Tech analysis indicates connection between APT Bahamut and Innefu’s DoNot APT cyber group

Cyber Warfare Asia
Oct 6, 2023

Recently, Cyfirma analysts came across advanced Android malware targeting individuals in the South Asia region. The suspicious Android malware is a dummy chatting app. Their initial technical analysis revealed that APT Bahamut is behind the attack. As the technical analysis proceeded, they also found footprints of tactics used by DoNot APT in the suspicious app belonging to APT Bahamut.


The malware that was acquired was specifically used to target individuals residing in South Asia. It exhibits a similar operational mechanism to the previously identified malware (distributed through the Google Play Store by the notorious APT group known as ‘DoNot’). However, this malware has more permissions, and thus presents a higher level of threat. The suspected Android malware, known initially as “CoverIm”, was delivered to victims via WhatsApp and was found to be disguised as a dummy chatting application named “SafeChat”. The user interface of this app successfully deceives users into believing its authenticity, allowing the threat actor to extract all the necessary information before the victim realizes that the app is a dummy. The malware cleverly exploits unsuspecting Android libraries to extract and transmit data to a command-and-control server. Our in-depth technical analysis will provide a comprehensive overview of this Android malware and shed light on the sophisticated methods employed by the threat actor to exploit Android libraries for the purpose of data retrieval from victims’ mobile devices. Let’s dive into the technical analyses.


Process Overview

After installation, a suspected app with the name “Safe Chat” appears on the main menu.

After opening the app, the user is shown a landing page stating that they are using a secure chatting app.

Upon opening the app after a fresh installation, a pop-up message instructs the user to allow permission.

Once permission for ignoring battery optimization is granted, the user is allowed to sign in and sign up.


This excerpt is from the Android Manifest file that belongs to the suspicious Safe Chat Android app, showing permissions that are being employed by the app to perform malicious activity.



Through their technical analyses, they confidently attributed this attack to APT Bahamut. However, the tactics employed by this threat actor are similar to those employed by APT DoNot, and it is also interesting to note that the two threat actors target similar geographies.


They were unable to disclose the specific target location of the cyber-attack, due to its sensitivity and security concerns. However, they can confirm that the target serves the interests of one nation state government. While some security organizations initially identified the threat as originating from a mercenary group, our own analysis indicates that it is, in fact, an Indian APT group acting on behalf of one nation state government. Several reasons support this conclusion.

Firstly, it is highly unlikely that the said nation state government will employ mercenary groups for hacking sensitive targets, unless the group is based within Indian territory. Past and present targets strongly suggest that the APT group operates within Indian territory. Furthermore, the threat actor utilized encryption techniques to secure the data and network traffic, using the same certificate authority as the DoNot APT group, which previously deployed Android malware on the Google Play Store. Moreover, the APT actor employed the Ktor library to efficiently fetch and transfer data to the command-and-control server, a tactic similar to how the DoNot APT group used Retrofit for a similar data retrieval function.

Taking all these factors into account, their analysis strongly indicates that the APT group behind the attack has ties to the Indian territory and is acting in the interest of one nation state government.

My previous article, “Weak Technical commonality found between Bahamut APT and DoNot APT”, stated that both the APTs, i.e. Cyfirma’s Bahamut and DoNot APT, have the same target countries, i.e. South Asia and Middle Eastern region. They have also been using similar methodology while conducting cyber attacks, i.e. using a similar Android sample file named “SafeShare.apk.”

However, our researchers dug further into Bahamut’s APK file SafeShare.apk and concluded that the SafeShare.apk string belongs to a person named “Shubham Tyagi” and that there are indicators of his connection to Innefu Labs. Below are the screenshots:

DoNot APT belongs to Innefu Labs

In Oct 2021, Amnesty International released a report that established a connection between the Donot Team (APT-C-35) group’s spyware and infrastructure used in the attacks, and Innefu Labs, a cybersecurity company based in India.

This was done by identifying the IP address that belonged to Innefu Labs, which was connected to the infrastructure used for the allocation of Donot Team spyware in the cyber-attacks targeting the human rights activist in Togo.

Innefu Labs offers a variety of solutions for the defence and paramilitary forces, law enforcement, private enterprises, and retail. Innefu Labs also claims to provide its services to government institutions and intelligence agencies, such as the Border Security Force (BSF), DRDO, and CRPF.


