Weak Technical commonality found between Bahamut APT and DoNot APT

Cyber Warfare Asia
Mar 20, 2023

In today’s world, cyber espionage has become an important tool for every nation. Researchers study reports on Advanced Persistent Threat (APT) activity to work out who is behind these cyber attacks.

Bahamut APT — Cyfirma

Recently, Bangalore-based cybersecurity company Cyfirma detected a cyber attack on an intelligence operative in India and published a report titled “APT Bahamut Attacks Indian Intelligence Operative using Android Malware”. The threat actor is known for conducting cyber espionage operations in the Middle East and South Asia.

The attacker asked the victim to download an app in order to share a file in encrypted form. The threat actor kept the engagement going for a few days and then took advantage of the trust it had earned to make the victim install the app. However, the attack was detected in time and dismantled before it could cause any damage.

Cyfirma researchers analysed the file sample named “SafeShare.apk”. This is the first time researchers have observed Bahamut using a fake secure file-sharing app in its strategic social engineering attacks.

DoNot APT

The DoNot Team (a.k.a. APT-C-35) is an advanced persistent threat actor that has been active since at least 2016. It has carried out many attacks against individuals and organizations in South Asia. DoNot is reported to be the main developer and user of Windows and Android spyware frameworks.

The hackers’ targets include countries in South Asia, in particular the state sector of Pakistan. In 2019, they were also seen targeting Bangladesh, Thailand, Sri Lanka, and the Philippines and, outside of Asia, places like Argentina, the United Arab Emirates, and Great Britain.

According to a report dated Oct 2021, researchers mapped the infrastructure used by the attackers to deliver the Android spyware. A search for the bulk.fun domain on the VirusTotal malware database returned additional samples of the same Android spyware: one named Kashmir_Voice_v4.8.apk and another named SafeShareV67.apk.

Commonality between Bahamut APT and DoNot APT

Both APTs target the same regions, i.e. South Asia and the Middle East. They also use a similar methodology when conducting cyber attacks, i.e. a similarly named Android sample file, “SafeShare.apk”.

DoNot APT
Bahamut APT — Cyfirma

This indicates that the threat actors behind both APTs are working for India, as they target countries that are adversaries of India.

Though in research this may be considered a weak commonality, it is a starting point for identifying a key threat actor that may be common to these cases. There is a high possibility that the operations attributed to these two APTs were run by the same threat actor. Investigations continue in order to reach a concrete conclusion.
