Active threat profile
type: Nation-State
threat level: High
status: Active
origin: South Asia — India-nexus (assessed)
last updated: 2026-04-18

BITTER / T-APT-17

also known as: TA397, APT-C-08, APT-Q-37, Hazy Tiger, Orange Yali, G1002

A South Asian espionage group assessed by Proofpoint with high likelihood as operating on behalf of an Indian intelligence organization, conducting long-running campaigns against Pakistan, China, Bangladesh, and Saudi Arabia. Known for targeting a tightly scoped set of high-value government, defense, and diplomatic individuals rather than broad sectors, BITTER has operated continuously since at least 2013 and demonstrated expanding geographic reach and a maturing custom toolset through 2025.

attributed origin South Asia — India (assessed)
suspected sponsor Indian Intelligence Organization
first observed 2013
primary motivation Espionage / Intelligence Collection
primary targets Government, Defense, Diplomatic, Telecom, Energy
known campaigns 9+ confirmed
mitre att&ck group G1002
target regions South Asia, EMEA, APAC, South America
threat level High

Overview

BITTER is a sophisticated, state-assessed cyber espionage actor that has maintained persistent operations since at least 2013. The group is tracked under multiple designations across vendors — Proofpoint calls it TA397, Tencent tracks it as APT-C-08, and it is also referred to as T-APT-17, Hazy Tiger, and Orange Yali. In June 2025, Proofpoint and Threatray published a joint two-part analysis assessing with high likelihood that TA397 operates on behalf of the Indian state, based on targeting patterns, infrastructure timestamps, and observed hands-on-keyboard activity timed to Indian Standard Time (IST) working hours.

"TA397 has been operating on behalf of an Indian intelligence organization."
Proofpoint & Threatray — The Bitter End, Part One (June 2025)

The group's hallmark is extreme selectivity. Rather than broad opportunistic campaigns, BITTER targets an exceedingly narrow subset of individuals within specific organizations — typically personnel in core positions with access to strategic intelligence, military documents, or critical infrastructure systems. This precision is supported by a steadily maturing custom malware ecosystem: the group has evolved from early custom downloaders to purpose-built remote access trojans including BitterRAT, WmRAT, MiyaRAT, and BDarkRAT, with tooling that appears to remain under active development as of 2025.

Infrastructure analysis provides a strong forensic fingerprint: domain registration, TLS certificate issuance via Let's Encrypt, and passive DNS timestamps consistently map to IST business hours. The group also shares tooling overlaps with other suspected India-aligned threat clusters, including Mysterious Elephant (APT-K-47) and Confucius, suggesting a broader shared infrastructure or development ecosystem within the same national intelligence apparatus. For comparison, similar multi-group ecosystem patterns are well-documented in Russian intelligence operations — see the profiles for APT28 / Fancy Bear and APT29 / Cozy Bear.

Attribution confidence progression — 2013 to present
  • 2013–2016: South Asian actor — origin unknown
  • 2017–2020: South Asia nexus — India/Pakistan ambiguous
  • 2021–2023: India nexus — assessed probable
  • Jun 2025: India state-backed — highly likely
  • Apr 2026: Dual-track + hack-for-hire model
APR 2026 — Current assessment:
The April 2026 Lookout/Access Now disclosure of the ProSpy/MENA civil society campaign — combined with infrastructure links to the Indian firm Appin flagged by SC Media — advances the assessment to a probable dual-track model: direct state collection against government and military targets running in parallel with contracted or outsourced operations against civil society clients. Confidence in Indian state backing is the highest it has been in the group's documented history.

One of the clearest windows into the group's operational tradecraft came when Proofpoint researchers, during an active intrusion, observed BITTER operators mount an SMB share named tempy after a first payload delivery attempt failed. By enumerating the share, researchers found the exact WmRAT and MiyaRAT binaries documented in the December 2024 Turkish defense campaign — confirming infrastructure and payload reuse across targets. The share also contained two documents assessed as exfiltrated from prior victims: a scanned official government tax document from Bangladesh, and a strategic military document from a Bangladeshi military organization. Both were withheld from public publication for safety and anonymity reasons.

Active campaign — May 2025

On May 7, 2025 — during active military escalation between India and Pakistan under Operation Sindoor — EclecticIQ confirmed BITTER targeted Pakistan Telecommunication Company Limited (PTCL) workers via spear-phishing, delivering WmRAT. The campaign targeted 5G infrastructure engineers, DevOps specialists, project managers, and satellite communication experts. Stolen credentials from Pakistan's Counter Terrorism Department were used to lend credibility to the phishing emails, and the attack timing is assessed as deliberately opportunistic, exploiting the military conflict to maximize intelligence value.

Target Profile

BITTER's targeting is geopolitically structured and extremely selective. The group focuses on individuals in positions with direct access to strategic, military, or infrastructure intelligence — rather than whole organizations or broad sectors.

Target geography × sector matrix (confirmed / assessed / suspected), one row group per targeted sector:
  • Pakistan — confirmed; China — confirmed; Bangladesh — confirmed; Saudi Arabia — confirmed; Turkey — assessed; South America — suspected
  • Pakistan — confirmed; China — confirmed; Bangladesh — confirmed (exfiltrated military doc documented); Saudi Arabia — assessed; Turkey — confirmed (Nov 2024 defense campaign)
  • Pakistan — confirmed (PTCL, May 2025); China — assessed
  • Pakistan — confirmed; China — assessed; Saudi Arabia — assessed
  • Pakistan — confirmed; China — assessed; Bangladesh — confirmed
  • MENA (Egypt, Lebanon, Bahrain, UAE) — confirmed via ProSpy, 2024–2026

  • Government and diplomatic entities: Long-standing primary focus. Targeted government ministries, diplomatic organizations, and public sector bodies across Pakistan, China, Bangladesh, and Saudi Arabia. The group impersonates allied and neutral governments to construct credible lures, and has no qualms about masquerading as Indian government entities when targeting regional adversaries.
  • Defense organizations: Military institutions and defense contractors across South Asia and EMEA. The November 2024 Turkish campaign targeted a defense sector organization. Exfiltrated documents confirmed to include a strategic military document from a Bangladeshi military organization.
  • Telecommunications: The May 2025 PTCL campaign demonstrated active targeting of national telecommunications operators, specifically individuals with access to 5G infrastructure and satellite communications — consistent with intelligence collection on national communications resilience. For a parallel case of nation-state telecom targeting, see Salt Typhoon's breach of nine U.S. carriers.
  • Energy and engineering: MITRE ATT&CK and FortiGuard document targeting of energy and engineering organizations in the group's target geography, aligned with collection of industrial and infrastructure intelligence.
  • Research institutes and NGOs: Academic and research institutions, particularly those with defense, policy, or science connections, have been targeted across South and Southeast Asia.
  • Expanding geographic footprint: While operations have historically concentrated in South Asia, the group has progressively expanded into EMEA (Turkey, Saudi Arabia), APAC (China, Bangladesh), and has been observed targeting entities in South America.
  • Civil society, journalists, and opposition figures (2023–present): A significant departure from BITTER's historical target profile. Beginning no later than 2023, a campaign attributed by Lookout to a hack-for-hire operation with BITTER infrastructure ties targeted journalists, activists, and opposition politicians in Egypt, Lebanon, Bahrain, and the UAE. Victims include prominent Egyptian journalists in exile and a high-profile Lebanese journalist. Researchers from Access Now, Lookout, and SMEX assessed the operation as likely contracted espionage rather than direct state collection, representing either a genuine expansion of the group's targeting or an outsourcing model in which BITTER's infrastructure and tooling are made available to third-party clients.

Tactics, Techniques & Procedures

BITTER demonstrates consistent core TTPs across campaigns while regularly experimenting with delivery mechanisms to evade detection. Scheduled tasks and spear-phishing are the group's structural constants; delivery file formats rotate frequently as detection catches up to each method.

BITTER attack chain (stage — tactic): Spear-phish (initial access) → RAR + ADS (weaponized lure) → LNK / CHM exec (execution) → Scheduled task (persistence) → Manual triage (discovery) → WmRAT / MiyaRAT (C2 + collection) → Exfiltration (impact)

  • Core delivery vector. RAR archives contain decoy PDFs alongside malicious LNK or CHM files. Lures are geopolitically tailored — World Bank infrastructure project documents, government correspondence, and conference invitations have all been used. Emails are sent from compromised legitimate government accounts to maximize authenticity.
  • Base64-encoded PowerShell blobs are stored in NTFS Alternate Data Streams (ADS) within RAR archives. When the LNK file is executed, it triggers these hidden PowerShell commands to establish persistence and beacon to staging infrastructure without visible execution indicators.
  • The group's most consistent persistence mechanism across all documented campaigns. Scheduled tasks — such as DsSvcCleanup — beacon to staging domains every 15–18 minutes transmitting victim machine data. Operators manually review this data before deploying second-stage payloads to targets deemed high value.
  • Malicious PowerShell code is hidden within ADS inside RAR archives under stream names such as "Participation." These streams are invisible to standard Windows extraction tools like WinRAR but visible through 7-Zip, allowing the payload to evade casual inspection of the archive contents.
  • WmRAT and MiyaRAT are the current primary C++ implants. Both support file exfiltration, arbitrary command execution, screenshot capture, geolocation data collection, and directory enumeration. MiyaRAT additionally supports reverse shell commands and is selectively deployed against high-value targets only.
  • Before deploying second-stage payloads, operators manually enumerate the target system via hands-on-keyboard activity: listing running processes, enumerating the ProgramData directory, and using WMIC to identify antivirus products. This deliberate triage avoids burning payloads on low-value or monitored systems.
  • Phishing emails in the May 2025 PTCL campaign were sent from a compromised Counter Terrorism Department email account at Islamabad Police Headquarters, using stolen credentials to add authenticity. The group has a documented pattern of using compromised government accounts as sending infrastructure.
  • Throughout the first half of 2024, BITTER used Microsoft Compiled Help Files (CHM) inside RAR archives as a primary mechanism for creating scheduled tasks on target machines, before transitioning to LNK files with NTFS ADS in late 2024.
  • CVE-2021-1732 (Win32k privilege escalation) is documented in BITTER's exploit arsenal alongside Office document exploitation via CVE-2017-11882 and CVE-2018-0802 (Equation Editor) used for initial code execution from weaponized documents.
  • WmRAT communicates with C2 infrastructure via HTTPS (port 443) using HTTP GET requests. The victim's computer name and username are included in the beacon URI. This specific PHP URI pattern — script.php?param=$env:COMPUTERNAME*$env:USERNAME — has remained consistent across years of TA397 campaigns and constitutes a high-confidence detection fingerprint alongside Let's Encrypt certificates on attacker-controlled staging servers. C2 domains rotate but the URL construction pattern does not.
  • Sending infrastructure includes Chinese freemail services (163[.]com, 126[.]com), ProtonMail, and compromised government accounts from Pakistan, Bangladesh, and Madagascar. The group impersonates allies of the assessed sponsor state — Madagascar and Mauritius are active Indian strategic partners with shared naval exercise programs — while targeting third parties, demonstrating that BITTER has genuine visibility into those governments' affairs. Topical lures are timed to real-world events: the December 2024 South Korea martial law crisis produced a campaign using the subject line "SituationNote : SouthKorea_Martial law Seoul Embassy Advisory" crafted to blend with legitimate embassy advisory traffic.
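
Two of the constants above, the `script.php?param=COMPUTERNAME*USERNAME` beacon shape and the 15–18 minute scheduled-task cadence, can be turned into a proxy-log hunt. The following Python is an added example, not code from Proofpoint, EclecticIQ or this profile; the log line format, hostnames, thresholds and sample lines are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median
from urllib.parse import parse_qsl, urlsplit

# Beacon query value in the documented TA397 shape: "<COMPUTERNAME>*<USERNAME>".
BEACON_VALUE = re.compile(r"^([A-Za-z0-9_.-]+)\*([A-Za-z0-9_.$-]+)$")

# Constructed proxy log lines for this example (not from any real incident).
# Format assumed here: "<ISO timestamp> <source host> <method> <url>".
SAMPLE_LOG = """\
2025-05-07T09:00:02 WS-ENG-14 GET https://staging.bad-example.test/script.php?param=WS-ENG-14*jdoe
2025-05-07T09:03:11 WS-ENG-14 GET https://cdn.good-example.test/assets/app.js
2025-05-07T09:17:05 WS-ENG-14 GET https://staging.bad-example.test/script.php?param=WS-ENG-14*jdoe
2025-05-07T09:34:09 WS-ENG-14 GET https://staging.bad-example.test/script.php?param=WS-ENG-14*jdoe
2025-05-07T09:51:00 WS-ENG-14 GET https://staging.bad-example.test/script.php?param=WS-ENG-14*jdoe
2025-05-07T10:00:00 WS-FIN-02 GET https://intranet.good-example.test/report.php?id=42*7
"""


def parse_line(line):
    """Split one log line into (timestamp, source host, method, url)."""
    ts, src, method, url = line.split(maxsplit=3)
    return datetime.fromisoformat(ts), src, method, url


def is_beacon_url(url, src_host=None):
    """True for a .php request whose query carries HOST*USER.

    When src_host is given, HOST must equal the requesting machine's name: the
    implant reports its own hostname, which separates this from other uses of '*'
    in query strings (the WS-FIN-02 line above is the false-positive case).
    """
    parts = urlsplit(url)
    if not parts.path.lower().endswith(".php"):
        return False
    for _, value in parse_qsl(parts.query):
        m = BEACON_VALUE.match(value)
        if m and (src_host is None or m.group(1).upper() == src_host.upper()):
            return True
    return False


def find_beacons(log_text, min_gap_min=15, max_gap_min=18, min_hits=3):
    """Group beacon-shaped GETs per (source, destination) and flag pairs whose
    median inter-request gap falls in the scheduled-task window (15-18 minutes)."""
    buckets = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, method, url = parse_line(line)
        if method == "GET" and is_beacon_url(url, src):
            buckets[(src, urlsplit(url).hostname)].append(ts)

    alerts = []
    for (src, dest), times in buckets.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() / 60 for a, b in zip(times, times[1:])]
        cadence = median(gaps)
        if min_gap_min <= cadence <= max_gap_min:
            alerts.append({"src": src, "dest": dest, "hits": len(times),
                           "median_gap_min": cadence})
    return alerts


if __name__ == "__main__":
    for alert in find_beacons(SAMPLE_LOG):
        print(alert)
```

The hostname check is what keeps this rule quiet on ordinary web applications that happen to put an asterisk in a query value; in production, feed it the whole proxy history for a host rather than a single session so the cadence test has enough points.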

Known Campaigns

Confirmed or highly attributed operations linked to BITTER / TA397 across a documented operational history spanning over a decade.

Operational timeline

2013–2019

BITTER's earliest documented campaigns focused on government, military, and energy organizations in Pakistan and China. Initial tooling included BitterRAT and ArtraDownloader distributed via spear-phishing with weaponized Office documents exploiting CVE-2017-11882 and CVE-2018-0802 (Equation Editor vulnerabilities). Anomali documented targeting of Pakistan, and later Bangladesh, with government-themed lures. Tencent Research Institute and 360 Threat Intelligence provided early attribution under the APT-C-08 and T-APT-17 designations.

Bangladesh Expansion (2022)

Cisco Talos documented BITTER targeting Bangladesh with government-themed lures in a campaign adding the country to the group's confirmed target list alongside Pakistan and China. The campaign used malicious Office macro documents and maintained the group's consistent pattern of public sector and government targeting. The ZxxZ malware family was observed in this period, representing a new downloader component in the BITTER arsenal.

Chinese Government Agency Intrusion (2024)

On February 1, 2024, BITTER launched a spear-phishing attack on a Chinese government agency, documented by NSFOCUS. A core employee received an email on January 23 disguised as correspondence from a superior department. The CHM attachment created a scheduled task that beaconed every 18 minutes to northgenstudios[.]com and downloaded Havoc Trojan payloads. The agency detected abnormal external connections during incident response, triggering the NSFOCUS investigation that reconstructed the full attack chain and attributed it to BITTER via historical sample correlation.

Turkish Defense Sector — WmRAT and MiyaRAT Deployment (2024)

Proofpoint documented a November 18, 2024 spear-phishing attack against a Turkish defense sector organization, sent from a compromised government email account. The lure — "PUBLIC INVESTMENTS PROJECTS 2025 _ MADAGASCAR" — referenced a real World Bank infrastructure initiative in Madagascar, chosen to align with the target organization's public sector focus. The RAR archive contained a decoy PDF, an LNK file, and NTFS Alternate Data Streams carrying base64-encoded PowerShell. Execution created the DsSvcCleanup scheduled task beaconing to jacknwoods[.]com every 17 minutes. BITTER operators manually reviewed the resulting system enumeration data before deploying WmRAT and MiyaRAT via MSI installer. MiyaRAT's selective deployment in this campaign suggests the target was classified as high priority.

Multi-Government Espionage — October 2024 to April 2025

Proofpoint's June 2025 joint report with Threatray covered a sustained campaign series targeting government organizations linked to China, Pakistan, and neighboring states. Operations demonstrated hands-on-keyboard activity timed to IST working hours, with operators manually correcting failed payload deliveries in real time — including failed retrievals and subsequent recovery via SMB shares mounted as "tempy." Documents found on the actor's SMB share included a scanned Bangladeshi government tax document and a strategic military document from a Bangladeshi military organization, confirming active exfiltration. The group was also observed experimenting with two distinct novel delivery file types during this period: Microsoft Search Connector Description files (.searchConnector-ms), noted by Virus Bulletin researchers in February 2024, and Microsoft Saved Console files (.msc) exploiting CVE-2024-43572 (GrimResource) for code execution via a cross-site scripting flaw in apds.dll within mmc.exe. Both represent deliberate investment in delivery techniques that bypass detections built around the group's more established RAR/LNK/CHM chain.

PTCL Targeting During Operation Sindoor (2025)

On May 7, 2025, during active India-Pakistan military operations, EclecticIQ confirmed BITTER targeted Pakistan Telecommunication Company Limited (PTCL) workers via an IQY attachment with a malicious Excel macro delivering WmRAT. The email was sent using compromised credentials from Pakistan's Counter Terrorism Department. Targeted personnel included 5G infrastructure engineers, DevOps specialists, project managers, and satellite communication experts — positions with direct relevance to national communications resilience during a military conflict. C2 infrastructure analysis linked the campaign to the jacknwoods[.]com domain documented by Proofpoint in December 2024, confirming continuity of infrastructure across campaigns.

"The timing of the attack aligns with increased military tensions in the region."
EclecticIQ — PTCL Targeted by Bitter APT During Heightened Regional Conflict (May 2025)

MENA Civil Society — ProSpy Hack-for-Hire Operation (2023–2026)

Disclosed publicly in April 2026 through a joint investigation by Access Now, Lookout, and SMEX. The campaign targeted journalists, activists, and opposition politicians in Egypt, Lebanon, Bahrain, and the UAE — the first confirmed operation in which BITTER-linked infrastructure was used against civil society targets rather than government, military, or critical infrastructure. Two prominent Egyptian journalists (Mostafa Al-A'sar and Ahmed Eltantawy, both government critics previously imprisoned) and an unnamed Lebanese journalist were among confirmed targets. Android users were served ProSpy spyware disguised as Signal, WhatsApp, Zoom, ToTok, and Botim. iPhone users were targeted via Apple ID phishing designed to gain access to iCloud backups. In at least one case, the Lebanese journalist's Apple account was fully compromised and a virtual device added for persistent access — the full account takeover documented in real time by SMEX took approximately 30 seconds from credential submission. Lookout linked the campaign to BITTER via shared infrastructure (com-ae[.]net, previously associated with Dracarys) and code-level similarities between ProSpy and Dracarys — identical worker-class naming conventions, numbered C2 commands, and PHP-based infrastructure. Researchers assessed the operation as most likely a hack-for-hire arrangement, noting that the targeting of civil society is inconsistent with BITTER's known collection requirements, raising the possibility that the group's tooling and infrastructure are being contracted to third-party clients.

"Most likely a hack-for-hire operation with ties to BITTER APT."
Lookout Threat Intelligence — Beyond BITTER: MENA Civil Society (April 2026)

Tools & Malware

BITTER maintains a custom-built malware ecosystem that has evolved across more than a decade of operations. Threatray's June 2025 analysis with Proofpoint identified a consistent obfuscation evolution arc: early families (ArtraDownloader, WSCSPL Backdoor) used simple character addition or subtraction to encode strings; intermediate families (MuuyDownloader, WmRAT, MiyaRAT) added XOR encryption with per-string or per-variant keys; the most recent .NET families (BDarkRAT, AlmondRAT) use AES-256-CBC with keys and IVs derived via PBKDF2 — an identical implementation shared across both. This progression reflects deliberate iterative hardening rather than wholesale tooling replacement, with the same reconnaissance pattern (computer name, username, OS details) appearing across virtually every family.

Malware arsenal — capabilities and deployment profile

WmRAT
  • language: C++
  • deployment: Standard targets
  • C2 protocol: HTTPS (port 443) — HTTP GET; beacon URI encodes COMPUTERNAME + USERNAME
  • obfuscation: XOR-encrypted C2 address in .rdata; fake PNG header on payload delivery; junk thread creation + Sleep() anti-sandbox
  • first observed: 2023 (Proofpoint documentation)
  • status: Active — confirmed May 2025 PTCL campaign
  • capabilities: file exfiltration, directory enumeration, screenshot capture, arbitrary command exec, geolocation retrieval, file upload / download

MiyaRAT
  • language: C++
  • deployment: High-value targets only
  • C2 protocol: HTTPS; C2 commands obfuscated — only first character exposed per command identifier
  • obfuscation: v5.0 (May 2025): character subtraction with hardcoded binary key + single-byte XOR for C2 comms — defeats prior YARA signatures
  • first observed: 2023 (Proofpoint); v5.0 documented May 2025
  • status: Active — confirmed May 2025 PTCL campaign (v5.0)
  • capabilities (superset of WmRAT): file exfiltration, directory enumeration, screenshot capture, arbitrary command exec, geolocation retrieval, reverse shell

BDarkRAT
  • language: .NET
  • also tracked as: SplinterRAT (naming divergence from .NET namespace variation)
  • C2 obfuscation: AES-256-CBC with key/IV via PBKDF2 — identical implementation to AlmondRAT, suggesting shared programmer
  • lineage: Code traced to DarkAgentRAT (open-source .NET RAT, 2011) by Threatray
  • regression note: Early 2025 variant reverted to hex-encoded C2 addresses from prior AES approach — unusual regression, possible evasion hypothesis
  • status: Active development confirmed 2025
  • capabilities: remote access, directory listing, file transfer, shell command exec

AlmondRAT
  • language: .NET
  • first observed: 2022
  • C2 obfuscation: AES-256-CBC / PBKDF2 — byte-for-byte identical to BDarkRAT implementation; strong cross-family attribution fingerprint
  • attribution value: Shared encryption implementation with BDarkRAT is the primary technical link connecting the two families to a single developer
  • capabilities: directory listing, file transfer, shell command exec

KiwiStealer
  • role: Dedicated file stealer — not a full RAT
  • first observed: 2024
  • C2 obfuscation: URI obfuscated via string reversal + ROT2 (Caesar cipher, shift +2)
  • exfiltration filter: Files under 50 MB, modified within past 12 months, matching target extensions; logs to local winlist.log
  • C2 pattern: HTTP POST — victim username and computer name appended to URI
  • target extensions (selective exfil only): Office documents, PDFs, archives, images

ProSpy
  • language: Kotlin (Android)
  • masquerades as: Signal, WhatsApp, Zoom, ToTok, Botim
  • C2 pattern: REST-style endpoints: /v3/images, /v3/videos (cf. Dracarys r3/ — generation evolution marker)
  • first sample: August 2024; 11 samples recovered by Lookout; active development evident across sample set
  • iOS vector: Apple ID phishing → iCloud backup access; virtual device added for persistent account access (no malware installed on device)
  • capabilities (worker-class architecture): iCloud backup access, file exfiltration by MIME, new-files-only exfil, ToTok backup harvest, contacts / SMS, location tracking, call logs, camera / mic access

ORPCBackdoor
  • form factor: DLL backdoor — disguised as OLEMAPI32.DLL with product name "Microsoft Outlook"
  • C2 protocol: RPC (Remote Procedure Call) — not HTTP/HTTPS; evades standard network traffic analysis
  • exports: 17 export functions documented in captured sample
  • shared with: Mysterious Elephant (APT-K-47) and Confucius — primary technical evidence for shared Indian intelligence ecosystem hypothesis
  • attribution significance: Cross-group tooling overlap is the strongest indicator that BITTER, Mysterious Elephant, and Confucius share development resources or infrastructure

  • BitterRAT: The group's original custom remote access trojan, observed in early campaigns across Pakistan and China. Provides standard remote access capabilities. The name "BitterRAT" led to the threat actor designation across multiple vendor tracking systems.
  • ArtraDownloader: A C++ downloader first observed in 2016. Uses simple character addition or subtraction encoding — no XOR — to transmit system data to C2 servers. Collects and sends computer name, username, and OS details. Different campaign variants show distinct methods of concatenating the C2 payload, providing a fingerprinting opportunity across samples.
  • ZxxZ / MuuyDownloader: A downloader family with multiple documented variants spanning 2021–2025. The "ZxxZ" designation comes from a separator string used to delimit collected system data in C2 beacons. A second variant (first seen 2021) swaps this separator for a dollar sign ($) and subtracts 5 from each character in its string encoding instead of using the standard routine. A third variant (2022) uses a single XOR key for all strings rather than per-string keys. A 2025 sample uses unique XOR keys per string or Base64 encoding — defeating YARA rules written against earlier variants. Proofpoint tracks this family as MuuyDownloader; Qi-Anxin uses the same designation.
  • WmRAT: A C++ remote access trojan currently in active operational use. The C2 server address is stored in the .rdata section of the binary as an XOR-encrypted string, making static analysis without decryption unreliable. In the May 2025 PTCL campaign variant, EclecticIQ analysts recovered the C2 address by identifying the XOR-encrypted blob in the binary and decrypting it using CyberChef. The payload itself was delivered disguised as a PNG file (vcswin.png) — with a fake PNG header prepended to the PE. The delivery script strips the fake header, reconstructs the MZ header in memory, and executes the resulting binary silently as vcswin.exe. WmRAT implements anti-analysis measures including junk thread creation and frequent Sleep() calls to frustrate dynamic analysis and sandbox detonation. Communicates with C2 over HTTPS (port 443) using HTTP GET requests; the victim's computer name and username are included in the beacon URI. Capabilities: system information collection, file and directory enumeration, file upload/download, arbitrary command execution via cmd.exe or PowerShell, screenshot capture, and geolocation data retrieval.
  • MiyaRAT: A C++ RAT assessed as the more capable of the two current primary tools, deployed selectively against targets Bitter operators manually classify as high value. Shares WmRAT's core capability set but adds reverse shell functionality. The May 2025 v5.0 variant (SHA-256: c2c92f...e9f0a) expanded use of a character subtraction algorithm with a hardcoded binary key for string decryption, and introduced single-byte XOR for C2 communication — with C2 commands obfuscated to expose only their first characters. Threatray confirmed that traditional YARA rules written against prior MiyaRAT variants failed to detect v5.0 due to these implementation changes, even though the command set and core functionality are unchanged.
  • BDarkRAT: A .NET RAT also tracked as SplinterRAT by some vendors — the naming divergence stems from varying .NET namespaces found across samples. Threatray's analysis traced BDarkRAT's code lineage directly to DarkAgentRAT, an open-source .NET RAT published in 2011. The C2 address is encrypted using AES-256-CBC with key and IV derived via PBKDF2 — the identical implementation used in AlmondRAT, suggesting both were developed by the same programmer. An early 2025 variant (SHA-256: e599c5...28c782) reverted from AES-encrypted C2 addresses to hex-encoded addresses, a regression to an earlier variant's behavior.
  • AlmondRAT: A .NET RAT first observed in 2022, sharing substantial code structure with BDarkRAT including the identical AES-256-CBC / PBKDF2 encryption implementation for stored strings. Provides directory listing, file transfer, and shell command execution. In some variants the C2 address and command strings are stored in encrypted form; the encryption implementation is byte-for-byte identical to BDarkRAT's, providing a cross-family attribution fingerprint.
  • KiwiStealer: A file stealer first identified in 2024. The hardcoded C2 URI is obfuscated using string reversal combined with a modified Caesar cipher (ROT2 — each character shifted by two positions). Exfiltrates only files under 50 MB in size that have been modified within the past year, targeting a defined set of file extensions. Iterates through specific directories and logs exfiltrated filenames with timestamps to a local file named winlist.log. Data is exfiltrated via HTTP POST requests that include the victim's username and computer name appended to the C2 URI.
  • ORPCBackdoor: A DLL backdoor discovered by Knownsec 404, disguised as OLEMAPI32.DLL with the product name set to "Microsoft Outlook" to blend with legitimate Outlook DLLs. Uniquely among BITTER's known tools, ORPCBackdoor uses RPC (Remote Procedure Call) for C2 communication rather than HTTP/HTTPS — making it harder to detect via standard network traffic analysis. The captured sample exposes 17 export functions. ORPCBackdoor is shared with Mysterious Elephant (APT-K-47) and Confucius, and is the primary technical evidence cited for the overlapping Indian intelligence ecosystem hypothesis. It is assessed as most likely targeting Outlook user environments given its DLL name and placement strategy.
  • Havoc Trojan: An open-source C2 framework observed in the February 2024 Chinese government agency intrusion. Its inclusion alongside custom tooling indicates the group supplements its arsenal with commodity frameworks for specific campaigns, likely to shift attribution burden or reduce development overhead for lower-priority targets.
  • Dracarys: An Android spyware tool first reported by Meta in August 2022, targeting users in New Zealand, India, Pakistan, and the United Kingdom via trojanized messaging and utility apps. Exfiltrates data to C2 endpoints under the path prefix r3/. Linked to ProSpy development via shared infrastructure domain com-ae[.]net, identical worker-class naming conventions, and numbered C2 commands — the transition from r3/ to v3/ endpoints being the primary structural difference between the two generations.
  • ProSpy: A feature-rich Android spyware developed in Kotlin, with the earliest known sample dating to August 2024. Masquerades as Signal, WhatsApp, ToTok, Botim, and Zoom. Uses worker classes to handle discrete collection and exfiltration tasks, each schedulable independently or triggerable on demand via numbered C2 commands (0–9). Exfiltration uses REST-style endpoints under /v3/images, /v3/videos, and similar paths. File system traversal targets files by MIME type: Office documents (.docx, .xlsx, .pptx), PDFs, JavaScript files, common archive formats (.zip, .rar, .tar, .7z, .jar, .apk, .json), images, audio, and video. A dedicated NewFilesWorker class exfiltrates only files modified after a specified date. A backup worker scans for files ending in .ttkmbackup (ToTok backup extension) to capture messaging app backups. Eleven samples were recovered by Lookout; active development is evidenced by new worker class additions across the sample set.
  • ToSpy: A second Android spyware strain documented by ESET in October 2025, targeting users in the UAE alongside ProSpy. Grouped with ProSpy by Lookout for attribution purposes due to shared infrastructure and campaign overlap, though tracked under a separate designation by ESET.
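
The vcswin.png delivery described above (a fake PNG header prepended to a PE, with the MZ header rebuilt in memory at run time) can be caught with a structural check rather than a hash: a real PNG is the eight-byte signature followed by CRC-checked chunks ending in IEND, so a PE tacked on after a fake header either breaks the chunk walk or leaves trailing bytes. The following Python is an added example, not EclecticIQ's or this profile's code; it relies only on the public PNG and PE layouts, and the sample bytes are constructed here rather than taken from any real payload.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# COFF machine types a Windows PE plausibly carries (x86, x64, ARM64).
PE_MACHINES = {0x014C, 0x8664, 0xAA64}


def walk_png_chunks(data):
    """Walk PNG chunks after the signature.

    Returns (end_offset, problem): end_offset is where well-formed PNG data stops
    (just past IEND for a clean file, else at the first bad chunk); problem is
    None for a clean walk, otherwise a short description.
    """
    if not data.startswith(PNG_SIG):
        return 0, "no PNG signature"
    off = len(PNG_SIG)
    while off + 12 <= len(data):  # length(4) + type(4) + crc(4) at minimum
        length = struct.unpack(">I", data[off:off + 4])[0]
        ctype = data[off + 4:off + 8]
        if not ctype.isalpha():  # chunk types are four ASCII letters
            return off, "non-ASCII chunk type"
        body_end = off + 8 + length
        if body_end + 4 > len(data):
            return off, "truncated %s chunk" % ctype.decode()
        stored_crc = struct.unpack(">I", data[body_end:body_end + 4])[0]
        if zlib.crc32(data[off + 4:body_end]) & 0xFFFFFFFF != stored_crc:
            return off, "bad CRC on %s chunk" % ctype.decode()
        off = body_end + 4
        if ctype == b"IEND":
            return off, None
    return off, "no IEND chunk"


def find_pe_signatures(blob):
    """Offsets in blob of 'PE\\0\\0' followed by a known COFF machine type."""
    hits = []
    idx = blob.find(b"PE\x00\x00")
    while idx != -1:
        if idx + 6 <= len(blob):
            machine = struct.unpack("<H", blob[idx + 4:idx + 6])[0]
            if machine in PE_MACHINES:
                hits.append(idx)
        idx = blob.find(b"PE\x00\x00", idx + 1)
    return hits


def triage_png(data):
    """Classify bytes presented as a PNG; returns a dict of findings."""
    end, problem = walk_png_chunks(data)
    payload = data[end:]  # whatever sits beyond the parsable PNG structure
    mz_ok = False
    if len(payload) >= 0x40 and payload[:2] == b"MZ":
        e_lfanew = struct.unpack("<I", payload[0x3C:0x40])[0]
        mz_ok = payload[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"
    # Scan for the PE signature too: the MZ stub may have been stripped for later rebuild.
    pe_offsets = [end + o for o in find_pe_signatures(payload)]
    return {
        "png_structure": problem or "ok",
        "trailing_bytes": len(payload),
        "mz_at_payload_start": mz_ok,
        "pe_offsets": pe_offsets,
        "suspicious": mz_ok or bool(pe_offsets),
    }


# --- constructed samples (not real malware bytes) ---------------------------

def _chunk(ctype, body):
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


IHDR = _chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0))
CLEAN_PNG = PNG_SIG + IHDR + _chunk(b"IEND", b"")


def _pe_skeleton(with_mz=True):
    """Minimal PE-shaped bytes: DOS header with e_lfanew -> 0x40, then PE\\0\\0 + x64."""
    dos = bytearray(0x40)
    if with_mz:
        dos[:2] = b"MZ"
        dos[0x3C:0x40] = struct.pack("<I", 0x40)
    return bytes(dos) + b"PE\x00\x00" + struct.pack("<H", 0x8664) + b"\x00" * 18


# Modelled on the vcswin.png trick: a PNG signature and IHDR, then a PE appended.
FAKE_PNG_WITH_PE = PNG_SIG + IHDR + _pe_skeleton()
# Same, with the DOS header zeroed, as if the MZ stub were stripped for later rebuild.
FAKE_PNG_NO_MZ = PNG_SIG + IHDR + _pe_skeleton(with_mz=False)

if __name__ == "__main__":
    for name, sample in [("clean", CLEAN_PNG), ("png+pe", FAKE_PNG_WITH_PE),
                         ("png+pe, no MZ", FAKE_PNG_NO_MZ)]:
        print(name, triage_png(sample))
```

Run it over files that arrive with image extensions from archive attachments or are written to ProgramData by a scheduled task; the `png_structure` and `pe_offsets` fields give an analyst the reason for the verdict rather than only a flag.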

Indicators of Compromise

Publicly available IOCs from documented recent campaigns. Verify currency before operational use.

warning

IOCs rotate rapidly after public disclosure. These are provided for threat hunting context and historical reference. Cross-reference against current threat intelligence feeds before applying as blocking rules in production environments.

indicators of compromise — 2024–2025 campaigns
domain jacknwoods[.]com (staging — Turkish defense + PTCL campaigns)
domain northgenstudios[.]com (CHM campaign — Chinese gov agency, 2024)
domain dtzappaccount[.]com (Havoc C2 — Chinese gov agency, 2024)
domain tradesmarkets[.]greenadelhouse[.]com (WmRAT C2 — PTCL campaign)
ip 45.66.248.66 (Havoc C2 — Chinese gov agency, 2024)
ip 185.244.151.84 (shared — jacknwoods[.]com infrastructure)
scheduled task DsSvcCleanup (Turkish defense campaign — beacons every 17 min)
lure filename PUBLIC INVESTMENTS PROJECTS 2025 _ MADAGASCAR.pdf.lnk (Turkish defense lure — Proofpoint, Dec 2024)
indicators of compromise — prospy mena campaign (2024–2026)
domain com-ae[.]net (shared infrastructure — ProSpy and Dracarys campaigns)
domain totok-pro[.]ai-ae[.]io (ProSpy distribution — fake ToTok update)
domain sgnlapp[.]info (ProSpy C2 / staging)
domain treasuresland[.]cc (ProSpy C2 / staging)
domain encryption-plug-in-signal.com-ae[.]net (initial access — fake Signal encryption plugin)
c2 pattern REST endpoints /v3/images, /v3/videos — ProSpy data exfiltration paths
social eng. Fake LinkedIn persona "Haifa Kareem" — used to approach Egyptian journalist target
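To turn the two IoC tables above into something that can be run over proxy or DNS logs, here is an added Python example (not code from the profile or from any of the cited vendors). It refangs the published `[.]` indicators, matches destination hosts against them including subdomains (so the `encryption-plug-in-signal.com-ae[.]net` staging host hits the listed parent `com-ae[.]net`), checks the two listed IPs, and flags the ProSpy `/v3/...` and Dracarys `r3/` exfiltration path shapes. The log line format, client addresses, benign hosts and non-IoC IPs are constructed placeholders; only the indicator values come from the tables.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed indicator set, copied from the profile's IoC tables in the
# defanged form they are published in ([.] in place of the dot).
DEFANGED_DOMAINS = [
    "jacknwoods[.]com",
    "northgenstudios[.]com",
    "dtzappaccount[.]com",
    "tradesmarkets[.]greenadelhouse[.]com",
    "com-ae[.]net",
    "totok-pro[.]ai-ae[.]io",
    "sgnlapp[.]info",
    "treasuresland[.]cc",
]
IOC_IPS = {"45.66.248.66", "185.244.151.84"}
# ProSpy REST exfiltration endpoints live under /v3/, Dracarys used r3/.
# This is a weak signal on its own and is reported separately for triage.
C2_PATH_RE = re.compile(r"^/(?:v3|r3)/[a-z]+")


def refang(indicator: str) -> str:
    """Convert a defanged indicator (a[.]b, hxxp://) back to its literal form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").strip().lower()


IOC_DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}


def matching_ioc_domain(host: str) -> Optional[str]:
    """Return the IoC domain that `host` equals or is a subdomain of, else None.
    Walking the label suffixes means a.b.com-ae.net matches the listed com-ae.net."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in IOC_DOMAINS:
            return candidate
    return None


@dataclass(frozen=True)
class Hit:
    line_no: int
    indicator: str
    reason: str  # "domain", "ip" or "c2-path-pattern"


def scan_proxy_log(lines: List[str]) -> List[Hit]:
    """Scan whitespace-separated proxy log lines of the constructed form
    '<timestamp> <client_ip> <dest_host> <dest_ip> <method> <path>'."""
    hits: List[Hit] = []
    for n, line in enumerate(lines, 1):
        parts = line.split()
        if len(parts) < 6:
            continue  # malformed line: skip rather than abort the whole hunt
        _, _, dest_host, dest_ip, _, path = parts[:6]
        dom = matching_ioc_domain(dest_host)
        if dom:
            hits.append(Hit(n, dom, "domain"))
        if dest_ip in IOC_IPS:
            hits.append(Hit(n, dest_ip, "ip"))
        if C2_PATH_RE.match(path):
            hits.append(Hit(n, path, "c2-path-pattern"))
    return hits


# Constructed sample log. Client addresses, benign hosts and the 203.0.113.x /
# 198.51.100.x addresses are documentation placeholders, not real observations.
SAMPLE_LOG = [
    "2025-01-10T09:00:01 10.0.0.12 www.example.org 93.184.216.34 GET /index.html",
    "2025-01-10T09:17:02 10.0.0.12 jacknwoods.com 185.244.151.84 GET /script.php?param=WS01*alice",
    "2025-01-10T09:18:40 10.0.0.33 encryption-plug-in-signal.com-ae.net 203.0.113.7 GET /plugin.apk",
    "2025-01-10T09:20:05 10.0.0.33 sgnlapp.info 203.0.113.9 POST /v3/images",
    "2025-01-10T09:21:00 10.0.0.12 updates.example.net 198.51.100.5 GET /v3/changelog",
    "malformed line",
]

if __name__ == "__main__":
    for h in scan_proxy_log(SAMPLE_LOG):
        print(f"line {h.line_no}: {h.reason} match on {h.indicator}")
```

Note that the benign `updates.example.net /v3/changelog` line is reported as a `c2-path-pattern` hit: the path shape alone is not attributable, which is why the function keeps that reason distinct from the domain and IP matches so an analyst can weight them differently.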

Mitigation & Defense

BITTER's documented TTPs point to clear defensive controls. The group's consistent reliance on scheduled tasks and spear-phishing means defenders can build durable detection around those two behaviors regardless of how the delivery file formats rotate.

  • Email gateway controls — RAR and archive inspection: BITTER consistently delivers payloads inside RAR archives. Configure email security gateways to sandbox archive attachments and scan contents including LNK, CHM, MSC, and IQY files. Block or quarantine LNK files in archives outright where there is no legitimate business need.
  • NTFS Alternate Data Stream detection: The group hides malicious PowerShell in ADS within archive files. Endpoint detection rules should monitor for ADS creation and execution events. Standard Windows extraction tools do not expose ADS — 7-Zip or forensic tools are required for manual inspection.
  • Scheduled task monitoring: Alert on scheduled task creation (Windows Event ID 4698) with unusual names or communication patterns. BITTER's tasks beacon on fixed 15–18 minute intervals — anomaly detection on outbound HTTP/HTTPS with precise periodic timing is effective for catching this behavior.
  • PowerShell hardening: Enable Script Block Logging (Event ID 4104) and Transcription logging to capture base64-encoded PowerShell execution. Constrained Language Mode limits the group's ability to execute arbitrary PowerShell payloads from weaponized attachments.
  • Patch Office Equation Editor vulnerabilities: CVE-2017-11882 and CVE-2018-0802 remain in BITTER's documented exploit set. Ensure all Office installations are current and disable Equation Editor where it has no business function (mitigated by default in Office 2016 and later with January 2018 patches).
  • Compromised account detection: The group uses compromised legitimate government email accounts as sending infrastructure. DMARC, DKIM, and SPF enforcement at the receiving gateway can flag alignment failures on emails purporting to originate from government domains. User awareness training should emphasize that sender identity is not sufficient authentication.
  • Hunt for IST-aligned C2 activity: BITTER's C2 infrastructure registration, certificate issuance, and hands-on-keyboard activity all correlate with UTC+5:30 business hours. Monitoring for C2 interaction patterns that align with this timezone can help prioritize triage of suspicious outbound connections.
  • Restrict WMIC and msiexec abuse: The group uses WMIC for antivirus enumeration pre-payload and msiexec to install RAT payloads silently (/qn /norestart). Application control policies should alert on msiexec running from user-writable paths and restrict WMIC access for non-administrative accounts.
  • Android device hygiene for high-risk targets: The ProSpy campaign demonstrates BITTER-linked actors deploying mobile malware against civil society, journalists, and diplomatic personnel. Organizations in at-risk sectors should prohibit sideloading of APKs from unverified sources, enforce MDM policies, and provide targeted users with guidance on recognizing Signal QR code linking abuse — a technique used in this campaign to silently link a victim's Signal account to an attacker-controlled device without installing malware.
  • Apple account hardening: The MENA campaign used Apple ID phishing to access iCloud backups as a lower-cost alternative to commercial spyware. Enforcing hardware security keys as the second factor for Apple ID accounts eliminates this attack path. Users in targeted sectors should be trained to recognize Apple Support impersonation via iMessage and WhatsApp, and should treat any out-of-band request to verify Apple credentials as high-suspicion.
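The scheduled task bullet above recommends anomaly detection on outbound connections with precise periodic timing, and the FAQ lists the staging check-in URL shape `script.php?param=COMPUTERNAME*USERNAME`. The following added Python example (not code from the profile or any vendor) implements both signals over constructed connection records: it groups connections per source/destination pair, computes inter-arrival intervals, and flags pairs whose mean cadence falls in the 15 to 18 minute band stated in the profile with very low jitter. The jitter threshold (coefficient of variation under 10%) and minimum sample count (5) are assumptions, as are the host names WS01 to WS03 and the benign CDN host.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, pstdev
from typing import List, Tuple

# Beacon cadence documented in the profile: fixed 15-18 minute intervals.
MIN_PERIOD_S = 15 * 60
MAX_PERIOD_S = 18 * 60
MAX_JITTER_CV = 0.10  # assumption: <10% coefficient of variation counts as "precise"
MIN_SAMPLES = 5       # assumption: fewer connections than this cannot establish a cadence

# Staging check-in shape from the profile: script.php?param=COMPUTERNAME*USERNAME
# (two non-empty fields separated by a literal '*').
CHECKIN_RE = re.compile(r"/script\.php\?param=[^*&\s]+\*[^&\s]+")


def is_checkin_url(path: str) -> bool:
    """True when a request path matches the documented check-in URL shape."""
    return CHECKIN_RE.search(path) is not None


@dataclass(frozen=True)
class BeaconFinding:
    src: str
    dst: str
    samples: int
    mean_minutes: float
    jitter_cv: float


def detect_periodic_beacons(connections: List[Tuple[str, str, str]]) -> List[BeaconFinding]:
    """connections: (iso_timestamp, src_host, dst_host) tuples, any order.
    Flags src/dst pairs whose inter-arrival times are both inside the
    15-18 minute band and nearly jitter-free."""
    by_pair = defaultdict(list)
    for ts, src, dst in connections:
        by_pair[(src, dst)].append(datetime.fromisoformat(ts))
    findings: List[BeaconFinding] = []
    for (src, dst), stamps in sorted(by_pair.items()):
        if len(stamps) < MIN_SAMPLES:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else float("inf")
        if MIN_PERIOD_S <= avg <= MAX_PERIOD_S and cv <= MAX_JITTER_CV:
            findings.append(BeaconFinding(src, dst, len(stamps), round(avg / 60, 2), round(cv, 4)))
    return findings


def _stamps(base: datetime, offsets_s: List[int]) -> List[str]:
    """Build ISO timestamps at the given second offsets from base (sample data helper)."""
    return [(base + timedelta(seconds=o)).isoformat() for o in offsets_s]


BASE = datetime(2024, 12, 2, 9, 0, 0)
# Constructed sample records (placeholder hosts, not real telemetry):
#  WS01 -> jacknwoods.com roughly every 17 minutes with seconds of jitter,
#  WS02 -> a benign CDN whose mean gap is also ~17 min but wildly irregular,
#  WS03 -> too few connections to judge.
SAMPLE_CONNECTIONS = (
    [(t, "WS01", "jacknwoods.com") for t in _stamps(BASE, [0, 1020, 2035, 3055, 4080, 5100, 6125, 7150])]
    + [(t, "WS02", "cdn.example.net") for t in _stamps(BASE, [0, 300, 1500, 2100, 4080, 5100])]
    + [(t, "WS03", "jacknwoods.com") for t in _stamps(BASE, [0, 1020, 2040])]
)

if __name__ == "__main__":
    for f in detect_periodic_beacons(SAMPLE_CONNECTIONS):
        print(f"{f.src} -> {f.dst}: {f.samples} connections, mean {f.mean_minutes} min, jitter cv {f.jitter_cv}")
```

The WS02 case is the one worth studying: its average gap also lands at 17 minutes, so a detector that only averages would page on it. Dividing the standard deviation by the mean separates the machine-driven cadence of a scheduled task from a human browsing pattern that happens to have the same average.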

analyst note

BITTER's June 2025 Proofpoint/Threatray report represented the strongest public attribution of this actor to Indian state interests to date, advancing the assessment from a tentative South Asian nexus to a highly likely Indian state-backed determination. The April 2026 disclosure of the ProSpy/MENA campaign adds a significant new dimension: for the first time, BITTER-linked infrastructure and tooling have been documented against civil society — journalists and opposition figures in Egypt, Lebanon, Bahrain, and the UAE. The hack-for-hire framing, combined with possible links to the Indian firm Appin (flagged by SC Media), suggests the group may be operating a dual-track model: direct state collection against government and military targets, and outsourced or contracted operations against civil society clients. Tool-sharing overlaps with Mysterious Elephant and Confucius continue to suggest a broader Indian intelligence ecosystem. The group's willingness to operate during active India-Pakistan military escalation (May 2025, Operation Sindoor) and to expand into civil society targeting signals both growing operational tempo and a diversifying business model.

Frequently Asked Questions

Common questions about BITTER / TA397 based on publicly available threat intelligence.

What is BITTER / T-APT-17?
BITTER (also tracked as T-APT-17, TA397, APT-C-08, Hazy Tiger, and Orange Yali) is a sophisticated cyber espionage group assessed as operating on behalf of Indian state intelligence since at least 2013. The group conducts highly selective spear-phishing campaigns against government, military, defense, and telecommunications targets in Pakistan, China, Bangladesh, Saudi Arabia, and Turkey. In June 2025, Proofpoint and Threatray assessed with high likelihood that BITTER operates on behalf of the Indian state, based on IST-aligned infrastructure timestamps, operator working hours, and exfiltrated document evidence.

What malware does BITTER use?
BITTER's current primary tools are WmRAT and MiyaRAT — C++ remote access trojans active as of 2025. MiyaRAT is reserved for the highest-value targets and adds reverse shell capability. The broader ecosystem includes BitterRAT, ArtraDownloader, ZxxZ/MuuyDownloader, BDarkRAT, AlmondRAT, KiwiStealer, ORPCBackdoor, and the Android spyware families Dracarys, ProSpy, and ToSpy. See the Tools & Malware section for the full comparison.

How does BITTER deliver its malware?
The core delivery chain: a spear-phishing email from a compromised government account → a RAR archive containing a decoy PDF, a malicious LNK file, and base64-encoded PowerShell hidden in NTFS Alternate Data Streams → LNK execution triggers PowerShell to create a scheduled task → the task beacons to staging infrastructure every 15–18 minutes → operators triage the victim before deploying WmRAT or MiyaRAT via MSI installer. Earlier campaigns used CHM files in place of LNK+ADS.

Is BITTER linked to the Indian government?
As of mid-2025, Proofpoint and Threatray assess with high likelihood that BITTER / TA397 operates on behalf of the Indian state. Evidence includes infrastructure registration and TLS certificate issuance aligned with IST (UTC+5:30) business hours, hands-on-keyboard activity timed to IST, targeting patterns consistent with Indian strategic intelligence requirements, and tool-sharing overlaps with other India-assessed clusters including Mysterious Elephant and Confucius. The April 2026 ProSpy/MENA disclosure adds a possible contracted espionage dimension with suggested links to the Indian firm Appin.

What is the BITTER ProSpy MENA campaign?
Disclosed in April 2026 by Access Now, Lookout, and SMEX, the ProSpy/MENA campaign is a hack-for-hire operation linked to BITTER infrastructure that targeted journalists, activists, and opposition politicians in Egypt, Lebanon, Bahrain, and the UAE. Android users received ProSpy spyware disguised as Signal, WhatsApp, Zoom, ToTok, and Botim. iPhone users were targeted via Apple ID phishing for iCloud backup access. It is the first confirmed BITTER-linked operation against civil society, and is assessed as likely contracted rather than direct state collection.

How can defenders detect BITTER activity?
Key detection signals: scheduled task creation (Event ID 4698) with unusual names beaconing every 15–18 minutes; outbound HTTP GET requests matching script.php?param=COMPUTERNAME*USERNAME; Let's Encrypt certificates on newly registered staging domains; base64-encoded PowerShell (Event ID 4104); msiexec from user-writable paths; WMIC antivirus queries preceding payload delivery; C2 interaction patterns aligned with UTC+5:30 business hours. See the full Mitigation & Defense section for actionable controls.

Sources & Further Reading

Attribution and references used to build this profile.
