Bitter APT Expands Cyberespionage Campaigns with Sophisticated Tools and Targets
The advanced persistent threat (APT) group Bitter (also known as TA397, APT-C-08, Orange Yali, and Hazy Tiger), linked to the Indian government, has intensified its cyberespionage operations. According to a joint analysis by Proofpoint and Threatray, the group has launched spear-phishing attacks impersonating government and diplomatic entities from Bangladesh, Pakistan, China, and South Korea, aiming to deploy malicious payloads.
Bitter’s recent campaigns have leveraged multiple tools, including:
- KugelBlitz and BDarkRAT payloads for system compromise.
- ArtraDownloader, which deploys the WSCSPL backdoor for system data exfiltration.
- Almond RAT and MuuyDownloader trojans for remote access and persistence.
- ORPCBackdoor, previously associated with the Mysterious Elephant threat actor—another group tied to Indian APTs SideWinder and Confucius.
- KiwiStealer, an information-stealing malware designed to harvest sensitive data.
The findings highlight Bitter’s evolving tactics, combining social engineering with a diverse arsenal of malware to conduct targeted espionage. The group’s infrastructure and toolset suggest continued alignment with state-sponsored objectives.
Source: https://www.scworld.com/brief/expanding-bitter-apt-operation-exposed
Bangladeshi Government TPRM report: https://www.rankiteo.com/company/government-of-the-people-s-republic-of-bangladesh
Chinese Government TPRM report: https://www.rankiteo.com/company/chinese-academy-of-sciences
"id": "govchi1766628286",
"linkid": "government-of-the-people-s-republic-of-bangladesh, chinese-academy-of-sciences",
"type": "Cyber Attack",
"date": "6/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'industry': 'Government/Diplomacy',
                        'location': 'Bangladesh',
                        'name': 'Bangladeshi government entities',
                        'type': 'Government'},
                       {'industry': 'Government/Diplomacy',
                        'location': 'Pakistan',
                        'name': 'Pakistani government entities',
                        'type': 'Government'},
                       {'industry': 'Government/Diplomacy',
                        'location': 'China',
                        'name': 'Chinese government entities',
                        'type': 'Government'},
                       {'industry': 'Government/Diplomacy',
                        'location': 'South Korea',
                        'name': 'South Korean government entities',
                        'type': 'Government'}],
 'attack_vector': ['Spear-phishing', 'Malicious intrusions'],
 'data_breach': {'sensitivity_of_data': 'High',
                 'type_of_data_compromised': ['System data',
                                              'Sensitive information']},
 'description': 'More expansive cyberespionage campaigns have been launched by '
                'the advanced persistent threat operation Bitter, associated '
                'with the Indian government. The group, also known as TA397, '
                'APT-C-08, Orange Yali, and Hazy Tiger, deployed '
                'spear-phishing attacks impersonating Bangladeshi, Pakistani, '
                'Chinese, and South Korean governments and diplomatic '
                'entities, as well as malicious intrusions to deliver '
                'KugelBlitz and BDarkRAT payloads. The campaign involved '
                'multiple tools, including ArtraDownloader, WSCSPL backdoor, '
                'Almond RAT, MuuyDownloader trojans, ORPCBackdoor, and '
                'KiwiStealer information-stealing malware.',
 'impact': {'data_compromised': 'System data, sensitive information'},
 'motivation': 'Cyberespionage',
 'references': [{'source': 'The Hacker News'},
                {'source': 'Proofpoint and Threatray joint analysis'},
                {'source': 'Knownsec 404 Team'}],
 'threat_actor': 'Bitter (TA397, APT-C-08, Orange Yali, Hazy Tiger)',
 'title': 'Bitter APT Cyberespionage Campaigns',
 'type': 'Cyberespionage'}