Security Experts:

Connect with us

Hi, what are you looking for?



Hack-for-Hire Group Targets Android Users With Malicious VPN Apps

A hack-for-hire group known as Bahamut has been targeting Android users with trojanized versions of legitimate VPN applications, ESET reports.

A hack-for-hire group known as Bahamut has been targeting Android users with trojanized versions of legitimate VPN applications, ESET reports.

An advanced persistent threat (APT) actor focused on cyberespionage, Bahamut was initially detailed in 2017, but continues to be active, leveraging a fake online empire of social media personas, websites, and applications, which has allowed it to fly under the radar.

A mercenary group offering hack-for-hire services, Bahamut is known for the targeting of entities in the Middle East and South Asia, mainly via spearphishing and fake applications, with a focus on stealing sensitive information.

Also tracked as Ehdevel, Windshift, Urpage, and The White Company, Bahamut has hit government officials and politicians, human rights entities, organizations in the financial services and technology sectors, journalists, military organizations, scholars, and aerospace entities.

Starting January 2022, the APT has been observed distributing malicious applications for Android via a fake SecureVPN website distributing trojanized versions of SoftVPN and OpenVPN.

Bahamut registered the fake SecureVPN website at the end of January 2022. The fake VPN app targeting Android has been distributed solely via the website, ESET says.

The security firm observed similarities in the malicious code used in this campaign and code from earlier Bahamut attacks, and notes that the delivery technique remains the same.

According to ESET, at least eight versions of the Bahamut spyware have been available for download on the fake website, divided into two branches, as malicious code was inserted into either SoftVPN or OpenVPN, two legitimate applications available via Google Play.

“Besides the split in these two branches, where the same malicious code is implanted into two different VPN apps, other fake SecureVPN version updates contained only minor code changes or fixes, with nothing significant considering its overall functionality,” ESET explains.

The threat actor is believed to have switched from SoftVPN to OpenVPN because SoftVPN stopped working or being maintained, which might have resulted in users uninstalling it.

ESET also points out that the way the malicious code has been injected into the OpenVPN app made it unusable without an activation key (neither the Bahamut spyware nor VPN functionality would work without a correct key).

“Unfortunately, without the activation key, dynamic malware analysis sandboxes might not flag it as a malicious app. The campaigns using the fake SecureVPN app try to keep a low profile, since the website URL is most likely delivered to potential victims with an activation key, which is not provided on the website,” ESET notes.

Once enabled, the Bahamut spyware can exfiltrate sensitive information, including user accounts, contacts, messages, calls, installed apps, device location, external storage information, and recorded calls.

The malware would also spy on applications such as imo-International Calls & Chat, Facebook Messenger, Viber, Signal Private Messenger, WhatsApp, Telegram, WeChat, and Conion apps.

Related: New ‘Black Lotus’ UEFI Rootkit Provides APT-Level Capabilities

Related: Researchers Crowdsourcing Effort to Identify Mysterious Metador APT

Related: Iran-Linked OilRig APT Caught Using New Backdoor

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet


The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.