It's a trend that has been observable for a while: skilled IT professionals hire themselves out as cyber mercenaries and carry out attacks on behalf of paying clients. Trend Micro has now exposed one such cyber mercenary group, "Void Balaur." New research details the modus operandi of the contract hacking group. Motivated by espionage and financial interests, these contract hackers have targeted more than 3,500 companies and individuals since 2015. Among the victims are human rights activists, journalists, politicians, and technical executives at telecommunications companies.
Background: Void Balaur
The report from Japanese security vendor Trend Micro sheds light on the activities of a group of actors calling themselves "Rockethack", which Trend Micro refers to as "Void Balaur" – named after an evil, multi-headed creature from Eastern European folklore.
Since at least 2018, the group has been advertising exclusively in Russian-language forums, where it receives consistently positive reviews. It focuses on two forms of activity: hacking email and social media accounts, and selling highly sensitive personal and business information. The latter includes telecommunications records, airline passenger data, bank data and passport data.
Void Balaur's prices for such services range from about $20 for a stolen credit history, to $69 for traffic camera recordings, to $800 for call recordings.
Global targets include telecommunications providers in Russia, ATM manufacturers, financial service providers, health insurance companies and fertility clinics – companies that store highly sensitive and potentially lucrative information. The group is also targeting journalists, human rights activists, politicians, scientists, doctors, technical officers at telecommunications companies, and users of cryptocurrencies.
(Source: Trend Micro)
Over the years, their activities have become increasingly brazen. Targets include the former head of an intelligence agency, seven sitting ministers, and a dozen members of parliament in European countries.
Some of their targets – including religious leaders, diplomats and journalists – also overlap with the notorious Pawn Storm group (APT28, Fancy Bear).
Trend Micro findings
Trend Micro associates thousands of indicators with Void Balaur, which it also makes available to enterprises as part of its threat intelligence offering. Most often, the group uses phishing tactics, sometimes combined with information-stealing malware such as Z*Stealer or DroidWatcher.
In addition, the group offers to hack email accounts without user interaction. However, it is unclear how it manages to do this – for example, with the help of insiders or via a compromised email provider.
Advice for enterprises
Organizations should consider the following steps to protect themselves from cyber mercenaries like Void Balaur:
- Use reliable email services from a reputable provider with high privacy standards.
- Use multi-factor authentication for your email and social media accounts via an authenticator app or a hardware security key such as a YubiKey instead of a one-time SMS passcode. SMS codes travel through the mobile network, and access to telecommunications data is exactly what this group sells.
- Use apps with end-to-end encryption for your communications.
- Use encryption like PGP (Pretty Good Privacy) for sensitive communications.
- Delete messages you no longer need to minimize the amount of data that can potentially be stolen.
- Use drive encryption on all endpoints.
- Turn off laptops and computers when not in use.
- Implement a cybersecurity platform approach through which the entire attack chain can be detected and responded to accordingly.
"Cyber mercenaries are an unfortunate manifestation of today's cybercrime," said Feike Hacquebord, senior threat researcher at Trend Micro. "Given the high demand for their services and the fact that nation states provide sanctuary to some actors, they are unlikely to disappear from the scene anytime soon. The best defense is to raise awareness of the threat through reports like this one, and also to promote security best practices."
Trend Micro has published two reports with details: "Void Balaur and the Rise of the Cybermercenary Industry" and "The Far-Reaching Attacks of the Void Balaur Cybermercenary Group".