The threat actor known as Bitter has been assessed to be a state-backed hacking group that’s tasked with gathering intelligence that aligns with the interests of the Indian government.
That’s according to new findings jointly published by Proofpoint and Threatray in an exhaustive two-part analysis.
“Their diverse toolset shows consistent coding patterns across malware families, particularly in system information gathering and string obfuscation,” researchers Abdallah Elshinbary, Jonas Wagner, Nick Attfield, and Konstantin Klinger said.
Bitter, also known as APT-C-08, APT-Q-37, Hazy Tiger, Orange Yali, T-APT-17, and TA397, has a history of focusing primarily on South Asian entities, with select intrusions also targeting China, Saudi Arabia, and South America.
In December 2024, evidence emerged of the threat actor’s targeting of Turkey using malware families such as WmRAT and MiyaRAT, indicating a gradual geographical expansion.
Stating that Bitter frequently singles out an “exceedingly small subset of targets,” Proofpoint said the attacks are aimed at governments, diplomatic entities, and defense organizations so as to enable intelligence collection on foreign policy or current affairs.
Attack chains mounted by the group typically leverage spear-phishing emails, with the messages sent from providers like 163[.]com, 126[.]com, and ProtonMail, as well as compromised accounts associated with the governments of Pakistan, Bangladesh, and Madagascar.
The threat actor has also been observed masquerading as government and diplomatic entities from China, Madagascar, Mauritius, and South Korea in these campaigns to entice recipients into malware-laced attachments that trigger the deployment of malware.
 |
| Overview of Bitter’s infection chains |
“Based on the content and the decoy documents employed, it is clear that TA397 has no qualms with masquerading as other countries’ governments, including Indian allies,” the enterprise security company said.
“While TA397’s targets in these campaigns were Turkish and Chinese entities with a presence in Europe, it signals that the group likely has knowledge and visibility into the legitimate affairs of Madagascar and Mauritius and uses the material in spearphishing operations.”
Furthermore, Bitter has been found to engage in hands-on-keyboard activity in two distinct campaigns targeting government organizations to conduct further enumeration activities on the targeted hosts and drop additional payloads like KugelBlitz and BDarkRAT, a .NET trojan that was first documented in 2019.
It features standard remote access trojan capabilities such as gathering system information, executing shell commands, downloading files, and managing files on the compromised host.
 |
| Bitter’s Malware Families |
Some of the other known tools in its arsenal are below –
- ArtraDownloader, a downloader written in C++ that collects system information and uses HTTP requests to download and execute a remote file
- Keylogger, a C++ module used in various campaigns to record keystrokes and clipboard content
- WSCSPL Backdoor, a backdoor that’s delivered via ArtraDownloader and supports commands to get machine information, execute remote instructions, and download and run files
- MuuyDownloader (aka ZxxZ), a trojan that allows remote code execution of payloads received from a remote server
- Almond RAT, a .NET trojan that offers basic data gathering functionality and the ability to execute arbitrary commands and transfer files
- ORPCBackdoor, a backdoor that uses the RPC protocol to communicate with a command-and-control (C2) server and runs operator-issued instructions
- KiwiStealer, a stealer that searches for files matching a predefined set of extensions, are smaller than 50 MB, and have been modified within the past year, and exfiltrates them to a remote server
- KugelBlitz, a shellcode loader that’s used to deploy the Havoc C2 framework
It’s worth noting that ORPCBackdoor has been attributed by the Knownsec 404 Team to a threat actor called Mysterious Elephant, which it said overlaps with other India-aligned threat clusters, including SideWinder, Patchwork, Confucius, and Bitter.
Analysis of the hands-on-keyboards activity highlights a “Monday to Friday working hours schedule in Indian Standard Timezone (IST),” which is also consistent with the time when WHOIS domain registrations and TLS certificate issuances take place.
“TA397 is an espionage-focused threat actor that highly likely operates on behalf of an Indian intelligence organization,” the researchers said. “There is a clear indication that most infrastructure-related activity occurs during standard business hours in the IST timezone.”
