{ "id": "31ec0b1c-c81d-4588-ba9f-03b1f3dae679", "created_at": "2026-04-06T00:15:31.422558Z", "updated_at": "2026-04-10T13:12:23.610012Z", "deleted_at": null, "sha1_hash": "a73f3a21613f17623f47018192bfcf102134d9bc", "title": "Bahamut (Malware Family)", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 46906, "plain_text": "Bahamut (Malware Family)\r\nBy Fraunhofer FKIE\r\nArchived: 2026-04-05 19:54:54 UTC\r\napk.bahamut (Back to overview)\r\nBahamut\r\nActor(s): Bahamut, Dropping Elephant\r\nAccording to PCrisk, Bahamut is the name of Android malware with spyware functionality. Threat actors use\r\nBahamut to steal sensitive information. The newest malware version targets various messaging apps and\r\npersonally identifiable information.\r\nReferences\r\n2022-11-23 ⋅ ESET Research ⋅ Lukáš Štefanko\r\nBahamut cybermercenary group targets Android users with fake VPN apps\r\nBahamut\r\n2022-06-29 ⋅ cyble ⋅ Cyble Research Labs\r\nBahamut Android Malware Returns With New Spying Capabilities\r\nBahamut\r\n2022-04-12 ⋅ ⋅ 360 Threat Intelligence Center ⋅ 360 Beacon Lab\r\nRecent attacks by Bahamut group revealed\r\nBahamut\r\n2020-10-06 ⋅ Blackberry ⋅ Blackberry Research\r\nBAHAMUT: Hack-for-Hire Masters of Phishing, Fake News, and Fake Apps\r\nBahamut Bahamut\r\n2018-08-29 ⋅ Trend Micro ⋅ Daniel Lunghi, Ecular Xu\r\nThe Urpage Connection to Bahamut, Confucius and Patchwork\r\nAndroRAT Bahamut\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/apk.bahamut\r\nPage 1 of 2\n\n2018-08-29 ⋅ Trend Micro ⋅ Daniel Lunghi, Ecular Xu\r\nBahamut, Confucius and Patchwork Connected to Urpage\r\nBahamut Confucius Urpage\r\n2017-10-27 ⋅ Bellingcat ⋅ Collin Anderson\r\nBahamut Revisited, More Cyber Espionage in the Middle East and South Asia\r\nBahamut Bahamut Bahamut\r\n2017-06-12 ⋅ Bellingcat ⋅ Collin Anderson\r\nBahamut, Pursuing a Cyber Espionage Actor in the Middle East\r\nBahamut Bahamut Bahamut\r\nThere is no Yara-Signature yet.\r\nSource: https://malpedia.caad.fkie.fraunhofer.de/details/apk.bahamut\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/apk.bahamut\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "origins": [ "web" ], "references": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.bahamut" ], "report_names": [ "apk.bahamut" ], "threat_actors": [ { "id": "732bfd4b-8c15-42a5-ac4b-14a9a4b902e9", "created_at": "2022-10-25T16:07:23.38079Z", "updated_at": "2026-04-10T02:00:04.574399Z", "deleted_at": null, "main_name": "Bahamut", "aliases": [], "source_name": "ETDA:Bahamut", "tools": [ "Bahamut", "DownPaper" ], "source_id": "ETDA", "reports": null }, { "id": "37714790-40c0-4b6b-8e49-1c8f45a0463f", "created_at": "2022-10-25T16:07:24.37091Z", "updated_at": "2026-04-10T02:00:04.961707Z", "deleted_at": null, "main_name": "Urpage", "aliases": [], "source_name": "ETDA:Urpage", "tools": [], "source_id": "ETDA", "reports": null }, { "id": "bbf66d2d-3d20-4026-a2b5-56b31eb65de4", "created_at": "2025-08-07T02:03:25.123407Z", "updated_at": "2026-04-10T02:00:03.668131Z", "deleted_at": null, "main_name": "ZINC EMERSON", "aliases": [ "Confucius ", "Dropping Elephant ", "EHDevel ", "Manul ", "Monsoon ", "Operation Hangover ", "Patchwork ", "TG-4410 ", "Viceroy Tiger " ], "source_name": "Secureworks:ZINC EMERSON", "tools": [ "Enlighten Infostealer", "Hanove", "Mac OS X KitM Spyware", "Proyecto2", "YTY Backdoor" ], "source_id": "Secureworks", "reports": null }, { "id": "f99641e0-2688-47b0-97bc-7410659d49a0", "created_at": "2023-01-06T13:46:38.802141Z", "updated_at": "2026-04-10T02:00:03.106084Z", "deleted_at": null, "main_name": "Bahamut", "aliases": [], "source_name": "MISPGALAXY:Bahamut", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "7a8dbc5e-51a8-437a-8540-7dcb1cc110b8", "created_at": "2022-10-25T16:07:23.482856Z", "updated_at": "2026-04-10T02:00:04.627414Z", "deleted_at": null, "main_name": "Confucius", "aliases": [ "G0142" ], "source_name": "ETDA:Confucius", "tools": [ "ApacheStealer", "ByeByeShell", "ChatSpy", "Confucius", "MY24", "Sneepy", "remote-access-c3", "sctrls", "sip_telephone", "swissknife2" ], "source_id": "ETDA", "reports": null }, { "id": "7ea1e0de-53b9-4059-802f-485884180701", "created_at": "2022-10-25T16:07:24.04846Z", "updated_at": "2026-04-10T02:00:04.84985Z", "deleted_at": null, "main_name": "Patchwork", "aliases": [ "APT-C-09", "ATK 11", "Capricorn Organisation", "Chinastrats", "Dropping Elephant", "G0040", "Maha Grass", "Quilted Tiger", "TG-4410", "Thirsty Gemini", "Zinc Emerson" ], "source_name": "ETDA:Patchwork", "tools": [ "AndroRAT", "Artra Downloader", "ArtraDownloader", "AutoIt backdoor", "BADNEWS", "BIRDDOG", "Bahamut", "Bozok", "Bozok RAT", "Brute Ratel", "Brute Ratel C4", "CinaRAT", "Crypta", "ForeIT", "JakyllHyde", "Loki", "Loki.Rat", "LokiBot", "LokiPWS", "NDiskMonitor", "Nadrac", "PGoShell", "PowerSploit", "PubFantacy", "Quasar RAT", "QuasarRAT", "Ragnatela", "Ragnatela RAT", "SocksBot", "TINYTYPHON", "Unknown Logger", "WSCSPL", "Yggdrasil" ], "source_id": "ETDA", "reports": null }, { "id": "c81067e0-9dcb-4e3f-abb0-80126519c5b6", "created_at": "2022-10-25T15:50:23.285448Z", "updated_at": "2026-04-10T02:00:05.282202Z", "deleted_at": null, "main_name": "Patchwork", "aliases": [ "Hangover Group", "Dropping Elephant", "Chinastrats", "Operation Hangover" ], "source_name": "MITRE:Patchwork", "tools": [ "NDiskMonitor", "QuasarRAT", "BackConfig", "TINYTYPHON", "AutoIt backdoor", "PowerSploit", "BADNEWS", "Unknown Logger" ], "source_id": "MITRE", "reports": null }, { "id": "8fddd571-37dc-4bb2-84b4-e41ac6fd11f5", "created_at": "2024-02-08T02:00:04.32487Z", "updated_at": "2026-04-10T02:00:03.584509Z", "deleted_at": null, "main_name": "Urpage", "aliases": [], "source_name": "MISPGALAXY:Urpage", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "ada9e5d3-1cb2-4b70-a3c8-96808c304ac8", "created_at": "2022-10-25T15:50:23.6515Z", "updated_at": "2026-04-10T02:00:05.352078Z", "deleted_at": null, "main_name": "Windshift", "aliases": [ "Windshift", "Bahamut" ], "source_name": "MITRE:Windshift", "tools": [ "WindTail" ], "source_id": "MITRE", "reports": null }, { "id": "caf95a6f-2705-4293-9ee1-6b7ed9d9eb4c", "created_at": "2022-10-25T15:50:23.472432Z", "updated_at": "2026-04-10T02:00:05.352882Z", "deleted_at": null, "main_name": "Confucius", "aliases": [ "Confucius", "Confucius APT" ], "source_name": "MITRE:Confucius", "tools": [ "WarzoneRAT" ], "source_id": "MITRE", "reports": null }, { "id": "2b29dd16-a06f-4830-81a1-365443bc54b8", "created_at": "2023-01-06T13:46:38.460047Z", "updated_at": "2026-04-10T02:00:02.983931Z", "deleted_at": null, "main_name": "QUILTED TIGER", "aliases": [ "Chinastrats", "Sarit", "APT-C-09", "ZINC EMERSON", "ATK11", "G0040", "Orange Athos", "Thirsty Gemini", "Dropping Elephant" ], "source_name": "MISPGALAXY:QUILTED TIGER", "tools": [], "source_id": "MISPGALAXY", "reports": null } ], "ts_created_at": 1775434531, "ts_updated_at": 1775826743, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/a73f3a21613f17623f47018192bfcf102134d9bc.pdf", "text": "https://archive.orkl.eu/a73f3a21613f17623f47018192bfcf102134d9bc.txt", "img": "https://archive.orkl.eu/a73f3a21613f17623f47018192bfcf102134d9bc.jpg" } }