{
	"id": "0e10d2ed-6378-49ec-9eef-a4874392bf04",
	"created_at": "2026-04-06T00:18:23.62956Z",
	"updated_at": "2026-04-10T13:12:25.325801Z",
	"deleted_at": null,
	"sha1_hash": "d957fa1536e1e5daefd1a37c09c5942ae595c1de",
	"title": "Bahamut Threat Group Targets Users with Phishing",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2668807,
	"plain_text": "Bahamut Threat Group Targets Users with Phishing\r\nBy cybleinc\r\nPublished: 2021-08-10 · Archived: 2026-04-05 23:03:40 UTC\r\nA phishing campaign from a Twitter post. The Threat Actor (TA) hosts malicious Android APK files on a\r\ncounterfeit version of Jamaat websites.\r\nDuring Cyble’s routine threat hunting exercise, we came across a Twitter post mentioning a phishing campaign\r\ninvolving a Threat Actor (TA) hosting malicious Android APK files on a counterfeit version of Jamaat websites.\r\nThe phishing websites used by the TA are as follows:\r\njamaat-ul-islam[.]com\r\njamatapplication[.]com\r\njamaatforummah[.]com\r\njamaatforallah[.]com\r\nThe figure below shows the phishing page.\r\nhttps://blog.cyble.com/2021/08/10/bahamut-threat-group-targeting-users-through-phishing-campaign/\r\nPage 1 of 11\n\nFigure 1: Phishing page to deliver malware\r\nAs per Cyble’s research, this campaign matches the Bahamut group’s known activity. Therefore, it is likely that the Bahamut\r\ngroup is operating under this alias. Bahamut is a threat group targeting the Middle East and South Asia, and its\r\nattack vectors are phishing campaigns and malware. First noticed in 2017, Bahamut has targeted many individuals\r\nand entities.\r\nOur research team has downloaded the samples and conducted a thorough analysis. Based on this, the Cyble\r\nResearch Lab concluded that the malware is a variant of spyware and uploads the data to a Command \u0026 Control\r\n(C\u0026C) server. 
We also observed that the malicious app disguises itself as the Jamaat chat app and the Muslim Youth\r\napp.\r\nTechnical Analysis\r\nAPK Metadata Information\r\nApp Name: JamaatChat\r\nPackage Name: com.example.jamaat\r\nSHA256 Hash: 9d4e5d46ab3e2bb4b38256960b88ddc7e266d1959fa75d676a0cac5e811ad325\r\nFigure 2: APK Metadata Information\r\nOur initial analysis observed that the TA had hosted the same sample under different file names.\r\nThe Bahamut malware requests 21 different permissions from the user, of which 14 are dangerous. The dangerous\r\npermissions are listed below.\r\nPermission Name - Description\r\nandroid.permission.READ_CONTACTS - Access to phone contacts\r\nandroid.permission.READ_EXTERNAL_STORAGE - Access device external storage\r\nandroid.permission.WRITE_EXTERNAL_STORAGE - Modify device external storage\r\nandroid.permission.READ_PHONE_STATE - Access phone state and information\r\nandroid.permission.RECORD_AUDIO - Allows recording audio using the device microphone\r\nandroid.permission.ACCESS_COARSE_LOCATION - Fetch device location using a mobile network\r\nandroid.permission.ACCESS_FINE_LOCATION - Fetch device location using the GPS sensor\r\nandroid.permission.ACCESS_BACKGROUND_LOCATION - Access location information in the background\r\nandroid.permission.CALL_PHONE - Perform a call without user intervention\r\nandroid.permission.CAMERA - Access device camera hardware\r\nandroid.permission.READ_CALL_LOG - Access user’s call logs\r\nandroid.permission.READ_SMS - Access user’s SMSs stored on the device\r\nandroid.permission.RECEIVE_SMS - Fetch and process SMS messages\r\nandroid.permission.WRITE_SETTINGS - Modify device’s system settings\r\nTable 1: Dangerous permissions\r\nWhen the 
user enables these permissions, the malicious app will collect information such as contacts, SMSs, call\r\nlogs, audio, etc.\r\nThe below figure shows that the app requests permissions at the start.\r\nFigure 3: App requests permissions at the start\r\nThe Bahamut malware requests Contacts and SMS permissions from the user upon starting the application, among\r\nothers. Once the victim enables these permissions, the malware initiates background services to collect information.\r\nThe below figure depicts the code to start background services for collecting data.\r\nFigure 4: Background service for collecting information\r\nIn the initial stage, the Bahamut malware copies the device’s contacts, SMS and call logs into a local database named\r\ntabs_database. The below figure shows the table details of the database.\r\nFigure 5: Code to create the database for storing information\r\nSpyware Activity\r\n1. Contacts: The spyware extracts all the contacts stored on the device and stores them in a database\r\ntable named user_contacts. 
The below figure shows the code to collect contacts and store the data in a database\r\ntable.\r\nFigure 6: Code to collect contacts data\r\n2. SMSs: As the below figure shows, the malware collects SMSs and stores them in a database table named\r\nuser_sms.\r\nFigure 7: Code to collect SMSs\r\n3. Call Logs: As the below figure shows, the Bahamut malware extracts call log data and stores it in a\r\ndatabase table named call_logs.\r\nFigure 8: Code to collect Call Logs\r\n4. Files List: A list of files from device storage is classified as documents, audio, video and images and stored in a\r\ndatabase table named user_files.\r\n5. Location: Collects device location information.\r\n6. Device Hardware details: Collects information such as the IMEI number, IP address, device ID and phone\r\nmodel.\r\nThe below figure depicts the code to collect device information and location.\r\nFigure 9: Code to collect location and device hardware information\r\nThe malware creates listeners for user and device events, such as:\r\n1. DEVICE BOOT UP\r\n2. SMS RECEIVED\r\n3. CALL RECEIVED\r\n4. WIFI STATE CHANGE\r\n5. User event/New contact added\r\nThe below figure shows the code related to the listener created for the CALL RECEIVED event.\r\nFigure 10: Code to listen for a call received event\r\nThe Bahamut malware will upload the collected data whenever the aforementioned events are triggered on the\r\nvictim device. The TA has also created a scheduler to upload data which will execute every 4 hours (14400000\r\nmilliseconds). 
The below code shows the listener for the BOOT-UP event, which creates a scheduler that executes\r\nevery 4 hours.\r\nFigure 11: Code to listen for the boot-up event and to create a scheduler\r\nAs the below code shows, initializeSocket() is the function that uploads all the data to the C\u0026C server.\r\nFigure 12: Code used to communicate with the C\u0026C server\r\nFor all communication with the C\u0026C server, the fake app uses a framework called Socket.IO, a real-time,\r\nbidirectional communication library. In addition, the Bahamut malware uses the HTTPS protocol to communicate with the\r\nC\u0026C server.\r\nC\u0026C server URL: hxxps://h94xnghlldx6a862moj3[.]de\r\nThe below figure shows the C\u0026C server URL, which is stored in the application code.\r\nFigure 13: C\u0026C server URL in malware’s code\r\nThe application also contains code to emulate a chat application by using the WebView functionality in Android.\r\nConclusion\r\nAccording to our research, Bahamut frequently uses phishing pages as an attack vector to deliver malware. In this\r\nscenario, the group is targeting users trying to access Jamaat domains with Android spyware.\r\nTo protect yourself from these infections, install applications only from the official Google Play\r\nStore. Also, be aware of the threat groups and their attack vectors and take measures accordingly.\r\nOur Recommendations\r\nWe have listed some of the essential cybersecurity best practices that create the first line of control against attackers.\r\nWe recommend that our readers follow the best practices given below:\r\n1. If you find this malware on your device, uninstall it immediately.\r\n2. Use the shared IoCs to monitor and block the malware infection.\r\n3. 
Keep your anti-virus software updated to detect and remove malicious software.\r\n4. Keep your system and applications updated to the latest versions.\r\n5. Use strong passwords and enable two-factor authentication.\r\n6. Download and install software only from registered app stores.\r\nMITRE ATT\u0026CK® Techniques\r\nTactic - Technique ID - Technique Name\r\nDefense Evasion - T1406 - Obfuscated Files or Information\r\nDefense Evasion - T1418 - Application Discovery\r\nCredential Access - T1412 - Capture SMS Messages\r\nCredential Access - T1517 - Access Notifications\r\nDiscovery - T1421 - System Network Connections Discovery\r\nDiscovery - T1422 - System Network Configuration Discovery\r\nDiscovery - T1430 - Location Tracking\r\nDiscovery - T1426 - System Information Discovery\r\nDiscovery - T1424 - Process Discovery\r\nCollection - T1432 - Access Contact List\r\nCollection - T1433 - Access Call Log\r\nCollection - T1429 - Capture Audio\r\nCollection - T1507 - Network Information Discovery\r\nCollection - T1517 - Access Notifications\r\nCommand and Control - T1436 - Commonly Used Port\r\nIndicators of Compromise (IoCs):\r\nIndicator - Indicator type - Description\r\n9d4e5d46ab3e2bb4b38256960b88ddc7e266d1959fa75d676a0cac5e811ad325 - SHA256 - Hash of sample 1\r\nc5aa8327dfbca613e487d4075162f667e9ed967ad5d63427f79cb55ec79988b8 - SHA256 - Hash of sample 2\r\n4899519c3b0c8ba3c811e88e3f825d84833d05a6d82d64d9bc7e679ecdd36431 - SHA256 - Hash of sample 3\r\n7987841d022c799eeb0dbdc9bb656d88720b874353d42d709aa613705dd03597 - SHA256 - Hash of sample 5\r\nhxxps://h94xnghlldx6a862moj3[.]de - URL - C\u0026C server URL\r\nAbout Us\r\nCyble is a global threat intelligence SaaS provider that helps enterprises protect themselves from cybercrimes and\r\nexposure in the Darkweb. Its prime focus is to provide organizations with real-time visibility to their digital risk\r\nfootprint. 
Backed by Y Combinator as part of the 2021 winter cohort, Cyble has also been recognized by Forbes as\r\none of the top 20 Best Cybersecurity Startups to Watch In 2020. Headquartered in Alpharetta, Georgia, and with\r\noffices in Australia, Singapore, and India, Cyble has a global presence. To learn more about Cyble,\r\nvisit www.cyble.com.\r\nSource: https://blog.cyble.com/2021/08/10/bahamut-threat-group-targeting-users-through-phishing-campaign/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.cyble.com/2021/08/10/bahamut-threat-group-targeting-users-through-phishing-campaign/"
	],
	"report_names": [
		"bahamut-threat-group-targeting-users-through-phishing-campaign"
	],
	"threat_actors": [
		{
			"id": "732bfd4b-8c15-42a5-ac4b-14a9a4b902e9",
			"created_at": "2022-10-25T16:07:23.38079Z",
			"updated_at": "2026-04-10T02:00:04.574399Z",
			"deleted_at": null,
			"main_name": "Bahamut",
			"aliases": [],
			"source_name": "ETDA:Bahamut",
			"tools": [
				"Bahamut",
				"DownPaper"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f99641e0-2688-47b0-97bc-7410659d49a0",
			"created_at": "2023-01-06T13:46:38.802141Z",
			"updated_at": "2026-04-10T02:00:03.106084Z",
			"deleted_at": null,
			"main_name": "Bahamut",
			"aliases": [],
			"source_name": "MISPGALAXY:Bahamut",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ada9e5d3-1cb2-4b70-a3c8-96808c304ac8",
			"created_at": "2022-10-25T15:50:23.6515Z",
			"updated_at": "2026-04-10T02:00:05.352078Z",
			"deleted_at": null,
			"main_name": "Windshift",
			"aliases": [
				"Windshift",
				"Bahamut"
			],
			"source_name": "MITRE:Windshift",
			"tools": [
				"WindTail"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434703,
	"ts_updated_at": 1775826745,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d957fa1536e1e5daefd1a37c09c5942ae595c1de.pdf",
		"text": "https://archive.orkl.eu/d957fa1536e1e5daefd1a37c09c5942ae595c1de.txt",
		"img": "https://archive.orkl.eu/d957fa1536e1e5daefd1a37c09c5942ae595c1de.jpg"
	}
}