{
	"id": "0d27ceab-cab5-456e-a1b6-15da2fb32342",
	"created_at": "2026-04-06T00:12:07.092878Z",
	"updated_at": "2026-04-10T03:33:50.178045Z",
	"deleted_at": null,
	"sha1_hash": "823df99bb42c74b5e0484e6fb20c36a450175f4a",
	"title": "Bahamut Revisited, More Cyber Espionage in the Middle East and South Asia - bellingcat",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 5369906,
	"plain_text": "Bahamut Revisited, More Cyber Espionage in the Middle East and\r\nSouth Asia - bellingcat\r\nBy Collin Anderson\r\nPublished: 2017-10-27 · Archived: 2026-04-05 16:39:00 UTC\r\nIntroduction\r\nIn June we published on a previously unknown group we named “Bahamut,” a strange campaign of phishing and\r\nmalware apparently focused on the Middle East and South Asia. In the Bahamut report, we documented a capable\r\nactor interested in a diverse set of political, economic, and non-governmental targets, which suggested espionage\r\nrather than criminal intent. Bahamut was shown to be resourceful, not only maintaining their own Android\r\nmalware but running propaganda sites, although the quality of these activities varied noticeably.\r\nOur publication on the campaign coincided with a series of defacements and leaked emails related to Qatar and its\r\nneighbors, the same types of targets that arose in our research. While we have found no evidence to link the group\r\nto these incidents, Bahamut provided a useful window into the activities rampant in the Gulf at a time when\r\nhacking has contributed to a regional diplomatic crisis. The incident further demonstrated the blurred lines in\r\ncybersecurity between attacks against human rights communities and espionage against diplomats, as well as the\r\npotential role of non-state actors in state-aligned cyber operations.\r\nAfter publication, the identified operations and malware domains were taken down. For three months there was no\r\napparent further activity from the actor. However, in the same week of September a series of spearphishing\r\nattempts once again targeted a set of otherwise unrelated individuals, employing the same tactics as before.\r\nBahamut remains active, and its operations are more extensive than first disclosed. 
Our primary contribution in\r\nthis update is to implicate Bahamut in what are likely counterterrorism-motivated surveillance operations, and to\r\nfurther affirm our belief that the group is a hacker-for-hire operation. Toward this end, we document a previously\r\nunnoticed link with a campaign targeting South Asia that was published last year. This post extends the previous\r\npublication with recent activity and lends more evidence to our past hypotheses about the political nature of its\r\noperations.\r\nOverlap with Previous Campaigns\r\nOur initial observation of the Bahamut group originated from in-the-wild attempts to deceive targets into\r\nproviding account passwords through impersonation of platform providers. After unpacking the larger targeting of\r\nthe attacks, the credential theft operations were found to cover a broad range of interests in the Middle East, such\r\nas Turkish diplomats and Iranian political figures in the lead-up to the recent presidential election. As we noted\r\nthen, these incidents stood out because they exceeded the level of care and preparation seen in everyday\r\ncybercrime. In our report, we also noted a similarity to the “Operation Kingphish” campaign published by\r\nAmnesty International earlier this year. As we wrote then, compared to Kingphish, Bahamut “operates as though it\r\nwere a generation ahead in terms of professionalism and ambition.”\r\nhttps://www.bellingcat.com/resources/case-studies/2017/10/27/bahamut-revisited-cyber-espionage-middle-east-south-asia/\r\nPage 1 of 13\n\nA more recent credential theft attempt provided the most credible link between the two campaigns thus far, and\r\nbolsters our hypothesis that the operations are related. Among a flurry of spearphishing attempts associated with\r\nBahamut in recent weeks, one fake Google message directed its target to a unique domain (string2port[.]com) to\r\nsteal login credentials. 
The string2port domain (registered in May 2016) strongly reflects the ping2port[.]info\r\ndomain (registered in September 2016) that was used in Kingphish against Qatar-focused labor rights advocates.\r\nThe ping2port domain is now pending deletion – abandoned due to discovery – but the previously unnoticed and\r\nrelated string2port has been reused. Given the similarities in tactics, administration of infrastructure, domains, and\r\nother factors, it appears increasingly clear that both the campaigns against Middle Eastern diplomats and those directed\r\nagainst human rights advocates are connected.\r\nThe similarities to other research are not limited to Kingphish, and include a prolific campaign in South Asia. In\r\nour original post we noted that an expansive operation was evident from a search of potential domains based on a\r\ncommon pattern in domain registration and hosting behavior (an Anglo-European name sometimes followed by a\r\nnumber at mail.ru, often also found in the DNS ‘Start of Authority’ record). Here too, we find multiple other\r\ncandidate domains based on simple search patterns, although other email providers such as Pobox.sk are now\r\nmore common. While we published a number of domain names that were clearly malicious and similar to\r\nBahamut, we did not post the full list out of concern about false positives. Included in these results was a domain,\r\ni3mode[.]com, which used a Mail.ru contact email and was hosted on a network found in other Bahamut\r\nspearphishing attempts.\r\nWhois (i3mode[.]com):\r\nRegistrant Name: KEDRICK BROWN\r\nRegistrant Phone: +503.503226605642\r\nRegistrant Email: KEDRICK.BROWN.84@MAIL.RU\r\nThis domain appears in Kaspersky’s blog post “InPage zero-day exploit used to attack financial institutions in\r\nAsia” from November 2016. That campaign targeted financial institutions with malware that took advantage of a\r\nvulnerability in text processing software popular with Urdu and Arabic speaking users. 
The domains in the InPage\r\ncampaign match the same pattern of registration and hosting seen within Bahamut. The Urdu connection recalls our\r\nidentification of Android malware posing as an Urdu Quranic reference. This thematic overlap also includes a\r\nrelevant sample, “Analysis Report on Kashmir.exe,” which would be of interest to a South Asian audience.\r\nAdditionally, another sample connecting to the i3mode domain (“E-Challan.zip”) appears to be a reference to a\r\nreceipt for payment or delivery specific to India and Pakistan. The staging domain for that malware also has\r\nanother subdomain that appeared to reference an Indian business newspaper (“mint-news-portal.hymnfork.com”).\r\nThis faint connection in domains and similar interests provides a first hint that Bahamut is more active than we\r\nwere previously aware and bolsters our hypothesis that the group is a hacker-for-hire operation.\r\nMalware Campaigns in South Asia\r\nIn the Bahamut report, we discussed two domains found within our search that were linked with a custom Android\r\nmalware agent. This connection between the malware and credential theft was reinforced by some similarities in\r\nhow the agent reported back to the attacker’s servers, and thus we felt moderately confident about a link between\r\nthe credential theft and the malware. After the publication of the original report, these sites were taken offline\r\ndespite the fact that one agent had been updated six days prior to our post (the “Khuai” application).\r\nAdditionally, antivirus engines began to detect copies of this malware based on common patterns in development,\r\nincluding apps that we were not aware of. 
Based on a search of public sources, we find three more malicious\r\napplications focused mostly on South Asia, including samples uploaded from India.\r\nIncluded in the newly detected apps was one named “Devoted to Humanity,” which has been taken down from the\r\nPlay Store (devoted.to.humanity). Based on the name and the domains used in its communications\r\n(“devotedtohumanity-fif[.]info”, which was registered in March 2016), it appears that the application\r\nimpersonates the “Falah-e-Insaniat Foundation” (FIF), which ostensibly operates as a religious charity primarily in\r\nPakistan. FIF is notable for its links to the Lashkar-e-Taiba (LeT) terrorist organization, which has committed\r\nmass-casualty attacks in India in support of establishing Pakistani control over the disputed Jammu and Kashmir\r\nborder region. As a result of its connections to LeT and international pressure to crack down on Kashmiri jihadists,\r\nPakistan placed FIF on a terrorism watch list in January 2017. The development of a malware agent relevant\r\nto Indian and Pakistani security interests, timed with increased international scrutiny on FIF, suggests a\r\ncounterterrorism and intelligence motive for Bahamut’s espionage.\r\nThe “Devoted to Humanity” app also references an image hosted on the domain voguextra[.]com, which appears to\r\nhave been used to stage decoy documents.\r\nThe Falah-e-Insaniat Foundation app is not the only Kashmir-related campaign associated with Bahamut. Pivoting\r\noff the unique contact information used to register the FIF domain, “adgnad dangda” and “adgnad@mail.ru”, we\r\nalso find two more domains (“Android-Cloud.net” and “Kashmir-Weather-Info.com”) that were cohosted on the same\r\nserver as the FIF site. 
The Kashmir Weather domain corresponds with a now-removed Android application with\r\na similar set of permissions and tactics to those found in the previous malware (com.weather.kashmir). The purpose of\r\nthe “Android-Cloud.net” domain is not currently known.\r\nIt is important to note that the domains had lapsed and were re-registered since they were first used. So while they\r\nappear to be malicious, their current custody is unclear. The domains now purport to be for a platform “Donkey\r\nService” (“DoDoDonkey”), which provides a less than credible pitch:\r\nDonkey Service has incredibly large network and infrastructure to stop really large attacks on the\r\nMobile system. \r\nWe just get clean requests and never have to deal with malicious traffic or attacks on the Mobile\r\ninfrastructure. We are the perfect partner for our business!\r\nMuch of this text is copied from a customer quote about Cloudflare.\r\nAs with the “Khuai” Chinese-English translator malware in the previous post, other identified agents have unclear\r\ntargets, such as the “MXI Player” that was last updated in August 2017 (mxiplayer[.]com). MXI Player appears to be\r\na version of the Bahamut agent, designed to record the phone calls and collect other information about the user\r\n(com.mxi.videoplay). After having been kicked off the Play Store several times, it appears that Bahamut is now\r\nhosting its agent on the APKPure alternative app store. However, the malware retains certain design choices seen\r\nin previous attacks, for example around encryption and communications with the attacker server. 
As a result, it is\r\nalready flagged as Bahamut by antivirus engines.\r\nMore interestingly, the MXI Player site also includes a Windows version of the application, which is a rebranded\r\nmedia player that also installs a malware agent posing as a software updater (mxiupdate.exe). A full write-up of\r\nthe Windows malware is not in scope of this article for the sake of brevity and our intended contribution. A hash\r\nfor the malware agent is provided in the appendix for those interested. A cursory inspection of debugging artifacts\r\nand other details, such as an embedded filesystem path referring to a template code project\r\n(“EmbeddedAssembly_1.3”), suggests that the agent is both rudimentary and custom designed.\r\nOne important trait worth noting is that the Windows malware’s communications strongly resemble the malware\r\nconnected to the domains disclosed by Kaspersky. These similarities include the same approach of communication\r\nbeacons to a randomly-named path on the attacker’s server, with the same URL parameters that contain similar\r\ntypes of values (probably AES encrypted strings represented in base64, like the Android applications):\r\nBahamut’s MXI Player malware (mxiplayer[.]com):\r\n/hdhfdhffjvfjd/gfdhghfdjhvbdfhj.php?p=1\u0026g=[string]\u0026v=N/A\u0026s=[string]\u0026t=[string]\r\nInPage campaign malware (encrypzi[.]com):\r\n/fdjgwsdjgbfv/dbzkfgdkgbvfb.php?p=1\u0026g=[string]\u0026v=0\u0026s=[string]\r\nThese repeated parallels further indicate a relationship between the Android malware operations and the InPage-related espionage. 
In review, these connections include:\r\nOverlap between the extended network of domains relevant to Bahamut’s credential theft infrastructure and\r\nmalware domains in Kaspersky’s report;\r\nSimilarity in the format of beacons between Bahamut’s Windows agent and malware associated with the\r\nInPage domains, and to a lesser extent even in the Android agent; and,\r\nCommonalities in targeted interests, namely the contested Kashmir region.\r\nOne curious trait of Bahamut is that it develops fully-functional applications in support of its espionage activities,\r\nrather than pushing nonfunctional fake apps or bundling malware with legitimate software. These include translation\r\nand weather applications that involved requests to third-party APIs and other user interactions. While much of the\r\ncode appears to be copied and these applications are simple, Bahamut must spend a fair amount of time on\r\noperations that target a small number of individuals. The content and app market descriptions of the three Android\r\napplications also recall our previous observation that the Bahamut actor appears to be fluent in English, albeit\r\nconstrained either due to not being native speakers or a lack of professionalism.\r\nCredential Theft in the Middle East\r\nBahamut has made a more concerted effort to reduce exposure of their operations, frustrating the research\r\ntechniques that led to our cataloguing of their infrastructure and operations in the first post. Once again, the\r\nattempts all originate from less reputable hosting companies and networks (AS44901, BelCloud Hosting\r\nCorporation). Spearphishing pages are now more resistant to enumeration attempts and appear to use a dedicated\r\nsubdomain for one specific victim. The unique subdomain appears to be automatically disabled after the\r\n“successful” phishing attempt in order to cover the trail of the attack (redirecting the user elsewhere or appearing\r\nto be a Google error page). 
These pages have also increased their use of Unicode replacements for letters and other\r\nfont tricks as a way to evade network filters or to deceive users (e.g. using r and n, “rn”, to appear like the letter\r\n“m”). Altogether, an already stealthy actor has improved its operational profile.\r\nCuriously, Bahamut appears to track password attempts in response to failed phishing attempts or to provoke the\r\ntarget to provide more passwords. These passwords are hardcoded in the phishing page so that the login form will\r\nimmediately return a “bad password” message if entered. This could be designed to trick the user into providing\r\nolder passwords or alternative passwords used on other platforms to provide a foothold into other services. The\r\nresult is that Bahamut spearphishing pages include over two hundred possible real-world passwords that appear to\r\ncover at least a couple of dozen likely victims.\r\nThe themes of the passwords provide an indication of the types of targets and victims of Bahamut since our last\r\nencounter. Most of the domains clearly reflect a Middle Eastern audience, including referring to individuals’\r\nnames (e.g. “al Khalifa”) and Emirati phone numbers. Some of these passwords are cryptic – such as one\r\nreferencing a supermarket in Beirut. Others reference a “national bloc,” Gaza, the Dubai Expo in 2020, and a\r\nSaudi media entity. More generally, these targets appear to include people or entities in the United Arab Emirates,\r\nMorocco, Jordan, Libya, and Bahrain, among other Arab countries. 
Further demonstrating its focus on the Middle\r\nEast, the phishing page specifically (and exclusively) checks if the visitor’s browser is set to the Arabic language\r\nand redirects them to a translated page. Where targets are personally identifiable, these campaigns reflect an\r\nintimate understanding of the relationships and members of the policy and international relations sectors of certain\r\nGulf states – information that would not be readily accessible to a bystander, and targets that would not be of\r\ninterest outside of political motivations.\r\nThe recent incidents also involved a social engineering tactic well documented in the Kingphish report: fictitious\r\nsocial media profiles. In Kingphish, a profile active on LinkedIn, Twitter, and Facebook (purporting to be an IT\r\nand business professional) approached labor rights advocates requesting help on research about human trafficking.\r\nSimilarly, a fictitious LinkedIn profile named “Sophie Foster” attempted to simultaneously approach multiple\r\ntargets of Bahamut’s phishing messages. The Foster profile appears crafted for a professional Middle East-related\r\ndemographic, claiming to have experience in public relations and international trade. Among connections to\r\nSOAS and LSE students, which appear to be cover related to her claimed educational background, the profile has\r\na clear theme in targets: journalists and public relations professionals in the Middle East, including individuals at\r\nSky News Arabia and Al-Masry Al-Youm, and others in Egypt, Lebanon, Saudi, UAE, and Turkey. 
A two-year-old\r\nFacebook profile exists for the persona, which has liked pages for Lebanese politicians and has a Mail.ru account\r\nlinked to it.\r\nBahamut spearphishing attempts have also been accompanied by SMS messages purporting to be from Google\r\nabout security issues on the target’s account, including a class 0 message or “flash text.” These text messages did not\r\ninclude links but are intended to build credibility around the fake service notifications later sent to the target’s\r\nemail address. The use of fake sender identifiers – especially combined with the unusual flash text approach –\r\ncould be effective, but once again Bahamut is betrayed by its unusual English.\r\nBahamut also appears to be more aggressive in reconnaissance against targets. As it harvested potential addresses\r\nassociated with targets, it would send tailored or salacious messages with image-based trackers to check if the\r\nmessage was opened. These provide a metric as to whether the target is ignoring attacks, or whether the email\r\naddress is not monitored or active. The messages were crafted for a Middle East focused audience, primarily\r\nposing as news stories or media outlets (e.g. Al Monitor) relevant to the region.\r\nConclusion and Implications\r\nGiven our increased confidence that Bahamut was responsible for the targeting of Qatari labor rights advocates and its\r\nfocus on the foreign policy institutions of other Gulf states, Bahamut’s interests are seemingly too expansive to be\r\nlimited to one sponsor or customer. However, those targets fall within coherent themes. It is unclear which single\r\nclient could be interested in both a Kashmiri organization on a terrorism watchlist and Egyptian journalists. 
Thus\r\nfar, Bahamut’s campaigns have appeared to be primarily espionage or information operations – not destructive\r\nattacks or fraud. The targets and themes of Bahamut’s campaigns have consistently fallen within two regions –\r\nSouth Asia (primarily Pakistan, specifically Kashmir) and the Middle East (from Morocco to Iran). The targeting\r\nof organizations scrutinized for ties to terrorism raises the stakes for the operation and differentiates it from usual\r\ncybercrime. Targets outside of the Middle East tend to still have associations to Middle Eastern issues, such as a\r\nEuropean investment firm active in a Gulf country and foreign policy experts in the West. We have not found\r\nevidence of Bahamut engaging in crime or operating outside its limited geographic domains, although this narrow\r\nperspective could be accounted for by its compartmentalization of operations.\r\nThere remain ample questions and research opportunities to be explored. While Bahamut has leveraged resources\r\nin Urdu and Arabic, it appears to be most comfortable in the English language despite its uncommon grammar.\r\nWhile we note malicious domains that maintain a similar profile to Bahamut and that impersonate Qatari government\r\nemail services, we have not found a direct connection to those campaigns, and there has been little indication of\r\nthe targeting of Qatar within our monitoring. We have not fully explored the extent of Bahamut’s operations, such\r\nas its Windows malware agent or possible other Android malware. Moreover, the networks and tactics used within\r\nBahamut’s operations turn up suspicious sites that resemble the Times of Arab operation disclosed previously –\r\noften Middle East focused news published in English that recirculates content on technology and politics with no\r\nclear attribution or purpose. 
These suspicious sites and those we can account for as Bahamut repeatedly turn up a\r\nnexus with India, more so than the Middle East, despite attempts by the attackers to stay anonymous. Once again,\r\nour investigation only seems to be a limited window into a strange operation.\r\nThe proposition that a non-state hacker-for-hire operation could be used in pursuit of regional state interests is not\r\nunusual. At this point most Middle Eastern governments have at least once procured cyber espionage capabilities\r\nfrom abroad, such as from the government malware vendors FinFisher, NSO and Hacking Team. By one account,\r\nQatar even sought to outsource an offensive cyber program to American companies – a deal that was quashed by\r\nthe U.S. government. This reliance on contractors could indicate that such countries have been unable to develop\r\ntheir own in-house capacity, which would align with their general reliance on foreign military firms. It is also\r\nworth noting that while some government agencies may have acquired tools already, other entities such as local\r\npolice might still desire their own capabilities, leading to overlaps. On the vendor side, in recent years companies\r\nsuch as the Indian firm Aglaya have been implicated in selling full hacking as a service, rather than simply\r\nproviding tools for government use. This parallels the unclear lines between cybercrime and espionage seen\r\nelsewhere, and hints that mercenary cyber operations are more common than currently understood. Thus Bahamut\r\nwarrants attention as an emblematic case of the interest in cyber espionage in places such as the Middle East and\r\nthe range of vendors willing to meet that demand.\r\nAcknowledgement\r\nWe appreciate the help from Tom Lancaster, who noticed the overlap with Kaspersky’s InPage report and an\r\nadditional Android malware agent. 
Our prior publication also failed to acknowledge immensely valuable input\r\nfrom a number of colleagues, including Nadim Kobeissi’s feedback on how the API endpoints on the Android\r\nmalware were encrypted. Thank you to everyone who contributed to this research and provided feedback.\r\nIOCs\r\nCredential Harvesting and Recon\r\nAndroid Agent\r\ndevotedtohumanity-fif[.]info\r\nkashmir-weather-info[.]com\r\nmxiplayer[.]com\r\n6e5e7ecb929fdc29ba93058bf2f501842ac0f2c0 Khuai Translator (1.3)\r\n0550dad8d55446e5b5dbae61783cfb7c78ee10d2 MXI Player (1.2)\r\n00d000679baab456953b4302d8b2a1e65241ed12 Devoted to Humanity (1.0)\r\nddaf5e43da0b00884ef957c32d7b16ed692a057a Kashmir Weather (1.2)\r\nWindows Agent\r\n9850ac30c3357d3a412d0f6cec2716b63db6c21d\r\nmxiplayer[.]com\r\nOther Malware References\r\n“Analysis Report on Kashmir.exe” 
9e4596bfb4f58d8ecfe2bc3514c6c7b2170040d9acfb02f295ed1e9ab13ec560\r\n“E-Challan.zip” 1518badcb2717e6b0fa9bdd883d5ff61fedddf7ddf22cc3dc04a38f4e137fc96\r\nmint-news-portal.hymnfork[.]com\r\nonline-tracking-status.hymnfork[.]com\r\nSimilar Infrastructure\r\nSource: https://www.bellingcat.com/resources/case-studies/2017/10/27/bahamut-revisited-cyber-espionage-middle-east-south-asia/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.bellingcat.com/resources/case-studies/2017/10/27/bahamut-revisited-cyber-espionage-middle-east-south-asia/"
	],
	"report_names": [
		"bahamut-revisited-cyber-espionage-middle-east-south-asia"
	],
	"threat_actors": [
		{
			"id": "732bfd4b-8c15-42a5-ac4b-14a9a4b902e9",
			"created_at": "2022-10-25T16:07:23.38079Z",
			"updated_at": "2026-04-10T02:00:04.574399Z",
			"deleted_at": null,
			"main_name": "Bahamut",
			"aliases": [],
			"source_name": "ETDA:Bahamut",
			"tools": [
				"Bahamut",
				"DownPaper"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a3687241-9876-477b-aa13-a7c368ffda58",
			"created_at": "2022-10-25T16:07:24.496902Z",
			"updated_at": "2026-04-10T02:00:05.010744Z",
			"deleted_at": null,
			"main_name": "Hacking Team",
			"aliases": [],
			"source_name": "ETDA:Hacking Team",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f99641e0-2688-47b0-97bc-7410659d49a0",
			"created_at": "2023-01-06T13:46:38.802141Z",
			"updated_at": "2026-04-10T02:00:03.106084Z",
			"deleted_at": null,
			"main_name": "Bahamut",
			"aliases": [],
			"source_name": "MISPGALAXY:Bahamut",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e90c06e4-e3e0-4f46-a3b5-17b84b31da62",
			"created_at": "2023-01-06T13:46:39.018236Z",
			"updated_at": "2026-04-10T02:00:03.183123Z",
			"deleted_at": null,
			"main_name": "Hacking Team",
			"aliases": [],
			"source_name": "MISPGALAXY:Hacking Team",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ada9e5d3-1cb2-4b70-a3c8-96808c304ac8",
			"created_at": "2022-10-25T15:50:23.6515Z",
			"updated_at": "2026-04-10T02:00:05.352078Z",
			"deleted_at": null,
			"main_name": "Windshift",
			"aliases": [
				"Windshift",
				"Bahamut"
			],
			"source_name": "MITRE:Windshift",
			"tools": [
				"WindTail"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434327,
	"ts_updated_at": 1775792030,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/823df99bb42c74b5e0484e6fb20c36a450175f4a.pdf",
		"text": "https://archive.orkl.eu/823df99bb42c74b5e0484e6fb20c36a450175f4a.txt",
		"img": "https://archive.orkl.eu/823df99bb42c74b5e0484e6fb20c36a450175f4a.jpg"
	}
}