{
	"id": "782cea26-8818-4ba2-b29d-bb58577514e0",
	"created_at": "2026-04-06T00:21:08.921012Z",
	"updated_at": "2026-04-10T03:35:29.166602Z",
	"deleted_at": null,
	"sha1_hash": "d0c53005e801ae155173cf94555915c2ddba9643",
	"title": "Bahamut Malware Returns With New Spying Features",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1354202,
	"plain_text": "Bahamut Malware Returns With New Spying Features\r\nPublished: 2022-06-29 · Archived: 2026-04-05 14:39:53 UTC\r\nCyble shares its observations on the return of Bahamut Malware and the new spyware capabilities built into it.\r\nBahamut is a well-known Advanced Persistent Threat (APT) group that was first discovered in 2017. The Bahamut\r\ngroup was involved in various phishing campaigns that were delivering malware targeting the Middle East and South\r\nAsia.\r\nCyble Research Labs has been closely monitoring the activities of the Bahamut group. In August 2021, Cyble\r\nreleased a blog on Bahamut Android Spyware, distributed through a phishing campaign impersonating Jamaat official\r\nsites.\r\nThe Bahamut group plans their attack on the target, stays in the wild for a while, allows their attack to affect many\r\nindividuals and organizations, and finally steals their data.\r\nAfter their previous attack, the Threat Actors (TAs) behind Bahamut stayed silent for about a year and came back with\r\na new strategy for their current campaign. The group has continuously kept changing its mode of attack, and in the\r\npast few years, it is increasingly shifting its focus to targeting mobile devices.\r\nDuring our routine threat hunting exercise, Cyble Research Labs came across a Twitter post wherein a researcher\r\nmentioned a variant of Android malware, which is Bahamut Android Spyware.\r\nAfter about a year of silence, a new variant of Bahamut Android malware was spotted in the wild in April 2022, being\r\ndistributed via phishing sites. The phishing sites were masked as genuine websites for downloading a messaging\r\napplication that provides secure communication.\r\nhttps://blog.cyble.com/2022/06/29/bahamut-android-malware-returns-with-new-spying-capabilities/\r\nPage 1 of 10\n\nFigure 1 – Phishing site which distributes malware\r\nThe phishing site is well-designed and looks professional. 
The TA has also mentioned the features provided by the\r\napplication, the Contact Us page, and the Subscribe page, as shown in the below figure. The TAs added these features\r\nto the site to make it appear more genuine.\r\nFigure 2 – Features listed on phishing sites to look legitimate\r\nThis indicates that the TA has invested time in developing a well-designed phishing website to attract the victim to\r\ndownload the malware.\r\nAlong with the secure chat phishing website, we have observed that Bahamut Spyware is being distributed through\r\nobscene sites “hxxps://www[.]iminglechat[.]de”.\r\nWhile comparing the old and new variants of Bahamut Android Spyware, we observed that the TA has modified their\r\ncode in the new variant and added extra modules specifically targeting messaging applications such as Viber, Imo,\r\nSignal, Telegram, and many more, wherein the old variant of the malicious app was collecting only Personally\r\nIdentifiable Information (PII) such as contacts, SMS data, call logs, etc. \r\nThe below image showcases the comparison and the extra module added to collect information from different\r\nmessaging apps.\r\nFigure 3 – Comparison of the old and new variants of Bahamut\r\nTechnical Analysis\r\nAPK Metadata Information   \r\nApp Name: Chat Services\r\nPackage Name: com.chat.services\r\nSHA256 Hash: 1084b7ff4758b5d13dcfc4f9167b16e6b834bfff2032b540e74959ceb18a5b1e\r\nFigure 4 shows the metadata information of the application.  \r\nFigure 4 – App Metadata Information \r\nManifest Description  \r\nThe malicious application mentions 24 permissions, of which the TA exploits 9. 
The harmful permissions requested\r\nby the malware are:  \r\nPermission   Description \r\nCAMERA Required to access the camera device.\r\nREAD_SMS Access phone messages\r\nRECORD_AUDIO\r\nAllows the app to record audio with the microphone,\r\nwhich the attackers can misuse\r\nREAD_CONTACTS Access phone contacts\r\nREAD_CALL_LOG Access phone call logs\r\nREAD_EXTERNAL_STORAGE\r\nAllows the app to read the contents of the device’s external\r\nstorage\r\nRECEIVE_SMS Allows an application to receive SMS messages\r\nWRITE_EXTERNAL_STORAGE\r\nAllows the app to write or delete files to the external\r\nstorage of the device\r\nSYSTEM_ALERT_WINDOW Allows the app to draw on top of other applications\r\nSource Code Review  \r\nInstalling the malware prompts the user to enable a few permissions and Accessibility Service. Once the victim grants\r\nthese permissions, the malware abuses the Accessibility Service to fetch data from the targeted messaging\r\napplications.\r\nFigure 5 – Accessibility Service\r\nThe malware then checks for the targeted application’s package name. It uses the Accessibility API to fetch text from\r\nthe current screen and stores it in a local database, as shown below.\r\nFigure 6 – Fetching data from the targeted applications\r\nBelow is the list of messaging applications targeted by the malware to collect the data:\r\ncom.viber.voip\r\ncom.protectedtext.android\r\ncom.facebook.orca\r\ncom.imo.android.imoim\r\norg.telegram.messenger\r\ncom.whatsapp\r\ncom.secapp.tor.conion\r\norg.thoughtcrime.securesms\r\nAfter collecting data from these messaging apps, the malware sends the stolen data to the Command and Control (C\u0026C)\r\nserver. 
The code present in the below image depicts the same.\r\nFigure 7 – Malware sending stolen information to the C\u0026C server\r\nAlong with collecting the data from messaging applications, the malware executes the below spyware activities:\r\nCollects contact information: The malware steals the contact data saved on the victim’s device and sends it to\r\nthe C\u0026C server.\r\nFigure 8 – Malware collecting contact data\r\nCollects SMS and call log data: The malware has code to collect the SMS and call log information from the\r\nvictim’s device.\r\nFigure 9 – Collecting SMS and call log information\r\nCollects files and basic device information: The malware collects the local files stored on the victim’s device\r\nalong with the basic information about the device such as model, device ID, version, SIM operator, etc.\r\nFigure 10 – Collecting files and basic device information\r\nThe figure below shows the C\u0026C server and endpoints used by the malware to send the stolen data.\r\nFigure 11 – C\u0026C server and endpoints\r\nConclusion \r\nRecently, many malware families and APT groups have been observed in the wild attacking specific targets and\r\nperforming malicious activities, then disappearing for some time. Bahamut malware follows the same cybercrime\r\nfootprint.\r\nBahamut malware was initially observed last year with sophisticated spying capabilities, and interestingly, it has\r\nreappeared with new additional code which collects messaging application data used by the victim. 
The agenda\r\nbehind the malware distribution is very clear – to spy on the targeted entity.\r\nOver the next few years, we may observe a change in the activities of the Bahamut APT group, with different targets,\r\nenhanced techniques, and distribution modes. \r\nOur Recommendations \r\nWe have listed some essential cybersecurity best practices that create the first line of control against attackers. We\r\nrecommend that our readers follow the best practices given below:   \r\nHow to prevent malware infection? \r\nDownload and install software only from official app stores like Play Store or the iOS App Store. \r\nUse a reputed anti-virus and internet security software package on your connected devices, such as PCs,\r\nlaptops, and mobile devices. \r\nUse strong passwords and enforce multi-factor authentication wherever possible. \r\nEnable biometric security features such as fingerprint or facial recognition for unlocking the mobile device\r\nwhere possible. \r\nBe wary of opening any links received via SMS or emails delivered to your phone. \r\nEnsure that Google Play Protect is enabled on Android devices. \r\nBe careful while enabling any permissions. \r\nKeep your devices, operating systems, and applications updated. \r\nHow to identify whether you are infected? \r\nRegularly check the Mobile/Wi-Fi data usage of applications installed on mobile devices. \r\nKeep an eye on the alerts provided by Anti-viruses and Android OS and take necessary actions accordingly. \r\nWhat to do when you are infected? \r\nDisable Wi-Fi/Mobile data and remove SIM card – as in some cases, the malware can re-enable the Mobile\r\nData. \r\nPerform a factory reset. \r\nRemove the application in case a factory reset is not possible. \r\nTake a backup of personal media Files (excluding mobile applications) and perform a device reset. \r\nWhat to do in case of any fraudulent transaction? \r\nIn case of a fraudulent transaction, immediately report it to the concerned bank. 
\r\nWhat should banks do to protect their customers? \r\nBanks and other financial entities should educate customers on safeguarding themselves from malware attacks\r\nvia telephone, SMS, or emails. \r\nMITRE ATT\u0026CK® Techniques \r\nTactic Technique ID Technique Name\r\nInitial Access T1476 Deliver Malicious App via Other Means\r\nCollection T1412 Capture SMS Messages\r\nCollection T1432 Access Contacts List\r\nCollection T1433 Access Call Logs\r\nCollection T1517 Access Notifications\r\nCollection T1533 Data from Local System\r\nCollection T1429 Capture Audio\r\nCommand and Control  T1571  Non-Standard Port \r\nIndicators of Compromise (IOCs) \r\nSource: https://blog.cyble.com/2022/06/29/bahamut-android-malware-returns-with-new-spying-capabilities/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://blog.cyble.com/2022/06/29/bahamut-android-malware-returns-with-new-spying-capabilities/"
	],
	"report_names": [
		"bahamut-android-malware-returns-with-new-spying-capabilities"
	],
	"threat_actors": [
		{
			"id": "42a6a29d-6b98-4fd6-a742-a45a0306c7b0",
			"created_at": "2022-10-25T15:50:23.710403Z",
			"updated_at": "2026-04-10T02:00:05.281246Z",
			"deleted_at": null,
			"main_name": "Silence",
			"aliases": [
				"Whisper Spider"
			],
			"source_name": "MITRE:Silence",
			"tools": [
				"Winexe",
				"SDelete"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "732bfd4b-8c15-42a5-ac4b-14a9a4b902e9",
			"created_at": "2022-10-25T16:07:23.38079Z",
			"updated_at": "2026-04-10T02:00:04.574399Z",
			"deleted_at": null,
			"main_name": "Bahamut",
			"aliases": [],
			"source_name": "ETDA:Bahamut",
			"tools": [
				"Bahamut",
				"DownPaper"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f99641e0-2688-47b0-97bc-7410659d49a0",
			"created_at": "2023-01-06T13:46:38.802141Z",
			"updated_at": "2026-04-10T02:00:03.106084Z",
			"deleted_at": null,
			"main_name": "Bahamut",
			"aliases": [],
			"source_name": "MISPGALAXY:Bahamut",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "eb5915d6-49a0-464d-9e4e-e1e2d3d31bc7",
			"created_at": "2025-03-29T02:05:20.764715Z",
			"updated_at": "2026-04-10T02:00:03.851829Z",
			"deleted_at": null,
			"main_name": "GOLD WYMAN",
			"aliases": [
				"Silence "
			],
			"source_name": "Secureworks:GOLD WYMAN",
			"tools": [
				"Silence"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ada9e5d3-1cb2-4b70-a3c8-96808c304ac8",
			"created_at": "2022-10-25T15:50:23.6515Z",
			"updated_at": "2026-04-10T02:00:05.352078Z",
			"deleted_at": null,
			"main_name": "Windshift",
			"aliases": [
				"Windshift",
				"Bahamut"
			],
			"source_name": "MITRE:Windshift",
			"tools": [
				"WindTail"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "88e53203-891a-46f8-9ced-81d874a271c4",
			"created_at": "2022-10-25T16:07:24.191982Z",
			"updated_at": "2026-04-10T02:00:04.895327Z",
			"deleted_at": null,
			"main_name": "Silence",
			"aliases": [
				"ATK 86",
				"Contract Crew",
				"G0091",
				"TAG-CR8",
				"TEMP.TruthTeller",
				"Whisper Spider"
			],
			"source_name": "ETDA:Silence",
			"tools": [
				"EDA",
				"EmpireDNSAgent",
				"Farse",
				"Ivoke",
				"Kikothac",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Meterpreter",
				"ProxyBot",
				"ReconModule",
				"Silence.Downloader",
				"TiniMet",
				"TinyMet",
				"TrueBot",
				"xfs-disp.exe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434868,
	"ts_updated_at": 1775792129,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d0c53005e801ae155173cf94555915c2ddba9643.pdf",
		"text": "https://archive.orkl.eu/d0c53005e801ae155173cf94555915c2ddba9643.txt",
		"img": "https://archive.orkl.eu/d0c53005e801ae155173cf94555915c2ddba9643.jpg"
	}
}