Full Report
The threat actor known as Bitter has been assessed to be a state-backed hacking group that's tasked with gathering intelligence that aligns with the interests of the Indian government. That's according to new findings jointly published by Proofpoint and Threatray in an exhaustive two-part analysis. "Their diverse toolset shows consistent coding patterns across malware families, particularly in
Analysis Summary
# Threat Actor: Bitter
## Attribution & Identity
The threat actor is assessed to be a **state-backed hacking group tasked with gathering intelligence that aligns with the interests of the Indian government**.
**Known Aliases and Associated Groups:**
* APT-C-08
* APT-Q-37
* Hazy Tiger
* Orange Yali
* T-APT-17
* TA397
The ORPCBackdoor malware has also been attributed by the Knownsec 404 Team to an actor called Mysterious Elephant, which shows overlap with other India-aligned threat clusters including SideWinder, Patchwork, and Confucius.
## Activity Summary
Bitter has a history of espionage focused on collecting intelligence on foreign policy and current affairs. Recent activities identified in December 2024 show targeting of Turkey using WmRAT and MiyaRAT, indicating geographical expansion. The actor frequently singles out an "exceedingly small subset of targets." The group has also carried out hands-on-keyboard activity in campaigns targeting government organizations for further enumeration and deployment of payloads. Researchers note a scheduling pattern consistent with "Monday to Friday working hours schedule in Indian Standard Timezone (IST)" for infrastructure activity and manual operations.
## Tactics, Techniques & Procedures
- **System Information Gathering:** Consistent coding patterns across malware families are noted in system information gathering modules.
- **String Obfuscation:** Mentioned as a consistent coding pattern across their toolset.
- **Spear-Phishing:** Primary initial access vector, using lures masquerading as government/diplomatic entities.
- **Masquerading:** Impersonating government/diplomatic entities from China, Madagascar, Mauritius, and South Korea in spear-phishing campaigns.
- **Hands-on-Keyboard Activity:** Observed conducting enumeration activities and dropping additional secondary payloads on targeted hosts.
## Targeting
- **Sectors:** Governments, diplomatic entities, and defense organizations.
- **Geography:** Historically strong focus on **South Asian entities**. Select intrusions have targeted China, Saudi Arabia, and South America. Recent targeting noted in **Turkey**.
- **Victims:** Turkish and Chinese entities with a presence in Europe were recently targeted.
## Tools & Infrastructure
**Malware Families Used:**
* WmRAT
* MiyaRAT
* KugelBlitz (Shellcode loader deploying Havoc C2 framework)
* BDarkRAT (.NET trojan with RAT capabilities)
* ArtraDownloader (C++ downloader for system info gathering and remote file execution)
* Keylogger (C++ module for keystroke and clipboard recording)
* WSCSPL Backdoor (Delivered via ArtraDownloader, supports remote execution)
* MuuyDownloader (aka ZxxZ, trojan for remote code execution)
* Almond RAT (.NET trojan for data gathering and command execution)
* ORPCBackdoor (Uses RPC protocol for C2 communication)
* KiwiStealer (Stealer targeting specific file types modified recently)
**Infrastructure (C2, domains, IPs):**
* Spear-phishing emails originated from providers such as **163[.]com**, **126[.]com**, and **ProtonMail**.
* Compromised accounts associated with the governments of **Pakistan**, **Bangladesh**, and **Madagascar** were used for sending phishing lures.
## Implications
Bitter is a highly persistent **espionage-focused threat actor** assessed to serve the interests of the Indian intelligence services. Its willingness to expand geographical targeting (e.g., Turkey) and its use of sophisticated TTPs, including hands-on-keyboard operations and extensive malware reuse and development, indicate a mature and well-resourced operation dedicated to long-term intelligence collection on foreign policy matters.
## Mitigations
- Enhance detection and filtering for spear-phishing emails originating from known cloud providers (163[.]com, 126[.]com, ProtonMail) when targeting sensitive government or defense personnel.
- Implement robust security controls to detect and prevent the common actions performed by their malware, such as system information gathering and file exfiltration mechanisms found in BDarkRAT or Almond RAT.
- Monitor internal networks for indicators of hands-on-keyboard activity, especially during standard Indian business hours (IST).
- Review security posture specifically related to defenses against remote access trojans and shellcode loaders (like KugelBlitz).
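The following script is an added example, not tooling from Proofpoint, Threatray, or the report itself. It turns two of the mitigations above into checks that can be run over log lines: flagging inbound mail from the webmail providers the report names (163.com, 126.com, ProtonMail) when it reaches sensitive recipients, and flagging interactive enumeration processes that start during Monday-to-Friday Indian Standard Time working hours. The log formats, the recipient list, the set of enumeration tools, the provider mail domains, and the 09:00-18:00 IST window are all assumptions; the sample log lines are constructed.

```python
"""Defender-side checks derived from the Bitter report's mitigations.

Added example, not the report's own code. Log formats, recipient list,
tool list, provider domains and the IST working-hours window are assumptions.
"""
from datetime import datetime, timedelta, timezone

IST = timezone(timedelta(hours=5, minutes=30))

# Assumption: 09:00-18:00 IST, Monday to Friday, approximates the report's
# "working hours schedule in Indian Standard Timezone".
BUSINESS_START_HOUR, BUSINESS_END_HOUR = 9, 18

# Providers named in the report (written defanged there as 163[.]com etc.).
# Mapping "ProtonMail" to protonmail.com is an assumption.
WATCHED_SENDER_DOMAINS = {"163.com", "126.com", "protonmail.com"}

# Constructed list of mailboxes treated as sensitive (government/defense staff).
SENSITIVE_RECIPIENTS = {"policy-desk@example.gov", "attache@example.gov"}

# Assumption: common host-enumeration binaries worth correlating with the
# time-of-day signal. Extend to match local telemetry.
ENUM_TOOLS = {"whoami.exe", "net.exe", "systeminfo.exe", "nltest.exe", "ipconfig.exe"}


def sender_domain(address: str) -> str:
    """Return the lower-cased domain part of an e-mail address."""
    return address.rsplit("@", 1)[-1].strip(">").lower()


def in_ist_business_hours(ts_utc: str) -> bool:
    """True if an ISO-8601 UTC timestamp falls Mon-Fri, 09:00-17:59 IST."""
    local = datetime.fromisoformat(ts_utc.replace("Z", "+00:00")).astimezone(IST)
    return local.weekday() < 5 and BUSINESS_START_HOUR <= local.hour < BUSINESS_END_HOUR


def flag_mail(line: str):
    """Constructed gateway format: '<ts>\\t<from>\\t<to>\\t<subject>'.

    Flags mail from a watched provider addressed to a sensitive recipient.
    """
    ts, sender, recipient, _subject = line.rstrip("\n").split("\t", 3)
    if sender_domain(sender) in WATCHED_SENDER_DOMAINS and recipient.lower() in SENSITIVE_RECIPIENTS:
        return {"ts": ts, "from": sender, "to": recipient,
                "rule": "watched-provider-to-sensitive-recipient"}
    return None


def flag_session(line: str):
    """Constructed EDR format: '<ts>\\t<host>\\t<user>\\t<process>'.

    Flags an enumeration binary launched inside IST working hours.
    """
    ts, host, user, process = line.rstrip("\n").split("\t", 3)
    if process.lower() in ENUM_TOOLS and in_ist_business_hours(ts):
        return {"ts": ts, "host": host, "user": user, "process": process,
                "rule": "enumeration-during-ist-business-hours"}
    return None


def review(mail_lines, edr_lines):
    """Run both checks and return the combined list of findings."""
    findings = [f for f in map(flag_mail, mail_lines) if f]
    findings += [f for f in map(flag_session, edr_lines) if f]
    return findings


# Constructed sample logs. 2025-06-09 is a Monday; 04:00Z is 09:30 IST.
SAMPLE_MAIL = [
    "2025-06-09T04:02:11Z\tsender-a@163.com\tpolicy-desk@example.gov\tMeeting agenda",
    "2025-06-09T04:05:00Z\tcolleague@example.gov\tpolicy-desk@example.gov\tLunch",
    "2025-06-09T04:06:00Z\tnews@protonmail.com\tintern@example.gov\tNewsletter",
]
SAMPLE_EDR = [
    "2025-06-09T04:10:00Z\tWS-01\tjdoe\twhoami.exe",   # 09:40 IST, Monday
    "2025-06-09T14:00:00Z\tWS-01\tjdoe\tnet.exe",      # 19:30 IST, outside window
    "2025-06-09T04:11:00Z\tWS-01\tjdoe\toutlook.exe",  # not an enumeration tool
]

if __name__ == "__main__":
    for finding in review(SAMPLE_MAIL, SAMPLE_EDR):
        print(finding)
```

The time-of-day check is an enrichment signal, not a detection on its own: victims in neighbouring time zones (Turkey, for instance, is UTC+3) have working hours that overlap heavily with 09:00-18:00 IST, so it should raise the priority of a finding that already matches on process or sender, never generate alerts by itself.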