Article Details
Scrape Timestamp (UTC): 2025-06-05 13:57:24.459
Source: https://thehackernews.com/2025/06/bitter-hacker-group-expands-cyber.html
Original Article Text
Bitter Hacker Group Expands Cyber Espionage to Turkey via Spear-Phishing and Malware

The threat actor known as Bitter has been assessed to be a state-backed hacking group that's tasked with gathering intelligence that aligns with the interests of the Indian government. That's according to new findings jointly published by Proofpoint and Threatray in an exhaustive two-part analysis.

"Their diverse toolset shows consistent coding patterns across malware families, particularly in system information gathering and string obfuscation," researchers Abdallah Elshinbary, Jonas Wagner, Nick Attfield, and Konstantin Klinger said.

Bitter, also known as APT-C-08, APT-Q-37, Hazy Tiger, Orange Yali, T-APT-17, and TA397, has a history of focusing primarily on South Asian entities, with select intrusions also targeting China, Saudi Arabia, and South America. In December 2024, evidence emerged of the threat actor's targeting of Turkey using malware families such as WmRAT and MiyaRAT, indicating a gradual geographical expansion.

Stating that Bitter frequently singles out an "exceedingly small subset of targets," Proofpoint said the attacks are aimed at governments, diplomatic entities, and defense organizations so as to enable intelligence collection on foreign policy or current affairs.

Attack chains mounted by the group typically leverage spear-phishing emails, with the messages sent from providers like 163[.]com, 126[.]com, and ProtonMail, as well as compromised accounts associated with the governments of Pakistan, Bangladesh, and Madagascar. The threat actor has also been observed masquerading as government and diplomatic entities from China, Madagascar, Mauritius, and South Korea in these campaigns to entice recipients into opening malware-laced attachments that trigger the deployment of malware.
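The lure pattern described above (a sender claiming a government or diplomatic identity while the message actually leaves a free webmail provider such as 163[.]com, 126[.]com, or ProtonMail) can be turned into a simple mail-triage heuristic. The script below is an added example written for this page, not code from Proofpoint or Threatray; the keyword list, the severity levels, and the sample messages are constructed assumptions, and it only refangs the provider names that appear in the reporting.

```python
"""Triage heuristic for the 'official identity from webmail' lure (added example).

Flags messages whose From display name claims a government or diplomatic
identity while the sending domain is a free webmail provider.  All sample
messages, keywords and severity levels below are constructed for illustration.
"""
from email.utils import parseaddr

# Providers named in the reporting, kept in the defanged form the report uses.
FREEMAIL_DOMAINS_DEFANGED = {"163[.]com", "126[.]com", "protonmail[.]com"}

# Assumed keyword list for display names that assert an official identity.
GOV_KEYWORDS = (
    "ministry", "embassy", "consulate", "foreign affairs",
    "government", "defence", "defense", "diplomatic",
)


def refang(domain: str) -> str:
    """Turn the defanged 'example[.]com' notation back into a real domain."""
    return domain.replace("[.]", ".").lower()


FREEMAIL_DOMAINS = {refang(d) for d in FREEMAIL_DOMAINS_DEFANGED}


def sender_parts(from_header: str) -> tuple:
    """Split a From header into (display name, sending domain)."""
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    return name, domain


def claims_official_identity(name: str) -> bool:
    lowered = name.lower()
    return any(keyword in lowered for keyword in GOV_KEYWORDS)


def triage_message(message: dict) -> dict:
    """Return {'level': 'high'|'medium'|'low', 'reasons': [...]} for one message.

    `message` is a constructed dict with a 'From' header string and an
    'attachments' list of filenames.
    """
    name, domain = sender_parts(message.get("From", ""))
    reasons = []
    if domain in FREEMAIL_DOMAINS and claims_official_identity(name):
        reasons.append(f"display name '{name}' claims an official identity "
                       f"but mail originates from webmail domain {domain}")
    has_attachment = bool(message.get("attachments"))
    if reasons and has_attachment:
        reasons.append("message carries an attachment")
        level = "high"
    elif reasons:
        level = "medium"
    else:
        level = "low"
    return {"level": level, "reasons": reasons}


# Constructed sample messages (not from any real campaign).
SAMPLE_MESSAGES = [
    {"From": '"Embassy of Madagascar" <press.office.mg@163.com>',
     "attachments": ["invitation.docx"]},
    {"From": '"Trade Desk" <trade.desk@126.com>', "attachments": ["brief.pdf"]},
    {"From": '"Ministry of Foreign Affairs" <mofa@example.gov.test>',
     "attachments": ["note.pdf"]},
    {"From": '"Alice Example" <alice@example.org>', "attachments": []},
]


def triage_all(messages=SAMPLE_MESSAGES) -> list:
    """Triage every sample message and return the list of severity levels."""
    return [triage_message(m)["level"] for m in messages]


if __name__ == "__main__":
    for msg, verdict in zip(SAMPLE_MESSAGES, map(triage_message, SAMPLE_MESSAGES)):
        print(verdict["level"].upper(), msg["From"], "|", "; ".join(verdict["reasons"]))
```

The heuristic deliberately covers only the webmail half of the reported delivery pattern: messages sent from compromised accounts of real government domains (the Pakistan, Bangladesh and Madagascar cases above) will score "low" here, so this check complements rather than replaces attachment detonation and header-authentication (SPF, DKIM, DMARC) review.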
"Based on the content and the decoy documents employed, it is clear that TA397 has no qualms with masquerading as other countries' governments, including Indian allies," the enterprise security company said. "While TA397's targets in these campaigns were Turkish and Chinese entities with a presence in Europe, it signals that the group likely has knowledge and visibility into the legitimate affairs of Madagascar and Mauritius and uses the material in spearphishing operations."

Furthermore, Bitter has been found to engage in hands-on-keyboard activity in two distinct campaigns targeting government organizations to conduct further enumeration activities on the targeted hosts and drop additional payloads like KugelBlitz and BDarkRAT, a .NET trojan that was first documented in 2019. It features standard remote access trojan capabilities such as gathering system information, executing shell commands, downloading files, and managing files on the compromised host.

Some of the other known tools in its arsenal are below -

It's worth noting that ORPCBackdoor has been attributed by the Knownsec 404 Team to a threat actor called Mysterious Elephant, which it said overlaps with other Indian-aligned threat clusters, including SideWinder, Patchwork, Confucius, and Bitter.

Analysis of the hands-on-keyboard activity highlights a "Monday to Friday working hours schedule in Indian Standard Timezone (IST)," which is also consistent with the time when WHOIS domain registrations and TLS certificate issuances take place.

"TA397 is an espionage-focused threat actor that highly likely operates on behalf of an Indian intelligence organization," the researchers said. "There is a clear indication that most infrastructure-related activity occurs during standard business hours in the IST timezone."
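The working-hours observation above (operator activity, WHOIS registrations and TLS certificate issuance clustering in Monday-to-Friday business hours in IST) is the kind of temporal analysis an analyst can reproduce from their own timestamps. The script below is an added example for this page, not the researchers' tooling: it converts UTC event timestamps into a set of candidate time zones, scores each zone by the fraction of events that land in a weekday business-hours window, and prints an hour histogram. The 09:00-17:59 window, the candidate zones, and the eight sample timestamps are all constructed assumptions.

```python
"""Business-hours fit of infrastructure timestamps across candidate zones (added example).

Feed it UTC timestamps of events such as WHOIS registrations or TLS
certificate issuance and it reports which candidate zone best explains a
Monday-Friday business-hours pattern.  Sample data below is constructed.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone

# Candidate zones as fixed UTC offsets (assumption: no DST handling needed for
# the dates used).  IST is the zone the reporting points at; the others are
# controls so the comparison is not trivially one-sided.
CANDIDATE_ZONES = {
    "IST": timezone(timedelta(hours=5, minutes=30), name="IST"),
    "CST(+8)": timezone(timedelta(hours=8), name="CST"),
    "UTC": timezone.utc,
    "EST(-5)": timezone(timedelta(hours=-5), name="EST"),
}

# Assumed business-hours window: 09:00 through 17:59 local time, Monday-Friday.
BUSINESS_HOURS = range(9, 18)


def parse_utc(ts: str) -> datetime:
    """Parse an ISO-8601 'YYYY-MM-DDTHH:MM:SSZ' string as an aware UTC datetime."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def in_business_hours(local: datetime) -> bool:
    return local.weekday() < 5 and local.hour in BUSINESS_HOURS


def business_hours_fraction(timestamps_utc, tz) -> float:
    """Fraction of events that fall in the weekday business window for zone tz."""
    if not timestamps_utc:
        return 0.0
    hits = sum(in_business_hours(parse_utc(ts).astimezone(tz)) for ts in timestamps_utc)
    return hits / len(timestamps_utc)


def hour_histogram(timestamps_utc, tz) -> Counter:
    """Count events per local hour-of-day for zone tz."""
    return Counter(parse_utc(ts).astimezone(tz).hour for ts in timestamps_utc)


def best_fit_zone(timestamps_utc, candidates=CANDIDATE_ZONES) -> str:
    """Name of the candidate zone with the highest business-hours fraction."""
    return max(candidates, key=lambda name: business_hours_fraction(timestamps_utc, candidates[name]))


# Constructed sample: eight registration/issuance events in UTC (2024-12-02 is a Monday).
SAMPLE_TIMESTAMPS = [
    "2024-12-02T04:15:00Z",  # Mon 09:45 IST
    "2024-12-02T06:40:00Z",  # Mon 12:10 IST
    "2024-12-03T09:05:00Z",  # Tue 14:35 IST
    "2024-12-04T03:50:00Z",  # Wed 09:20 IST
    "2024-12-05T11:30:00Z",  # Thu 17:00 IST
    "2024-12-06T08:20:00Z",  # Fri 13:50 IST
    "2024-12-07T05:00:00Z",  # Sat 10:30 IST (weekend, outside window)
    "2024-12-09T16:45:00Z",  # Mon 22:15 IST (after hours, outside window)
]


if __name__ == "__main__":
    for name, tz in CANDIDATE_ZONES.items():
        frac = business_hours_fraction(SAMPLE_TIMESTAMPS, tz)
        print(f"{name:8s} business-hours fraction = {frac:.2f}")
    best = best_fit_zone(SAMPLE_TIMESTAMPS)
    print("best fit:", best)
    for hour, count in sorted(hour_histogram(SAMPLE_TIMESTAMPS, CANDIDATE_ZONES[best]).items()):
        print(f"  {hour:02d}:00  {'#' * count}")
```

With only a handful of events, neighbouring zones (IST versus UTC+8 here) separate weakly; the method becomes convincing when it is run over months of WHOIS, certificate-transparency and session timestamps, which is the breadth the reporting relies on. Also note that fixed offsets are a simplification: real analysis should use zoneinfo to account for daylight-saving in candidate zones that observe it.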
Daily Brief Summary
Bitter, also known as APT-C-08 and several other aliases, is assessed to be a state-backed group conducting espionage that serves the interests of the Indian government.
The group uses spear-phishing and diverse malware including WmRAT and MiyaRAT to target governments and defense organizations in Turkey and other regions.
Attacks focus on intelligence gathering concerning foreign policy and defense, leveraging decoy documents and deceptive email practices.
Email campaigns impersonate government entities and are sent from free webmail providers as well as compromised accounts associated with the governments of Pakistan, Bangladesh, and Madagascar.
Recent campaigns have shown a geographical expansion in target areas, now including European locations with Turkish and Chinese interests.
The group operates primarily during Indian Standard Time business hours, suggesting close ties to Indian intelligence.
Tools like KugelBlitz and BDarkRAT enable further host enumeration, command execution, and file management on compromised networks following successful phishing attacks.