Threat Intelligence Tarot
cups · 9
Private sector (suspected Gulf state contractor)
G1060 · ★★★★★
risk 4/5
✦ The Persona Collective ✦
Bahamut
Bahamut APT
Middle East activists · Journalists · Religious groups · South Asian governments
Active since ~2016 · Targeted surveillance, Dissident monitoring, Mobile device compromise
The Persona Collective built fake news websites, maintained social media identities for years, and used them to gain the trust of journalists and activists before deploying mobile spyware. It is the most elaborate persona operation ever documented by a private surveillance contractor.
Tactics & Techniques
RCN · RDV · INI · EXC · PRS · PRV · EVA · CRD · DSC · LAT · COL · C2 · EXF · IMP
Notable Operations
- ◆ Fake news websites to build credibility for persona approach
- ◆ iOS and Android spyware disguised as legitimate apps
- ◆ Fake dating apps and VPN apps used as mobile implants
- ◆ Targeted Sikh community, journalists, and Middle Eastern activists
Defenses
- ▸ Mobile device management with app allowlisting (NIST SP 800-124)
- ▸ iOS and Android app source verification - official stores only (CIS Mobile Security)
- ▸ Journalist and activist digital security training (Access Now Digital Security)
- ▸ Social engineering awareness for persona-based approaches (NIST SP 800-50)
Reversed: Their Weakness
Bahamut's extensive fake infrastructure - the news websites, the Twitter accounts, the VPN apps - created a sprawling digital footprint that Bellingcat, Citizen Lab, and BlackBerry researchers mapped comprehensively, providing an unusually complete picture of a private intelligence contractor's operations.
Data sourced from MITRE ATT&CK. For educational purposes.