
Threat Group Cards: A Threat Actor Encyclopedia

APT group: Bitter

Names: Bitter (Forcepoint); T-APT-17 (Tencent)
Country: [South Asia]
Motivation: Information theft and espionage
First seen: 2013

Description: (Forcepoint) Forcepoint Security Labs recently encountered a strain of attacks that appear to target Pakistani nationals. We named the attack “BITTER” based on the network communication header used by the latest variant of remote access tool (RAT) used.

Our investigation indicates that the campaign has existed since at least November 2013 but has remained active until today.

Observed:
Sectors: Energy, Engineering, Government.
Countries: China, Pakistan, Saudi Arabia.

Tools used: ArtraDownloader, BitterRAT.

Operations performed:
Nov 2013: Spear-phishing emails are used to target prospective BITTER victims. The campaign predominantly used the older, relatively popular Microsoft Office exploit, CVE-2012-0158, in order to download and execute a RAT binary from a website.
Jun 2016: Recently, 360 Threat Intelligence Center found a series of targeted attacks against Pakistan targets. The attacker exploited one vulnerability (CVE-2017-12824) of InPage to craft bait documents (.inp).
Sep 2018: Starting in September 2018 and continuing through the beginning of 2019, BITTER launched a wave of attacks targeting Pakistan and Saudi Arabia. This is the first reported instance of BITTER targeting Saudi Arabia. Details surrounding these attacks and the three ArtraDownloader variants observed are described below.
May 2019: The Anomali Threat Research Team discovered a phishing site impersonating a login page for the Ministry of Foreign Affairs of the People’s Republic of China email service. When visitors attempt to log in to the fraudulent page, they are presented with a pop-up verification message asking users to close their windows and continue browsing.

Last change to this card: 01 May 2020

Thailand Computer Emergency Response Team (ThaiCERT)
Electronic Transactions Development Agency