Google Blocks Dozens of Malicious Domains Operated by Hack-for-Hire Groups

Google’s Threat Analysis Group (TAG) on Thursday disclosed it had acted to block as many as 36 malicious domains operated by hack-for-hire groups from India, Russia, and the U.A.E.

In a manner analogous to the surveillanceware ecosystem, hack-for-hire firms equip their clients with capabilities to enable targeted attacks aimed at corporates as well as activists, journalists, politicians, and other high-risk users.

Where the two stand apart is that while customers purchase the spyware from commercial vendors and then deploy it themselves, the operators behind hack-for-hire attacks are known to conduct the intrusions on their clients’ behalf in order to obscure their role.

“The hack-for-hire landscape is fluid, both in how the attackers organize themselves and in the wide range of targets they pursue in a single campaign at the behest of disparate clients,” Shane Huntley, director of Google TAG, said in a report.

“Some hack-for-hire attackers openly advertise their products and services to anyone willing to pay, while others operate more discreetly selling to a limited audience.”

A recent campaign mounted by an Indian hack-for-hire operator is said to have targeted an IT company in Cyprus, an education institution in Nigeria, a fintech company in the Balkans, and a shopping company in Israel, indicating the breadth of victims.

The Indian outfit, which Google TAG said it’s been tracking since 2012, has been linked to a string of credential phishing attacks with the goal of harvesting login information associated with government agencies, Amazon Web Services (AWS), and Gmail accounts.

The campaign involves sending spear-phishing emails containing a rogue link that, when clicked, launches an attacker-controlled phishing page designed to siphon credentials entered by unsuspecting users. Targets included government, healthcare, and telecom sectors in Saudi Arabia, the United Arab Emirates, and Bahrain.

Google TAG attributed the Indian hack-for-hire actors to a firm called Rebsec, which, according to its dormant Twitter account, is short for “Rebellion Securities” and is based in the city of Amritsar. The company’s website, down for “maintenance” as of writing, also claims to offer corporate espionage services.

A similar set of credential theft attacks targeting journalists, European politicians, and non-profits has been linked to a Russian actor dubbed Void Balaur, a cyber mercenary group first documented by Trend Micro in November 2021.

Over the past five years, the collective is believed to have singled out accounts at major webmail providers like Gmail, Hotmail, and Yahoo! and regional webmail providers like,,, and

Lastly, TAG also detailed the activities of a group that is based in the U.A.E. and has connections to the original developers of a remote access trojan called njRAT (aka H-Worm or Houdini).

The phishing attacks, as previously uncovered by Amnesty International in 2018, entail using password reset lures to steal credentials from targets in government, education, and political organizations in the Middle East and North Africa.

Following the account compromise, both threat actors have a pattern of maintaining persistence by granting an OAuth token to a legitimate email application like Thunderbird, generating an App Password to access the account via IMAP, or linking the victim’s Gmail account to an adversary-owned account on a third-party mail provider.
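One way a defender could hunt for the persistence pattern described above, as an added example that is not from the article or from Google TAG's report: it correlates a risky sign-in event with a later OAuth grant, App Password creation, or external account link for the same user. The event schema, the event type names, the sample records, and the 24-hour window are all assumptions made for this sketch, not a real provider's audit log format.

```python
from datetime import datetime, timedelta

# Constructed, normalized account-audit events. Field names and event types
# are assumptions for this example, not a real provider's log schema.
EVENTS = [
    {"ts": "2022-06-30T09:00:00", "user": "alice@example.org", "type": "password_change", "detail": ""},
    {"ts": "2022-06-30T09:04:00", "user": "alice@example.org", "type": "oauth_grant", "detail": "Thunderbird"},
    {"ts": "2022-06-30T09:06:00", "user": "alice@example.org", "type": "app_password_created", "detail": "imap"},
    {"ts": "2022-06-30T10:00:00", "user": "bob@example.org", "type": "oauth_grant", "detail": "Thunderbird"},
    {"ts": "2022-07-01T08:00:00", "user": "carol@example.org", "type": "login_new_device", "detail": ""},
    {"ts": "2022-07-03T08:00:00", "user": "carol@example.org", "type": "external_account_linked", "detail": "mail.example.net"},
]

# Events that suggest credentials may have just been phished (assumed names).
TRIGGERS = {"password_change", "login_new_device"}
# The three persistence routes named in the article (assumed names).
PERSISTENCE = {"oauth_grant", "app_password_created", "external_account_linked"}
WINDOW = timedelta(hours=24)


def find_persistence(events, window=WINDOW):
    """Return (user, trigger_type, persistence_type, detail) for every
    persistence change that follows a trigger for the same user within window."""
    last_trigger = {}  # user -> (timestamp, trigger type)
    findings = []
    # ISO 8601 timestamps in one format sort correctly as strings.
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        if ev["type"] in TRIGGERS:
            last_trigger[ev["user"]] = (ts, ev["type"])
        elif ev["type"] in PERSISTENCE and ev["user"] in last_trigger:
            t_ts, t_type = last_trigger[ev["user"]]
            if ts - t_ts <= window:
                findings.append((ev["user"], t_type, ev["type"], ev["detail"]))
    return findings


if __name__ == "__main__":
    for finding in find_persistence(EVENTS):
        print(finding)
```

A mail-client grant with no preceding trigger (bob) and a link made outside the window (carol) are not flagged, which keeps routine Thunderbird setups out of the results.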

The findings come a week after Google TAG revealed details of an Italian spyware company named RCS Lab, whose “Hermit” hacking tool was used to target Android and iOS users in Italy and Kazakhstan.
