{
	"id": "bc4848ce-6010-4806-afd1-7e205928388c",
	"created_at": "2026-04-06T00:12:03.104574Z",
	"updated_at": "2026-04-10T03:34:59.953345Z",
	"deleted_at": null,
	"sha1_hash": "eb09d6c749a3a9c2933403d736ac7c18ad73593f",
	"title": "Spam campaign using Discord to host - CYJAX",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1765181,
	"plain_text": "Spam campaign using Discord to host - CYJAX\r\nArchived: 2026-04-05 18:28:30 UTC\r\nMercenary APTs\r\nMercenary advanced persistent threat (APT) groups, sometimes called “hackers-for-hire” — and dubbed private-sector offensive actors (PSOAs) by Microsoft — have become a significant part of the threat landscape in recent\r\nyears. These cyber-soldiers of fortune have been executing increasing numbers of attack campaigns for their\r\nclients, usually nation-states, that are looking for surveillance capabilities. Not all countries have the technical\r\ncapability to launch their own attacks: many, however, have the financial resources to pay someone who does.\r\nOver the last decade, more than a dozen mercenary APT campaigns have been disclosed. Many of these have been\r\nboth highly sophisticated and highly persistent. Victims often include politicians, human rights activists,\r\njournalists, academics, embassy workers, and dissidents from around the world. They frequently target end-to-end\r\nencrypted (E2EE) applications, such as Signal, WhatsApp, and Telegram, that are used to thwart traditional\r\ngovernment surveillance tactics. A growing number of these mercenary APT campaigns are now also actively\r\ninfiltrating and stealing intellectual property and other sensitive information from enterprises.\r\nThese campaigns are supported by a significant market for 0day exploits and malware developers. As such,\r\nnation-states that want to begin hacking campaigns no longer need the technical expertise of years gone by: they\r\njust need to be well-resourced. Furthermore, even though these APTs have existed for decades, the capabilities\r\npreviously associated uniquely with them are more accessible than ever before. 
And, in the case of nation-state\r\nAPTs, it has become easier to predict which companies and sectors are most likely to be attacked, meaning\r\ndefence has also been made, marginally, easier.\r\nIf the threat landscape is evolving in the way these mercenary groups suggest, however, where anyone can hire\r\nmercenaries for a broad spectrum of intrusion campaigns, even this minor advantage may have been lost.\r\nHackers For Hire – A Line-Up\r\nIn the following section, we will outline the pre-eminent mercenary APT groups that have engaged in malicious\r\nactivity over the past few years: CostaRicto, Bahamut, DarkBasin, and DeathStalker. First, we explore the\r\nintriguing case of the DarkMatter espionage unit.\r\nIn September 2021, the US Department of Justice revealed that three former US intelligence agency employees\r\nhad been fined $1.69 million and barred from ever again receiving security clearance. The employees violated US\r\ncomputer abuse laws by spying for the government of the UAE. The three men admitted to selling sensitive\r\nmilitary technology while working for Project Raven: the codename for a secretive company, DarkMatter, that\r\nacted as a clandestine spying unit for the UAE.\r\nProject Raven leveraged computer network exploitation (CNE) to compromise the accounts of human rights\r\nactivists, journalists, and rival governments. Whilst engaged in Project Raven, the three men reportedly targeted\r\nthe US and exported spying software to a foreign government without gaining the required permission from the\r\nUS State Department’s Directorate of Defense Trade Controls (DDTC).\r\nhttps://www.cyjax.com/2021/10/26/mercenary-apts-an-exploration/\r\nPage 1 of 6\n\nAs noted in a Reuters investigation, the\r\nthree men are former US National Security Agency (NSA) employees and worked for DarkMatter in the UAE\r\nbetween January 2016 and November 2019. 
While working for DarkMatter, the ex-NSA employees helped\r\ndevelop and deploy two iOS zero-click exploits called Karma and Karma 2. These were reportedly used against\r\niPhones belonging to dissidents, reporters, and government opposition leaders. The US Department of Justice also\r\nnoted that this agreement was the first resolution of its kind for two types of criminal activity: providing\r\nunlicensed export-controlled services in support of hacking campaigns; and a commercial company supporting a\r\nforeign government to access networks and devices of computers worldwide, including in Qatar, Yemen, and the\r\nUS. (1, 2)\r\nIn November 2020, BlackBerry researchers disclosed a new mercenary APT, dubbed CostaRicto. This group was\r\ntargeting organisations around the world but predominantly in South Asia — India, Bangladesh, and Singapore —\r\nAfrica, Europe, and the Americas. The victims were spread across several verticals, with many in the financial\r\nsector. It is unclear where these hackers-for-hire are located. However, as they mainly focused on South Asian\r\ntargets, the researchers believe they are most likely to be based there. For many of its campaigns, CostaRicto uses\r\nspear-phishing attacks to drop a custom backdoor, dubbed SombRAT, that has rarely been seen in the wild. The\r\ncode suggests there are multiple versions, indicating the backdoor can be flexibly adapted for different attacks.\r\nThe earliest compilation timestamps for SombRAT date back to 2017. The group has also compromised its targets\r\nvia stolen credentials, reportedly purchased on the darknet. (1, 2)\r\nActive since 2016, a mercenary APT known as Bahamut (connected to WindShift) has launched multiple highly\r\ntargeted ongoing campaigns against Android users in the Middle East. Individuals targeted by the group have\r\nusually been human rights activists, military officers, members of royal families, diplomats, religious leaders, and\r\nbusiness executives. 
Bahamut’s targets have also been located in other parts of the globe, such as the US. The\r\ngroup usually uses malicious mobile applications distributed via legitimate application stores, masquerading as\r\nfitness trackers or password managers. Once a victim has downloaded one, an array of personal information is\r\nextracted, which can then be used for a wide spectrum of malicious activities, with potentially serious implications.\r\n(1, 2, 3)\r\nIn June 2020, researchers from Citizen Lab disclosed that thousands of individuals and hundreds of institutions\r\nhad been targeted by a mercenary group known as DarkBasin. Targets included advocacy groups, journalists, and\r\nsenior government officials, as well as hedge funds and other organisations from various sectors. The group\r\nmainly targeted American non-profits, especially those working on a campaign operating under the hashtag\r\n#ExxonKnew, which claims ExxonMobil hid information concerning climate change for decades. DarkBasin was\r\nalso linked to phishing campaigns targeting net-neutrality advocates. Further investigation into the group\r\nuncovered several ties to an Indian cybersecurity company, called BellTroX InfoTech Services, which\r\nsubsequently disappeared once the investigation was made public. Analysis of DarkBasin’s phishing\r\ninfrastructure, which used a custom URL shortener, revealed 28,000 additional URLs containing emails of targets.\r\n(1, 2)\r\nIn August 2020, Kaspersky researchers disclosed an unusual Russian-speaking mercenary APT group called\r\nDeathStalker (originally named Deceptikons). Unlike the other groups mentioned above, DeathStalker primarily\r\nfocuses on law firms and financial institutions. These threat actors are reportedly tasked with gathering sensitive\r\nbusiness information in what are believed to be corporate espionage campaigns. 
DeathStalker uses custom\r\nmalware distributed in highly targeted spear-phishing emails. For C\u0026C communication, the malware uses “dead\r\ndrop” resolvers: using safe websites, such as GitHub, Facebook, YouTube, Reddit, and Twitter, to host the\r\nlocations of C\u0026C servers. This means the communication is camouflaged amongst legitimate traffic, in much the\r\nsame way as spies use a dead drop to pass messages undercover. DeathStalker’s victims are spread around the\r\nworld in countries such as the UK, Switzerland, the UAE, India, China, Taiwan, Israel, Lebanon, Jordan, Cyprus,\r\nArgentina, and Turkey. (1, 2)\r\nFig. 1 - Geographic targeting of known Mercenary APTs\r\nHacking-as-a-Service\r\nWhile Mercenary APTs carry out their criminal activity with no action needed on their clients' behalf, there are\r\nalso a growing number of licensed companies selling offensive software that can be bought and deployed by\r\nanyone with malicious intent. Intelligence agencies, law enforcement, and military units around the world are\r\nincreasingly acquiring off-the-shelf hacking software, buying exploits for 0day vulnerabilities, and paying\r\nothers to develop spying tools.\r\nThe standard defence of ethically dubious products is that their software is used to fight terrorism and organised\r\ncrime. More often than not, however, their products end up being used to target human rights defenders,\r\njournalists, lawyers, activists, and dissidents. FinFisher, also known as FinSpy, is surveillance software created\r\nand distributed by Gamma International. The company was breached in 2014 by an individual working under the\r\nmoniker Phineas Fisher, who stole and leaked an archive containing 40GB of data from Gamma International\r\nservers. 
This information included price lists, source code, invoices, and other private data able to link the\r\npurchase of spyware to specific clients.\r\nAnother company that was hacked by Phineas Fisher was Hacking Team, which suffered a much more serious\r\nattack than Gamma International and went out of business. The attack on Hacking Team left a gap in the market,\r\nfrom mid-2015 onwards, for surveillance tools. This was filled by Gamma International with its FinFisher\r\nspyware suite. Although Gamma International was breached by the same individual, the incident was not as\r\nserious and the spyware firm was able to recover, operating in the vacuum left by Hacking Team. The Phineas\r\nFisher leaks unveiled what many suspected about these commercial spyware developers: they were knowingly\r\nselling surveillance tools to authoritarian regimes who used them to spy on civilians. (1, 2, 3)\r\nFig. 2 - Graphical User Interface of FinSpy (circa 2011)\r\nIn July, Microsoft released new information regarding a private-sector offensive actor (PSOA) it tracks as\r\nSourgum, which reportedly belongs to an Israel-based company called Candiru. The organisation has targeted over\r\n100 victims around the world, including politicians, human rights activists, journalists, academics, embassy\r\nworkers, and political dissidents with a malware family called DevilsTongue. Approximately half of the victims\r\nwere found in the Palestinian Authority, with others in Israel, Iran, Lebanon, Yemen, Spain (specifically\r\nCatalonia), the UK, Turkey, Armenia, and Singapore. It should be noted that the identification of victims of the\r\nmalware in a country is not indicative that an agency in that country is a Candiru customer, as international\r\ntargeting is common. 
Nonetheless, this is not proof that the country in question is not a Candiru customer, either.\r\nCandiru uses a chain of vulnerabilities in web browsers and Windows to install its DevilsTongue modular multi-threaded backdoor. This custom malware can steal credentials from web browsers, such as Chrome\r\nor Firefox. It also decrypts and exfiltrates conversations from Signal, the E2EE messaging app. The attacks begin\r\nwith a single-use URL that is sent via messaging applications, such as WhatsApp. These threat actors have also\r\nweaponised Windows 0day vulnerabilities, tracked as CVE-2021-31979 and CVE-2021-33771, to support\r\ndelivery. Successful exploitation led to privilege escalation, giving an attacker the ability to escape browser\r\nsandboxes and gain kernel code execution. Spy agencies in Uzbekistan, the UAE, and Saudi Arabia are among the\r\nlist of Candiru’s alleged previous customers. (1, 2)\r\nIn August, CitizenLab revealed that the infamous NSO Group, an Israeli spyware developer, had once again been\r\nimplicated in an unethical surveillance campaign. The latest Pegasus spyware campaign targeted at least nine\r\nBahraini activists, a French lawyer, and an Indian journalist via a new iOS exploit, dubbed FORCEDENTRY. This\r\nwas a highly sophisticated zero-click 0day vulnerability in iMessage, meaning it could be triggered without the\r\nintended victim either viewing the message sent by the threat actors or clicking the link contained in the message.\r\nThe NSO Group, however, allegedly does not carry out hacking itself: the most recent campaign is said to have been\r\norchestrated by a Pegasus customer and operator, dubbed LULU, linked to the government of Bahrain. The\r\ntechnically impressive part of the FORCEDENTRY exploit is that it could bypass BlastDoor, which Apple\r\nrecently developed to protect against such attacks. 
It places parts of iMessage inside a sandbox to isolate malicious\r\ncode from interacting with the underlying operating system (OS). Interestingly, four of the victims' phone numbers\r\nwere present in the list of 50,000 potential Pegasus targets obtained by Forbidden Stories and Amnesty\r\nInternational in July. The leaked phone numbers belong to hundreds of business executives, religious figures,\r\nacademics, NGO employees, union officials, and government officials. Also shown in the leak are NSO Group\r\nclients from at least 11 countries, including Azerbaijan, Bahrain, Hungary, India, Kazakhstan, Mexico, Morocco,\r\nRwanda, Saudi Arabia, Togo, and the UAE. (1, 2)\r\nFig. 3 - Graphical User Interface of Pegasus spyware (circa 2012)\r\nA Mercenary Future\r\nMercenary APTs, malicious software developers, and 0day brokers significantly lower the barrier to entry for\r\nlaunching advanced hacking campaigns. Technical expertise and a small army of highly skilled individuals are no\r\nlonger required to perform such attacks. Now, all that is needed is resources, of which many nation-states have\r\nplenty. The previously technically impossible is made available through 0day exploits worth millions of dollars on\r\nunderground markets. Mercenary APTs develop bespoke malware tooling, manage their own infrastructure,\r\nperform their own reconnaissance, and execute all phases of the intrusion. This is the effective outsourcing of\r\nmany of the most nefarious parts of the playbook for despotic regimes.\r\nA mercenary APT’s tactics, techniques, and procedures (TTPs) often resemble highly sophisticated state-sponsored campaigns, but the profiles and geography of their victims are far too diverse to be aligned with one\r\nstate’s interests. 
Therefore, these cybercriminals must carefully choose their targets to avoid the risk of being\r\nexposed and having their operations shut down: consequently, many go undetected for several years. Even\r\nnotorious adversaries, experienced in cyber-espionage, can benefit from adding a layer of obfuscation to their\r\ncampaigns. By using a mercenary group as a proxy, therefore, the real attacker can better protect their identity and\r\nfrustrate attempts at attribution by the cybersecurity community.\r\nDefending against these powerful and disaggregated threats, however, can lead to a sort of “security nihilism”,\r\nwherein it seems that nothing can be done to prevent these sophisticated attacks. We contend that this conclusion,\r\nhowever, is incorrect. The majority of these attacks rely on victims making simple mistakes, such as clicking on a\r\nlink, opening a document, or leaving devices unpatched. As such, by practising proper security awareness, using\r\npassword managers and multi-factor authentication, keeping devices and applications updated, and investing in\r\nsecurity software, attackers’ campaigns will be frustrated to the point that they will eventually move on to softer\r\ntargets.\r\nSource: https://www.cyjax.com/2021/10/26/mercenary-apts-an-exploration/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.cyjax.com/2021/10/26/mercenary-apts-an-exploration/"
	],
	"report_names": [
		"mercenary-apts-an-exploration"
	],
	"threat_actors": [
		{
			"id": "c72c09b8-81ba-4e6e-9094-cd84ee4bda79",
			"created_at": "2022-10-25T15:50:23.667393Z",
			"updated_at": "2026-04-10T02:00:05.344613Z",
			"deleted_at": null,
			"main_name": "CostaRicto",
			"aliases": [
				"CostaRicto"
			],
			"source_name": "MITRE:CostaRicto",
			"tools": [
				"PowerSploit",
				"SombRAT",
				"PsExec",
				"PS1",
				"CostaBricks"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "732bfd4b-8c15-42a5-ac4b-14a9a4b902e9",
			"created_at": "2022-10-25T16:07:23.38079Z",
			"updated_at": "2026-04-10T02:00:04.574399Z",
			"deleted_at": null,
			"main_name": "Bahamut",
			"aliases": [],
			"source_name": "ETDA:Bahamut",
			"tools": [
				"Bahamut",
				"DownPaper"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b77f9b40-dca7-449d-819e-115cd2295b41",
			"created_at": "2022-10-25T16:07:23.502671Z",
			"updated_at": "2026-04-10T02:00:04.63173Z",
			"deleted_at": null,
			"main_name": "CostaRicto",
			"aliases": [],
			"source_name": "ETDA:CostaRicto",
			"tools": [
				"CostaBricks",
				"PowerSploit",
				"PsExec",
				"SombRAT",
				"nmap"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f7aa6029-2b01-4eee-8fe6-287330e087c9",
			"created_at": "2022-10-25T16:07:23.536763Z",
			"updated_at": "2026-04-10T02:00:04.646542Z",
			"deleted_at": null,
			"main_name": "Deceptikons",
			"aliases": [
				"DeathStalker",
				"Deceptikons"
			],
			"source_name": "ETDA:Deceptikons",
			"tools": [
				"EVILNUM",
				"Evilnum",
				"Janicab",
				"PowerPepper",
				"Powersing",
				"VileRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "0f47a6f3-a181-4e15-9261-50eef5f03a3a",
			"created_at": "2022-10-25T16:07:24.228663Z",
			"updated_at": "2026-04-10T02:00:04.905195Z",
			"deleted_at": null,
			"main_name": "Stealth Falcon",
			"aliases": [
				"FruityArmor",
				"G0038",
				"Project Raven",
				"Stealth Falcon"
			],
			"source_name": "ETDA:Stealth Falcon",
			"tools": [
				"Deadglyph",
				"StealthFalcon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a3687241-9876-477b-aa13-a7c368ffda58",
			"created_at": "2022-10-25T16:07:24.496902Z",
			"updated_at": "2026-04-10T02:00:05.010744Z",
			"deleted_at": null,
			"main_name": "Hacking Team",
			"aliases": [],
			"source_name": "ETDA:Hacking Team",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f99641e0-2688-47b0-97bc-7410659d49a0",
			"created_at": "2023-01-06T13:46:38.802141Z",
			"updated_at": "2026-04-10T02:00:03.106084Z",
			"deleted_at": null,
			"main_name": "Bahamut",
			"aliases": [],
			"source_name": "MISPGALAXY:Bahamut",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e90c06e4-e3e0-4f46-a3b5-17b84b31da62",
			"created_at": "2023-01-06T13:46:39.018236Z",
			"updated_at": "2026-04-10T02:00:03.183123Z",
			"deleted_at": null,
			"main_name": "Hacking Team",
			"aliases": [],
			"source_name": "MISPGALAXY:Hacking Team",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6bd4ed50-e116-494c-bb70-9587876663f1",
			"created_at": "2023-01-06T13:46:39.004062Z",
			"updated_at": "2026-04-10T02:00:03.178044Z",
			"deleted_at": null,
			"main_name": "WindShift",
			"aliases": [
				"Windy Phoenix"
			],
			"source_name": "MISPGALAXY:WindShift",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "68f12936-2361-4720-87e1-b79a4fdbf1a0",
			"created_at": "2022-10-25T16:07:24.409855Z",
			"updated_at": "2026-04-10T02:00:04.978227Z",
			"deleted_at": null,
			"main_name": "WindShift",
			"aliases": [
				"G0112",
				"Windy Phoenix"
			],
			"source_name": "ETDA:WindShift",
			"tools": [
				"WindTail"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "20c759c2-cd02-45bb-85c6-41bde9e6a7cf",
			"created_at": "2024-01-18T02:02:34.189827Z",
			"updated_at": "2026-04-10T02:00:04.721082Z",
			"deleted_at": null,
			"main_name": "HomeLand Justice",
			"aliases": [
				"Banished Kitten",
				"Karma",
				"Red Sandstorm",
				"Storm-0842",
				"Void Manticore"
			],
			"source_name": "ETDA:HomeLand Justice",
			"tools": [
				"BABYWIPER",
				"BiBi Wiper",
				"BiBi-Linux Wiper",
				"BiBi-Windows Wiper",
				"Cl Wiper",
				"LowEraser",
				"No-Justice Wiper",
				"Plink",
				"PuTTY Link",
				"RevSocks",
				"W2K Res Kit"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "8ce861d7-7fbd-4d9c-a211-367c118bfdbd",
			"created_at": "2023-01-06T13:46:39.153487Z",
			"updated_at": "2026-04-10T02:00:03.232006Z",
			"deleted_at": null,
			"main_name": "Evilnum",
			"aliases": [
				"EvilNum",
				"Jointworm",
				"KNOCKOUT SPIDER",
				"DeathStalker",
				"TA4563"
			],
			"source_name": "MISPGALAXY:Evilnum",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "38f8da87-b4ba-474b-83e6-5b04d8fb384b",
			"created_at": "2024-02-02T02:00:04.032871Z",
			"updated_at": "2026-04-10T02:00:03.532955Z",
			"deleted_at": null,
			"main_name": "Caramel Tsunami",
			"aliases": [
				"SOURGUM",
				"Candiru"
			],
			"source_name": "MISPGALAXY:Caramel Tsunami",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ada9e5d3-1cb2-4b70-a3c8-96808c304ac8",
			"created_at": "2022-10-25T15:50:23.6515Z",
			"updated_at": "2026-04-10T02:00:05.352078Z",
			"deleted_at": null,
			"main_name": "Windshift",
			"aliases": [
				"Windshift",
				"Bahamut"
			],
			"source_name": "MITRE:Windshift",
			"tools": [
				"WindTail"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "115cf618-02a8-42b8-8d25-305292eafedb",
			"created_at": "2023-11-21T02:00:07.396534Z",
			"updated_at": "2026-04-10T02:00:03.478259Z",
			"deleted_at": null,
			"main_name": "CostaRicto",
			"aliases": [],
			"source_name": "MISPGALAXY:CostaRicto",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434323,
	"ts_updated_at": 1775792099,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/eb09d6c749a3a9c2933403d736ac7c18ad73593f.pdf",
		"text": "https://archive.orkl.eu/eb09d6c749a3a9c2933403d736ac7c18ad73593f.txt",
		"img": "https://archive.orkl.eu/eb09d6c749a3a9c2933403d736ac7c18ad73593f.jpg"
	}
}