BITTER / T-APT-17
A South Asian espionage group assessed by Proofpoint with high likelihood as operating on behalf of an Indian intelligence organization, conducting long-running campaigns against Pakistan, China, Bangladesh, and Saudi Arabia. Known for targeting an exceedingly narrow set of high-value government, defense, and diplomatic targets, BITTER has operated continuously since at least 2013 and demonstrated expanding geographic reach and a maturing custom toolset through 2025.
Overview
BITTER is a sophisticated, state-assessed cyber espionage actor that has maintained persistent operations since at least 2013. The group is tracked under multiple designations across vendors — Proofpoint calls it TA397, Tencent tracks it as APT-C-08, and it is also referred to as T-APT-17, Hazy Tiger, and Orange Yali. In June 2025, Proofpoint and Threatray published a joint two-part analysis assessing with high likelihood that TA397 operates on behalf of the Indian state, based on targeting patterns, infrastructure timestamps, and observed hands-on-keyboard activity timed to Indian Standard Time (IST) working hours.
The group's hallmark is extreme selectivity. Rather than broad opportunistic campaigns, BITTER targets an exceedingly narrow subset of individuals within specific organizations — typically personnel in core positions with access to strategic intelligence, military documents, or critical infrastructure systems. This precision is supported by a steadily maturing custom malware ecosystem: the group has evolved from early commodity tools to purpose-built remote access trojans including BitterRAT, WmRAT, MiyaRAT, and BDarkRAT, with tooling that appears to remain under active development as of 2025.
Infrastructure analysis provides a strong forensic fingerprint: domain registration, TLS certificate issuance via Let's Encrypt, and passive DNS timestamps consistently map to IST business hours. The group also shares tooling overlaps with other suspected India-aligned threat clusters, including Mysterious Elephant (APT-K-47) and Confucius, suggesting a broader shared infrastructure or development ecosystem within the same national intelligence apparatus.
On May 7, 2025 — during active military escalation between India and Pakistan under Operation Sindoor — EclecticIQ confirmed BITTER targeted Pakistan Telecommunication Company Limited (PTCL) workers via spear-phishing, delivering WmRAT. The campaign targeted 5G infrastructure engineers, DevOps specialists, project managers, and satellite communication experts. Stolen credentials from Pakistan's Counter Terrorism Department were used to lend credibility to the phishing emails, and the attack timing is assessed as deliberately opportunistic, exploiting the military conflict to maximize intelligence value.
Target Profile
BITTER's targeting is geopolitically structured and extremely selective. The group focuses on individuals in positions with direct access to strategic, military, or infrastructure intelligence — rather than whole organizations or broad sectors.
- Government and diplomatic entities: Long-standing primary focus. Targeted government ministries, diplomatic organizations, and public sector bodies across Pakistan, China, Bangladesh, and Saudi Arabia. The group impersonates allied and neutral governments to construct credible lures, and has no qualms about masquerading as Indian government entities when targeting regional adversaries.
- Defense organizations: Military institutions and defense contractors across South Asia and EMEA. The November 2024 Turkish campaign targeted a defense sector organization. Exfiltrated documents confirmed to include a strategic military document from a Bangladeshi military organization.
- Telecommunications: The May 2025 PTCL campaign demonstrated active targeting of national telecommunications operators, specifically individuals with access to 5G infrastructure and satellite communications — consistent with intelligence collection on national communications resilience.
- Energy and engineering: MITRE ATT&CK and FortiGuard document targeting of energy and engineering organizations in the group's target geography, aligned with collection of industrial and infrastructure intelligence.
- Research institutes and NGOs: Academic and research institutions, particularly those with defense, policy, or science connections, have been targeted across South and Southeast Asia.
- Expanding geographic footprint: While operations have historically concentrated in South Asia, the group has progressively expanded into EMEA (Turkey, Saudi Arabia), APAC (China, Bangladesh), and has been observed targeting entities in South America.
Tactics, Techniques & Procedures
BITTER demonstrates consistent core TTPs across campaigns while regularly experimenting with delivery mechanisms to evade detection. Scheduled tasks and spear-phishing are the group's structural constants; delivery file formats rotate frequently as detection catches up to each method.
| MITRE ID | Technique | Description |
|---|---|---|
| T1566.001 | Spear-Phishing Attachment | Core delivery vector. RAR archives contain decoy PDFs alongside malicious LNK or CHM files. Lures are geopolitically tailored — World Bank infrastructure project documents, government correspondence, and conference invitations have all been used. Emails are sent from compromised legitimate government accounts to maximize authenticity. |
| T1059.001 | PowerShell | Base64-encoded PowerShell blobs are stored in NTFS Alternate Data Streams (ADS) within RAR archives. When the LNK file is executed, it triggers these hidden PowerShell commands to establish persistence and beacon to staging infrastructure without visible execution indicators. |
| T1053.005 | Scheduled Task / Job | The group's most consistent persistence mechanism across all documented campaigns. Scheduled tasks — such as DsSvcCleanup — beacon to staging domains every 15–18 minutes transmitting victim machine data. Operators manually review this data before deploying second-stage payloads to targets deemed high value. |
| T1564.004 | NTFS Alternate Data Streams | Malicious PowerShell code is hidden within ADS inside RAR archives under stream names such as "Participation." These streams are invisible to standard Windows extraction tools like WinRAR but visible through 7-Zip, allowing the payload to evade casual inspection of the archive contents. |
| T1219 | Remote Access Tools | WmRAT and MiyaRAT are the current primary C++ implants. Both support file exfiltration, arbitrary command execution, screenshot capture, geolocation data collection, and directory enumeration. MiyaRAT additionally supports reverse shell commands and is selectively deployed against high-value targets only. |
| T1082 | System Information Discovery | Before deploying second-stage payloads, operators manually enumerate the target system via hands-on-keyboard activity: listing running processes, enumerating the ProgramData directory, and using WMIC to identify antivirus products. This deliberate triage avoids burning payloads on low-value or monitored systems. |
| T1078 | Valid Accounts | Phishing emails in the May 2025 PTCL campaign were sent from a compromised Counter Terrorism Department email account at Islamabad Police Headquarters, using stolen credentials to add authenticity. The group has a documented pattern of using compromised government accounts as sending infrastructure. |
| T1218.001 | Compiled HTML File (CHM) | Throughout the first half of 2024, BITTER used Microsoft Compiled Help Files (CHM) inside RAR archives as a primary mechanism for creating scheduled tasks on target machines, before transitioning to LNK files with NTFS ADS in late 2024. |
| T1068 | Exploitation for Privilege Escalation | CVE-2021-1732 (Win32k privilege escalation) is documented in BITTER's exploit arsenal alongside Office document exploitation via CVE-2017-11882 and CVE-2018-0802 (Equation Editor) used for initial code execution from weaponized documents. |
| T1071.001 | Web Protocols C2 | WmRAT communicates with C2 infrastructure via HTTPS (port 443) using HTTP GET requests. Victim machine information is Base64-encoded before transmission. C2 domains use Let's Encrypt certificates with registration patterns tied to IST business hours. |
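The T1566.001 and T1078 rows describe the two traits a receiving gateway can test for on every inbound message: whether the visible From: domain actually aligns with the SPF/DKIM domains the gateway authenticated, and whether the message carries a RAR archive or one of the LNK/CHM/MSC/IQY formats the group rotates through. The following Python triage routine is an added example, not code from Proofpoint, EclecticIQ or any other source cited on this page. It assumes the gateway has already written an Authentication-Results header, approximates the organizational domain with a small fixed list of second-level labels in place of the Public Suffix List, and uses constructed sample messages on reserved example domains.

```python
"""Inbound-mail triage for the BITTER delivery pattern: archive attachments
carrying LNK/CHM/MSC/IQY content, sent from addresses that may or may not
align with the authenticated sending domain. Added example; sample data is
constructed and all domains use reserved .invalid / example names."""
import os
import re
from email.message import EmailMessage, Message
from email.utils import parseaddr

RISKY_EXTENSIONS = {".rar", ".lnk", ".chm", ".msc", ".iqy"}
# Assumption: a few common second-level labels stand in for the Public Suffix List.
SECOND_LEVEL = {"gov", "com", "edu", "org", "net", "ac", "co", "mil"}


def org_domain(domain: str) -> str:
    """Organizational domain used for relaxed DMARC alignment (simplified)."""
    labels = domain.lower().strip().rstrip(".").split(".")
    if len(labels) >= 3 and labels[-2] in SECOND_LEVEL:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def parse_auth_results(header: str) -> dict:
    """Extract spf/dkim verdicts and the domains they were evaluated for."""
    results = {}
    spf = re.search(r"spf=(\w+)(?:[^;]*?smtp\.mailfrom=([^;\s]+))?", header)
    if spf:
        results["spf"] = (spf.group(1).lower(), (spf.group(2) or "").split("@")[-1])
    dkim = re.search(r"dkim=(\w+)(?:[^;]*?header\.d=([^;\s]+))?", header)
    if dkim:
        results["dkim"] = (dkim.group(1).lower(), dkim.group(2) or "")
    return results


def dmarc_alignment(msg: Message) -> dict:
    """Relaxed alignment: SPF or DKIM passed AND its domain shares the From: org domain."""
    from_dom = parseaddr(msg.get("From", ""))[1].split("@")[-1].lower()
    from_org = org_domain(from_dom) if from_dom else ""
    auth = parse_auth_results(str(msg.get("Authentication-Results", "")))

    def aligned(mech):
        verdict, dom = auth.get(mech, ("none", ""))
        return verdict == "pass" and bool(dom) and org_domain(dom) == from_org

    spf_ok, dkim_ok = aligned("spf"), aligned("dkim")
    return {"from_domain": from_dom, "spf_aligned": spf_ok,
            "dkim_aligned": dkim_ok, "aligned": spf_ok or dkim_ok}


def risky_attachments(msg: Message) -> list:
    """Attachment names whose extension matches the group's delivery formats."""
    return [p.get_filename() for p in msg.walk()
            if p.get_filename()
            and os.path.splitext(p.get_filename())[1].lower() in RISKY_EXTENSIONS]


def triage(msg: Message) -> dict:
    """Combine both checks; a compromised real account passes alignment,
    so the attachment check runs regardless of the alignment verdict."""
    verdict = dmarc_alignment(msg)
    verdict["attachments"] = risky_attachments(msg)
    flags = []
    if not verdict["aligned"]:
        flags.append("sender-alignment-failure")
    if verdict["attachments"]:
        flags.append("risky-archive-attachment")
    verdict["flags"] = flags
    return verdict


def build_sample(from_addr: str, auth_results: str, attachment: str) -> EmailMessage:
    """Constructed test message; the Authentication-Results line mimics a gateway's."""
    msg = EmailMessage()
    msg["From"] = from_addr
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "PUBLIC INVESTMENTS PROJECTS 2025"
    msg["Authentication-Results"] = auth_results
    msg.set_content("Please find the project document attached.")
    msg.add_attachment(b"Rar!\x1a\x07\x01\x00", maintype="application",
                       subtype="octet-stream", filename=attachment)
    return msg


# Lookalike infrastructure authenticated, but From: claims a ministry address.
SPOOFED = build_sample(
    "ops@example-ministry.gov.pk",
    "mx.example.invalid; spf=pass smtp.mailfrom=bounce.example-attacker.invalid; "
    "dkim=pass header.d=example-attacker.invalid",
    "Project_Brief.pdf")
# Genuinely compromised account: alignment passes, only the attachment check fires.
COMPROMISED = build_sample(
    "ops@example-ministry.gov.pk",
    "mx.example.invalid; spf=pass smtp.mailfrom=mail.example-ministry.gov.pk; "
    "dkim=pass header.d=example-ministry.gov.pk",
    "PUBLIC_INVESTMENTS_2025.rar")

if __name__ == "__main__":
    for label, sample in (("spoofed", SPOOFED), ("compromised", COMPROMISED)):
        print(label, triage(sample))
```

The second sample is the important one: mail sent from a compromised government mailbox, as in the November 2024 and May 2025 campaigns, passes SPF and DKIM alignment cleanly, so alignment failures catch lookalike spoofing but not the group's preferred sending method. That is why the attachment check is evaluated independently rather than only when alignment fails.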
Known Campaigns
Confirmed or highly attributed operations linked to BITTER / TA397 across a documented operational history spanning over a decade.
BITTER's earliest documented campaigns focused on government, military, and energy organizations in Pakistan and China. Initial tooling included BitterRAT and ArtraDownloader distributed via spear-phishing with weaponized Office documents exploiting CVE-2017-11882 and CVE-2018-0802 (Equation Editor vulnerabilities). Anomali documented targeting of Pakistan, and later Bangladesh, with government-themed lures. Tencent Research Institute and 360 Threat Intelligence provided early attribution under the APT-C-08 and T-APT-17 designations.
Cisco Talos documented BITTER targeting Bangladesh with government-themed lures in a campaign adding the country to the group's confirmed target list alongside Pakistan and China. The campaign used malicious Office macro documents and maintained the group's consistent pattern of public sector and government targeting. The ZxxZ malware family was observed in this period, representing a new downloader component in the BITTER arsenal.
On February 1, 2024, BITTER launched a spear-phishing attack on a Chinese government agency, documented by NSFOCUS. A core employee received an email on January 23 disguised as correspondence from a superior department. The CHM attachment created a scheduled task that beaconed every 18 minutes to northgenstudios[.]com and downloaded Havoc Trojan payloads. The agency detected abnormal external connections during incident response, triggering the NSFOCUS investigation that reconstructed the full attack chain and attributed it to BITTER via historical sample correlation.
Proofpoint documented a November 18, 2024 spear-phishing attack against a Turkish defense sector organization, sent from a compromised government email account. The lure — "PUBLIC INVESTMENTS PROJECTS 2025 _ MADAGASCAR" — referenced a real World Bank infrastructure initiative in Madagascar, chosen to align with the target organization's public sector focus. The RAR archive contained a decoy PDF, an LNK file, and NTFS Alternate Data Streams carrying base64-encoded PowerShell. Execution created the DsSvcCleanup scheduled task beaconing to jacknwoods[.]com every 17 minutes. BITTER operators manually reviewed the resulting system enumeration data before deploying WmRAT and MiyaRAT via MSI installer. MiyaRAT's selective deployment in this campaign suggests the target was classified as high priority.
Proofpoint's June 2025 joint report with Threatray covered a sustained campaign series targeting government organizations linked to China, Pakistan, and neighboring states. Operations demonstrated hands-on-keyboard activity timed to IST working hours, with operators manually correcting failed payload deliveries in real time — including failed retrievals and subsequent recovery via SMB shares mounted as "tempy." Documents found on the actor's SMB share included a scanned Bangladeshi government tax document and a strategic military document from a Bangladeshi military organization, confirming active exfiltration. The group experimented with Microsoft Search Connector (MSC) file formats and exploited CVE-2024-43572 (GrimResource) for remote code execution, reflecting continued investment in novel delivery technique research.
On May 7, 2025, during active India-Pakistan military operations, EclecticIQ confirmed BITTER targeted Pakistan Telecommunication Company Limited (PTCL) workers via an IQY attachment with a malicious Excel macro delivering WmRAT. The email was sent using compromised credentials from Pakistan's Counter Terrorism Department. Targeted personnel included 5G infrastructure engineers, DevOps specialists, project managers, and satellite communication experts — positions with direct relevance to national communications resilience during a military conflict. C2 infrastructure analysis linked the campaign to the jacknwoods[.]com domain documented by Proofpoint in December 2024, confirming continuity of infrastructure across campaigns.
Tools & Malware
BITTER maintains a custom-built malware ecosystem that has evolved steadily over the group's operational history. Tooling shares consistent coding patterns across families, particularly in system information gathering routines and string obfuscation techniques, suggesting a small and consistent development team.
- BitterRAT: The group's original custom remote access trojan, used in early campaigns across Pakistan and China. Provides standard remote access capabilities and served as the foundation for later tooling evolution.
- ArtraDownloader: A downloader component used to stage and retrieve second-stage payloads. Observed across multiple campaigns as part of the initial access and staging phase of the infection chain.
- ZxxZ: A downloader observed in 2022 Bangladesh targeting campaigns. Named for a distinctive string pattern in its code. Functions as a loader fetching next-stage implants from attacker-controlled infrastructure.
- WmRAT: A C++ remote access trojan currently in active operational use. Capabilities include system information collection, file exfiltration, arbitrary command execution via cmd.exe or PowerShell, screenshot capture, geolocation data retrieval, and file and directory enumeration. Communicates with C2 over HTTPS using Base64-encoded GET requests. String content is XOR-encrypted to hinder analysis.
- MiyaRAT: A newer C++ RAT assessed as the more sophisticated of the two current primary tools. Shares WmRAT's core capability set but adds reverse shell functionality and advanced directory enumeration. Proofpoint assesses MiyaRAT is reserved for high-value targets given its observed selective and sparse deployment across campaigns.
- BDarkRAT / MuuyDownloader: Additional implants observed in the 2024–2025 campaign series, representing continued expansion of the group's proprietary tooling ecosystem. Assessed as under active development as of 2025.
- Havoc Trojan: An open-source command-and-control framework observed in the February 2024 Chinese government agency intrusion, indicating the group's willingness to supplement custom tooling with commodity frameworks for specific campaigns.
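WmRAT's beaconing pattern, HTTPS GET requests carrying Base64-encoded victim information on the fixed 15–18 minute cadence of the scheduled task that launches it, is a traffic shape rather than a signature, so it survives domain rotation. The Python script below is an added example, not tooling from Proofpoint, Threatray or any other vendor cited here: it groups a constructed web-proxy log by client and destination, scores the regularity of each pair's inter-request gaps, reports any low-jitter period (not only the 15–18 minute window, which it marks separately), and tries to decode Base64 blobs in the request path so an analyst can see what the beacon is carrying. Hostnames, addresses and the encoded victim string are all constructed.

```python
"""Periodic-beacon detection over web proxy logs. Added example; the log lines
are constructed and use reserved example hostnames and private addresses."""
import base64
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed victim-info blob of the kind WmRAT base64-encodes into its GET request.
VICTIM_BLOB = base64.b64encode(b"WIN-HQ123|alice|10.20.1.15").decode()

# Constructed proxy log: <timestamp> <client> <destination host> <path>
SAMPLE_LOG = f"""\
2025-05-07T09:00:03Z 10.20.1.15 staging.example.invalid /cgi/?id={VICTIM_BLOB}
2025-05-07T09:00:00Z 10.20.1.22 updates.example.invalid /check
2025-05-07T09:01:10Z 10.20.1.15 cdn.example.invalid /lib/app.js
2025-05-07T09:03:40Z 10.20.1.15 cdn.example.invalid /img/logo.png
2025-05-07T09:17:05Z 10.20.1.15 staging.example.invalid /cgi/?id={VICTIM_BLOB}
2025-05-07T09:30:00Z 10.20.1.15 cdn.example.invalid /lib/app.js
2025-05-07T09:31:15Z 10.20.1.15 cdn.example.invalid /css/site.css
2025-05-07T09:34:01Z 10.20.1.15 staging.example.invalid /cgi/?id={VICTIM_BLOB}
2025-05-07T09:51:07Z 10.20.1.15 staging.example.invalid /cgi/?id={VICTIM_BLOB}
2025-05-07T10:00:00Z 10.20.1.22 updates.example.invalid /check
2025-05-07T10:08:02Z 10.20.1.15 staging.example.invalid /cgi/?id={VICTIM_BLOB}
2025-05-07T10:15:00Z 10.20.1.15 cdn.example.invalid /lib/app.js
2025-05-07T10:25:04Z 10.20.1.15 staging.example.invalid /cgi/?id={VICTIM_BLOB}
2025-05-07T11:00:00Z 10.20.1.22 updates.example.invalid /check
2025-05-07T12:00:00Z 10.20.1.22 updates.example.invalid /check
"""

B64_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def parse_log(lines):
    """Yield one record per non-empty log line."""
    for line in lines:
        if not line.strip():
            continue
        ts, client, host, path = line.split(maxsplit=3)
        yield {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
               "client": client, "host": host, "path": path}


def decoded_hints(paths):
    """Base64-looking tokens in request paths that decode to printable ASCII."""
    hints = set()
    for path in paths:
        for blob in B64_RE.findall(path):
            try:
                raw = base64.b64decode(blob, validate=True)
            except ValueError:
                continue
            if raw and all(32 <= b < 127 for b in raw):
                hints.add(raw.decode("ascii"))
    return sorted(hints)


def find_beacons(lines, min_events=4, max_cv=0.10, window_min=(15, 18)):
    """Flag client/host pairs whose request gaps have a low coefficient of
    variation; in_bitter_window marks the 15-18 minute cadence from the profile."""
    by_pair = defaultdict(list)
    for rec in parse_log(lines):
        by_pair[(rec["client"], rec["host"])].append(rec)
    findings = []
    for (client, host), recs in sorted(by_pair.items()):
        if len(recs) < min_events:
            continue
        times = sorted(r["ts"] for r in recs)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.fmean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv > max_cv:
            continue
        period = statistics.median(gaps)
        findings.append({
            "client": client, "host": host, "events": len(recs),
            "period_min": round(period / 60, 2), "jitter_cv": round(cv, 4),
            "in_bitter_window": window_min[0] * 60 <= period <= window_min[1] * 60,
            "decoded_hints": decoded_hints(r["path"] for r in recs),
        })
    return findings


if __name__ == "__main__":
    for finding in find_beacons(SAMPLE_LOG.splitlines()):
        print(finding)
```

On the sample, the hourly update check is reported as periodic but outside the window, while the 17-minute cadence to the staging host is reported inside it with the decoded victim string attached; irregular browsing to the CDN host is dropped by the jitter threshold. Tune `max_cv` and `min_events` against a baseline of the environment's own software update traffic before relying on the output for triage.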
Indicators of Compromise
Publicly available IOCs from documented recent campaigns. Verify currency before operational use.
IOCs rotate rapidly after public disclosure. These are provided for threat hunting context and historical reference. Cross-reference against current threat intelligence feeds before applying as blocking rules in production environments.
Mitigation & Defense
BITTER's documented TTPs point to clear defensive controls. The group's consistency in using scheduled tasks and spear-phishing as its structural constants means defenders can build durable detection around these behaviors regardless of how delivery file formats rotate.
- Email gateway controls — RAR and archive inspection: BITTER consistently delivers payloads inside RAR archives. Configure email security gateways to sandbox archive attachments and scan contents including LNK, CHM, MSC, and IQY files. Block or quarantine LNK files in archives outright where there is no legitimate business need.
- NTFS Alternate Data Stream detection: The group hides malicious PowerShell in ADS within archive files. Endpoint detection rules should monitor for ADS creation and execution events. Standard Windows extraction tools do not expose ADS — 7-Zip or forensic tools are required for manual inspection.
- Scheduled task monitoring: Alert on scheduled task creation (Windows Event ID 4698) with unusual names or communication patterns. BITTER's tasks beacon on fixed 15–18 minute intervals — anomaly detection on outbound HTTP/HTTPS with precise periodic timing is effective for catching this behavior.
- PowerShell hardening: Enable Script Block Logging (Event ID 4104) and Transcription logging to capture base64-encoded PowerShell execution. Constrained Language Mode limits the group's ability to execute arbitrary PowerShell payloads from weaponized attachments.
- Patch Office Equation Editor vulnerabilities: CVE-2017-11882 and CVE-2018-0802 remain in BITTER's documented exploit set. Ensure all Office installations are current and disable Equation Editor where it has no business function (mitigated by default in Office 2016 and later with January 2018 patches).
- Compromised account detection: The group uses compromised legitimate government email accounts as sending infrastructure. DMARC, DKIM, and SPF enforcement at the receiving gateway can flag alignment failures on emails purporting to originate from government domains. User awareness training should emphasize that sender identity is not sufficient authentication.
- Hunt for IST-aligned C2 activity: BITTER's C2 infrastructure registration, certificate issuance, and hands-on-keyboard activity all correlate with UTC+5:30 business hours. Monitoring for C2 interaction patterns that align with this timezone can help prioritize triage of suspicious outbound connections.
- Restrict WMIC and msiexec abuse: The group uses WMIC for antivirus enumeration pre-payload and msiexec to install RAT payloads silently (/qn /norestart). Application control policies should alert on msiexec running from user-writable paths and restrict WMIC access for non-administrative accounts.
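Several of the controls above reduce to rules over three Windows event sources: Security Event ID 4698 (scheduled task created, with the task XML in the event), Sysmon Event ID 1 or Security 4688 (process creation, for msiexec and WMIC), and Sysmon Event ID 15 (FileCreateStreamHash, for alternate data streams). The Python triage below is an added example, not a detection rule published by any vendor cited here. It assumes events have already been parsed into dicts carrying the named fields those channels emit, the task XML namespace is the standard Task Scheduler schema, and all paths, task names other than the DsSvcCleanup name noted in this profile, and command lines are constructed.

```python
"""Endpoint-event triage for the controls listed above: scheduled tasks with a
15-18 minute repetition or a script-host action (Security 4698), silent msiexec
installs from user-writable paths and WMIC antivirus enumeration (Sysmon 1),
and non-default NTFS streams (Sysmon 15). Added example; events are constructed
as dicts with the fields the real channels carry, and paths are hypothetical."""
import re
import xml.etree.ElementTree as ET

USER_WRITABLE = re.compile(
    r"\\(?:Users\\[^\\]+\\(?:AppData|Downloads|Desktop|Documents)|Users\\Public|ProgramData|Windows\\Temp)\\",
    re.IGNORECASE)
SCRIPT_HOSTS = ("powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe")
BEACON_WINDOW = (15 * 60, 18 * 60)


def iso_duration_seconds(value):
    """Parse the ISO 8601 duration Task Scheduler uses in <Interval> (e.g. PT17M)."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", value or "")
    if not m:
        return None
    d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return d * 86400 + h * 3600 + mi * 60 + s


def check_task(ev):
    """Security 4698: TaskContent is the task XML; inspect the action and repetition."""
    cmd = args = interval = ""
    for el in ET.fromstring(ev["TaskContent"]).iter():
        tag = el.tag.rsplit("}", 1)[-1]          # drop the task schema namespace
        text = (el.text or "").strip()
        if tag == "Command":
            cmd = text
        elif tag == "Arguments":
            args = text
        elif tag == "Interval":
            interval = text
    reasons = []
    if cmd.lower().endswith(SCRIPT_HOSTS) or USER_WRITABLE.search(cmd):
        reasons.append(f"task action runs {cmd}")
    if re.search(r"(?i)-e(?:nc|ncodedcommand)?\b", args):
        reasons.append("encoded PowerShell arguments")
    secs = iso_duration_seconds(interval)
    if secs and BEACON_WINDOW[0] <= secs <= BEACON_WINDOW[1]:
        reasons.append(f"repeats every {secs // 60} min")
    return reasons


def check_process(ev):
    """Sysmon 1 / Security 4688: Image and CommandLine."""
    image, cmdline = ev.get("Image", "").lower(), ev.get("CommandLine", "")
    reasons = []
    if (image.endswith("msiexec.exe") and re.search(r"[/-](?:qn|quiet|q)\b", cmdline, re.I)
            and USER_WRITABLE.search(cmdline)):
        reasons.append("silent msiexec install from a user-writable path")
    if image.endswith("wmic.exe") and re.search(r"antivirusproduct|securitycenter2", cmdline, re.I):
        reasons.append("WMIC antivirus enumeration")
    return reasons


def check_stream(ev):
    """Sysmon 15: TargetFilename is file:stream; the browser's Zone.Identifier is normal."""
    target = ev.get("TargetFilename", "")
    if target.count(":") < 2:                   # only the drive colon -> no ADS
        return []
    path, stream = target.rsplit(":", 1)
    if stream.lower() == "zone.identifier":
        return []
    return [f"non-default NTFS stream '{stream}' written to {path}"]


RULES = {("Security", 4698): check_task, ("Sysmon", 1): check_process, ("Sysmon", 15): check_stream}


def triage_events(events):
    """Run the matching rule for each event and keep those with at least one reason."""
    findings = []
    for idx, ev in enumerate(events):
        rule = RULES.get((ev["channel"], ev["event_id"]))
        reasons = rule(ev) if rule else []
        if reasons:
            findings.append({"index": idx, "event_id": ev["event_id"], "reasons": reasons})
    return findings


# Constructed sample events. The task XML follows the Task Scheduler schema.
TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger><Repetition><Interval>PT17M</Interval></Repetition></TimeTrigger></Triggers>
  <Actions><Exec><Command>powershell.exe</Command><Arguments>-w hidden -enc QUFBQQ==</Arguments></Exec></Actions>
</Task>"""
BENIGN_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger><Repetition><Interval>PT1H</Interval></Repetition></TimeTrigger></Triggers>
  <Actions><Exec><Command>C:\\Program Files\\ExampleVendor\\sync.exe</Command></Exec></Actions>
</Task>"""
SAMPLE_EVENTS = [
    {"channel": "Security", "event_id": 4698, "TaskName": "\\DsSvcCleanup", "TaskContent": TASK_XML},
    {"channel": "Security", "event_id": 4698, "TaskName": "\\ExampleVendorSync", "TaskContent": BENIGN_TASK_XML},
    {"channel": "Sysmon", "event_id": 1, "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r'msiexec.exe /i "C:\Users\alice\AppData\Local\Temp\update.msi" /qn /norestart'},
    {"channel": "Sysmon", "event_id": 1, "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r'msiexec.exe /i "C:\Program Files\ExampleVendor\setup.msi" /qn'},
    {"channel": "Sysmon", "event_id": 1, "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": r"wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get displayName"},
    {"channel": "Sysmon", "event_id": 15, "TargetFilename": r"C:\Users\alice\Downloads\invite.pdf:Participation"},
    {"channel": "Sysmon", "event_id": 15, "TargetFilename": r"C:\Users\alice\Downloads\invite.rar:Zone.Identifier"},
]

if __name__ == "__main__":
    for finding in triage_events(SAMPLE_EVENTS):
        print(finding)
```

The scheduled-task rule is the durable one: it keys on the repetition interval and the action's binary rather than on the task name, so it still fires when the group renames the task or switches from CHM to LNK delivery. The hourly vendor task and the Zone.Identifier stream in the sample show the two exclusions a production rule needs to avoid flooding the queue; extend `USER_WRITABLE` and the benign-task handling to match the environment's own software inventory.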
BITTER's June 2025 Proofpoint/Threatray report represents the strongest public attribution of this actor to Indian state interests to date, moving from "South Asian nexus assessed" to "highly likely Indian state-backed." Tool-sharing overlaps with Mysterious Elephant and Confucius suggest a broader Indian intelligence ecosystem rather than an isolated actor. The group's willingness to target Turkey — a NATO member with Pakistani defense ties — and to operationalize campaigns during active India-Pakistan military escalation in May 2025 signals both expanding geographic ambition and willingness to conduct offensive cyber operations during live kinetic conflict windows.
Sources & Further Reading
Attribution and references used to build this profile.
- Proofpoint & Threatray — The Bitter End: Unraveling Eight Years of Espionage Antics, Part One (2025)
- EclecticIQ — PTCL Targeted by Bitter APT During Heightened Regional Conflict (2025)
- The Hacker News — Bitter APT Evolving Tactics as Geographic Scope Expands (2025)
- Proofpoint — Hidden in Plain Sight: TA397's New Attack Chain Delivers Espionage RATs (2024)
- The Hacker News — Bitter APT Targets Turkish Defense Sector with WmRAT and MiyaRAT (2024)
- NSFOCUS — Bitter APT Targets Chinese Government Agency (2024)
- MITRE ATT&CK — Group G1002: BITTER
- CYFIRMA — APT Profile: TA397 (2024)
- The Record — New Evidence Links Long-Running Hacking Group to Indian Government (2025)