Bahamut is a threat actor group known for its sophisticated cyber-espionage operations, targeting primarily South Asia. Meta's Adversarial Threat Report from the first quarter of 2023 identified Bahamut as one of three major groups involved in cyber espionage operations in the region, alongside Patchwork APT and a state-linked group in Pakistan. The company took action against these entities, removing approximately 110 accounts on Facebook and Instagram linked to Bahamut that were targeting individuals in Pakistan and India, including the Kashmir region. In addition, Bahamut has been known to use fake VPN apps for Android containing extensive spyware functionality, further highlighting their advanced tactics.
In August 2023, new social engineering attacks by Bahamut were reported involving a fraudulent Android chat app called SafeChat. This application was used to facilitate a version of the CoverIm spyware aimed at exfiltrating mobile device data, according to BleepingComputer. The attack was attributed to Bahamut with a fair degree of confidence, although there were noted similarities in tactics to the advanced persistent threat group DoNot, believed to be linked to the Indian Government. These incidents underscore Bahamut's capacity for complex and targeted cyberattacks.
Interestingly, while Bahamut's activities have mainly been traced back to South Asia, there are indications of links to China as well. A London-based operation creating fake personas impersonating US and EU companies and institutions, which later published negative commentary about Uyghur activists and critics of the Chinese state, was linked to individuals in China associated with Xi'an Tianwendian Network Technology. Despite the operators' efforts to conceal their identities, this connection suggests that Bahamut may have a broader geographical reach and more diverse targets than initially assumed.
Description last updated: 2024-03-28T08:16:29.699Z