{
	"id": "e6fd5efb-0ac4-4a49-b26c-efe3dddbb92e",
	"created_at": "2026-04-06T03:36:12.677399Z",
	"updated_at": "2026-04-10T03:33:50.165432Z",
	"deleted_at": null,
	"sha1_hash": "c84668adcda73b057b4e6cce3957ef87917bd906",
	"title": "APT Bahamut Targets Individuals with Android Malware Using Spear Messaging - CYFIRMA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3184316,
	"plain_text": "APT Bahamut Targets Individuals with Android Malware Using\r\nSpear Messaging - CYFIRMA\r\nArchived: 2026-04-06 03:22:17 UTC\r\nPublished On : 2023-07-28\r\nEXECUTIVE SUMMARY\r\nThe team at CYFIRMA recently obtained advanced Android malware targeting individuals in the South Asia region.\r\nThe suspicious Android malware is a dummy chatting app. Our initial technical analyses revealed that APT Bahamut is\r\nbehind the attack. As technical analyses proceeded further, we also found footprints of tactics used by DoNot APT in\r\nthe suspicious app belonging to APT Bahamut.\r\nINTRODUCTION\r\nThe malware that was acquired was specifically utilized to target individuals residing in South Asia. This particular\r\nmalware exhibits a similar operational mechanism to the previously identified malware (distributed through the Google\r\nPlay Store by the notorious APT group known as ‘DoNot’), however, this malware has more permissions, and thus\r\npresents a higher level of threat. The suspected Android malware, known initially as “CoverIm” was delivered to\r\nvictims via WhatsApp, and was found to be disguised as a dummy chatting application named “SafeChat”. The user\r\nhttps://www.cyfirma.com/outofband/apt-bahamut-targets-individuals-with-android-malware-using-spear-messaging/\r\nPage 1 of 19\n\ninterface of this app successfully deceives users into believing its authenticity, allowing the threat actor to extract all\r\nthe necessary information, before the victim realizes that the app is a dummy, the malware cleverly exploits\r\nunsuspecting Android Libraries to extract and transmit data to a command-and-control server. Our in-depth technical\r\nanalysis will provide a comprehensive overview of this Android malware and shed light on the sophisticated methods\r\nemployed by the threat actor to exploit Android Libraries for the purpose of data retrieval from victims’ mobile\r\ndevices. 
Let’s dive into the technical analyses.\r\nTECHNICAL ANALYSES\r\nProcess Overview\r\nAfter installation, a suspected app with the name “Safe Chat” appears on the main menu.\r\nAfter opening the app, the user is shown a landing page where the user is notified of operating a secure chatting app.\r\nUpon opening the app after fresh installation, a pop-up message instructs the user to allow permission.\r\nThe below screenshot shows the app throwing another pop-up message and asking the user for permission to keep the\r\napp working in the background. Once allowed, the app will work even when the app is minimized or closed. This\r\npermission will let command and control seamlessly communicate with the app.\r\nOnce the permission to ignore battery optimization is granted, the user is allowed to sign in and sign up.\r\nThe sign-up page:\r\nAfter completion, the app signs you in, and then the user is shown another pop-up message for permission. This time it\r\nthrows a pop-up showing the need for another permission for the app to work properly.\r\nOnce the user clicks on “Allow” as shown in the previous screenshot, the app takes the user to the accessibility page\r\nand asks the victim to enable accessibility for the Safe Chat app. Once accessibility is on, the malware will\r\ncapture activity on screen, including keystrokes. 
Until it is enabled, the app will throw a pop-up message again and\r\nagain, as shown in the previous screenshot.\r\nAfter enabling accessibility for the Safe Chat app, it works properly, showing a different dummy page like any other\r\nchatting app.\r\nCODE REVIEW\r\nThis excerpt is from the Android Manifest file that belongs to the suspicious Safe Chat Android app, showing\r\npermissions that are being employed by the app to perform malicious activity.\r\nThis table contains permissions that are dangerous if exploited for malicious activity:\r\nSr. no | Permission | Description\r\n1 | ACCESS_FINE_LOCATION | Allows the threat actor to fetch precise locations and track the live movement of mobile phones.\r\n2 | READ_CONTACTS | This permission allows the threat actor to read and fetch contacts.\r\n3 | READ_EXTERNAL_STORAGE | This permission allows the threat actor to access the file storage of the mobile.\r\n4 | READ_SMS | This allows the threat actor to read all the SMSs of the device.\r\n5 | READ_CALL_LOG | This permission allows the threat actor to read call logs.\r\n6 | READ_CONTACTS | This permission allows the threat actor to read all the saved contacts in the device.\r\nAnother snippet from the Android Manifest file shows that the threat actor designed the app to interact with other\r\nalready installed chat applications. 
The interaction takes place using intents; the OPEN_DOCUMENT_TREE\r\npermission selects specific directories and accesses the apps named in the intent.\r\nPart of the Kotlin code shows the exploitation of various permissions: the object “LibConfigKt” deals with the\r\nenabling and disabling of permissions, and the same object is called in different modules to exploit the permissions\r\naccessed by the suspicious app.\r\nThis excerpt shows the API module that is being used as a command-and-control server. Port 2053 is configured on the\r\ndomain, where the transportation of data takes place.\r\nThe snippet below shows comments passed in one of the modules, revealing the use of the Ktor framework developed\r\nwith Kotlin. Ktor is employed to establish communication between the command-and-control server and the app. Last\r\nmonth, our report exposed Android malware belonging to the DoNot APT, which had employed a similar library called\r\nRetrofit for HTTP requests in their Android malware, deployed on the Google Play Store. 
The malicious app has since\r\nbeen deleted.\r\nHere are some more excerpts from another module that interacts with the app, as part of monitoring different\r\nmessenger apps like Telegram, Signal, Facebook Messenger, etc.\r\nThese snapshots are from a module that reveals the creation of a JSON object, which stores fetched information such as\r\nIMEI, Device ID, and SIM details, including location.\r\nThe following is from the module that performs RSA encryption using the public key:\r\nThese module snapshots demonstrate the function of the encryption method to start the process of encrypting data. The\r\nanalyses reveal that the threat actor is storing data in encrypted form using RSA/ECB/OAEPPadding.\r\nThe following demonstrates a captured live HTTP request, which shows the Let’s Encrypt certificate being used for\r\nencrypted communication between the app and server to dodge network interception.\r\nEXTERNAL THREAT LANDSCAPE MANAGEMENT (ETLM)\r\nAttribution\r\nThrough our technical analyses, we confidently attribute this attack to APT Bahamut. 
However, the tactics employed\r\nby this threat actor are similar to the tactics employed by APT DoNot, and it is also interesting to note that the target\r\ngeography of both the threat actors is similar to each other.\r\nTHREAT ACTOR PROFILE\r\nVICTIMOLOGY\r\nIn this specific attack, the threat actor conducted targeted spear messaging attacks on WhatsApp Messenger, focusing\r\non individuals in the South Asia region. The malicious payload was delivered directly through WhatsApp chat. The\r\nattack on the individual served the interest of one nation state government. The nature of this attack, along with\r\nprevious incidents involving APT Bahamut, possibly indicates that it was carried out to serve the interests of one nation\r\nstate government. Notably, APT Bahamut has previously targeted Khalistan supporters, advocating for a separate\r\nnation, posing an external threat to India. The threat actor has also aimed at military establishments in Pakistan and\r\nindividuals in Kashmir, all aligning with the interests of one nation state government.\r\nCONCLUSION\r\nWe are unable to disclose the specific target location of the sensitive cyber-attack, due to its sensitivity and security\r\nconcerns. However, we can confirm that the target serves the interests of one nation state government. While some\r\nsecurity organizations initially identified the threat as originating from a mercenary group, our own analysis indicates\r\nthat it is, in fact, an Indian APT group acting on behalf of one nation state government. 
Several reasons support this\r\nconclusion.\r\nFirstly, it is highly unlikely that the said nation state government will employ mercenary groups for hacking sensitive\r\ntargets, unless the group is based within Indian territory. Based on past and present targets, it strongly suggests that the\r\nAPT group operates within Indian territory. Furthermore, the threat actor utilized encryption techniques to secure the\r\ndata and network traffic, using the same certificate authority as the DoNot APT group, which previously deployed\r\nAndroid malware on the Google Play Store. Moreover, the APT actor employed the Ktor library to efficiently fetch\r\nand transfer data to the command-and-control server, a tactic similar to how the DoNot APT group used Retrofit for a\r\nsimilar data retrieval function.\r\nTaking all these factors into account, our analysis strongly indicates that the APT group behind the attack has ties to the\r\nIndian territory and is acting in the interest of one nation state government.\r\nDiamond Model\r\nAPPENDIX I\r\nIndicators of Compromise\r\nIndicator | Type | Remarks\r\n8A35D0B20B6F057FE42E606A124CB84D78FA95900A16B056269F1CC613853989 | Hash: SHA256 | Safe_Chat.apk\r\nhttps://laborer-posted[.]nl:2053 | Domain and port | Command and control\r\nAPPENDIX II\r\nMITRE ATT\u0026CK Technique Detection\r\nTactic | Technique ID | Description\r\nTA0101 – Command and Control | T0869 – Standard Application Layer Protocol | The threat actor uses a web service as a command-and-control server.\r\nTA0035 – Collection | T1430 – Location Tracking | Fetches precise location as part of information gathering.\r\nTA0035 – Collection | T1532 – Archive Collected Data | The threat actor uses encryption over data transfer to the command and control.\r\nTA0101 – Command and Control | T1521.002 – 
Asymmetric Cryptography | The threat actor encrypts the fetched data using an asymmetric encryption method.\r\nTA0035 – Collection | T1636.002 – Call Log | The threat actor exploits the call log permission to access call logs.\r\n| T1636.004 – SMS Messages | The threat actor accesses SMSs by exploiting the gained SMS permission.\r\n| T1636.002 – Contact List | The threat actor fetches the updated contact list.\r\nSource: https://www.cyfirma.com/outofband/apt-bahamut-targets-individuals-with-android-malware-using-spear-messaging/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.cyfirma.com/outofband/apt-bahamut-targets-individuals-with-android-malware-using-spear-messaging/"
	],
	"report_names": [
		"apt-bahamut-targets-individuals-with-android-malware-using-spear-messaging"
	],
	"threat_actors": [
		{
			"id": "732bfd4b-8c15-42a5-ac4b-14a9a4b902e9",
			"created_at": "2022-10-25T16:07:23.38079Z",
			"updated_at": "2026-04-10T02:00:04.574399Z",
			"deleted_at": null,
			"main_name": "Bahamut",
			"aliases": [],
			"source_name": "ETDA:Bahamut",
			"tools": [
				"Bahamut",
				"DownPaper"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f99641e0-2688-47b0-97bc-7410659d49a0",
			"created_at": "2023-01-06T13:46:38.802141Z",
			"updated_at": "2026-04-10T02:00:03.106084Z",
			"deleted_at": null,
			"main_name": "Bahamut",
			"aliases": [],
			"source_name": "MISPGALAXY:Bahamut",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "ada9e5d3-1cb2-4b70-a3c8-96808c304ac8",
			"created_at": "2022-10-25T15:50:23.6515Z",
			"updated_at": "2026-04-10T02:00:05.352078Z",
			"deleted_at": null,
			"main_name": "Windshift",
			"aliases": [
				"Windshift",
				"Bahamut"
			],
			"source_name": "MITRE:Windshift",
			"tools": [
				"WindTail"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775446572,
	"ts_updated_at": 1775792030,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c84668adcda73b057b4e6cce3957ef87917bd906.pdf",
		"text": "https://archive.orkl.eu/c84668adcda73b057b4e6cce3957ef87917bd906.txt",
		"img": "https://archive.orkl.eu/c84668adcda73b057b4e6cce3957ef87917bd906.jpg"
	}
}