Researchers Detail Bitter APT’s Evolving Tactics as Its Geographic Scope Expands - The Hacker News

Researchers Detail Bitter APT’s Evolving Tactics as Its Geographic Scope Expands Ravie LakshmananJun 05, 2025Threat Intelligence / Network Security The threat actor known as Bitter has been assessed to be a state-backed hacking group that's tasked with gathering intelligence that aligns with the interests of the Indian government. That's according to new findings jointly published by Proofpoint and Threatray in an exhaustive two-part analysis. "Their diverse toolset shows consistent coding patterns across malware families, particularly in system information gathering and string obfuscation," researchers Abdallah Elshinbary, Jonas Wagner, Nick Attfield, and Konstantin Klinger said. Bitter, also known as APT-C-08, APT-Q-37, Hazy Tiger, Orange Yali, T-APT-17, and TA397, has a history of focusing primarily on South Asian entities, with select intrusions also targeting China, Saudi Arabia, and South America. In December 2024, evidence emerged of the threat actor's targeting of Turkey using malware families such as WmRAT and MiyaRAT, indicating a gradual geographical expansion. Stating that Bitter frequently singles out an "exceedingly small subset of targets," Proofpoint said the attacks are aimed at governments, diplomatic entities, and defense organizations so as to enable intelligence collection on foreign policy or current affairs. Attack chains mounted by the group typically leverage spear-phishing emails, with the messages sent from providers like 163[.]com, 126[.]com, and ProtonMail, as well as compromised accounts associated with the governments of Pakistan, Bangladesh, and Madagascar. The threat actor has also been observed masquerading as government and diplomatic entities from China, Madagascar, Mauritius, and South Korea in these campaigns to entice recipients into malware-laced attachments that trigger the deployment of malware. Overview of Bitter's infection chains "Based on the content and the decoy documents employed, it is clear that TA397 has no qualms with masquerading as other countries' governments, including Indian allies," the enterprise security company said. "While TA397's targets in these campaigns were Turkish and Chinese entities with a presence in Europe, it signals that the group likely has knowledge and visibility into the legitimate affairs of Madagascar and Mauritius and uses the material in spearphishing operations." Furthermore, Bitter has been found to engage in hands-on-keyboard activity in two distinct campaigns targeting government organizations to conduct further enumeration activities on the targeted hosts and drop additional payloads like KugelBlitz and BDarkRAT, a .NET trojan that was first documented in 2019. It features standard remote access trojan capabilities such as gathering system information, executing shell commands, downloading files, and managing files on the compromised host. Bitter's Malware Families Some of the other known tools in its arsenal are below - ArtraDownloader, a downloader written in C++ that collects system information and uses HTTP requests to download and execute a remote file Keylogger, a C++ module used in various campaigns to record keystrokes and clipboard content WSCSPL Backdoor, a backdoor that's delivered via ArtraDownloader and supports commands to get machine information, execute remote instructions, and download and run files MuuyDownloader (aka ZxxZ), a trojan that allows remote code execution of payloads received from a remote server Almond RAT, a .NET trojan that offers basic data gathering functionality and the ability to execute arbitrary commands and transfer files ORPCBackdoor, a backdoor that uses the RPC protocol to communicate with a command-and-control (C2) server and runs operator-issued instructions KiwiStealer, a stealer that searches for files matching a predefined set of extensions, are smaller than 50 MB, and have been modified within the past year, and exfiltrates them to a remote server KugelBlitz, a shellcode loader that's used to deploy the Havoc C2 framework It's worth noting that ORPCBackdoor has been attributed by the Knownsec 404 Team to a threat actor called Mysterious Elephant, which it said overlaps with other India-aligned threat clusters, including SideWinder, Patchwork, Confucius, and Bitter. Analysis of the hands-on-keyboards activity highlights a "Monday to Friday working hours schedule in Indian Standard Timezone (IST)," which is also consistent with the time when WHOIS domain registrations and TLS certificate issuances take place. "TA397 is an espionage-focused threat actor that highly likely operates on behalf of an Indian intelligence organization," the researchers said. "There is a clear indication that most infrastructure-related activity occurs during standard business hours in the IST timezone." Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share SHARE  Advanced Persistent Threat, cyber espionage, cybersecurity, Espionage, Incident response, Malware, network security, Remote Access Trojan, Spear-Phishing, Threat Intelligence Trending News Trivy Security Scanner GitHub Actions Breached, 75 Tags Hijacked to Steal CI/CD Secrets Citrix Urges Patching Critical NetScaler Flaw Allowing Unauthenticated Data Leaks TeamPCP Pushes Malicious Telnyx Versions to PyPI, Hides Stealer in WAV Files China-Linked Red Menshen Uses Stealthy BPFDoor Implants to Spy via Telecom Networks Citrix NetScaler Under Active Recon for CVE-2026-3055 (CVSS 9.3) Memory Overread Bug Google Adds 24-Hour Wait for Unverified App Sideloading to Reduce Malware and Scams FBI Warns Russian Hackers Target Signal, WhatsApp in Mass Phishing Attacks Coruna iOS Kit Reuses 2023 Triangulation Exploit Code in Recent Mass Attacks Apple Warns Older iPhones Vulnerable to Coruna, DarkSword Exploit Kit Attacks FCC Bans New Foreign-Made Routers Over Supply Chain and Cyber Risk Concerns TeamPCP Backdoors LiteLLM Versions 1.82.7–1.82.8 via Trivy CI/CD Compromise New Perseus Android Banking Malware Monitors Notes Apps to Extract Sensitive Data ThreatsDay Bulletin: PQC Push, AI Vuln Hunting, Pirated Traps, Phishing Kits and 20 More Stories CISA Adds CVE-2025-53521 to KEV After Active F5 BIG-IP APM Exploitation ⚡ Weekly Recap: CI/CD Backdoor, FBI Buys Location Data, WhatsApp Ditches Numbers and More 54 EDR Killers Use BYOVD to Exploit 35 Signed Vulnerable Drivers and Disable Security Load More ▼ Popular Resources [Guide] Learn How to Govern AI Agents With Proven Market Guidance Detect AI-Driven Threats Faster With Full Network Visibility [Demo] Discover SaaS Risks and Monitor Every App in Your Environment SANS SEC401: Get Hands On Skills to Detect and Respond to Cyber Threats