Trend Micro uncovers cyber mercenary group Void Balaur which targets politicians, religious leaders

The latest research from cybersecurity firm Trend Micro reveals that hacker-for-hire group Void Balaur has targeted at least 3,500 individuals and organizations, including human rights activists, journalists, politicians, and senior telco engineers.

“Cyber mercenaries is an unfortunate consequence of today’s vast cybercrime economy,” said Feike Hacquebord, senior threat researcher for Trend Micro. “Given the insatiable demand for their services and harboring of some actors by nation-states, they’re unlikely to go away anytime soon. The best form of defense is to raise industry awareness of the threat in reports like this one and encourage best practice cybersecurity to help thwart their efforts.”

Trend Micro named this group of actors after an evil multi-headed creature from Eastern European folklore. The group, however, calls themselves “Rockethack.”

Trend Micro blocks 41 billion cyber threats as attacks surged in 1H21
Trend Micro warns of ransomware targeting industrial control systems

According to the cybersecurity firm, Void Balaur was found on Russian-language forums “has accrued unanimously positive reviews.”

The Trend Micro research discovered that the group breaks into emails and social media accounts and sell highly sensitive information including financial data to make money.


“Void Balaur’s charges for such activities range from around $20 for a stolen credit history or traffic camera shots at $69 to over $800 for phone call records with cell tower locations,” Trend Micro said. “Global targets include telecommunications companies in Russia, ATM machines vendors, financial services companies, medical insurers, and IVF clinics—organizations known to store highly sensitive and potentially lucrative information. The group also targets journalists, human rights activists, politicians, scientists, doctors, telco engineers, and cryptocurrency users.”

Its efforts have become increasingly bold over the years, according to the research, with targets including the former head of an intelligence agency, seven active government ministers, and a dozen members of parliaments in European countries. Some of its targets, including religious leaders, diplomats, and journalists, also overlap with the notorious Pawn Storm group (APT28, Fancy Bear).

Trend Micro has associated thousands of indicators with Void Balaur, which are also available to organizations as part of the comprehensive threat intelligence. It most commonly deploys phishing tactics to achieve its ends, sometimes including info-stealing malware such as Z*Stealer or DroidWatcher.

The group also offers to hack email accounts without user interaction, although it’s unclear how this is achieved, that is with the help of insiders or via a breached email provider.

Trend Micro advises businesses and organizations to take the following steps to help defend against cyber mercenaries like Void Balaur:

  • Use robust email services from a reputable provider with high privacy standards
  • Use multi-factor authentication for your email and social media accounts via an app or Yubikey rather than one-time SMS passcode
  • Use apps with end-to-end encryption in your communications
  • Use encryption like PGP for sensitive communications
  • Permanently delete messages you no longer need to minimize exposure
  • Use drive encryption on all computing devices
  • Turn off laptops and computers when not in use
  • Utilize a cybersecurity platform approach that can detect and respond across the entire attack chain