
Bitter APT (Group G1002)

Aliases: T-APT-17
Type: Cyberespionage group
Target: Energy, Engineering Sectors, Government
Malware: ArtraDownloader, BitterRAT, Android RATs
Country: South Asia (suspected)

IoCs on Maltiverse

Maltiverse provides updated IoCs for easy SIEM/SOAR/Firewall/EDR integration.

Who is BITTER APT?

BITTER is a cyberespionage group active since 2013. It is believed to be from South Asia.

The group spies on high-value targets in Asia and the Middle East. Their goal is long-term intelligence gathering.

Common Tactics and Tools

BITTER’s main method for initial infection is spear-phishing. The group sends emails with malicious Microsoft Office attachments. These files exploit known software bugs, like CVE-2017-11882. When a user opens the document, it triggers a chain of events to install malware.

BITTER targets both Windows and Android devices.

  • ArtraDownloader: A first-stage downloader that is often delivered via the initial malicious document. It then downloads and installs stronger malware like BitterRAT.
  • BitterRAT: The group’s signature custom malware for Windows. This Remote Access Trojan (RAT) lets attackers execute commands, log keystrokes, and steal files.
  • Mobile malware: BITTER uses Android RATs, often disguised as secure chat applications. With these tools, they steal contacts, text messages, and call logs from mobile devices.

How to Defend Against BITTER APT

Defense against BITTER requires strong email security and hardened endpoints. This counters their main attack methods.

  • Enhance email security: Use advanced email gateways to scan and block malicious attachments. Focus on attachments that use known exploits.
  • Prioritize software patching: Keep software like Microsoft Office patched. This closes the security holes BITTER uses to get in.
  • Enforce mobile security policies: Use a device management tool to block app installations from untrusted stores.
  • Restrict malicious scripts: Use application control to block or monitor unnecessary scripts like PowerShell. Attackers often use these scripts to run malware after a compromise.
  • Manage your attack surface: Does your organization have compromised credentials or exposed email addresses? Know what your organization looks like from the outside. Use an attack surface management tool, like Lumu Discover, to find and fix these weak points before attackers do.
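As an added example (not part of this Lumu profile and not Lumu's own code), the following Python snippet applies the "monitor" half of the application-control advice above to the infection chain described under Common Tactics. It scans process-creation records for an Office application spawning a script interpreter such as PowerShell, and for any child process of EQNEDT32.EXE, the Equation Editor binary that CVE-2017-11882 targets. The key=value log format, field names and sample lines are assumptions constructed for this example.

```python
"""
Added detection example: Office-attachment infection chain seen through
process-creation events. Log format and field names are assumptions.
"""
import re
from dataclasses import dataclass

# Office applications that should rarely spawn a shell or script host
# during ordinary document editing.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Script hosts and shells the page recommends blocking or monitoring.
SCRIPT_HOSTS = {
    "powershell.exe", "pwsh.exe", "cmd.exe",
    "wscript.exe", "cscript.exe", "mshta.exe",
}

# Equation Editor is started out-of-process via DCOM, so its parent is normally
# svchost.exe rather than the Office application. Watch its children instead:
# a legitimate Equation Editor session spawns nothing.
EQUATION_EDITOR = "eqnedt32.exe"

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class Alert:
    ts: str
    host: str
    parent: str
    child: str
    reason: str


def parse_event(line: str) -> dict:
    """Parse one key=value record; quoted values may contain spaces."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(parent: str, child: str):
    """Return a reason string if the parent/child pair matches a rule, else None."""
    if parent == EQUATION_EDITOR:
        return "child of Equation Editor (CVE-2017-11882 exploitation pattern)"
    if parent in OFFICE_PARENTS and child in SCRIPT_HOSTS:
        return "Office application spawned a script host"
    return None


def detect(lines):
    """Run the two rules over an iterable of log lines and return Alerts."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventType") != "ProcessCreate":
            continue  # only process-creation events carry a parent/child pair
        parent = basename(ev.get("ParentImage", ""))
        child = basename(ev.get("Image", ""))
        reason = classify(parent, child)
        if reason:
            alerts.append(Alert(ev.get("UtcTime", ""), ev.get("Host", ""),
                                parent, child, reason))
    return alerts


# Constructed sample records (not real telemetry): a benign service start,
# an Equation Editor launch via DCOM, a shell spawned by Equation Editor,
# Word spawning PowerShell, a benign Notepad launch, and a non-process event.
SAMPLE_LOG = [
    'UtcTime=2024-05-01T09:12:03 Host=WS01 EventType=ProcessCreate Image="C:\\Windows\\System32\\svchost.exe" ParentImage="C:\\Windows\\System32\\services.exe"',
    'UtcTime=2024-05-01T09:12:10 Host=WS01 EventType=ProcessCreate Image="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE" ParentImage="C:\\Windows\\System32\\svchost.exe"',
    'UtcTime=2024-05-01T09:12:11 Host=WS01 EventType=ProcessCreate Image="C:\\Windows\\System32\\cmd.exe" ParentImage="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE"',
    'UtcTime=2024-05-01T09:15:40 Host=WS02 EventType=ProcessCreate Image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" ParentImage="C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"',
    'UtcTime=2024-05-01T09:16:02 Host=WS02 EventType=ProcessCreate Image="C:\\Windows\\System32\\notepad.exe" ParentImage="C:\\Windows\\explorer.exe"',
    'UtcTime=2024-05-01T09:16:30 Host=WS02 EventType=NetworkConnect Image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"',
]

if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"{a.ts} {a.host}: {a.parent} -> {a.child}: {a.reason}")
```

Only the third and fourth sample records trigger an alert; the Equation Editor launch itself is not flagged, because its parent is the DCOM host rather than Word, which is why the second rule keys on Equation Editor's children rather than its parent.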
