{
	"id": "7c9a07b5-5de4-42a2-8b6f-0b227bdac2d0",
	"created_at": "2026-04-06T00:08:47.988898Z",
	"updated_at": "2026-04-10T13:11:40.085094Z",
	"deleted_at": null,
	"sha1_hash": "a5efa8847c611c33c244aa25f0a5c39c0f8f9bd2",
	"title": "Countering hack-for-hire groups",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 62729,
	"plain_text": "Countering hack-for-hire groups\r\nBy Shane Huntley\r\nPublished: 2022-06-30 · Archived: 2026-04-05 17:23:07 UTC\r\nAs part of TAG's mission to counter serious threats to Google and our users, we've published analysis on a range\r\nof persistent threats including government-backed attackers, commercial surveillance vendors, and serious\r\ncriminal operators. Today, we're sharing intelligence on a segment of attackers we call hack-for-hire, whose niche\r\nfocuses on compromising accounts and exfiltrating data as a service.\r\nIn contrast to commercial surveillance vendors, who we generally observe selling a capability for the end user to\r\noperate, hack-for-hire firms conduct attacks themselves. They target a wide range of users and opportunistically\r\ntake advantage of known security flaws when undertaking their campaigns. Both, however, enable attacks by\r\nthose who would otherwise lack the capabilities to do so.\r\nWe have seen hack-for-hire groups target human rights and political activists, journalists, and other high-risk users\r\naround the world, putting their privacy, safety and security at risk. They also conduct corporate espionage, handily\r\nobscuring their clients’ role.\r\nTo help users and defenders, we will provide examples of the hack-for-hire ecosystem from India, Russia, and the\r\nUnited Arab Emirates and context around their capabilities and persistence mechanisms.\r\nHow Hack-For-Hire Operations Work\r\nThe hack-for-hire landscape is fluid, both in how the attackers organize themselves and in the wide range of\r\ntargets they pursue in a single campaign at the behest of disparate clients. 
Some hack-for-hire attackers openly\r\nadvertise their products and services to anyone willing to pay, while others operate more discreetly selling to a\r\nlimited audience.\r\nFor example, TAG has observed Indian hack-for-hire firms work with third-party private investigative services —\r\nintermediaries that reach out for services when a client requires them — and provide data exfiltrated from a\r\nsuccessful operation. This is detailed in depth in today’s Reuters investigation into the Indian hack-for-hire\r\necosystem. We have also observed Indian hack-for-hire firms work with freelance actors not directly employed by\r\nthe firms themselves.\r\nThe breadth of targets in hack-for-hire campaigns stands in contrast to many government-backed operations,\r\nwhich often have a clearer delineation of mission and targets. A recent campaign from an Indian hack-for-hire\r\noperator was observed targeting an IT company in Cyprus, an education institution in Nigeria, a fintech company\r\nin the Balkans and a shopping company in Israel.\r\nRecent Hack-for-Hire Campaigns\r\nIndia\r\nhttps://blog.google/threat-analysis-group/countering-hack-for-hire-groups/\r\nPage 1 of 4\n\nSince 2012, TAG has been tracking an interwoven set of Indian hack-for-hire actors, with many having previously\r\nworked for Indian offensive security providers Appin and Belltrox.\r\nOne cluster of this activity frequently targets government, healthcare, and telecom sectors in Saudi Arabia, the\r\nUnited Arab Emirates, and Bahrain with credential phishing campaigns. 
These credential phishing campaigns\r\nhave ranged from targeting specific government organizations to AWS accounts to Gmail accounts.\r\nSample AWS phishing email\r\nTAG has linked former employees of both Appin and Belltrox to Rebsec, a new firm that openly advertises\r\ncorporate espionage as an offering on its company website.\r\nRebsec’s offerings as per the company’s website\r\nRussia\r\nWhile investigating a 2017 credential phishing campaign that targeted a prominent Russian anti-corruption\r\njournalist, we discovered the Russian attacker targeting other journalists, politicians across Europe, and various\r\nNGOs and non-profit organizations. But what stuck out during this investigation was the breadth of targeting,\r\nwhich also included individuals that had no affiliation with the selected organizations, and appeared to be regular,\r\neveryday citizens in Russia and surrounding countries. This hack-for-hire actor has been publicly referred to as\r\n'Void Balaur'.\r\nThese campaigns were similar regardless of target, consisting of a credential phishing email with a link to an\r\nattacker-controlled phishing page. The lures ranged from fake Gmail and other webmail provider notifications to\r\nmessages spoofing Russian government organizations. After the target account was compromised, the attacker\r\ngenerally maintained persistence by granting an OAuth token to a legitimate email application like Thunderbird or\r\ngenerating an App Password to access the account via IMAP. Both OAuth tokens and App Passwords are revoked\r\nwhen a user changes their password.\r\nRussian hack-for-hire phishing email\r\nRussian hack-for-hire phishing site\r\nDuring our early investigation, TAG discovered the attacker’s public website (no longer available) advertising\r\naccount hacking capabilities for email and social media services. The site claimed to have received positive\r\nreviews on Russian underground forums such as Dublikat and Probiv.cc. 
Over the past five years, TAG has\r\nobserved the group targeting accounts at major webmail providers like Gmail, Hotmail, and Yahoo! and regional\r\nwebmail providers like abv.bg, mail.ru, inbox.lv, and UKR.net.\r\nPricing list from hacknet-service.com in 2018\r\nUnited Arab Emirates\r\nTAG is also tracking a hack-for-hire group now based in the United Arab Emirates that is mostly active in the\r\nMiddle East and North Africa. They have primarily targeted government, education, and political organizations\r\nincluding Middle East focused NGOs in Europe and the Palestinian political party Fatah. Amnesty International\r\nhas also reported on their campaigns.\r\nThe group commonly uses Google or OWA password reset lures to steal credentials from targets, often using the\r\nMailJet or SendGrid API to send phishing emails. Unlike many hack-for-hire actors that use open source phishing\r\nframeworks like Evilginx or GoPhish, this group uses a custom phishing kit that utilizes Selenium, a self-described\r\n'suite of tools for automating web browsers.' Previously described by Amnesty, this phishing kit has\r\nremained under active development over the past five years.\r\nGoogle Security Alert phishing page\r\nAfter compromising an account, the actor maintains persistence by granting themselves an OAuth token to a\r\nlegitimate email app like Thunderbird, or by linking the victim Gmail account to an attacker-owned account on a\r\nthird-party mail provider. The attacker would then use a custom tool to download the mailbox contents via IMAP.\r\nThis group also has links to the original developers of H-Worm, also known as njRAT. 
In 2014, Microsoft filed a\r\ncivil suit against the developer, Mohammed Benabdellah, for the development and dissemination of H-Worm.\r\nBenabdellah, who also goes by the moniker Houdini, has been actively involved in the day-to-day development\r\nand operational deployment of the credential phishing capabilities used by this group since its inception.\r\nProtecting Our Users\r\nAs part of our efforts to combat serious threat actors, we use results of our research to improve the safety and\r\nsecurity of our products. Upon discovery, all identified websites and domains were added to Safe Browsing to\r\nprotect users from further harm. We encourage any high-risk user to enable Advanced Protection and Google\r\nAccount Level Enhanced Safe Browsing and ensure that all devices are updated. Additionally, our CyberCrime\r\nInvestigation Group is sharing relevant details and indicators with law enforcement.\r\nTAG is committed to sharing our findings as a way of raising awareness with the security community, and with\r\ncompanies and individuals that might have been targeted. 
We hope that improved understanding of the tactics and\r\ntechniques will enhance threat hunting capability and lead to stronger user protections across the industry.\r\nWith contributions from Winnona DeSombre\r\nIndicators of Compromise\r\nUAE hack-for-hire Group Domains:\r\nmyproject-login[.]shop\r\nmysite-log[.]shop\r\nsupp-help[.]me\r\naccount-noreply3[.]xyz\r\ngoolge[.]ltd\r\ngoolge[.]help\r\naccount-noreply8[.]info\r\naccount-server[.]xyz\r\nkcynvd-mail[.]com\r\nmail-goolge[.]com\r\nkcynve-mail[.]com\r\nIndian hack-for-hire Group Domains:\r\ndtiwa.app[.]link\r\nshare-team.app[.]link\r\nmipim.app[.]link\r\nprocesss.app[.]link\r\naws-amazon.app[.]ink\r\nclik[.]sbs\r\nloading[.]sbs\r\nuserprofile[.]live\r\nrequestservice[.]live\r\nunt-log[.]com\r\nwebtech-portal[.]com\r\nid-apl[.]info\r\nrnanage-icloud[.]com\r\napl[.]onl\r\ngo-gl[.]io\r\nRussian hack-for-hire Group Domains:\r\nlogin-my-oauth-mail[.]ru\r\noauth-login-accounts-mail[.]ru\r\nmy-oauth-accounts-mail[.]ru\r\nlogin-cloud-myaccount-mail[.]ru\r\nmyaccounts-auth[.]ru\r\nsecurity-my-account[.]ru\r\nsource-place-preference[.]ru\r\nsafe-place-smartlink[.]ru\r\nsafe-place-experience[.]ru\r\npreference-community-place[.]ru\r\nSource: https://blog.google/threat-analysis-group/countering-hack-for-hire-groups/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.google/threat-analysis-group/countering-hack-for-hire-groups/"
	],
	"report_names": [
		"countering-hack-for-hire-groups"
	],
	"threat_actors": [
		{
			"id": "77b28afd-8187-4917-a453-1d5a279cb5e4",
			"created_at": "2022-10-25T15:50:23.768278Z",
			"updated_at": "2026-04-10T02:00:05.266635Z",
			"deleted_at": null,
			"main_name": "Inception",
			"aliases": [
				"Inception Framework",
				"Cloud Atlas"
			],
			"source_name": "MITRE:Inception",
			"tools": [
				"PowerShower",
				"VBShower",
				"LaZagne"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "eed84d1d-a457-43d7-8dba-e41cf7cea6e5",
			"created_at": "2023-01-06T13:46:39.474045Z",
			"updated_at": "2026-04-10T02:00:03.340923Z",
			"deleted_at": null,
			"main_name": "Void Balaur",
			"aliases": [],
			"source_name": "MISPGALAXY:Void Balaur",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "dd5d24e4-366c-4bd4-8587-fc9606a0cff6",
			"created_at": "2022-10-25T16:07:24.383804Z",
			"updated_at": "2026-04-10T02:00:04.969329Z",
			"deleted_at": null,
			"main_name": "Void Balaur",
			"aliases": [
				"Rockethack"
			],
			"source_name": "ETDA:Void Balaur",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434127,
	"ts_updated_at": 1775826700,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a5efa8847c611c33c244aa25f0a5c39c0f8f9bd2.pdf",
		"text": "https://archive.orkl.eu/a5efa8847c611c33c244aa25f0a5c39c0f8f9bd2.txt",
		"img": "https://archive.orkl.eu/a5efa8847c611c33c244aa25f0a5c39c0f8f9bd2.jpg"
	}
}