Bahamut Threat Group Targets Users with Phishing
By cybleinc
Published: 2021-08-10 · Archived: 2026-04-05 23:03:40 UTC
https://blog.cyble.com/2021/08/10/bahamut-threat-group-targeting-users-through-phishing-campaign/

During Cyble's routine threat hunting exercise, we came across a Twitter post describing a phishing campaign in which a Threat Actor (TA) hosts malicious Android APK files on counterfeit versions of Jamaat websites.

The phishing websites used by the TA are as follows:

jamaat-ul-islam[.]com
jamatapplication[.]com
jamaatforummah[.]com
jamaatforallah[.]com

The figure below shows the phishing page.

Figure 1: Phishing page to deliver malware

As per Cyble's research, the tooling and delivery in this campaign are identical to earlier Bahamut group activity. Therefore, it is likely that the Bahamut group is operating under this alias. Bahamut is a threat group targeting the Middle East and South Asia; its attack vectors are phishing campaigns and malware. First noticed in 2017, Bahamut has targeted many individuals and entities.

Our research team downloaded the samples and conducted a thorough analysis. Based on this, the Cyble Research Lab concluded that the malware is a spyware variant that uploads the collected data to a Command & Control (C&C) server. We also observed that the malicious app disguises itself as the Jamaat chat app and the Muslim Youth app.

Technical Analysis

APK Metadata Information

App Name: JamaatChat
Package Name: com.example.jamaat
SHA256 Hash: 9d4e5d46ab3e2bb4b38256960b88ddc7e266d1959fa75d676a0cac5e811ad325

Figure 2: APK Metadata Information

Our initial analysis observed that the TA had hosted the same sample under different file names.
The Bahamut malware requests 21 different permissions from the user, of which 14 fall into Android's "dangerous" protection level. The dangerous permissions are listed below.

Table 1: Dangerous permissions

Permission Name                                 Description
android.permission.READ_CONTACTS                Read the phone contacts
android.permission.READ_EXTERNAL_STORAGE        Read the device's external storage
android.permission.WRITE_EXTERNAL_STORAGE       Modify the device's external storage
android.permission.READ_PHONE_STATE             Read phone state and identifiers (e.g. IMEI)
android.permission.RECORD_AUDIO                 Record audio using the device microphone
android.permission.ACCESS_COARSE_LOCATION       Fetch the device location from the mobile network
android.permission.ACCESS_FINE_LOCATION         Fetch the device location from the GPS sensor
android.permission.ACCESS_BACKGROUND_LOCATION   Access location information while in the background
android.permission.CALL_PHONE                   Place phone calls without user intervention
android.permission.CAMERA                       Access the device camera hardware
android.permission.READ_CALL_LOG                Read the user's call logs
android.permission.READ_SMS                     Read the SMS messages stored on the device
android.permission.RECEIVE_SMS                  Receive and process incoming SMS messages
android.permission.WRITE_SETTINGS               Modify the device's system settings

When the user grants these permissions, the malicious app can collect information such as contacts, SMS messages, call logs and audio recordings. The figure below shows that the app requests the permissions at start-up.

Figure 3: App requests permissions at the start

Among others, the Bahamut malware asks for the Contacts and SMS permissions as soon as the application starts. Once the victim grants them, the malware starts background services that collect the information. The figure below shows the code that starts the background collection services.
Figure 4: Background service for collecting information

In the initial stage, the Bahamut malware copies the device's contacts, SMS messages and call logs into a local SQLite database named tabs_database. The figure below shows the tables in that database.

Figure 5: Code to create the database for storing information

Spyware Activity

1. Contacts: The spyware extracts all the contacts stored on the device and writes them to the database table user_contacts. The figure below shows the code that collects the contacts and stores them in the table.

Figure 6: Code to collect contacts data

2. SMSs: As the figure below shows, the malware collects SMS messages and stores them in the database table user_sms.

Figure 7: Code to collect SMSs

3. Call Logs: As the figure below shows, the Bahamut malware extracts the call log and stores it in the database table call_logs.

Figure 8: Code to collect Call Logs

4. Files List: A list of files from device storage, classified as documents, audio, video and images, is stored in the database table user_files.

5. Location: Collects the device's location.

6. Device hardware details: Collects information such as the IMEI number, IP address, device ID and phone model.

The figure below shows the code that collects the device information and location.

Figure 9: Code to collect location and device hardware information

The malware registers listeners for the following device and user events:

1. DEVICE BOOT UP
2. SMS RECEIVED
3. CALL RECEIVED
4. WIFI STATE CHANGE
5. User event: a new contact is added

The figure below shows the code for the CALL RECEIVED listener.

Figure 10: Code to listen for a call received event

The Bahamut malware uploads the collected data whenever one of the above events fires on the victim device. The TA has also created a scheduler that uploads the data every 4 hours (14400000 milliseconds). The code below shows the BOOT UP listener, which creates that scheduler; because it runs on every boot, the upload cycle survives reboots.

Figure 11: Code to listen for the boot-up event and to create the scheduler

As the code below shows, initializeSocket() is the function that uploads all the data to the C&C server.

Figure 12: Code used to communicate with the C&C server

For all communication with the C&C server, the fake app uses Socket.IO, a real-time, bidirectional communication library, and the connection is made over HTTPS.

C&C server URL: hxxps://h94xnghlldx6a862moj3[.]de

The figure below shows the C&C server URL hard-coded in the application.

Figure 13: C&C server URL in malware's code

The application also contains code that imitates a chat application using Android's WebView, so the victim sees a plausible app while collection runs in the background.

Conclusion

According to our research, Bahamut frequently uses phishing pages as an attack vector to deliver malware. In this campaign, the group targets users of Jamaat-related sites with Android spyware. To protect against such infections, users should install applications only from the official Google Play Store, stay aware of active threat groups and their attack vectors, and take measures accordingly.
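The permission set in Table 1 and the event listeners listed above are both visible statically in the APK's manifest, so an analyst can triage a sample for this pattern before running it. The script below is an added example written for this page; it is not Cyble's tooling and not the malware's code. It assumes the APK has been decoded with apktool (or similar) so that AndroidManifest.xml is readable XML. The manifest embedded in the script is constructed to mimic the described sample: the package name is the one reported above, the receiver and service class names are assumed, the mapping from the listed events to Android broadcast actions is the example's own, and the verdict thresholds are heuristics chosen for illustration. Note that Android has no broadcast for a new contact (apps watch the contacts content provider at runtime), so that listener cannot be seen in a manifest.

```python
"""Static triage of a decoded AndroidManifest.xml (apktool output).

Added example: flags the dangerous-permission and broadcast-receiver pattern
described for the Bahamut sample.  The manifest at the bottom is constructed
for the example; the verdict thresholds are this script's own heuristics.
"""
import sys
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Table 1: the 14 dangerous permissions the sample requests.
DANGEROUS_PERMISSIONS = {
    "android.permission." + p for p in (
        "READ_CONTACTS", "READ_EXTERNAL_STORAGE", "WRITE_EXTERNAL_STORAGE",
        "READ_PHONE_STATE", "RECORD_AUDIO", "ACCESS_COARSE_LOCATION",
        "ACCESS_FINE_LOCATION", "ACCESS_BACKGROUND_LOCATION", "CALL_PHONE",
        "CAMERA", "READ_CALL_LOG", "READ_SMS", "RECEIVE_SMS", "WRITE_SETTINGS",
    )
}

# Permissions behind the bulk data theft described (grouping chosen here).
COLLECTION_PERMISSIONS = {
    "android.permission." + p
    for p in ("READ_CONTACTS", "READ_SMS", "READ_CALL_LOG", "RECORD_AUDIO")
}

# Broadcast actions corresponding to the events the sample listens for.
# "New contact added" has no broadcast, so it is not visible in a manifest.
EVENT_ACTIONS = {
    "android.intent.action.BOOT_COMPLETED": "DEVICE BOOT UP",
    "android.provider.Telephony.SMS_RECEIVED": "SMS RECEIVED",
    "android.intent.action.PHONE_STATE": "CALL RECEIVED",
    "android.net.wifi.WIFI_STATE_CHANGED": "WIFI STATE CHANGE",
}


def triage_manifest(xml_text):
    """Return requested dangerous permissions, event receivers and a verdict."""
    root = ET.fromstring(xml_text)
    requested = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    dangerous = sorted(requested & DANGEROUS_PERMISSIONS)

    # Map each interesting event to the receiver classes subscribed to it.
    listeners = {}
    for receiver in root.iter("receiver"):
        cls = receiver.get(ANDROID_NS + "name")
        for action in receiver.iter("action"):
            event = EVENT_ACTIONS.get(action.get(ANDROID_NS + "name"))
            if event:
                listeners.setdefault(event, []).append(cls)

    # Heuristic verdict: several dangerous permissions, at least one of them a
    # bulk-collection permission, plus a boot receiver for persistence.
    suspicious = (
        len(dangerous) >= 3
        and bool(set(dangerous) & COLLECTION_PERMISSIONS)
        and "DEVICE BOOT UP" in listeners
    )
    return {
        "package": root.get("package"),
        "dangerous_permissions": dangerous,
        "event_listeners": listeners,
        "suspicious": suspicious,
    }


# Constructed manifest mimicking the described sample (class names assumed).
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.jamaat">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application android:label="JamaatChat">
    <receiver android:name=".BootReceiver">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
    <receiver android:name=".SmsReceiver">
      <intent-filter><action android:name="android.provider.Telephony.SMS_RECEIVED"/></intent-filter>
    </receiver>
    <receiver android:name=".CallReceiver">
      <intent-filter><action android:name="android.intent.action.PHONE_STATE"/></intent-filter>
    </receiver>
    <service android:name=".CollectorService"/>
  </application>
</manifest>
"""

if __name__ == "__main__":
    # Usage: python triage.py [path/to/decoded/AndroidManifest.xml]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_MANIFEST
    result = triage_manifest(text)
    print(result["package"], "SUSPICIOUS" if result["suspicious"] else "clean")
    print("dangerous:", ", ".join(result["dangerous_permissions"]))
    for event, classes in result["event_listeners"].items():
        print("listens for %s via %s" % (event, ", ".join(classes)))
```

The check only covers receivers declared in the manifest; receivers registered at runtime with registerReceiver() and content observers need dynamic analysis or a look at the decompiled code, which is what Figures 4 to 11 above show.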
Our Recommendations

We have listed some of the essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:

1. If you find this malware on your device, uninstall it immediately.
2. Use the shared IoCs to monitor for and block the malware infection.
3. Keep your anti-virus software updated to detect and remove malicious software.
4. Keep your system and applications updated to the latest versions.
5. Use strong passwords and enable two-factor authentication.
6. Download and install software only from official app stores.

MITRE ATT&CK® Techniques

Tactic                 Technique ID   Technique Name
Defense Evasion        T1406          Obfuscated Files or Information
                       T1418          Application Discovery
Credential Access      T1412          Capture SMS Messages
                       T1517          Access Notifications
Discovery              T1421          System Network Connections Discovery
                       T1422          System Network Configuration Discovery
                       T1430          Location Tracking
                       T1426          System Information Discovery
                       T1424          Process Discovery
Collection             T1432          Access Contact List
                       T1433          Access Call Log
                       T1429          Capture Audio
                       T1507          Network Information Discovery
                       T1517          Access Notifications
Command and Control    T1436          Commonly Used Port

Indicators of Compromise (IoCs):

Indicator                                                          Indicator type   Description
9d4e5d46ab3e2bb4b38256960b88ddc7e266d1959fa75d676a0cac5e811ad325   SHA256           Hash of sample 1
c5aa8327dfbca613e487d4075162f667e9ed967ad5d63427f79cb55ec79988b8   SHA256           Hash of sample 2
4899519c3b0c8ba3c811e88e3f825d84833d05a6d82d64d9bc7e679ecdd36431   SHA256           Hash of sample 3
7987841d022c799eeb0dbdc9bb656d88720b874353d42d709aa613705dd03597   SHA256           Hash of sample 5
hxxps://h94xnghlldx6a862moj3[.]de                                  URL              C&C server URL

About Us

Cyble is a global threat intelligence SaaS provider that helps enterprises protect themselves from cybercrime and exposure on the dark web. Its prime focus is to provide organizations with real-time visibility into their digital risk footprint. Backed by Y Combinator as part of the 2021 winter cohort, Cyble has also been recognized by Forbes as one of the top 20 Best Cybersecurity Startups to Watch in 2020. Headquartered in Alpharetta, Georgia, and with offices in Australia, Singapore and India, Cyble has a global presence. To learn more about Cyble, visit www.cyble.com.

Source: https://blog.cyble.com/2021/08/10/bahamut-threat-group-targeting-users-through-phishing-campaign/
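Recommendation 2 above asks readers to monitor for and block the shared IoCs. The script below is an added example of how to do that against file hashes and web-proxy logs; it is not Cyble's tooling. It takes the indicators exactly as published (defanged with hxxps and [.]), refangs them, matches destination hosts either exactly or as subdomains of an IoC host, and compares hashes case-insensitively. The proxy-log lines and their format (timestamp, client IP, method, URL) are constructed for the example; adapt the regular expression to your own proxy or DNS log layout.

```python
"""Match the published IoCs against file hashes and proxy-log lines.

Added example supporting the "use the shared IoCs to monitor and block"
recommendation; not Cyble's tooling.  The log lines and the log format below
are constructed for the example.
"""
import re

# SHA256 hashes of the four samples from the IoC table.
IOC_SHA256 = {
    "9d4e5d46ab3e2bb4b38256960b88ddc7e266d1959fa75d676a0cac5e811ad325",
    "c5aa8327dfbca613e487d4075162f667e9ed967ad5d63427f79cb55ec79988b8",
    "4899519c3b0c8ba3c811e88e3f825d84833d05a6d82d64d9bc7e679ecdd36431",
    "7987841d022c799eeb0dbdc9bb656d88720b874353d42d709aa613705dd03597",
}

# C&C URL and phishing hosts, kept in the defanged form they were published in.
IOC_NETWORK = {
    "hxxps://h94xnghlldx6a862moj3[.]de",
    "jamaat-ul-islam[.]com",
    "jamatapplication[.]com",
    "jamaatforummah[.]com",
    "jamaatforallah[.]com",
}


def refang(indicator):
    """Undo common defanging (hxxp(s)://, [.], (.)) so indicators match logs."""
    s = indicator.strip().lower()
    s = re.sub(r"^hxxp(s?)://", r"http\1://", s)
    return s.replace("[.]", ".").replace("(.)", ".")


def host_of(value):
    """Bare hostname of a URL, host:port or plain hostname (defanged or not)."""
    s = re.sub(r"^[a-z]+://", "", refang(value))
    return s.split("/")[0].split(":")[0].rstrip(".")


def host_matches(host, ioc_host):
    """Exact match or a subdomain of the IoC host (cdn.x.com matches x.com)."""
    return host == ioc_host or host.endswith("." + ioc_host)


IOC_HOSTS = sorted(host_of(i) for i in IOC_NETWORK)

# Constructed proxy-log format: <timestamp> <client-ip> <method> <url>
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def scan_proxy_log(lines):
    """Return one hit per log line whose destination host is an IoC host."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than aborting the scan
        ts, client, _method, url = m.groups()
        host = host_of(url)
        for ioc in IOC_HOSTS:
            if host_matches(host, ioc):
                hits.append({"timestamp": ts, "client": client,
                             "host": host, "ioc": ioc})
                break
    return hits


def scan_hashes(hashes):
    """Return the (lower-cased) hashes that match a known sample."""
    return sorted({h.strip().lower() for h in hashes} & IOC_SHA256)


# Constructed log lines: a benign request, an APK download from a phishing
# host, a CONNECT to the C&C host, a subdomain of a phishing host, and noise.
SAMPLE_LOG = [
    "2021-08-09T10:15:01Z 10.0.0.12 GET https://www.example.org/",
    "2021-08-09T10:15:07Z 10.0.0.12 GET https://jamatapplication.com/app.apk",
    "2021-08-09T10:16:30Z 10.0.0.12 CONNECT h94xnghlldx6a862moj3.de:443",
    "2021-08-09T10:17:02Z 10.0.0.45 GET https://cdn.jamaatforallah.com/x",
    "garbage line",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print("%(timestamp)s %(client)s -> %(host)s (IoC: %(ioc)s)" % hit)
```

Matching on the hostname rather than on the raw URL string is deliberate: the C&C connection shows up in a proxy log as a CONNECT to host:443 with no path, and a phishing site can move content onto a subdomain without changing the registered domain. The suffix check requires the leading dot, so a look-alike such as notjamatapplication.com does not match.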