When phishing smells like a secret service — Bitter is back in the game, and the smell is clearly Indian.
You may not even need to reply — everything has already been sent where it needs to go.
The hacker group Bitter, also known as TA397, has once again been linked to operations aligned with the interests of Indian intelligence services. That is the conclusion of a joint report by Proofpoint and Threatray, which presents new details on the group's tactics, toolset, and geographic reach.
Bitter operates as a spy structure, primarily focused on gathering information relevant to foreign policy and the defense sector. The group has been active since 2013 and is also known by code names such as APT-C-08, APT-Q-37, Hazy Tiger, Orange Yali, and T-APT-17. Previously, its activity focused on South Asian countries, but in recent months, its areas of interest have expanded to other regions, including Turkey, China, South America, and the Middle East.
In the winter of 2024, the group was observed targeting Turkish entities with the malware families WmRAT and MiyaRAT. In these attacks the group impersonated diplomatic entities of other countries, including China, Madagascar, Mauritius, and South Korea. Phishing emails with malware-laden attachments were sent from popular services such as "163[.]com", "126[.]com", and ProtonMail, as well as from compromised government accounts in Pakistan, Bangladesh, and Madagascar.
Researchers emphasize that TA397 uses a very limited list of targets and carefully prepares for each campaign. Attacks are directed at diplomatic institutions, ministries of defense, and other government organizations. The lures often involve authentic documents, sometimes taken from the actual document workflow of India’s allied states—suggesting possible insider information.
The report pays particular attention to activity indicating hands-on-keyboard control of infected systems. In two documented campaigns, Bitter operators, after gaining access, conducted in-depth reconnaissance and then delivered additional malware components, specifically KugelBlitz and BDarkRAT. The latter is a .NET trojan that collects system information, executes commands, and manages files.
Analysis of Bitter’s malware code and architecture shows consistent patterns characteristic of their entire infrastructure. This is especially evident in the methods of gathering system information and in string obfuscation techniques.
Some of the group’s key tools include:
- ArtraDownloader — a C++ module that gathers system information and downloads remote files via HTTP;
- Keylogger — a C++ program that captures keystrokes and clipboard contents;
- WSCSPL Backdoor — a backdoor that transmits system information and executes operator commands;
- MuuyDownloader (ZxxZ) — a trojan for remote command execution;
- Almond RAT — a .NET trojan that allows execution of arbitrary commands and file transfers;
- ORPCBackdoor — a backdoor using the RPC protocol for communication with a command server;
- KiwiStealer — a file-stealing tool that selects files by criteria such as a last-modified time within the past year, a size under 50 MB, and a set of target file extensions;
- KugelBlitz — a shellcode loader designed to launch the Havoc C2 framework.
According to Knownsec 404 Team, ORPCBackdoor overlaps with the activity of another Indian group, Mysterious Elephant. The report also notes that TA397's infrastructure and activity follow the working week in India's time zone: domain registrations and TLS certificate issuances mostly occur on weekdays.
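The working-week pattern described above is the kind of thing an analyst can check directly against WHOIS creation dates and certificate NotBefore timestamps. The script below is an added illustration of that check and is not code from the Proofpoint/Threatray report; the timestamps in SAMPLE_EVENTS are constructed for the example and are not indicators from the report. It converts each event into a candidate time zone, measures what share of events fall on weekdays and inside a working-hours window (assumed here to be 09:00 to 18:00), and picks the zone in which the activity looks most like an ordinary working week.

```python
from collections import Counter
from datetime import datetime, timezone
from zoneinfo import ZoneInfo

IST = ZoneInfo("Asia/Kolkata")

# Constructed sample: (event type, UTC timestamp) pairs standing in for
# WHOIS creation dates and TLS certificate NotBefore values. Illustrative
# values only, not indicators taken from the report.
SAMPLE_EVENTS = [
    ("domain", "2024-11-04T05:12:00Z"),  # Mon 10:42 IST
    ("domain", "2024-11-06T03:50:00Z"),  # Wed 09:20 IST
    ("cert",   "2024-11-07T08:30:00Z"),  # Thu 14:00 IST
    ("cert",   "2024-11-12T10:05:00Z"),  # Tue 15:35 IST
    ("domain", "2024-11-14T04:45:00Z"),  # Thu 10:15 IST
    ("cert",   "2024-11-15T11:20:00Z"),  # Fri 16:50 IST
    ("domain", "2024-11-16T06:00:00Z"),  # Sat 11:30 IST (weekend outlier)
    ("cert",   "2024-11-18T02:40:00Z"),  # Mon 08:10 IST (before 09:00)
    ("domain", "2024-11-20T07:15:00Z"),  # Wed 12:45 IST
    ("cert",   "2024-11-21T09:55:00Z"),  # Thu 15:25 IST
]


def parse_utc(ts: str) -> datetime:
    """Parse an ISO-8601 'Z' timestamp into an aware UTC datetime."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def working_hours_profile(events, tz=IST, start_hour=9, end_hour=18):
    """Share of events that land on weekdays / inside working hours in tz.

    start_hour/end_hour define the assumed working-hours window (inclusive
    start, exclusive end) in the local time of tz.
    """
    total = len(events)
    weekday_hits = 0
    hours_hits = 0
    by_weekday = Counter()
    for _, ts in events:
        local = parse_utc(ts).astimezone(tz)
        by_weekday[local.strftime("%a")] += 1
        if local.weekday() < 5:  # Monday=0 ... Friday=4
            weekday_hits += 1
            if start_hour <= local.hour < end_hour:
                hours_hits += 1
    return {
        "total": total,
        "weekday_share": weekday_hits / total,
        "business_hours_share": hours_hits / total,
        "by_weekday": dict(by_weekday),
    }


def best_fit_zone(events, candidate_zones):
    """Return the candidate zone in which the most events fall in working hours.

    A high share in one zone and a low share in others is weak but useful
    corroborating evidence for an operator's region; it is not proof.
    """
    scores = {
        name: working_hours_profile(events, ZoneInfo(name))["business_hours_share"]
        for name in candidate_zones
    }
    return max(scores, key=scores.get), scores


if __name__ == "__main__":
    profile = working_hours_profile(SAMPLE_EVENTS)
    print("IST profile:", profile)
    zone, scores = best_fit_zone(
        SAMPLE_EVENTS, ["Asia/Kolkata", "Europe/Berlin", "America/New_York"]
    )
    print("best-fit zone:", zone, scores)
```

On the constructed sample, nine of ten events fall on an Indian weekday and eight of ten inside the 09:00 to 18:00 IST window, while the same timestamps read as night-time activity in New York. In real analysis the sample size matters: a handful of certificates proves nothing, and automated registrars can issue certificates at any hour, so the check is corroboration alongside the malware and lure evidence the report describes, not a standalone attribution.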
Taken together, experts conclude that TA397 is highly likely to be acting in the interests of Indian intelligence. The technical level of operations, strict adherence to schedules, and choice of target documents confirm the existence of organized support and long-term planning.