ETDA (Electronic Transactions Development Agency)

Threat Group Cards: A Threat Actor Encyclopedia

APT group: Bahamut

Names: Bahamut (Bellingcat)
Country: [Middle East]
Motivation: Information theft and espionage
First seen: 2016
Description: (Bellingcat) Bahamut was first noticed when it targeted a Middle Eastern human rights activist in the first week of January 2017. Later that month, the same tactics and patterns were seen in attempts against an Iranian women’s activist – an individual commonly targeted by Iranian actors, such as Magic Hound, APT 35, Cobalt Illusion, Charming Kitten and the Sima campaign documented in our 2016 Black Hat talk. Recurrent patterns in hostnames, registrations, and phishing scripts provided a strong link between the two incidents, and older attempts were found that directly overlapped with these attacks. Over the course of the following months, several more attempts against the same individuals were observed, intended to steal credentials for iCloud and Gmail accounts.

Bahamut was also observed engaging in reconnaissance and counter-reconnaissance attempts, intended to harvest the IP addresses of email accounts. One attempt impersonated BBC News Alerts, using timely content related to the diplomatic conflict between Qatar and other Gulf states as bait. This message used external images embedded in the email to track where the lure would be opened.
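The external-image trick described above works because a mail client that fetches a remote image on open hands the sender the recipient's IP address and user agent. The check below is an added example, not part of the ETDA card or of Bellingcat's report: it parses a constructed MIME message (not a real Bahamut lure) and flags remote images that look like beacons. The heuristics (1-2 px dimensions, hidden by inline style, a per-recipient query string, a host outside the sender's domain) and all hostnames are this example's own assumptions.

```python
"""Flag external-image beacons (tracking pixels) in an email's HTML body.

Added example; the sample message and the heuristics are constructed for
illustration and are not taken from any real Bahamut lure.
"""
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample message (not a real lure): one inline logo (cid:), one
# legitimate remote banner on the sender's own domain, and one 1x1 hidden
# image on a third-party host carrying a per-recipient token.
SAMPLE_EMAIL = b"""\
From: "News Alerts" <alerts@news-alerts.example>
To: target@example.org
Subject: Breaking: Gulf diplomatic crisis deepens
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Read the full story on our website.
--b1
Content-Type: text/html; charset="utf-8"

<html><body>
<img src="cid:logo@news-alerts.example" width="200" height="60" alt="logo">
<img src="https://news-alerts.example/img/banner.jpg" width="600" height="120">
<p>Gulf states cut diplomatic ties with Qatar...</p>
<img src="https://t.tracker.example/o.gif?r=3f9c2a1d7e5b4c8a&amp;c=17" width="1" height="1" style="display:none">
</body></html>
--b1--
"""


class _ImgCollector(HTMLParser):
    """Collect the attributes of every <img> tag in an HTML fragment."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.images.append({k.lower(): (v or "") for k, v in attrs})


def _px(value):
    """Parse a width/height attribute such as '1' or '1px'; None if not numeric."""
    value = value.strip().lower().removesuffix("px")
    return int(value) if value.isdigit() else None


def classify_image(attrs, sender_domain):
    """Return a finding for a remote (http/https) image, or None for cid:/data: images."""
    src = attrs.get("src", "").strip()
    url = urlsplit(src)
    if url.scheme not in ("http", "https"):
        return None  # inline or embedded images cannot report the opener's IP
    reasons = []
    w, h = _px(attrs.get("width", "")), _px(attrs.get("height", ""))
    if w is not None and h is not None and w <= 2 and h <= 2:
        reasons.append("tiny dimensions")
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        reasons.append("hidden by style")
    if url.query:
        reasons.append("per-recipient query string")
    host = (url.hostname or "").lower()
    if sender_domain and host != sender_domain and not host.endswith("." + sender_domain):
        reasons.append("host outside sender domain")
    # Any remote image leaks the opener's IP on load; call it a beacon only when
    # it is also built to go unnoticed or to identify the recipient.
    beacon = any(r in reasons for r in ("tiny dimensions", "hidden by style",
                                        "per-recipient query string"))
    return {"src": src, "host": host, "reasons": reasons, "beacon": beacon}


def find_remote_images(raw_email):
    """Parse a raw RFC 5322 message and classify every remote <img> in its HTML parts."""
    msg = email.message_from_bytes(raw_email, policy=policy.default)
    sender_domain = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    findings = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        collector = _ImgCollector()
        collector.feed(part.get_content())
        findings.extend(f for f in (classify_image(a, sender_domain) for a in collector.images) if f)
    return findings


def find_beacons(raw_email):
    """Only the remote images that look like tracking pixels."""
    return [f for f in find_remote_images(raw_email) if f["beacon"]]


if __name__ == "__main__":
    for f in find_remote_images(SAMPLE_EMAIL):
        print("BEACON" if f["beacon"] else "image ", f["host"], ", ".join(f["reasons"]))
```

The same-domain banner is reported as a remote image but not as a beacon, while the third-party 1x1 image trips every heuristic. In a mail gateway the practical mitigation is the one the heuristics imply: block or proxy remote image loads for untrusted senders, since even a large, visible image discloses the opener's IP.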
Observed: Sectors: Political, economic and social.
Countries: Egypt, Iran, Pakistan, Palestine, Qatar, Tunisia, Turkey, UAE.
Tools used: Bahamut, DownPaper.
Operations performed:
Dec 2016: Beginning in December 2016, unconnected Middle Eastern human rights activists began to receive spear-phishing messages in English and Persian that were not related to any previously known groups. These attempts differed from other tactics seen by us elsewhere, such as those connected to Iran, with better attention paid to the operation of the campaign.
Oct 2017: For three months there was no apparent further activity from the actor. However, in the same week of September a series of spear-phishing attempts once again targeted a set of otherwise unrelated individuals, employing the same tactics as before. Bahamut remains active, and its operations are more extensive than first disclosed.
Jun 2018: Cisco Talos has identified a highly targeted campaign against 13 iPhones which appears to be focused on India. The attacker deployed an open-source mobile device management (MDM) system to control enrolled devices.
Jul 2018: Android-based malware was found with some similarities to the iOS malware we identified. That post kickstarted our investigation into any potential overlap between these campaigns and how they are potentially linked.
The new MDM platform we identified has similar victimology, with Middle Eastern targets, namely Qatar, using a U.K. mobile number issued by LycaMobile. Bahamut targeted similar Qatar-based individuals during their campaign.
Jun 2020: Bahamut Possibly Responsible for Multi-Stage Infection Chain Campaign
Aug 2021: Bahamut Threat Group Targeting Users Through Phishing Campaign
Jan 2022: Bahamut cybermercenary group targets Android users with fake VPN apps
Apr 2022: Bahamut Android Malware returns with New Spying Capabilities
Nov 2022: APT Bahamut Attacks Indian Intelligence Operative using Android Malware
Jul 2023: APT Bahamut Targets Individuals with Android Malware Using Spear Messaging

Last change to this card: 06 September 2023



Digital Service Security Center
Electronic Transactions Development Agency
