Indian Hack-for-Hire Group Targets US, China, and More for Over 10 Years

Hack-for-Hire Group in India

An Indian hack-for-hire group has targeted the US, China, Myanmar, Pakistan, Kuwait, and other countries as part of a wide-ranging espionage, surveillance, and disruption operation for more than a year. decade.

the Appin Software Security (aka Appin Security Group), according to an in-depth analysis from SentinelOne, began as an educational startup offering offensive security training programs, while carrying out covert hacking operations since at least 2009.

In May 2013, ESET disclosed a series of cyber attacks targeting Pakistan with information-stealing malware. While the activity is attributed to a cluster tracked as Hangover (aka Patchwork or Zinc Emerson), the evidence shows that the infrastructure is owned and controlled by Appin.

“The group conducts hacking operations against high-net-worth individuals, government organizations, and other businesses involved specific legal disputes,” SentinelOne security Tom Hegel SAYS in a comprehensive analysis published last week.

“Appin’s hacking operations and overall organization can be seen many times as informal, clumsy, and technically crude; however, their operations have proven to be very successful for their customers, which affects world affairs with significant success.”


The findings are based on non-public data obtained by Reuters, which called out Appin for orchestrating data theft attacks on an industrial scale against political leaders, international executives, sports figures, and others. The company, in response, dropped its connection to the hack-for-hire business.

One of the core services offered by Appin is a tool called “MyCommando” (aka GoldenEye or Commando) that allows its customers to log in to view and download campaign-specific data and update status, communicate securely, and choose from a variety of task options with variety. from open-source research to social engineering to trojan campaigns.

The targeting of China and Pakistan is confirmation that a mercenary group of Indian origin has been roped in to carry out state-sponsored attacks. Appin was also identified as being behind the macOS spyware known as KitM in 2013.

Additionally, SentinelOne said it has also identified instances of domestic targeting with the intent to steal login credentials to email accounts belonging to Sikhs in India and the US

Hack-for-Hire Group in India

“In an unrelated campaign, the group also used the domain speedaccelator(.)com for an FTP server, hosting malware used in their malicious phishing emails, one of which was used by an individual in India which was later targeted by the ModifiedElephant APT,” said Hegel. . It’s worth noting that ModifiedElephant’s Patchwork links were previously recognized by Secureworks.

Besides using a large infrastructure from a third party for data exfiltration, command-and-control (C2), phishing, and setting up decoy sites, the shadow private-sector offensive actor (PSOA) allegedly relies on private spyware. and take advantage of services provided by private vendors such as Vervata, Vupen, and Core Security.

In another unusual tactic, Appin allegedly used a California-based freelancing platform called Elance (now called Upwork) to purchase malware from external software developers, while also using in-house ones. employee to create a custom collection of hacking tools. .

“The research findings highlight the team’s exceptional strength and a proven track record of successfully executing attacks for a variety of clients,” Hegel said.


The development comes as Aviram Azari, an Israeli private investigator, was sentenced in the US to nearly seven years in federal prison on charges of computer hacking, wire fraud, and aggravated identity theft. is related to a global hack-for-hire scheme between November. 2014 to September 2019. Azari was arrested in September 2019.

“Azari owns and operates an intelligence firm in Israel,” the Department of Justice (DoJ) SAYS last week. “Clients hired Azari to manage ‘Projects’ that were described as intelligence gathering efforts but were, in fact, hacking campaigns that specifically targeted certain groups of victims.”

Aviram is also accused of using mercenary hackers in India, a company called BellTroX Infotech (aka Amanda or Dark Basin), to help clients gain an advantage in court battles through spear-phishing attacks and ultimately gain access to victims’ accounts and steal information.

BellTrox was founded by Sumit Gupta in May 2013. Reuters exposed in June 2022 that before launching the company, Gupta worked at Appin.

Did you find this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

Leave a comment