The Bitter advanced persistent threat (APT) group, a suspected South Asian cyber-espionage collective, has been linked to a targeted attack against a Turkish defence sector organisation in November 2024. This campaign involved the deployment of two sophisticated malware strains, WmRAT and MiyaRAT, both written in C++ and designed for data exfiltration and surveillance.
Researchers disclosed that the payload was carried in NTFS alternate data streams (ADS) attached to a file inside a RAR archive; ADS survive archiving and extraction only when the archiving tool stores NTFS streams. The archive contained a deceptive shortcut (LNK) file which, when launched, created a scheduled task on the victim's device. That task then retrieved additional malicious payloads from attacker infrastructure, giving the intruders persistent access.
Bitter APT, also tracked under aliases such as TA397, APT-C-08, APT-Q-37, Hazy Tiger, and Orange Yali, has been active since at least 2013.
Historically, the group has carried out attacks targeting organisations in China, Pakistan, India, Saudi Arabia, and Bangladesh, leveraging tools such as BitterRAT, ArtraDownloader, and ZxxZ. Their operations have also included Android malware, such as PWNDROID2 and Dracarys, which were identified in earlier reports by BlackBerry and Meta.
The recent campaign used a phishing lure themed around public infrastructure projects in Madagascar. The RAR archive bundled a decoy document referencing a World Bank initiative with a shortcut file masquerading as a PDF; the PowerShell code was hidden in an ADS attached to that shortcut, where Explorer does not show it. When the victim opened the shortcut, the script ran in the background while a convincing decoy document was displayed.
ADS are a feature of the NTFS file system: a file can carry additional named streams beyond its default $DATA stream, and Explorer and a plain dir listing show neither the extra streams nor their size, so the file looks unchanged. A dir /R listing or PowerShell's Get-Item -Stream * does reveal them, and they are lost when the file is copied to a non-NTFS volume such as FAT-formatted removable media. In this instance, one data stream retrieved a decoy file from the World Bank's website, while another held a Base64-encoded PowerShell script that opened the decoy and registered a scheduled task. The task contacted an attacker-controlled domain to download the final-stage payloads.
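The following hunt script is an added example for the chain described above (ADS hidden in an extracted archive, Base64 PowerShell inside a stream, and a scheduled task that launches a shell or downloader); it is not code from the original report or from the attackers. It assumes a Windows host with NTFS and PowerShell 5.1 or later, that the suspect archive was extracted somewhere under the scan root (default: the user's Downloads folder), and the process-name pattern used to flag suspicious tasks is a heuristic chosen here, not an indicator from the report.

```powershell
# Added hunting script; not code from the original report or from the attackers.
# Assumptions: Windows host, NTFS, PowerShell 5.1+, suspect archive extracted
# under $ScanRoot. The shell/downloader pattern in step 3 is a heuristic chosen here.
param(
    [string]$ScanRoot = (Join-Path $env:USERPROFILE 'Downloads'),
    [string]$OutDir   = (Join-Path $env:TEMP 'ads-hunt')
)

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 1. Enumerate files that carry streams other than the default ':$DATA' stream.
#    Explorer and a plain 'dir' hide these; Get-Item -Stream * does not.
#    Zone.Identifier is the ordinary mark-of-the-web and is listed but not dumped.
$adsHits = Get-ChildItem -LiteralPath $ScanRoot -File -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' } |
            ForEach-Object {
                [pscustomobject]@{
                    File   = $file.FullName
                    Stream = $_.Stream
                    Bytes  = $_.Length
                    IsLnk  = ($file.Extension -ieq '.lnk')   # a shortcut with extra streams is the pattern above
                }
            }
    }
$adsHits | Format-Table -AutoSize

# 2. Dump each non-Zone.Identifier stream and, if it is Base64, decode it so the
#    PowerShell inside can be read. -EncodedCommand uses UTF-16LE; a NUL in the
#    second byte is taken as the sign of that, otherwise UTF-8 is assumed.
foreach ($hit in @($adsHits | Where-Object { $_.Stream -ne 'Zone.Identifier' })) {
    $safeName = (Split-Path $hit.File -Leaf) + '_' + ($hit.Stream -replace '[\\/:*?"<>|]', '_')
    $raw = Get-Content -LiteralPath $hit.File -Stream $hit.Stream -Raw -ErrorAction SilentlyContinue
    if (-not $raw) { continue }
    Set-Content -LiteralPath (Join-Path $OutDir "$safeName.raw") -Value $raw
    try {
        $bytes = [Convert]::FromBase64String(($raw -replace '\s', ''))
        $text  = if ($bytes.Length -gt 1 -and $bytes[1] -eq 0) {
                     [Text.Encoding]::Unicode.GetString($bytes)
                 } else {
                     [Text.Encoding]::UTF8.GetString($bytes)
                 }
        Set-Content -LiteralPath (Join-Path $OutDir "$safeName.decoded.txt") -Value $text
        Write-Host "Decoded stream '$($hit.Stream)' of $($hit.File) -> $OutDir\$safeName.decoded.txt"
    } catch {
        Write-Host "Stream '$($hit.Stream)' of $($hit.File) is not Base64; raw copy saved in $OutDir"
    }
}

# 3. Scheduled tasks outside the Microsoft tree whose action launches a shell or
#    a downloader. Author and registration date help tie a task to the moment the
#    shortcut was opened; the full task XML can be pulled with Export-ScheduledTask.
$pattern = 'powershell|pwsh|cmd\.exe|conhost|curl|certutil|bitsadmin|mshta|wscript|cscript'
Get-ScheduledTask -ErrorAction SilentlyContinue |
    Where-Object { $_.TaskPath -notlike '\Microsoft\*' } |
    ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            if ("$($action.Execute) $($action.Arguments)" -match $pattern) {
                [pscustomobject]@{
                    Task       = $task.TaskPath + $task.TaskName
                    Author     = $task.Author
                    Registered = $task.Date
                    Execute    = $action.Execute
                    Arguments  = $action.Arguments
                }
            }
        }
    } | Format-Table -AutoSize -Wrap
```

Run it from an elevated prompt so that every scheduled task is visible, and run it against the NTFS volume the archive was extracted to: copying the extracted files to FAT-formatted media or a network share that does not support streams silently drops the ADS and with it the evidence.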
Both WmRAT and MiyaRAT offer a full remote-access feature set: collecting system information, enumerating and manipulating files, capturing screenshots, and running commands through cmd.exe or PowerShell. MiyaRAT has been deployed far more sparingly than WmRAT, which suggests it is held back for high-value targets.
This campaign reflects Bitter’s focus on intelligence gathering, likely in support of South Asian governmental interests. The group’s persistent use of advanced techniques highlights the ongoing threat posed by state-linked cyber espionage operations.
