The Bahamut APT group has been focusing on Android users by means of a phony SecureVPN internet site since at least January 2022.
According to a new advisory from Eset, the application applied as aspect of this malicious marketing campaign was a trojanized variation of possibly of two genuine VPN applications, SoftVPN or OpenVPN. In both occasions, the apps ended up repackaged with Bahamut spyware code.
“We had been ready to recognize at the very least eight versions of these maliciously patched apps with code improvements and updates becoming made available via the distribution website, which could possibly signify that the marketing campaign is well taken care of,” Eset wrote.

Protect and backup your data using AOMEI Backupper. AOMEI Backupper takes secure and encrypted backups from your Windows, hard drives or partitions. With AOMEI Backupper you will never be worried about loosing your data anymore.
Get AOMEI Backupper with 72% discount from an authorized distrinutor of AOMEI: SerialCart® (Limited Offer).
➤ Activate Your Coupon Code
The security researchers defined that the principal reason of the app modifications was to exfiltrate sensitive person info and spy on victims’ messaging apps.
In certain, the phony SecureVPN Android applications could extract sensitive facts these as SMS messages, contacts, get in touch with logs, machine locale and recorded phone phone calls.
They also enabled the spying of chat messages on a number of messaging apps, including WhatsApp, Signal, Viber, Telegram and Facebook Messenger.
Facts exfiltration is carried out through the keylogging features of the malware, which depends on Android’s accessibility expert services. Eset instructed that the marketing campaign seems extremely focused, as the firm did not recognize any circumstances in their telemetry info.
“We feel that targets are cautiously chosen because the moment the Bahamut adware is launched, it requests an activation crucial before the VPN and adware performance can be enabled. Both the activation critical and website hyperlink are possible sent to specific users,” reads the technical produce-up.
Even with this, the advisory highlights that the Bahamut APT team, active since at minimum 2017, generally targets corporations and men and women in the Middle East and South Asia.
“Bahamut specializes in cyberespionage, and we imagine its goal is to steal delicate info from its victims,” Eset wrote. “Bahamut is also referred to as a mercenary team presenting hack-for-use expert services to a vast range of clientele.”
The firm’s advisory will come weeks just after security scientists at Zimperium learned a new Android spyware relatives dubbed ‘RatMilad’ striving to infect an organization unit in the Middle East.
Some parts of this report are sourced from:
www.infosecurity-magazine.com