{
	"id": "0e60b953-2cb7-4ffe-8766-e73d6ee63c12",
	"created_at": "2026-04-06T00:15:11.579133Z",
	"updated_at": "2026-04-10T13:11:28.514542Z",
	"deleted_at": null,
	"sha1_hash": "e26b4fa94a4993874e0e3b0ed31249023ed3eb18",
	"title": "Bahamut Possibly Responsible for Multi-Stage Infection Chain Campaign",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3215916,
	"plain_text": "Bahamut Possibly Responsible for Multi-Stage Infection Chain Campaign\r\nBy Anomali Threat Research\r\nPublished: 2025-12-18 · Archived: 2026-04-05 22:26:58 UTC\r\nhttps://www.anomali.com/blog/bahamut-possibly-responsible-for-multi-stage-infection-chain-campaign\r\nPage 1 of 9\n\nAuthored by: Gage Mele, Tara Gould, Winston Marydasan, and Yury Polozov\r\nKey Findings\r\nAnomali Threat Research discovered cyberthreat actors distributing malicious documents exploiting a vulnerability (CVE-2017-8570) during a multi-stage infection chain to install a Visual Basic (VB) executable on target machines.\r\nThis exploitation creates a backdoor that appears to only retrieve an infected machine’s username, possibly indicating reconnaissance activity.\r\nWe assess with low confidence, based on limited technical intelligence and targeting consistent with previously observed activity, that the advanced persistent threat (APT) cyberespionage group known as Bahamut may be responsible for this campaign.\r\nBahamut is a “group for hire” and typically targets entities and individuals in the Middle East and South Asia with spearphishing messages and fake applications as the initial infection vector.\r\nOverview\r\nBased on a discovery in mid-February 2021, Anomali Threat Research assesses with low confidence that the APT cyberespionage group-for-hire Bahamut has been conducting malicious activity against multiple targets since at least June 4, 2020. 
While researching malicious files, our researchers analyzed a .docx file (List1.docx) that contained a bundled component shared with another .docx file, which was communicating via template injection with lobertica.info, a domain previously attributed to Bahamut.[1] Further analysis of this file and the infection chain it follows is provided in the subsequent sections.\r\nThe header dates of a template injection domain (lobertica.info/fefus/template.dot) contacted by Screeshot from NACTA Website.docx (the “Screeshot” misspelling is part of the original filename) indicated malicious activity dating back to at least June 4, 2020. The title of the document may be a reference to Pakistan’s National Counter Terrorism Authority (NACTA), which would be consistent with Bahamut’s previous targeting and geographical focus. The June timeframe also aligns with Pakistan’s virtual meeting with the Financial Action Task Force (Groupe d'Action Financière) held on June 24, 2020, which resulted in keeping Pakistan on the financial grey list for terrorism funding.[2] Additionally, between June 9 and 15, 2020, the United Arab Emirates (UAE) and Pakistan conducted repatriation flights for Pakistani nationals in the UAE, and as of June 29 the UAE suspended passengers from Pakistan until more COVID-19-related facilities could be created.[3] While the timing may be coincidental, sophisticated threat actors such as Bahamut are known to use real-world events as themes for targeted cyber campaigns. Historically, in December 2016, Bahamut reportedly targeted human rights activists in the Middle East with spearphishing attacks to deliver Android-based malware; this persisted through 2018 with the targeting of entities and individuals in Egypt, Iran, India, Pakistan, Palestine, Qatar, Tunisia, and the UAE.[4]\r\nDetails\r\nAnomali Threat Research identified malicious .docx files that exploit a remote code execution (RCE) vulnerability (CVE-2017-8570). 
The activity apparently began in June 2020 and continued through at least mid-February 2021. The actors used at least three files with generic names (List1.docx, List for Approval.docx, and report.doc) and one appearing to employ a NACTA theme with a typo: Screeshot from NACTA Website.docx (Figure 1).\r\nFigure 1 – Infection Chain\r\nTechnical Analysis\r\nThreat actors distributed .docx files with the objective of dropping a rich text format (RTF) file that began the infection process for additional malicious activity. Analysis of the .docx revealed a multi-step infection process.\r\nThe graphic below displays the connection between the malicious files and actor infrastructure (see Figure 2). The .xml file at the top is the bundled component contained inside the other .docx files. The .docx files used template injection to download a file from a malicious domain. Next, we observed an .rtf file being dropped that contained multiple files with the objective of dropping VB executables. 
The final layer in the chart shows the IP addresses we observed communicating with the malicious files.\r\nFigure 2 – Malicious Infrastructure\r\nFigure 3 – Self-Signed Certificate on 185.175.158.227\r\nFigure 3 above shows a self-signed certificate on the IP 185.175.158.227, a method Bahamut has used in previous activity.[5] Bahamut has also been reported to have a preference for utilizing the marketing email service MailKing.[6] The alignment of these data points, while not conclusive, further supports the assessment that this activity may be related to Bahamut.\r\nDOCX Analysis\r\nAnalyzed file – List1.docx\r\nMD5 – 3df18ecd55f8e267be39f6f757bcd5f0\r\nThe analyzed document is a .docx file with an embedded RTF object from memoadvicr.com/kodec/report.doc (see Figure 4). The external target is placed in the ‘webSettings.xml.rels’ file, which will download the RTF file. As shown in Figure 4, the dropped file is called report.doc, which is analyzed in the next section.\r\nFigure 4 – Embedded RTF Object\r\nRTF Analysis\r\nAnalyzed File – report.doc\r\nMD5 – 9dc1cdba6d5838f7984de89521f18ae8\r\nThe analyzed document is an RTF file downloaded by the .docx file; it contains an obfuscated .sct file that exploits CVE-2017-8570 (RCE). Exploitation of the vulnerability allows execution of the .sct file, which in turn executes other files dumped from the RTF. Filenames contained in the RTF (shown in Figures 5-6) include eisghfgh321.tmp, d.tmp, and E.sct.\r\nFigure 5 – OLE Package File Information for .tmp Files\r\nFigure 6 – OLE Package File Information for .sct File\r\nThe obfuscated .sct file contents were mixed with unwanted comments and confusing variable names to inhibit static analysis (Figure 7). Once reconstructed with readable variable names and stripped of random strings, we were able to produce a more comprehensible version of this .sct file (Figure 8).\r\nFigure 7 – Obfuscated .sct File Contents\r\nFigure 8 – Beautified .sct File Contents\r\nWith a better understanding of the .sct file, we determined that the script checks for the existence of the dropped file within the %temp% folder of the victim machine. This is the file dropped during exploitation of CVE-2017-8570. Next, the readBinary routine reads the data in eisghfgh321.tmp, and the script replaces the first two bytes with MZ and substitutes the last two zero bytes until eisghfgh321.tmp is molded into dwmm.exe. The executable is then dropped in the %PUBLIC% folder on an infected machine.\r\nThe script again checks for the existence of this malicious executable in the %PUBLIC% folder and, if it exists, the winword.exe process is killed to close the initially opened decoy document. Lastly, the executable, written in VB, functions as a backdoor on an infected machine. 
After decompiling the code, we found that the POST payload of dwmm.exe is generated on the fly while the backdoor communicates with the actor’s command and control (C2) server via a POST request (see Figure 9).\r\nFigure 9 – dxmm.exe POST Request\r\nAnalysis of the POST request shows that it sends back the username, which is located between “pt” and “tion,” as shown in Figure 10 below with brutal serving as the username.\r\nFigure 10 – dxmm.exe POST Request Information\r\nConclusion\r\nBahamut is a sophisticated APT group that utilizes anti-analysis techniques and multi-stage infection chains. Additionally, like many other APT groups, they employ social engineering and user interaction for the initial infection through spearphishing emails and messages. While we have identified many consistencies between this most recently discovered campaign and previously reported activity attributed to Bahamut, and the targeting appears to be consistent with Bahamut’s assessed interests, the lack of sufficiently unique indicators of compromise (IOCs) or tactics, techniques, and procedures (TTPs) means we can only assess with “low confidence” that Bahamut may be behind this activity. 
We will continue monitoring this group for additional malicious activity and provide details when appropriate.\r\nMITRE TTPs\r\nApplication Layer Protocol - T1071\r\nCommand and Scripting Interpreter: Visual Basic - T1059.005\r\nData Staged: Local Data Staging - T1074.001\r\nDeobfuscate/Decode Files or Information - T1140\r\nMasquerading - T1036\r\nObtain Capabilities: Vulnerabilities - T1588.006\r\nPhishing - T1566\r\nPhishing: Spearphishing Attachment - T1566.001\r\nSystem Information Discovery - T1082\r\nTemplate Injection - T1221\r\nUser Execution - T1204\r\nUser Execution: Malicious File - T1204.002\r\nEndnotes\r\n[1] BlackBerry Research and Intelligence Team, “Bahamut: Hack-for-Hire Masters of Phishing, Fake News, and Fake Apps,” BlackBerry, accessed March 9, 2021, published October 2020, https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-spark-bahamut.pdf, 81.\r\n[2] “Pakistan’s case not taken up at FATF meeting: FO,” Dawn, accessed March 9, 2021, published June 27, 2020, https://www.dawn.com/news/1565473; “Pakistan needs legislation to meet three outstanding FATF benchmarks: Report,” Hindustan Times, accessed March 9, 2021, published March 2, 2021, https://www.hindustantimes.com/world-news/pakistan-needs-legislation-to-meet-three-outstanding-fatf-benchmarks-report-101614669450193.html.\r\n[3] “Coronavirus: more repatriation flights from UAE to Pakistan announced,” The National, accessed March 10, 2021, published June 9, 2020, https://www.thenationalnews.com/lifestyle/travel/coronavirus-more-repatriation-flights-from-uae-to-pakistan-announced-1.1030914; “UAE suspends receiving passengers from Pakistan as of June 29 over COVID fears,” Reuters, accessed March 10, 2021, published June 28, 
2020, https://www.reuters.com/article/us-health-coronavirus-emirates-pakistan/uae-suspends-receiving-passengers-from-pakistan-as-of-june-29-over-covid-fears-idUSKBN23Z0RM.\r\n[4] Collin Anderson, “Bahamut, Pursuing a Cyber Espionage Actor in the Middle East,” Bellingcat, accessed March 9, 2021, published June 21, 2017, https://www.bellingcat.com/news/mena/2017/06/12/bahamut-pursuing-cyber-espionage-actor-middle-east/; Warren Mercer, et al., “Advanced Mobile Malware Campaign in India uses Malicious MDM - Part 2,” Cisco Talos Blog, accessed March 10, 2021, published July 25, 2018, https://blog.talosintelligence.com/2018/07/Mobile-Malware-Campaign-uses-Malicious-MDM-Part2.html; https://www.thaicert.or.th/downloads/files/A_Threat_Actor_Encyclopedia.pdf, 35; BlackBerry Research and Intelligence Team, “Bahamut: Hack-for-Hire Masters of Phishing, Fake News, and Fake Apps,” BlackBerry, 5; Taha Karim, “IN THE TRAILS OF WINDSHIFT APT,” DarkMatter, accessed March 10, 2021, published August 2018, https://gsec.hitb.org/materials/sg2018/D1%20COMMSEC%20-%20In%20the%20Trails%20of%20WINDSHIFT%20APT%20-%20Taha%20Karim.pdf, 13.\r\n[5] BlackBerry Research and Intelligence Team, “Bahamut: Hack-for-Hire Masters of Phishing, Fake News, and Fake Apps,” BlackBerry, 49.\r\n[6] Ibid.\r\nIOCs\r\nSource: https://www.anomali.com/blog/bahamut-possibly-responsible-for-multi-stage-infection-chain-campaign",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.anomali.com/blog/bahamut-possibly-responsible-for-multi-stage-infection-chain-campaign"
	],
	"report_names": [
		"bahamut-possibly-responsible-for-multi-stage-infection-chain-campaign"
	],
	"threat_actors": [
		{
			"id": "732bfd4b-8c15-42a5-ac4b-14a9a4b902e9",
			"created_at": "2022-10-25T16:07:23.38079Z",
			"updated_at": "2026-04-10T02:00:04.574399Z",
			"deleted_at": null,
			"main_name": "Bahamut",
			"aliases": [],
			"source_name": "ETDA:Bahamut",
			"tools": [
				"Bahamut",
				"DownPaper"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f99641e0-2688-47b0-97bc-7410659d49a0",
			"created_at": "2023-01-06T13:46:38.802141Z",
			"updated_at": "2026-04-10T02:00:03.106084Z",
			"deleted_at": null,
			"main_name": "Bahamut",
			"aliases": [],
			"source_name": "MISPGALAXY:Bahamut",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6bd4ed50-e116-494c-bb70-9587876663f1",
			"created_at": "2023-01-06T13:46:39.004062Z",
			"updated_at": "2026-04-10T02:00:03.178044Z",
			"deleted_at": null,
			"main_name": "WindShift",
			"aliases": [
				"Windy Phoenix"
			],
			"source_name": "MISPGALAXY:WindShift",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "68f12936-2361-4720-87e1-b79a4fdbf1a0",
			"created_at": "2022-10-25T16:07:24.409855Z",
			"updated_at": "2026-04-10T02:00:04.978227Z",
			"deleted_at": null,
			"main_name": "WindShift",
			"aliases": [
				"G0112",
				"Windy Phoenix"
			],
			"source_name": "ETDA:WindShift",
			"tools": [
				"WindTail"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "ada9e5d3-1cb2-4b70-a3c8-96808c304ac8",
			"created_at": "2022-10-25T15:50:23.6515Z",
			"updated_at": "2026-04-10T02:00:05.352078Z",
			"deleted_at": null,
			"main_name": "Windshift",
			"aliases": [
				"Windshift",
				"Bahamut"
			],
			"source_name": "MITRE:Windshift",
			"tools": [
				"WindTail"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434511,
	"ts_updated_at": 1775826688,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e26b4fa94a4993874e0e3b0ed31249023ed3eb18.pdf",
		"text": "https://archive.orkl.eu/e26b4fa94a4993874e0e3b0ed31249023ed3eb18.txt",
		"img": "https://archive.orkl.eu/e26b4fa94a4993874e0e3b0ed31249023ed3eb18.jpg"
	}
}