BITTER is a suspected South Asian cyber espionage threat group that has been active since at least 2013. BITTER has targeted government, energy, and engineering organizations in Pakistan, China, Bangladesh, and Saudi Arabia.[1][2]

ID: G1002
Associated Groups: T-APT-17
Version: 1.1
Created: 01 June 2022
Last Modified: 11 April 2024

Associated Group Descriptions

Name Description


Techniques Used

Domain ID Name Use
Enterprise T1583 .001 Acquire Infrastructure: Domains

BITTER has registered a variety of domains to host malicious payloads and for C2.[2]

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

BITTER has used HTTP POST requests for C2.[1][2]

Enterprise T1568 Dynamic Resolution

BITTER has used DDNS for C2 communications.[2]

Enterprise T1573 Encrypted Channel

BITTER has encrypted their C2 communications.[2]

Enterprise T1203 Exploitation for Client Execution

BITTER has exploited Microsoft Office vulnerabilities CVE-2012-0158, CVE-2017-11882, CVE-2018-0798, and CVE-2018-0802.[1][2]

Enterprise T1068 Exploitation for Privilege Escalation

BITTER has exploited CVE-2021-1732 for privilege escalation.[3][4]

Enterprise T1105 Ingress Tool Transfer

BITTER has downloaded additional malware and tools onto a compromised host.[1][2]

Enterprise T1559 .002 Inter-Process Communication: Dynamic Data Exchange

BITTER has executed OLE objects using Microsoft Equation Editor to download and run malicious payloads.[1]

Enterprise T1036 .004 Masquerading: Masquerade Task or Service

BITTER has disguised malware as a Windows Security update service.[1]

Enterprise T1095 Non-Application Layer Protocol

BITTER has used TCP for C2 communications.[2]

Enterprise T1027 .013 Obfuscated Files or Information: Encrypted/Encoded File

BITTER has used a RAR SFX dropper to deliver malware.[2]

Enterprise T1588 .002 Obtain Capabilities: Tool

BITTER has obtained tools such as PuTTY for use in their operations.[2]

Enterprise T1566 .001 Phishing: Spearphishing Attachment

BITTER has sent spearphishing emails with a malicious RTF document or Excel spreadsheet.[1][2]

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

BITTER has used scheduled tasks for persistence and execution.[1]

Enterprise T1608 .001 Stage Capabilities: Upload Malware

BITTER has registered domains to stage payloads.[2]

Enterprise T1204 .002 User Execution: Malicious File

BITTER has attempted to lure victims into opening malicious attachments delivered via spearphishing.[1][2]

Mobile T1660 Phishing

BITTER has delivered malicious applications to victims via shortened URLs distributed through SMS, WhatsApp, and various social media platforms.[5]