The Bahamut APT group has been focusing on Android users by means of a phony SecureVPN internet site since at least January 2022.
According to a new advisory from Eset, the application applied as aspect of this malicious marketing campaign was a trojanized variation of possibly of two genuine VPN applications, SoftVPN or OpenVPN. In both occasions, the apps ended up repackaged with Bahamut spyware code.
“We had been ready to recognize at the very least eight versions of these maliciously patched apps with code improvements and updates becoming made available via the distribution website, which could possibly signify that the marketing campaign is well taken care of,” Eset wrote.

Protect your privacy by Mullvad VPN. Mullvad VPN is one of the famous brands in the security and privacy world. With Mullvad VPN you will not even be asked for your email address. No log policy, no data from you will be saved. Get your license key now from the official distributor of Mullvad with discount: SerialCart® (Limited Offer).
➤ Get Mullvad VPN with 12% Discount
The security researchers defined that the principal reason of the app modifications was to exfiltrate sensitive person info and spy on victims’ messaging apps.
In certain, the phony SecureVPN Android applications could extract sensitive facts these as SMS messages, contacts, get in touch with logs, machine locale and recorded phone phone calls.
They also enabled the spying of chat messages on a number of messaging apps, including WhatsApp, Signal, Viber, Telegram and Facebook Messenger.
Facts exfiltration is carried out through the keylogging features of the malware, which depends on Android’s accessibility expert services. Eset instructed that the marketing campaign seems extremely focused, as the firm did not recognize any circumstances in their telemetry info.
“We feel that targets are cautiously chosen because the moment the Bahamut adware is launched, it requests an activation crucial before the VPN and adware performance can be enabled. Both the activation critical and website hyperlink are possible sent to specific users,” reads the technical produce-up.
Even with this, the advisory highlights that the Bahamut APT team, active since at minimum 2017, generally targets corporations and men and women in the Middle East and South Asia.
“Bahamut specializes in cyberespionage, and we imagine its goal is to steal delicate info from its victims,” Eset wrote. “Bahamut is also referred to as a mercenary team presenting hack-for-use expert services to a vast range of clientele.”
The firm’s advisory will come weeks just after security scientists at Zimperium learned a new Android spyware relatives dubbed ‘RatMilad’ striving to infect an organization unit in the Middle East.
Some parts of this report are sourced from:
www.infosecurity-magazine.com