>samit_hota
Back to adversary profiles
G1002HighActive

BITTER (G1002): An Enduring South Asian Cyber Espionage Threat

Samit Hota·
Suspected Origin
Suspected South Asian (India-nexus)
Motivation
Espionage, Information Theft, Intelligence Gathering
Aliases
T-APT-17
Target Sectors
Government, Energy, Engineering, Military, Telecommunications, NGOs, Research Institutes, Civil Society
Associated Malware
ZxxZ, ArtraDownloader, Keylogger, WSCSPL Backdoor, MuuyDownloader, KugelBlitz, BDarkRAT, wmRAT, MiyaRAT, ProSpy, ToSpy, BitterRAT, Dracarys, OLMAPI32.dll
#threat-actor#g1002

Overview

BITTER (G1002), also tracked as T-APT-17 and APT-C-08, is a sophisticated cyber espionage threat group that has been actively conducting operations since at least 2013. Initially noted for its suspected South Asian origin, recent comprehensive analyses by Proofpoint, Threatray, and Lookout have strongly indicated ties to the Indian government, suggesting a state-backed hacking group tasked with intelligence gathering aligned with Indian interests.

The group’s primary motivation is cyber espionage and the exfiltration of sensitive information. BITTER has consistently targeted government, energy, and engineering organizations across South Asia, including Pakistan, China, Bangladesh, and Saudi Arabia. Its geographic scope has expanded to include Middle Eastern countries like the UAE, Egypt, and Lebanon, and broader EMEA (Europe, Middle East, and Africa) and APAC (Asia-Pacific) regions, sometimes targeting civil society figures such as journalists. BITTER is known for its versatility, developing malware for both mobile and desktop platforms.

Tactics & Techniques

BITTER predominantly relies on spear-phishing as its initial access vector, often employing highly targeted emails with malicious attachments. These lures frequently impersonate legitimate government, diplomatic entities, or organizations, and can contain weaponized RTF documents, Microsoft Excel spreadsheets, CHM files, or custom .xlam files designed to exploit known vulnerabilities. The group has also used shortened URLs distributed via SMS, WhatsApp, and social media platforms to deliver malicious applications.

Once a malicious document is opened, BITTER exploits various Microsoft Office vulnerabilities, including CVE-2012-0158, CVE-2017-11882, CVE-2018-0798, and CVE-2018-0802, often leveraging the Equation Editor application to run embedded objects containing shellcode. They have also been observed exploiting CVE-2021-1732 for privilege escalation. More recently, BITTER has exploited unpatched WinRAR security issues via illicit RAR archives.

For persistence, the group commonly creates scheduled tasks that activate periodically, allowing for regular communication with command and control (C2) servers and the download of additional payloads. Malware is often disguised as legitimate Windows security update services to evade detection. BITTER utilizes domain fronting by registering a variety of domains to host malicious payloads and for C2, often employing DDNS and encrypting their C2 communications over TCP or HTTP POST requests. Their custom OLMAPI32.dll malware even uses RPC for server interaction. The group has shown an ability to selectively deliver subsequent payloads to “interested victims” by tracking victim information and establishing corresponding directories, hindering analysis by researchers. They engage in hands-on-keyboard activity for further host enumeration and deployment of additional tools.

Notable Campaigns

BITTER’s operational history stretches back to at least November 2013, with early campaigns primarily targeting Pakistan and China, and later expanding to Saudi Arabia by 2018.

In 2021, QiAnXin Threat Intelligence Center highlighted “Operation Magichm,” which involved the group’s consistent use of malicious CHM files for delivery. From August 2021, Cisco Talos observed an ongoing campaign targeting Bangladeshi government entities, including high-ranking officers of the Rapid Action Battalion (RAB) police unit, utilizing a new trojan named “ZxxZ”. Early 2021 also saw BITTER exploiting a Windows kernel zero-day, CVE-2021-1732, for privilege escalation.

More recently, on February 1, 2024, NSFOCUS reported a spear-phishing attack by BITTER against a Chinese government agency, using CHM attachments to create scheduled tasks and exfiltrate data. In June 2025, Proofpoint and Threatray detailed extensive cyber espionage campaigns, noting BITTER’s impersonation of Bangladeshi, Pakistani, Chinese, and South Korean government and diplomatic entities to deliver payloads like KugelBlitz and BDarkRAT.

A significant shift was observed in a campaign active from 2023 to 2025, revealed by Access Now and Lookout in April 2026. This campaign showed BITTER’s likely involvement in “hack-for-hire” operations targeting civil society figures, including prominent journalists, and potentially government officials in Middle Eastern countries like Egypt, Lebanon, and the UAE, using Android spyware such as ProSpy and ToSpy. In October 2025, Qianxin Threat Intelligence Centre identified novel tactics involving custom Microsoft Office .xlam files and illicit RAR archives that exploited WinRAR vulnerabilities to deploy a C# backdoor, targeting government, military, and power utility entities in China and Pakistan. As of July 2026, BITTER has been linked to multi-group espionage campaigns using lures related to Pakistani law enforcement, some sharing infrastructure with other India-nexus adversaries.

Associated Malware & Tools

BITTER has developed and continuously updated a diverse toolkit of custom malware and also incorporates readily available tools. Key custom malware families and tools associated with the group include:

  • ZxxZ / MuuyDownloader: A trojan that masquerades as a Windows Security update service, allowing remote code execution and the download of additional malware.
  • ArtraDownloader: A C++ downloader used to collect system information and download/execute remote files via HTTP requests.
  • Keylogger: A C++ module specifically designed to record keystrokes and clipboard content.
  • WSCSPL Backdoor: Delivered via ArtraDownloader, it collects machine information, executes remote instructions, and facilitates file download/execution.
  • KugelBlitz & BDarkRAT: Additional payloads, with BDarkRAT being a .NET trojan for system information gathering, shell command execution, and file management.
  • wmRAT & MiyaRAT: WmRAT is a legacy remote access trojan (RAT) for system data collection and file exfiltration, while MiyaRAT is a newer, more sophisticated RAT with advanced encryption and reverse shell capabilities.
  • ProSpy / ToSpy: Android spyware used in recent campaigns, capable of accessing and extracting files, contacts, SMS messages, geolocation, and enabling device microphones and cameras.
  • BitterRAT & Dracarys: Earlier RATs used by the group.
  • OLMAPI32.dll: A malicious DLL that uses RPC for server interaction, often loaded via a “white-and-black loading mechanism” employing legitimate Microsoft-signed programs like cnfnot32.exe.

In addition to its custom tools, BITTER has also been observed utilizing legitimate utilities like PuTTY in its operations.

Current Status

BITTER remains a highly active and evolving threat, continuously adapting its tactics, techniques, and procedures (TTPs). The group has shown a consistent operational tempo with activity observed as recently as July 2026, including links to multi-group espionage campaigns. Its focus continues to be cyber espionage against critical sectors such as government, military, and energy, with an expanding geographical reach beyond its traditional South Asian targets into the Middle East and broader APAC/EMEA regions. The demonstrated shift towards “hack-for-hire” operations and targeting civil society figures suggests an broadening of objectives or perhaps services offered. Organizations in BITTER’s target regions and sectors must maintain robust defensive postures, stay vigilant against sophisticated spear-phishing attempts, and ensure timely patching of systems, especially against known Microsoft Office and WinRAR vulnerabilities.

Worried this actor targets your sector?

Let's map your exposure before they find it themselves.

Book an advisory call