{ "id": "a7fdd47c-a76e-4a6a-a3b8-ae7432bfa882", "created_at": "2026-04-06T00:12:30.945903Z", "updated_at": "2026-04-10T03:33:50.194063Z", "deleted_at": null, "sha1_hash": "e695755280ab29560ebc445003ee3a3a1cd5328f", "title": "Bahamut cybermercenary group targets Android users with fake VPN apps", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 1328422, "plain_text": "Bahamut cybermercenary group targets Android users with fake VPN\r\napps\r\nBy Lukas Stefanko\r\nArchived: 2026-04-05 16:31:41 UTC\r\nESET researchers have identified an active campaign targeting Android users, conducted by the Bahamut APT group. This\r\ncampaign has been active since January 2022 and malicious apps are distributed through a fake SecureVPN website that\r\nprovides only Android apps to download. Note that although the malware employed throughout this campaign uses the name\r\nSecureVPN, it has no association whatsoever with the legitimate, multiplatform SecureVPN software and service.\r\nKey points of this blogpost:\r\nThe app used has at different times been a trojanized version of one of two legitimate VPN apps, SoftVPN or\r\nOpenVPN, which have been repackaged with Bahamut spyware code that the Bahamut group has used in the past.\r\nWe were able to identify at least eight versions of these maliciously patched apps with code changes and updates\r\nbeing made available through the distribution website, which might mean that the campaign is well maintained.\r\nThe main purpose of the app modifications is to extract sensitive user data and actively spy on victims’ messaging\r\napps.\r\nWe believe that targets are carefully chosen, since once the Bahamut spyware is launched, it requests an activation\r\nkey before the VPN and spyware functionality can be enabled. Both the activation key and website link are likely\r\nsent to targeted users.\r\nWe do not know the initial distribution vector (email, social media, messaging apps, SMS, etc.).\r\nESET researchers discovered at least eight versions of the Bahamut spyware. The malware is distributed through a fake\r\nSecureVPN website as trojanized versions of two legitimate apps – SoftVPN and OpenVPN. These malicious apps were\r\nnever available for download from Google Play.\r\nThe malware is able to exfiltrate sensitive data such as contacts, SMS messages, call logs, device location, and recorded\r\nphone calls. It can also actively spy on chat messages exchanged through very popular messaging apps including Signal,\r\nViber, WhatsApp, Telegram, and Facebook Messenger; the data exfiltration is done via the keylogging functionality of the\r\nmalware, which misuses accessibility services. The campaign appears to be highly targeted, as we see no instances in our\r\ntelemetry data.\r\nBahamut overview\r\nThe Bahamut APT group typically targets entities and individuals in the Middle East and South Asia with spearphishing\r\nmessages and fake applications as the initial attack vector. Bahamut specializes in cyberespionage, and we believe that its\r\ngoal is to steal sensitive information from its victims. Bahamut is also referred to as a mercenary group offering hack-for-hire services to a wide range of clients. The name was given to this threat actor, which appears to be a master in phishing, by\r\nthe Bellingcat investigative journalism group. Bellingcat named the group after the enormous fish floating in the vast\r\nArabian Sea mentioned in the Book of Imaginary Beings written by Jorge Luis Borges. Bahamut is frequently described in\r\nArabic mythology as an unimaginably enormous fish.\r\nThe group has been the subject of several publications in recent years, including:\r\n2017 – Bellingcat [1][2]\r\n2018 – Talos [1][2]\r\n2018 – Trend Micro\r\n2020 – BlackBerry [pdf]\r\n2020 – SonicWall\r\nhttps://www.welivesecurity.com/2022/11/23/bahamut-cybermercenary-group-targets-android-users-fake-vpn-apps/\r\nPage 1 of 10\n\n2021 – 打假的Hunter\r\n2021 – Cyble\r\n2022 – CoreSec360\r\n2022 – Cyble\r\nDistribution\r\nThe initial fake SecureVPN app we analyzed was uploaded to VirusTotal on 2022-03-17, from an IP address that geolocates\r\nto Singapore, along with a link to a fake website that triggered one of our YARA rules.\r\nAt the same time, we were notified on Twitter via DM from @malwrhunterteam about the same sample.\r\nThe malicious Android application used in this campaign was delivered via the website thesecurevpn[.]com (see Figure 1),\r\nwhich uses the name – but none of the content or styling – of the legitimate SecureVPN service (at the domain\r\nsecurevpn.com).\r\nFigure 1. Fake SecureVPN website provides a trojanized app to download\r\nThis fake SecureVPN website was created based on a free web template (see Figure 2), which was most likely used by the\r\nthreat actor as an inspiration, since it required only small changes and looks trustworthy.\r\nhttps://www.welivesecurity.com/2022/11/23/bahamut-cybermercenary-group-targets-android-users-fake-vpn-apps/\r\nPage 2 of 10\n\nFigure 2. Free website template used to create the distribution website for the fake VPN app\r\nthesecurevpn[.]com was registered on 2022-01-27; however, the time of initial distribution of the fake SecureVPN app is\r\nunknown. The malicious app is provided directly from the website and has never been available at the Google Play store.\r\nAttribution\r\nMalicious code in the fake SecureVPN sample was seen in the SecureChat campaign documented by Cyble and\r\nCoreSec360. We have seen this code being used only in campaigns conducted by Bahamut; similarities to those campaigns\r\ninclude storing sensitive information in a local database before uploading it to the C\u0026C server. The amount of data stored in\r\nthese databases probably depends on the campaign. In Figure 3 you can see malicious package classes from this variant\r\ncompared to a previous sample of Bahamut code.\r\nhttps://www.welivesecurity.com/2022/11/23/bahamut-cybermercenary-group-targets-android-users-fake-vpn-apps/\r\nPage 3 of 10\n\nFigure 3. Class name comparison between the earlier malicious SecureChat package (left) and fake SecureVPN package\r\n(right)\r\nComparing Figure 4 and Figure 5, you can see the similarities in SQL queries in the earlier SecureChat malware, attributed\r\nto Bahamut, and the fake SecureVPN malware.\r\nFigure 4. The SQL queries used in malicious code from the earlier SecureChat campaign\r\nhttps://www.welivesecurity.com/2022/11/23/bahamut-cybermercenary-group-targets-android-users-fake-vpn-apps/\r\nPage 4 of 10\n\nFigure 5. The SQL queries used in malicious code in the fake SecureVPN campaign\r\nAs such, we believe that the fake SecureVPN application is linked to the Bahamut group.\r\nAnalysis\r\nSince the distribution website has been online, there have been at least eight versions of the Bahamut spyware available for\r\ndownload. These versions were created by the threat actor, where the fake application name was followed by the version\r\nnumber. We were able to pull the following versions from the server, where we believe the version with the lowest version\r\nsuffix was provided to potential victims in the past, while more recently higher version numbers (secureVPN_104.apk,\r\nSecureVPN_105.apk, SecureVPN_106.apk, SecureVPN_107.apk, SecureVPN_108.apk, SecureVPN_109.apk,\r\nSecureVPN_1010.apk, secureVPN_1010b.apk) have been used.\r\nWe divide these versions into two branches, since Bahamut’s malicious code was placed into two different legitimate VPN\r\napps.\r\nIn the first branch, from version secureVPN_104 until secureVPN_108, malicious code was inserted into the legitimate\r\nSoftVPN application that can be found on Google Play and uses the unique package name com.secure.vpn. This package\r\nname is also visible in the PARENT_APPLICATION_ID value in the version information found in the decompiled source\r\ncode of the first fake SecureVPN app branch, as seen in Figure 6.\r\nFigure 6. Fake SecureVPN v1.0.4 with malicious code included into SoftVPN as parent application\r\nIn the second branch, from version secureVPN_109 until secureVPN_1010b, malicious code was inserted into the legitimate\r\nopen-source application OpenVPN, which is available on Google Play, and that uses the unique package name\r\ncom.openvpn.secure. As with the trojanized SoftVPN branch, the original app’s package name is also visible in the fake\r\nSecureVPN app’s version information, found in the decompiled source code, as seen in Figure 7.\r\nhttps://www.welivesecurity.com/2022/11/23/bahamut-cybermercenary-group-targets-android-users-fake-vpn-apps/\r\nPage 5 of 10\n\nFigure 7. Fake SecureVPN v1.0.9 (SecureVPN_109) with malicious code included into OpenVPN as its parent application\r\neven though the hardcoded VERSION_NAME (1.0.0) wasn’t changed between versions\r\nBesides the split in these two branches, where the same malicious code is implanted into two different VPN apps, other fake\r\nSecureVPN version updates contained only minor code changes or fixes, with nothing significant considering its overall\r\nfunctionality.\r\nThe reason why the threat actor switched from patching SoftVPN to OpenVPN as its parent app is not clear; however, we\r\nsuspect that the reason might be that the legitimate SoftVPN app stopped working or being maintained and was no longer\r\nable to create VPN connections – as confirmed by our testing of the latest SoftVPN app from Google Play. This could be a\r\nreason for Bahamut to switch to using OpenVPN, since potential victims might uninstall a non-working VPN app from their\r\ndevices. Changing one parent app to another likely required more time, resources, and effort to successfully implement by\r\nthe threat actor.\r\nMalicious code packaged with the OpenVPN app was implemented a layer above the VPN code. That malicious code\r\nimplements spyware functionality that requests an activation key and then checks the supplied key against the attacker’s\r\nC\u0026C server. If the key is successfully entered, the server will return a token that is necessary for successful communication\r\nbetween the Bahamut spyware and its C\u0026C server. If the key is not correct, neither Bahamut spyware nor VPN functionality\r\nwill be enabled. Unfortunately, without the activation key, dynamic malware analysis sandboxes might not flag it as a\r\nmalicious app.\r\nIn Figure 8 you can see an initial activation key request and in Figure 9 the network traffic behind such a request and the\r\nresponse from the C\u0026C server.\r\nFigure 8. Fake SecureVPN requests activation key before enabling VPN and spyware functions\r\nhttps://www.welivesecurity.com/2022/11/23/bahamut-cybermercenary-group-targets-android-users-fake-vpn-apps/\r\nPage 6 of 10\n\nFigure 9. Fake SecureVPN activation request and its C\u0026C server’s response\r\nThe campaigns using the fake SecureVPN app try to keep a low profile, since the website URL is most likely delivered to\r\npotential victims with an activation key, which is not provided on the website. Unfortunately, we were not able to obtain a\r\nworking key.\r\nThe activation key layer does not belong to the original OpenVPN functionality, and we do not recognize it as code from\r\nany other legitimate app. We believe it was developed by Bahamut, since it also communicates with their C\u0026C server.\r\nImplementing a layer to protect a payload from being triggered right after launch on a non-targeted user device or when\r\nbeing analyzed is not a unique feature. We already saw similar protection being used in another campaign by the Bahamut\r\ngroup implemented in the SecureChat app analyzed by CoreSec360. That required extra effort by the victim, who had to\r\ncreate an account and log into it, which then enabled the Bahamut spyware functionality. We have also observed comparable\r\nprotection being used by APT-C-23, where the potential victim needs a valid Coupon Code to download the malicious app.\r\nFunctionality\r\nIf the Bahamut spyware is enabled, then it can be remotely controlled by Bahamut operators and can exfiltrate various\r\nsensitive device data such as:\r\ncontacts,\r\nSMS messages,\r\ncall logs,\r\na list of installed apps,\r\ndevice location,\r\ndevice accounts,\r\ndevice info (type of internet connection, IMEI, IP, SIM serial number),\r\nrecorded phone calls, and\r\na list of files on external storage.\r\nBy misusing accessibility services, as seen in Figure 10, the malware can steal notes from the SafeNotes application and\r\nactively spy on chat messages and information about calls from popular messaging apps such as:\r\nimo-International Calls \u0026 Chat,\r\nFacebook Messenger,\r\nViber,\r\nSignal Private Messenger,\r\nWhatsApp,\r\nTelegram,\r\nWeChat, and\r\nConion apps.\r\nhttps://www.welivesecurity.com/2022/11/23/bahamut-cybermercenary-group-targets-android-users-fake-vpn-apps/\r\nPage 7 of 10\n\nFigure 10. Fake SecureVPN request to manually enable Accessibility services\r\nAll exfiltrated data is stored in a local database and then sent to the C\u0026C server. The Bahamut spyware functionality\r\nincludes the ability to update the app by receiving a link to a new version from the C\u0026C server.\r\nConclusion\r\nThe mobile campaign operated by the Bahamut APT group is still active; it uses the same method of distributing its Android\r\nspyware apps via websites that impersonate or masquerade as legitimate services, as has been seen in the past. Further, the\r\nspyware code, and hence its functionality, is the same as in previous campaigns, including collecting data to be exfiltrated in\r\na local database before sending it to the operators’ server, a tactic rarely seen in mobile cyberespionage apps.\r\nIt appears that this campaign has maintained a low profile, as we see no instances in our telemetry data. This is probably\r\nachieved through highly targeted distribution, where along with a link to the Bahamut spyware, the potential victim is\r\nsupplied an activation key, which is required to enable the malware’s spying functionality.\r\nIoCs\r\nFiles\r\nhttps://www.welivesecurity.com/2022/11/23/bahamut-cybermercenary-group-targets-android-users-fake-vpn-apps/\r\nPage 8 of 10\n\nSHA-1 Package name ESET detection name Description\r\n3144B187EDF4309263FF0BCFD02C6542704145B1 com.openvpn.secure Android/Spy.Bahamut.M\r\nOpenVPN app repacka\r\nBahamut spyware cod\r\n2FBDC11613A065AFBBF36A66E8F17C0D802F8347 com.openvpn.secure Android/Spy.Bahamut.M\r\nOpenVPN app repacka\r\nBahamut spyware cod\r\n2E40F7FD49FA8538879F90A85300247FBF2F8F67 com.secure.vpn Android/Spy.Bahamut.M\r\nSoftVPN app repackag\r\nBahamut spyware cod\r\n1A9371B8AEAD5BA7D309AEBE4BFFB86B23E38229 com.secure.vpn Android/Spy.Bahamut.M\r\nSoftVPN app repackag\r\nBahamut spyware cod\r\n976CC12B71805F4E8E49DCA232E95E00432C1778 com.secure.vpn Android/Spy.Bahamut.M\r\nSoftVPN app repackag\r\nBahamut spyware cod\r\nB54FFF5A7F0A279040A4499D5AABCE41EA1840FB com.secure.vpn Android/Spy.Bahamut.M\r\nSoftVPN app repackag\r\nBahamut spyware cod\r\nC74B006BADBB3844843609DD5811AB2CEF16D63B com.secure.vpn Android/Spy.Bahamut.M\r\nSoftVPN app repackag\r\nBahamut spyware cod\r\n4F05482E93825E6A40AF3DFE45F6226A044D8635 com.openvpn.secure Android/Spy.Bahamut.M\r\nOpenVPN app repacka\r\nBahamut spyware cod\r\n79BD0BDFDC3645531C6285C3EB7C24CD0D6B0FAF com.openvpn.secure Android/Spy.Bahamut.M\r\nOpenVPN app repacka\r\nBahamut spyware cod\r\n7C49C8A34D1D032606A5E9CDDEBB33AAC86CE4A6 com.openvpn.secure Android/Spy.Bahamut.M\r\nOpenVPN app repacka\r\nBahamut spyware cod\r\nNetwork\r\nIP Domain First seen Details\r\n104.21.10[.]79 ft8hua063okwfdcu21pw[.]de 2022-03-20 C\u0026C server\r\n172.67.185[.]54 thesecurevpn[.]com 2022-02-23 Distribution website\r\nMITRE ATT\u0026CK techniques\r\nThis table was built using version 11 of the ATT\u0026CK framework.\r\nTactic ID Name Description\r\nPersistence\r\nT1398\r\nBoot or Logon\r\nInitialization Scripts\r\nBahamut spyware receives the BOOT_COMPLETED\r\nbroadcast intent to activate at device startup.\r\nT1624\r\nEvent Triggered\r\nExecution\r\nBahamut spyware uses Observers to be informed about\r\nchanges in SMS, contacts, and calls.\r\nDefense\r\nEvasion\r\nT1627 Execution Guardrails\r\nBahamut spyware won’t run unless a valid activation key is\r\nprovided at app startup.\r\nDiscovery\r\nT1420\r\nFile and Directory\r\nDiscovery\r\nBahamut spyware can list available files on external storage.\r\nT1418 Software Discovery Bahamut spyware can obtain a list of installed applications.\r\nhttps://www.welivesecurity.com/2022/11/23/bahamut-cybermercenary-group-targets-android-users-fake-vpn-apps/\r\nPage 9 of 10\n\nTactic ID Name Description\r\nT1426\r\nSystem Information\r\nDiscovery\r\nBahamut spyware can extract information about the device\r\nincluding type of internet connection, IMEI, IP address, and\r\nSIM serial number.\r\nCollection\r\nT1417.001\r\nInput Capture:\r\nKeylogging\r\nBahamut spyware logs keystrokes in chat messages and call\r\ninformation from targeted apps.\r\nT1430 Location Tracking Bahamut spyware tracks device location.\r\nT1429 Audio Capture Bahamut spyware can record phone calls.\r\nT1532\r\nArchive Collected\r\nData\r\nBahamut spyware stores collected data in a database prior to\r\nexfiltration.\r\nT1636.002\r\nProtected User Data:\r\nCall Logs\r\nBahamut spyware can extract call logs.\r\nT1636.003\r\nProtected User Data:\r\nContact List\r\nBahamut spyware can extract the contact list.\r\nT1636.004\r\nProtected User Data:\r\nSMS Messages\r\nBahamut spyware can extract SMS messages.\r\nCommand and\r\nControl\r\nT1437.001\r\nApplication Layer\r\nProtocol: Web\r\nProtocols\r\nBahamut spyware uses HTTPS to communicate with its\r\nC\u0026C server.\r\nExfiltration T1646\r\nExfiltration Over C2\r\nChannel\r\nBahamut spyware exfiltrates stolen data over its C\u0026C\r\nchannel.\r\nSource: https://www.welivesecurity.com/2022/11/23/bahamut-cybermercenary-group-targets-android-users-fake-vpn-apps/\r\nhttps://www.welivesecurity.com/2022/11/23/bahamut-cybermercenary-group-targets-android-users-fake-vpn-apps/\r\nPage 10 of 10", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA", "Malpedia" ], "references": [ "https://www.welivesecurity.com/2022/11/23/bahamut-cybermercenary-group-targets-android-users-fake-vpn-apps/" ], "report_names": [ "bahamut-cybermercenary-group-targets-android-users-fake-vpn-apps" ], "threat_actors": [ { "id": "732bfd4b-8c15-42a5-ac4b-14a9a4b902e9", "created_at": "2022-10-25T16:07:23.38079Z", "updated_at": "2026-04-10T02:00:04.574399Z", "deleted_at": null, "main_name": "Bahamut", "aliases": [], "source_name": "ETDA:Bahamut", "tools": [ "Bahamut", "DownPaper" ], "source_id": "ETDA", "reports": null }, { "id": "f99641e0-2688-47b0-97bc-7410659d49a0", "created_at": "2023-01-06T13:46:38.802141Z", "updated_at": "2026-04-10T02:00:03.106084Z", "deleted_at": null, "main_name": "Bahamut", "aliases": [], "source_name": "MISPGALAXY:Bahamut", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "9ff60d4d-153b-4ed5-a2f7-18a21d2fa05d", "created_at": "2022-10-25T16:07:23.539852Z", "updated_at": "2026-04-10T02:00:04.647734Z", "deleted_at": null, "main_name": "Desert Falcons", "aliases": [ "APT-C-23", "ATK 66", "Arid Viper", "Niobium", "Operation Arid Viper", "Operation Bearded Barbie", "Operation Rebound", "Pinstripe Lightning", "Renegade Jackal", "TAG-63", "TAG-CT1", "Two-tailed Scorpion" ], "source_name": "ETDA:Desert Falcons", "tools": [ "AridSpy", "Barb(ie) Downloader", "BarbWire", "Desert Scorpion", "FrozenCell", "GlanceLove", "GnatSpy", "KasperAgent", "Micropsia", "PyMICROPSIA", "SpyC23", "Viper RAT", "ViperRAT", "VolatileVenom", "WinkChat", "android.micropsia" ], "source_id": "ETDA", "reports": null }, { "id": "b1979c55-037a-415f-b0a3-cab7933f5cd4", "created_at": "2024-04-24T02:00:49.561432Z", "updated_at": "2026-04-10T02:00:05.416794Z", "deleted_at": null, "main_name": "APT-C-23", "aliases": [ "APT-C-23", "Arid Viper", "Desert Falcon", "TAG-63", "Grey Karkadann", "Big Bang APT", "Two-tailed Scorpion" ], "source_name": "MITRE:APT-C-23", "tools": [ "Micropsia" ], "source_id": "MITRE", "reports": null }, { "id": "929d794b-0e1d-4d10-93a6-29408a527cc2", "created_at": "2023-01-06T13:46:38.70844Z", "updated_at": "2026-04-10T02:00:03.075002Z", "deleted_at": null, "main_name": "AridViper", "aliases": [ "Desert Falcon", "Arid Viper", "APT-C-23", "Bearded Barbie", "Two-tailed Scorpion" ], "source_name": "MISPGALAXY:AridViper", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "75108fc1-7f6a-450e-b024-10284f3f62bb", "created_at": "2024-11-01T02:00:52.756877Z", "updated_at": "2026-04-10T02:00:05.273746Z", "deleted_at": null, "main_name": "Play", "aliases": null, "source_name": "MITRE:Play", "tools": [ "Nltest", "AdFind", "PsExec", "Wevtutil", "Cobalt Strike", "Playcrypt", "Mimikatz" ], "source_id": "MITRE", "reports": null }, { "id": "e5cad6bf-fa91-4128-ba0d-2bf3ff3c6c6b", "created_at": "2025-08-07T02:03:24.53077Z", "updated_at": "2026-04-10T02:00:03.680525Z", "deleted_at": null, "main_name": "ALUMINUM SARATOGA", "aliases": [ "APT-C-23", "Arid Viper", "Desert Falcon", "Extreme Jackal ", "Gaza Cybergang", "Molerats ", "Operation DustySky ", "TA402" ], "source_name": "Secureworks:ALUMINUM SARATOGA", "tools": [ "BlackShades", "BrittleBush", "DarkComet", "LastConn", "Micropsia", "NimbleMamba", "PoisonIvy", "QuasarRAT", "XtremeRat" ], "source_id": "Secureworks", "reports": null }, { "id": "35b3e533-7483-4f07-894e-2bb3ac855207", "created_at": "2025-08-07T02:03:24.540035Z", "updated_at": "2026-04-10T02:00:03.69627Z", "deleted_at": null, "main_name": "ALUMINUM SHADYSIDE", "aliases": [ "APT-C-23 ", "Arid Viper ", "Desert Falcon " ], "source_name": "Secureworks:ALUMINUM SHADYSIDE", "tools": [ "Micropsia", "SpyC23" ], "source_id": "Secureworks", "reports": null }, { "id": "ada9e5d3-1cb2-4b70-a3c8-96808c304ac8", "created_at": "2022-10-25T15:50:23.6515Z", "updated_at": "2026-04-10T02:00:05.352078Z", "deleted_at": null, "main_name": "Windshift", "aliases": [ "Windshift", "Bahamut" ], "source_name": "MITRE:Windshift", "tools": [ "WindTail" ], "source_id": "MITRE", "reports": null } ], "ts_created_at": 1775434350, "ts_updated_at": 1775792030, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/e695755280ab29560ebc445003ee3a3a1cd5328f.pdf", "text": "https://archive.orkl.eu/e695755280ab29560ebc445003ee3a3a1cd5328f.txt", "img": "https://archive.orkl.eu/e695755280ab29560ebc445003ee3a3a1cd5328f.jpg" } }