Google blocks dozens of malicious domains controlled by hack-for-hire groups


Google’s Threat Analysis Group (TAG) announced on Thursday that it has taken action to block as many as 36 malicious domains operated by hack-for-hire groups from India, Russia and the UAE.

In a manner analogous to the surveillanceware ecosystem, hack-for-hire companies equip their customers with capabilities to enable targeted attacks targeting businesses as well as activists, journalists, politicians and other high-risk users.

Where the two differ is that while customers buy the spyware from commercial vendors and then deploy it themselves, the operators behind hack-for-hire attacks are known to carry out the breaches on behalf of their customers to obscure their role.

“The hack-for-hire landscape is fluid, both in the way the attackers organize themselves and the wide array of goals they pursue in a single campaign on behalf of disparate clients,” said Shane Huntley, director of Google TAG . said in a report.

“Some hack-for-hire attackers openly advertise their products and services to anyone willing to pay, while others operate more discreetly and sell to a limited audience.”

A recent campaign by an Indian hack-for-hire operator allegedly targeted an IT company in Cyprus, an educational institution in Nigeria, a fintech company in the Balkans and a retail company in Israel, pointing to the magnitude of the victims.

The Indian outfit, which Google TAG said has been tracking since 2012, has been linked to a series of credential phishing attacks aimed at collecting credentials linked to government agencies, Amazon Web Services (AWS), and Gmail accounts.

The campaign involves sending spear-phishing emails containing a fraudulent link that, when clicked, opens an attacker-controlled phishing page designed to siphon off unsuspecting users’ credentials. Targets included the government, healthcare and telecom sectors in Saudi Arabia, the United Arab Emirates and Bahrain.

Google TAG attributed the Indian hack-for-hire actors to a company called Rebsec, which, according to its dormant Twitter accountis an abbreviation for “Rebellion Effectsand is located in the city of Amritsar websitenot available for “maintenance” at the time of writing, also claims to offer corporate espionage services.

A similar series of credentials theft targeting journalists, European politicians and non-profit organizations has been linked to a Russian actor named Void Balaur, a cyber mercenary group first documented by Trend Micro in November 2021.

Over the past five years, the collective is said to have singled out accounts with major webmail providers such as Gmail, Hotmail and Yahoo! and regional webmail providers such as,, and

Finally, TAG also described the activities of a group based in the UAE with connections to the original developers of a remote access trojan called njRAT (also known as H-worm or Houdini

The phishing attacks, as previously discovered by Amnesty International in 2018, using password reset bait to steal credentials from targets in government, education and political organizations in the Middle East and North Africa.

After compromising the account, the threat actor maintains persistence by granting an OAuth token to a legitimate email application such as Thunderbird, causing a App password to access the account via IMAP, or by associating the victim’s Gmail account with an opponent’s account with a third-party email provider.

The findings come a week after Google TAG revealed details of an Italian spyware company called RCS Lab, whose hacking tool “Hermit” was used to attack Android and iOS users in Italy and Kazakhstan.