🇮🇳
HAZY TIGER
APT Group
Information theft and espionage
26 zero-day CVEs
ETDA ✓
Also Known As 5 names
APT-C-08
Bitter
Orange Yali
T-APT-17
TA397
Target Countries 14
Bangladesh
Bhutan
China
Germany
India
Iraq
Madagascar
Myanmar
Pakistan
Saudi Arabia
Thailand
Turkey
United States
Vietnam
Sectors Targeted
Government
Advertising Agencies (54181)
Energy
Motion Picture and Video Production (51211)
Engineering
Travel Agencies (561510)
Graphic Design Services (54143)
Details
Origin: 🇮🇳 IN
Last Updated: 17 Dec 2024
Malware Families 2
bitter_rat
zwShell
MITRE ATT&CK 122
T1001
T1003
T1005 - Data from Local System
T1007
T1008
T1011
T1012 - Query Registry
T1016 - System Network Configuration Discovery
T1021 - Remote Services
T1027 - Obfuscated Files or Information
T1027.013
T1033 - System Owner/User Discovery
T1036 - Masquerading
T1036.004
T1041 - Exfiltration Over C2 Channel
T1047 - Windows Management Instrumentation
T1048
T1049
T1053 - Scheduled Task/Job
T1053.005 - Scheduled Task
T1055
T1056.001
T1056.003 - Web Portal Capture
T1057 - Process Discovery
T1059 - Command and Scripting Interpreter
T1059.001 - PowerShell
T1059.003 - Windows Command Shell
T1059.005 - Visual Basic
T1060
T1064
T1068
T1069.002
T1070
T1071 - Application Layer Protocol
T1071.001 - Web Protocols
T1078 - Valid Accounts
T1081
T1082 - System Information Discovery
T1083 - File and Directory Discovery
T1085
T1087
T1090 - Proxy
T1095
T1102 - Web Service
T1105 - Ingress Tool Transfer
T1106
T1110
T1112
T1113 - Screen Capture
T1114
T1114.001
T1115
T1119
T1120
T1124
T1127 - Trusted Developer Utilities Proxy Execution
T1129
T1130
T1132
T1132.001 - Standard Encoding
T1133
T1136
T1137 - Office Application Startup
T1140 - Deobfuscate/Decode Files or Information
T1170
T1176
T1190
T1193
T1199 - Trusted Relationship
T1203
T1204 - User Execution
T1204.001 - Malicious Link
T1204.002 - Malicious File
T1213.003
T1217
T1218 - Signed Binary Proxy Execution
T1221
T1485
T1486
T1489
T1490 - Inhibit System Recovery
T1497
T1497.003
T1498 - Network Denial of Service
T1503
T1518
T1529
T1530
T1531
T1539
T1543
T1547 - Boot or Logon Autostart Execution
T1550
T1552
T1553 - Subvert Trust Controls
T1555
T1559
T1559.002
T1560
T1561
T1562 - Impair Defenses
T1562.001
T1564 - Hide Artifacts
T1566 - Phishing
T1566.001 - Spearphishing Attachment
T1566.002 - Spearphishing Link
T1568
T1569 - System Services
T1571
T1573
T1573.001 - Symmetric Cryptography
T1574
T1574.002 - DLL Side-Loading
T1583
T1583.001 - Domains
T1587
T1588
T1588.002
T1589.002 - Email Addresses
T1595
T1608
T1608.001
Related Zero-Days 26
CVE-2018-0802
CVE-2018-8174
CVE-2020-1472
CVE-2021-1732
CVE-2021-28310
CVE-2022-30190
CVE-2022-42475
CVE-2023-36884
CVE-2023-38831
CVE-2023-4966
CVE-2025-10585
CVE-2025-20333
CVE-2025-20362
CVE-2025-2783
CVE-2025-41244
CVE-2025-4664
CVE-2025-5419
CVE-2025-55182
CVE-2025-59287
CVE-2025-6218
CVE-2025-62215
CVE-2025-62221
CVE-2025-6554
CVE-2025-6558
CVE-2025-8088
CVE-2025-9242