Hacker-for-hire group leverages zero-days, disinformation in Middle East

Meet "Bahamut," a group that has included malicious apps in the Play Store and iOS marketplace.

An “elusive” hacking-for-hire operation is behind a series of campaigns that exploit unknown software flaws, malicious applications, and disinformation efforts, according to BlackBerry research published Wednesday.

The group, named “Bahamut,” is responsible for dozens of malicious applications that have been available in Google’s Play store and Apple’s iOS marketplace, according to the BlackBerry research. Researchers say they believe Bahamut has used these applications to track surveillance targets, which are primarily located in the Middle East and South Asia, according to the report, which does not name the group’s suspected origins.

Bahamut’s targets could offer some clues about its clientele. Bahamut has targeted government entities in the United Arab Emirates, Pakistani military officials, Sikh separatists in India, Indian business executives, and Saudi Arabian diplomats, according to a Reuters investigation. The independent journalism outlet Bellingcat also examined Bahamut’s activities in 2017.

BlackBerry’s findings on the mercenary group are a reminder that malicious actors who want to disguise their surveillance operations, including scammers or foreign intelligence agencies, can outsource some of their work to mercenaries to conceal their involvement, an option that appears increasingly attractive as law enforcement outfits around the world bolster their efforts to identify hackers.


Hack-for-hire groups are a growing problem, researchers noted. Citizen Lab, a human rights organization at the University of Toronto, revealed to Reuters that an Indian cybersecurity firm, called BellTroX, had similarly run contract operations for its clients, which Citizen Lab did not identify.

Meanwhile, countries including Morocco, Togo, Saudi Arabia, Mexico, and the United Arab Emirates are alleged to avail themselves of commercially available hacking tools sold by Israel-based software surveillance firm NSO Group. The tools monitor dissidents, activists, and journalists, according to security researchers. (NSO Group has consistently denied any wrongdoing.)

Bahamut’s operations

Bahamut wields its capabilities against targets with a “skill-level well beyond most other known threat actor groups,” the BlackBerry researchers said, making it an attractive option for nation-states and criminals seeking to outsource sensitive hacking or information operations.

Overall, Bahamut’s operational security has been “above average,” making attribution difficult, said Eric Milam, BlackBerry’s vice president of research operations.


“The sophistication and sheer scope of malicious activity that our team was able to link to BAHAMUT is staggering,” Milam said in a statement. “Not only is the group responsible for a variety of unsolved cases that have plagued researchers for years, but we also discovered that BAHAMUT is behind a number of extremely targeted and elaborate phishing and credential harvesting campaigns, hundreds of new Windows malware samples, use of zero-day exploits, anti-forensic/AV evasion tactics, and more.”

Correction, Oct. 7, 2020: A prior version of this article incorrectly reported that the group was named “Baharat.” The group is named “Bahamut” and the references have been corrected in the story.

Written by Shannon Vavra

Shannon Vavra covers the NSA, Cyber Command, espionage, and cyber-operations for CyberScoop. She previously worked at Axios as a news reporter, covering breaking political news, foreign policy, and cybersecurity. She has appeared on live national television and radio to discuss her reporting, including on MSNBC, Fox News, Fox Business, CBS, Al Jazeera, NPR, WTOP, as well as on podcasts including Motherboard’s CYBER and The CyberWire’s Caveat. Shannon hails from Chicago and received her bachelor’s degree from Tufts University.
