The threat actor known as Bitter has been assessed to be a state-backed hacking group tasked with gathering intelligence that aligns with the interests of the Indian government.
That is the conclusion of new research published jointly by Proofpoint and Threatray in a detailed, two-part analysis.
“These diverse toolsets demonstrate consistent coding patterns across the malware family, particularly in system information collection and string obfuscation,” said researchers Abdallah Elsinbery, Jonas Wagner, Nick Atfield and Constantine Klinger.
Bitter, also known as APT-C-08, APT-Q-37, Hazy Tiger, Orange Yali, T-APT-17, and TA397, has a history of focusing primarily on South Asian organizations, with select intrusions also targeting China, Saudi Arabia and South America.
In December 2024, evidence emerged of the threat actor targeting Turkey with malware families such as WmRAT and MiyaRAT, indicating a gradual geographic expansion.
Bitter is said to frequently select “a very small subset of targets,” and its attacks are aimed at governments, diplomatic entities and defence organizations, enabling the collection of information on foreign policy or current affairs.
Attack chains mounted by the group typically use spear-phishing emails sent from providers such as 163(.)com, 126(.)com and Proton Mail, as well as from compromised accounts associated with the governments of Pakistan, Bangladesh and Madagascar.
In these campaigns the threat actor has also been observed posing as governments and diplomatic organizations in China, Madagascar, Mauritius and South Korea to lure recipients into opening malware-laced attachments that lead to the deployment of malware.
Figure: Overview of Bitter infection chain
“Based on the content and decoy documents adopted, it is clear that TA397 does not disguise itself as the governments of other countries, including Indian allies,” the enterprise security company said.
“The targets of TA397 in these campaigns were Turkish and Chinese organizations in Europe, indicating that the group has knowledge of and visibility into the legitimate work of Madagascar and Mauritius, and uses such materials in its spear-phishing lures.”
Additionally, Bitter has been observed engaging in hands-on-keyboard activity in two different campaigns targeting government organizations, carrying out further enumeration on target hosts and dropping additional payloads such as KugelBlitz and BDarkRAT, the latter first documented in 2019.
BDarkRAT has standard remote access trojan (RAT) capabilities such as collecting system information, running shell commands, downloading files, and managing files on compromised hosts.
Figure: Bitter’s malware family
Some of the other known tools in its arsenal are listed below:
- ArtraDownloader, a downloader written in C++ that collects system information and downloads and executes remote files using HTTP requests.
- Keylogger, a C++ module used in various campaigns to record keystrokes and clipboard content.
- WSCSPL Backdoor, a backdoor delivered via ArtraDownloader that supports commands to retrieve machine information, execute remote instructions, and download and execute files.
- MuuyDownloader (also known as ZxxZ), a trojan that allows remote code execution of payloads received from remote servers.
- AlmondRAT, a .NET trojan that provides basic data collection capabilities and the ability to run arbitrary commands and transfer files.
- ORPCBackdoor, a backdoor that communicates with command-and-control (C2) servers using the RPC protocol and executes operator-issued instructions.
- KiwiStealer, a stealer that searches for files matching a predefined set of extensions that are smaller than 50 MB and were modified within the past year, and exfiltrates them to a remote server.
- KugelBlitz, a shellcode loader used to deploy the Havoc C2 framework.
It is worth noting that ORPCBackdoor has been attributed by the Knownsec 404 Team to a threat actor called Mysterious Elephant, which overlaps with other India-aligned threat clusters such as SideWinder, Patchwork, Confucius and Bitter.
Analysis of the hands-on-keyboard activity also highlights a “working hours schedule from Monday to Friday in India’s Standard Time Zone (IST).” This coincides with the times at which the group’s WHOIS domain registrations and TLS certificate issuances occur.
“TA397 is a threat actor focused on espionage, which is highly likely to operate on behalf of India’s intelligence reporting agency,” the researchers said. “There are clear indications that most infrastructure-related activities will occur during standard opening hours in the IST time zone.”
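The working-hours argument above is a standard attribution technique: convert infrastructure-setup timestamps (WHOIS registrations, TLS certificate issuance) from UTC into a candidate local time zone and measure how much of the activity falls on weekdays within office hours. The script below is an added example of that analysis and is not code from the Proofpoint/Threatray report; the event timestamps are constructed for illustration and are not indicators from the research, and the 09:00 to 18:00 weekday window is an assumed definition of business hours. It goes one step further than the text by scanning every half-hour UTC offset to find the one that best explains the activity, which is how an analyst would check that IST is the best fit rather than merely a plausible one.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# IST is UTC+05:30 all year (no daylight saving), so a fixed offset is exact
# and the example needs no tzdata database.
IST = timezone(timedelta(hours=5, minutes=30), name="IST")
UTC = timezone.utc

# Constructed sample of infrastructure-setup events, timestamped in UTC.
# These values are invented for the example; they are not indicators from the report.
SAMPLE_EVENTS = [
    ("whois_registration", "2024-11-04T04:12:00Z"),
    ("tls_issuance",       "2024-11-05T07:30:00Z"),
    ("whois_registration", "2024-11-06T11:45:00Z"),
    ("tls_issuance",       "2024-11-07T12:15:00Z"),
    ("whois_registration", "2024-11-09T05:00:00Z"),  # Saturday in both UTC and IST
    ("tls_issuance",       "2024-11-08T02:50:00Z"),  # before 09:00 IST
    ("whois_registration", "2024-11-08T06:05:00Z"),
    ("tls_issuance",       "2024-11-11T22:30:00Z"),  # late Monday UTC, early Tuesday IST
    ("whois_registration", "2024-11-12T09:20:00Z"),
    ("tls_issuance",       "2024-11-13T03:35:00Z"),
]


def parse_utc(stamp):
    """Parse an ISO-8601 'Z' timestamp into a timezone-aware UTC datetime."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=UTC)


def in_business_hours(local_dt, start_hour=9, end_hour=18):
    """True if local_dt falls Monday to Friday within [start_hour, end_hour)."""
    return local_dt.weekday() < 5 and start_hour <= local_dt.hour < end_hour


def summarize(events, tz=IST):
    """Convert each event to tz and tally the weekday/hour distribution
    and the share of events that fall inside business hours."""
    by_weekday, by_hour = Counter(), Counter()
    in_hours = 0
    for _kind, stamp in events:
        local = parse_utc(stamp).astimezone(tz)
        by_weekday[local.strftime("%a")] += 1
        by_hour[local.hour] += 1
        if in_business_hours(local):
            in_hours += 1
    total = len(events)
    return {
        "total": total,
        "in_hours": in_hours,
        "share": in_hours / total if total else 0.0,
        "by_weekday": dict(by_weekday),
        "by_hour": dict(by_hour),
    }


def best_fit_offset(events, step_minutes=30):
    """Scan UTC offsets from -12:00 to +14:00 and return the one whose
    business-hours window captures the most events, as (offset_hours, hits).
    The first offset reaching the maximum wins, so ties resolve westward."""
    best = (0.0, -1)
    minutes = -12 * 60
    while minutes <= 14 * 60:
        tz = timezone(timedelta(minutes=minutes))
        hits = summarize(events, tz)["in_hours"]
        if hits > best[1]:
            best = (minutes / 60, hits)
        minutes += step_minutes
    return best


if __name__ == "__main__":
    ist = summarize(SAMPLE_EVENTS)
    utc = summarize(SAMPLE_EVENTS, UTC)
    print(f"IST business-hours share: {ist['share']:.0%} ({ist['in_hours']}/{ist['total']})")
    print(f"UTC business-hours share: {utc['share']:.0%} ({utc['in_hours']}/{utc['total']})")
    print("IST weekday distribution:", ist["by_weekday"])
    print("best-fit UTC offset (hours, hits):", best_fit_offset(SAMPLE_EVENTS))
```

On the constructed sample, seven of ten events land in IST office hours against only three when the same timestamps are read in UTC, and the offset scan returns +5.5 as the unique best fit. With real data, a single dominant offset is only supportive evidence: operators can work odd hours, automation can skew timestamps, and registrars and certificate authorities record times in their own clocks, so the result should be read together with the other indicators the report describes.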