top of page


November 24-30, 2022 | Issue 29 - Counterintelligence and Cyber (CICYBER)

Keanna Grelicha, CICYBER Team

Shachi Gokhale, Editor; Jennifer Loy, Chief of Staff


Date: November 24, 2022

Location: Global

Parties involved: Slovak, cybersecurity firm; Bahamut, cyber espionage group; Google Play Store; Signal; Telegram; WhatsApp; Facebook Messenger; social media apps; Android users

The event: Slovak reported an attribution linking Bahamut to an espionage campaign that targets Android devices with malicious Virtual Private Network (VPN) applications (apps) designed to extract sensitive data. This data can include personal identifiable information (PII), files, contact lists, phone call recordings, locations, and messages from social media apps like Signal, Telegram, Facebook Messenger, and WhatsApp. Since January 2022, Bahamut has weaponized at least eight VPN apps on the Google Play Store. The hackers use fake websites tailored for specific targets to advertise the apps hoping they will release an activation key the hackers can use to enable the malware in the VPN.[2]

Analysis & Implications:

  • The use of VPN applications to access servers almost certainly threatens the security of other global companies that require an activation key to enter certain apps like Outlook Mail. Other hackers will very likely use similar malicious techniques to exploit known networks to expand the list of targets to additional social media apps, very likely growing the campaign. Without companies monitoring software vulnerabilities that extend from the VPN connections, future cyberattacks could very likely allow hackers to steal critical data or user PII to sell it to other threat actors or use it for ransom.

  • The ability of these malicious apps to be pushed toward Android users very likely increases the threat of the same espionage campaign targeting other smartphones like iPhone users. Threats of malicious apps leading to the expansion of espionage and intrusions operations will almost certainly put user PII at risk of theft, likely leading to identity fraud. Other phone companies will very likely increase fraudulent detection systems within their app stores to decrease the possibility of malicious apps broadcasting to their users. As phone companies implement measures within the phones’ software updates to detect malicious entities, it will likely deter hackers from continuing this campaign.

Date: November 24, 2022

Location: USA

Parties involved: Black Basta, ransomware gang; US-based companies; information technology (IT) specialists

The event: Black Basta began a malware campaign using Qakbot malware to target 25 US-based companies where the cyber group compromised networks by creating entry points to move laterally. This movement allows hackers to search them to harvest credentials, encrypt network data, and set a ransom. The espionage campaign begins with a spear-phishing email containing a malicious file that releases the Qakbot and connects to the hackers’ remote server to set up controls within the network. The hackers have taken less than two hours to harvest administrative privileges and deploy the malware in less than 12 hours.[3]

Analysis & Implications:

  • The names of the US companies were very likely not released to prevent reputational damage as their clients would likely perceive them as having limited malware security protocols within the networks. This perception would very likely lead to clients leaving the organizations or seeking financial compensation for the possible release and theft of their data. The companies will very likely try to increase their security measures by implementing employee training regarding phishing threats and increasing network security with updated malware and network intrusion scans. These measures will likely aid in benefiting their security reputation and could likely positively impact client decision-making to remain with the companies.

  • The timeframe the hackers took to obtain credentials and deploy the malware will very likely lead the IT specialists of the companies to build additional architectural network security protocols to prevent malware intrusion. This will very likely allow the companies to implement real-time malware detection and prevention scans to assist mitigation of the ongoing malware campaign. The sooner the IT specialists within the companies can set the parameters, the less likely the hackers will be able to encrypt additional data to announce a ransom.


[2] Bahamut Cyber Espionage Hackers Targeting Android Users with Fake VPN Apps, The Hacker News, November 2022,

[3] Black Basta Ransomware Gang Actively Infiltrating U.S. Companies with Qakbot Malware, The Hacker News, November 2022,


bottom of page