of Arab journalists keep a low\r\nprofile and wear masks of anonymity due to threats they have recently received from different directions. “Times\r\nof Arab journalists keep a low profile and wear masks of anonymity due to threats they have recently received\r\nfrom different directions.”\r\nThe premise of threats against the Times of Arab is surprising given the content. The articles posted to the site are uniformly\r\npositive stories about Gulf regimes copied from elsewhere, including from regional state media organizations.\r\nStrange Content Posted to Times of Arab\r\nThe content is both targeted and irregular in quality. The Times of Arab often posts nonsensical articles with mismatched\r\ntitles, strange combinations of images, and misspelled country names within the filenames of images (e.g. “soudi,” “saoudi,”\r\n“kuaiti,” and “behrain”). For example, an ominous image with the phrase “Arab Spring” – referring to the 2011 uprisings –\r\nheadlines one article where the content covers a seasonal basketball game that was copied from an Arab, Alabama\r\nnewspaper (hence, ‘Arab spring game’). 
While there are occasional technology stories, the majority of the articles focus on\r\nregional labor rights and social issues with titles such as “Nepal leaders praise Qatar’s treatment of expat labour” and “[FIFA\r\nchief] Infantino praises progress on Qatar 2022 worker conditions.” This focus recalls the themes in targeting in the\r\nOperation Kingphish campaign.\r\nThe Times of Arab is active across social media, with its uploaded YouTube videos being copied content from AP, Al\r\nJazeera, and other personal YouTube videos – again primarily about Qatar and the Gulf region. The Twitter account of the\r\nTimes of Arab follows several human rights organizations, such as ARTICLE 19, Amnesty International, Human Rights Watch,\r\nincluding their regional accounts, as well as Qatar and Emirati related accounts – also reminiscent of Operation Kingphish.\r\nSocial Media Presence, All Copied Content\r\nAttribution and Origin\r\nThe measures taken by the attackers to conceal their identity have constrained our ability to make definitive assertions about\r\nwho is behind the Bahamut campaign. As noted previously, the consistent use of fictitious personas in registration and\r\nmaintenance of infrastructure leaves a short trail. The scripts and sites themselves do not have obvious hints as to their\r\norigins. Extending out the potential activity to include malware posing as a Chinese-English translator clouds the picture\r\nfurther.\r\nOn two occasions, compromised accounts provided IP addresses connected to the attackers. In the first case, initially, the\r\nattacker accessed a breached account using a feature that allows Mail.Ru accounts to access Gmail accounts (if they have the\r\nproper credentials). 
This approach allowed the attacker to conceal their original address, to bypass Google’s monitoring of\r\nsuspicious logins, and to maintain persistent access. However, later they attempted to access the accounts through logging in\r\ndirectly, doing so through two networks in Europe – at least one that was an OpenVPN server (185.113.128[.]207 and\r\n185.161.208[.]37). These addresses provide little direct insight into where the attacker is located, but did bolster their\r\noperational security credentials.\r\nIn a second case, an account was breached in early morning hours Gulf time through an ADSL connection provided by\r\nEmirates Telecommunications Corporation in Abu Dhabi, United Arab Emirates (83.110.89[.]246). However, this traffic\r\ncould be originating from a compromised machine – a possibility supported by the number of exposed services found in a\r\nportscan of the address. The overlap would be especially surprising given that this occurred within the context of attempts\r\nagainst the Emirati Foreign Minister.\r\nBahamut appears on face value to have common traits with Operation Kingphish, but operates as though it were a generation\r\nahead in terms of professionalism and ambition. The phishing sites found in the campaign also recall some of the design\r\nchoices made with the Operation Kingphish attempts against Qatar-focused labor rights activists. For example, the\r\nropelastic[.]com phishing site from Operation Kingphish used the same hosting providers seen in Bahamut, had a similar\r\noverreliance on the tinyurl URL shortener, and was registered with a “stuart.boarden@mail[.]ru” address (that also used\r\nanother Mail.Ru account as backup, “mik*********@mail.ru”). This extends to the variable names within the source code of\r\nphishing pages and other infrastructure choices of the attackers. 
Still other artifacts on the spearphish pages are similar and\r\nreflect a common thought process, but Bahamut is always an improvement on Operation Kingphish.\r\nOperation Kingphish\r\nIP: 178.17.171[.]25 (AS43289, I.C.S. Trabia-Network S.R.L., Moldova)\r\nPhishing URL: rqeuset.hanguot.g-puls.viwe.accnnout-loookout.auditi.devisionial-checlkout.inistructiion-mutuael.halftoine.appliacctiorn-gurad-way.leigacy-fs.termp-forn.provider-saefe.alvie-valuse.token-centeir.recollect.label.ping2port[.]info/?ml=[REDACTED]=\u0026n@e=[REDACTED]\u0026P4t=[REDACTED]\u0026Re3d=aHR0cDovL3Rpbnl1cmwuY29tL2g5d3h3cDg=\u0026pa=2\u0026gp=1\r\nProfile Image: ping2port[.]info/pc/dl/[REDACTED].jpg\nBahamut\nIP: 178.17.171[.]145 (AS43289, I.C.S. Trabia-Network S.R.L., Moldova)\nPhishing URL:\ngdrive.mydocument.validate.googlsupport.servicelogon.continue.owa.frontend.redirect.reason.file-manager.version-9.912.settings.sxoxakuxsgtis3vgslrrs0x6zjfwwlnjbsdfsm.access-https.authprofile[.]info/m/?t0R1I2A=[REDACTED]=\u0026nJm=[REDACTED]==\u0026pc=\u0026ReJd5S=[REDACTED]\u0026gn=1\u0026hr=[REDACTED]==\u0026lan=en\u0026rc=\u0026VeRcEm=\u0026VeRcPh=\nProfile Image: authprofile[.]info/iMHgT/dy/[REDACTED].jpg\nComparison of HTML of Kingphish and Bahamut Google Phishing Pages\n\u003c!– http-ref –\u003e\n(…)\nUnlike Operation Kingphish, which from our observation was mostly focused on internal Qatari politics, Bahamut is\nresponsive to the internal affairs of several Middle Eastern countries – targeting individuals that are solely focused on\ndomestic politics of different countries at sensitive times, such as Iranians in the lead up to the Iranian Presidential election\nin May 2017. 
As a result, there is not yet a definitive link between Kingphish and Bahamut despite the overlap in time.\nDespite its focus on Iranian targets, Bahamut does not appear to be Iranian, or well prepared to effectively target Persian\nspeakers. In the one Persian-language spearphishing email observed, the content was poorly written with the grammatical\nmistakes that would be expected of Google Translate. The attackers also incorrectly use “pe” to identify whether the\nphishing page should be Persian – we would expect that a Persian-language speaker would be aware that the correct\ndesignation is “fa.”\nPersian-language phishing emails, with grammatical errors.\nRelatedly, the English used in the messages reflected the grammatical mistakes of a non-native speaker (rather than a translation)\ncombined with a lack of concern or awareness about professionalism. The single Arabic-language page that we were able to\nfind had a similar lack of professionalism – using the Arabic for “verify” rather than the “sign in” that is actually used by\nGoogle. Unlike the Persian, this was seemingly a mistake of professionalism rather than capability and did not necessarily\nindicate the use of a translation service.\nWe would be remiss not to address the frequent use of Russian services: this does not stand out beyond what we might\nexpect of someone attempting to avoid scrutiny, such as using a provider that does not require phone numbers or comply\nwith U.S. law. Many non-Russian groups use services such as Yandex and Mail.Ru, and so there is no indication of Bahamut\nbeing of Russian origin.\nIn the end, our selection of the name “Bahamut” is motivated by the strange behavior of the group, which seems to sprawl\r\nacross different countries and contexts. 
If the malware agents, Kingphish, and the observed spearphishing attempts are all in\r\nfact related, then Bahamut’s interests exceed our expectations for the espionage activities of a single Middle Eastern country.\r\nWhile Gulf countries have global interests, the targeting of obscure Iranian reformist figures, let alone the creation of Urdu-\r\nand Chinese-language malware applications, stretches the boundaries of imagination. Taken in the context of the overlapping\r\ndomains, the diversity suggests that Bahamut is not necessarily a state actor, and instead could be a more independent entity\r\nseeking financial remuneration from more than one client.\r\nConclusion\r\nWhoever is behind the spearphishing and malware documented here, the Bahamut campaign is descriptive of how unique the\r\nMiddle East is in terms of cyber espionage and other cyber operations. The diverse set of political and economic interests\r\nthat makes the region so contentious draws in attention from many actors with different motivations. These incidents also bear\r\nwitness to a region in technological transition. As is well documented by now, international powers are actively engaged in\r\ncyber espionage against diverse targets in the Middle East, while several regional states have begun to pursue their own\r\ninterests. These offensive and defensive capabilities are not uniform, and the purchase of arms from abroad has not been\r\nshown to include tools for conducting cyber operations (aside from surveillance platforms). 
Bahamut is therefore notable as a\r\nvision of the future where modern communications have lowered barriers for smaller countries to conduct effective\r\nsurveillance on domestic dissidents and to extend themselves beyond their borders.\r\nIndicators of Compromise\r\nStaging\r\ndpasdas.000webhostapp[.]com\r\nmailgooqlecominboxasm9003nmjknsidnpopjdasdkopm.000webhostapp[.]com\r\nObserved Credential Harvesting\r\nauthprofile[.]info\r\nauthuser[.]info\r\nmyprofileprivacy[.]com\r\nmyprofileview[.]info\r\nmyvalidation[.]info\r\nsession-id[.]com\r\nver-icloud[.]com\r\nmy-validation[.]info\r\nprofilesupport[.]info\r\nOverlapping Infrastructure\r\n16linesquran[.]info\r\nalfajrtaqni[.]org\r\nkhuaitranslator[.]com\r\nmail-sllogin[.]com\r\ntimesofarab[.]com\r\nernail-ver[.]com\r\nrnail[.]info\r\nsession-icloud[.]com\r\ncert-icloud[.]com\r\nmyinfosettings[.]com\r\nupdate-mailservice[.]com\r\nmy-auth[.]info\r\ninfocheckup[.]com\r\nmanagemysettings[.]com\r\nmanage-mysettings[.]com\r\nweb2chost[.]com\r\ncom-settings-ppsecure[.]com\r\ngolge[.]cc\r\nmainlogin[.]co\r\nicloud-auth[.]com\r\nacc-dot[.]com\r\nOverlapping Android Malware\r\n73f2c81473720629be32695800b7ad83494f2084 Khuai Translator v1.2\r\n2f239a96987284a4883014cf1dad39c16f8fc7ad Khuai Translator v1.1\r\n60191fa19fb1184535608d7640a11320e59b0ab2 16 Lines v1.1\r\nKhuai Translator encryption key: Huisgte87Hdy4Oli\r\n16 Lines encryption key: 7sTbYe8Qo6OqZwIQ\r\nSource: https://www.bellingcat.com/news/mena/2017/06/12/bahamut-pursuing-cyber-espionage-actor-middle-east/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.bellingcat.com/news/mena/2017/06/12/bahamut-pursuing-cyber-espionage-actor-middle-east/"
	],
	"report_names": [
		"bahamut-pursuing-cyber-espionage-actor-middle-east"
	],
	"threat_actors": [
		{
			"id": "82b92285-4588-48c9-8578-bb39f903cf62",
			"created_at": "2022-10-25T15:50:23.850506Z",
			"updated_at": "2026-04-10T02:00:05.418577Z",
			"deleted_at": null,
			"main_name": "Charming Kitten",
			"aliases": [
				"Charming Kitten"
			],
			"source_name": "MITRE:Charming Kitten",
			"tools": [
				"DownPaper"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "732bfd4b-8c15-42a5-ac4b-14a9a4b902e9",
			"created_at": "2022-10-25T16:07:23.38079Z",
			"updated_at": "2026-04-10T02:00:04.574399Z",
			"deleted_at": null,
			"main_name": "Bahamut",
			"aliases": [],
			"source_name": "ETDA:Bahamut",
			"tools": [
				"Bahamut",
				"DownPaper"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f99641e0-2688-47b0-97bc-7410659d49a0",
			"created_at": "2023-01-06T13:46:38.802141Z",
			"updated_at": "2026-04-10T02:00:03.106084Z",
			"deleted_at": null,
			"main_name": "Bahamut",
			"aliases": [],
			"source_name": "MISPGALAXY:Bahamut",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "257efa81-fa09-4318-ac8f-7e32b54b88bb",
			"created_at": "2022-10-25T16:07:24.195026Z",
			"updated_at": "2026-04-10T02:00:04.896357Z",
			"deleted_at": null,
			"main_name": "Sima",
			"aliases": [],
			"source_name": "ETDA:Sima",
			"tools": [
				"Luminosity RAT",
				"LuminosityLink",
				"Sima"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "029625d2-9734-44f9-9e10-b894b4f57f08",
			"created_at": "2023-01-06T13:46:38.364105Z",
			"updated_at": "2026-04-10T02:00:02.944092Z",
			"deleted_at": null,
			"main_name": "Charming Kitten",
			"aliases": [
				"iKittens",
				"Group 83",
				"NewsBeef",
				"G0058",
				"CharmingCypress",
				"Mint Sandstorm",
				"Parastoo"
			],
			"source_name": "MISPGALAXY:Charming Kitten",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3676dfe-3d40-4b3a-bfbd-4fc1f8c896f4",
			"created_at": "2022-10-25T15:50:23.808974Z",
			"updated_at": "2026-04-10T02:00:05.291959Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"Magic Hound",
				"TA453",
				"COBALT ILLUSION",
				"Charming Kitten",
				"ITG18",
				"Phosphorus",
				"APT35",
				"Mint Sandstorm"
			],
			"source_name": "MITRE:Magic Hound",
			"tools": [
				"Impacket",
				"CharmPower",
				"FRP",
				"Mimikatz",
				"Systeminfo",
				"ipconfig",
				"netsh",
				"PowerLess",
				"Pupy",
				"DownPaper",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "eeb03ad7-d11f-4600-a587-b7c86aa38e5f",
			"created_at": "2023-01-06T13:46:38.564888Z",
			"updated_at": "2026-04-10T02:00:03.025514Z",
			"deleted_at": null,
			"main_name": "Sima",
			"aliases": [],
			"source_name": "MISPGALAXY:Sima",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "99c7aace-96b1-445b-87e7-d8bdd01d5e03",
			"created_at": "2025-08-07T02:03:24.746965Z",
			"updated_at": "2026-04-10T02:00:03.640335Z",
			"deleted_at": null,
			"main_name": "COBALT ILLUSION",
			"aliases": [
				"APT35 ",
				"APT42 ",
				"Agent Serpens Palo Alto",
				"Charming Kitten ",
				"CharmingCypress ",
				"Educated Manticore Checkpoint",
				"ITG18 ",
				"Magic Hound ",
				"Mint Sandstorm sub-group ",
				"NewsBeef ",
				"Newscaster ",
				"PHOSPHORUS sub-group ",
				"TA453 ",
				"UNC788 ",
				"Yellow Garuda "
			],
			"source_name": "Secureworks:COBALT ILLUSION",
			"tools": [
				"Browser Exploitation Framework (BeEF)",
				"MagicHound Toolset",
				"PupyRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ada9e5d3-1cb2-4b70-a3c8-96808c304ac8",
			"created_at": "2022-10-25T15:50:23.6515Z",
			"updated_at": "2026-04-10T02:00:05.352078Z",
			"deleted_at": null,
			"main_name": "Windshift",
			"aliases": [
				"Windshift",
				"Bahamut"
			],
			"source_name": "MITRE:Windshift",
			"tools": [
				"WindTail"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "1699fb41-b83f-42ff-a6ec-984ae4a1031f",
			"created_at": "2022-10-25T16:07:23.83826Z",
			"updated_at": "2026-04-10T02:00:04.761303Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"APT 35",
				"Agent Serpens",
				"Ballistic Bobcat",
				"Charming Kitten",
				"CharmingCypress",
				"Cobalt Illusion",
				"Cobalt Mirage",
				"Educated Manticore",
				"G0058",
				"G0059",
				"Magic Hound",
				"Mint Sandstorm",
				"Operation BadBlood",
				"Operation Sponsoring Access",
				"Operation SpoofedScholars",
				"Operation Thamar Reservoir",
				"Phosphorus",
				"TA453",
				"TEMP.Beanie",
				"Tarh Andishan",
				"Timberworm",
				"TunnelVision",
				"UNC788",
				"Yellow Garuda"
			],
			"source_name": "ETDA:Magic Hound",
			"tools": [
				"7-Zip",
				"AnvilEcho",
				"BASICSTAR",
				"CORRUPT KITTEN",
				"CWoolger",
				"CharmPower",
				"ChromeHistoryView",
				"CommandCam",
				"DistTrack",
				"DownPaper",
				"FRP",
				"Fast Reverse Proxy",
				"FireMalv",
				"Ghambar",
				"GoProxy",
				"GorjolEcho",
				"HYPERSCRAPE",
				"Havij",
				"MPK",
				"MPKBot",
				"Matryoshka",
				"Matryoshka RAT",
				"MediaPl",
				"Mimikatz",
				"MischiefTut",
				"NETWoolger",
				"NOKNOK",
				"PINEFLOWER",
				"POWERSTAR",
				"PowerLess Backdoor",
				"PsList",
				"Pupy",
				"PupyRAT",
				"SNAILPROXY",
				"Shamoon",
				"TDTESS",
				"WinRAR",
				"WoolenLogger",
				"Woolger",
				"pupy",
				"sqlmap"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434207,
	"ts_updated_at": 1775792040,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/60b374976e1a1a88d1f431bb295b737d180acbfe.pdf",
		"text": "https://archive.orkl.eu/60b374976e1a1a88d1f431bb295b737d180acbfe.txt",
		"img": "https://archive.orkl.eu/60b374976e1a1a88d1f431bb295b737d180acbfe.jpg"
	}
}