{
	"id": "b79262e0-c3d5-439c-911b-6b86e964f119",
	"created_at": "2026-04-06T00:16:09.897341Z",
	"updated_at": "2026-04-10T13:11:57.289427Z",
	"deleted_at": null,
	"sha1_hash": "17b7ad54a62f52e0a7eefd0507008543899b9f96",
	"title": "Suspected BITTER APT Continues Targeting Government of China and Chinese Organizations",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3018290,
	"plain_text": "Suspected BITTER APT Continues Targeting Government of China and\r\nChinese Organizations\r\nBy Anomali Threat Research\r\nPublished: 2025-12-18 · Archived: 2026-04-05 15:06:35 UTC\r\nAnomali discovered a phishing site impersonating a login page for the Ministry of Foreign Affairs of the People's Republic\r\nof China email service.\r\nThe Anomali Threat Research Team discovered a phishing site impersonating a login page for the Ministry of Foreign\r\nAffairs of the People's Republic of China email service. When visitors attempt to log in to the fraudulent page, they are\r\npresented with a pop-up verification message asking users to close their windows and continue browsing. Further analysis of\r\nthe threat actor’s infrastructure uncovered a broader phishing campaign targeting other government sites and state-owned\r\nenterprises in China. One of the domains uncovered during the investigation was identified by the Chinese security vendor\r\n“CERT 360” as being part of the “BITTER APT” campaign in May 2019. Anomali has identified further attempts by the\r\nactor to target the government. Based on the Let’s Encrypt certificate issuance date, we believe this campaign to be active\r\nfrom May 2019. We expect to see BITTER APT continuing to target the government of China by employing spoofed login\r\npages designed to steal user credentials and obtain access to privileged account information.\r\nInitial Discovery\r\nAnomali researchers identified a website designed to look like the Ministry of Foreign Affairs email login page. Further\r\ninvestigation revealed approximately 40 additional sites, all of which appear to be targeting the government of China and\r\nother organisations in China. All of the sites use Domain Validation (DV) certificates issued by “Let’s Encrypt”. 
The\r\nsubdomains appear to have similar naming conventions, primarily targeting online mail logins and containing a verification\r\nor account validation theme.\r\nhttps://www.anomali.com/blog/suspected-bitter-apt-continues-targeting-government-of-china-and-chinese-organizations#When:19:24:00Z\r\nPage 1 of 9\n\nPhishing Site Details\r\nThe screenshot below is the initial site that was discovered and investigated. The domain\r\n“btappclientsvc[.]net”, on which the sites are hosted, was registered on May 30, 2019.\r\nFigure 1 - Phishing site targeting Ministry of Foreign Affairs\r\nThe phishing site has been designed specifically to pose as the login page for the Ministry of Foreign Affairs\r\n(mail.mfa.gov.cn); it is possible the original page was cloned. Like the sites below, and in line with the subdomains\r\nidentified in this campaign, the phishing site appears to be designed to steal Ministry of Foreign Affairs (MFA) email\r\ncredentials. Once users input their credentials they are greeted with the message in Figure 2.\r\nFigure 2 - Message after user/victim logs into the site\r\nFigure 3 - Phishing site targeting the China National Aero-Technology Import \u0026 Export Corporation (CATIC)\r\nFigure 3 shows the spoof site designed to look like the China National Aero-Technology Import and Export Corporation\r\n(CATIC). 
CATIC is a state-owned enterprise that deals with aviation products and supports the military and\r\ncommercial industries.\r\nFigure 4 - Phishing site targeting the National Development and Reform Commission (NDRC)\r\nThe National Development and Reform Commission’s (NDRC) primary objective is to formulate and implement strategies\r\nof national economic and social development.\r\nFigure 5 - Phishing site targeting the Ministry of Commerce of the People’s Republic of China (MOFCOM)\r\nThe phishing site, displayed in Figure 5, is being distributed through the use of the URL shortener “TinyURL”. The URL\r\n“tinyurl[.]com/y4nvpj56” redirects to the URL\r\nwebmail.mofcom.gov.cn.accountverify.validation8u2904.jsbchkufd546.nxjkgdgfhh345s.fghese4.ncdjkbfkjh244e.nckjdbcj86hty1.cdjcksdcuh57hgy43.njkd\r\nThe Ministry of Commerce of the People’s Republic of China is responsible for cabinet-level policies on foreign trade. This\r\nincludes import and export decisions, market competition, and trade negotiations.\r\nThreat Infrastructure Analysis\r\nDuring our analysis, we identified six domains and over 40 subdomains impersonating the following:\r\nFour People’s Republic of China (PRC) government agencies\r\nSix state-owned enterprises\r\nOne Hong Kong-based auction house\r\nTwo email service providers (NetEase Inc. and Gmail)\r\nOf note, each subdomain impersonation contains a similar naming structure, which could be indicative of the same threat\r\nactor or group being involved in this latest phishing campaign. The following highlights the naming similarities:\r\nA random sequence of letters and numbers\r\nEnding with the malicious domain name\r\nOne or two additional “l” characters added to the word “mail”, e.g. 
“maill” or “mailll”\r\nThe use of the target’s legitimate domain name\r\nVariations of the words “accountvalidation” and “verify”\r\nThe sections below provide further details on each of the malicious domains:\r\nDomain 1 - btappclientsvc[.]net\r\nThe domain btappclientsvc[.]net was registered on May 30, 2019 with Registrar Internet Domain Service BS Corp. to a\r\nRegistrant Organization named IceNetworks Ltd. A privacy protection service was used for the registration to keep the\r\nregistrant details private. Based on the Start of Authority (SOA) record, this domain is associated with the email address\r\nreports@orangewebsite[.]com, which in turn is associated with the Icelandic web hosting, VPS and dedicated server provider\r\nnamed OrangeWebsite.\r\nThe domain is hosted on Iceland-based IP address 82.221.129[.]17 and assigned to the organization Advania Island ehf\r\n(AS50613).\r\nDuring the past twelve months this IP was observed hosting phishing websites masquerading as organisations in various\r\nsectors including:\r\nFinance (Barclays, Credit Suisse, Keytrade Bank)\r\nPayment processing (PayPal)\r\nCryptocurrency (Bittrex)\r\nThe server hosting the domain btappclientsvc[.]net has a Let’s Encrypt-issued SSL/TLS certificate (SN:\r\n308431922980607599428388630560406258271383) installed with a validity period of 90 days from July 30, 2019 to\r\nOctober 28, 2019. 
Based on the certificate’s Subject Alternative Name (SAN), there were four distinct subdomains created\r\nto impersonate two People’s Republic of China (PRC) government agencies and one state-owned defense company:\r\nChina National Aero-Technology Import \u0026 Export Corporation (CATIC), a defense industry state-owned enterprise\r\nMinistry of Foreign Affairs of the People's Republic of China (MFA)\r\nThe National Development and Reform Commission, People's Republic of China (NDRC), a macroeconomic\r\nmanagement agency under the State Council\r\nThe figure below represents the fraudulent subdomains created to impersonate the PRC organizations and leveraged to\r\nmount a phishing campaign:\r\nFigure 6 - The three main targets for the domain created May 30th 2019 (CATIC, MFA \u0026 NDRC)\r\nDomain 2 - v3solutions4all[.]com\r\nSimilar to the first domain, v3solutions4all[.]com was also registered with Registrar Internet Domain Service BS Corp. on\r\nDecember 28, 2018 and is associated with Registrant Organization Icenetworks Ltd. 
Again, the SOA record reveals the use\r\nof the same Icelandic web hosting provider OrangeWebsite and email address reports@orangewebsite[.]com.\r\nThe domain v3solutions4all[.]com resolves to Iceland-based IP address 82.221.129[.]19 (AS50613 - Advania Island ehf).\r\nThis domain and IP address have been previously associated with the BITTER APT and with phishing attacks targeting\r\ngovernment agencies in China, based on reporting from 360-CERT.\r\nThe server hosting the domain v3solutions4all[.]com has installed a Let’s Encrypt-issued SSL/TLS certificate (SN:\r\n284039852848324733535582218696705431782795) with a validity period of 90 days from April 29, 2019 to July 28, 2019.\r\nBased on the certificate’s Subject Alternative Name (SAN), there were nine distinct subdomains created to impersonate one\r\nPRC government agency and two state-owned defense companies:\r\nMinistry of Foreign Affairs of the People's Republic of China (MFA)\r\nChina National Aero-Technology Import \u0026 Export Corporation (CATIC)\r\nChina National Electronics Import \u0026 Export Corporation (CEIEC), a state-owned enterprise directed by the Central\r\nGovernment of China to implement international cooperation in critical areas of national security and economic\r\ndevelopment\r\nThe figure below represents the fraudulent subdomains created to impersonate PRC organizations and leveraged to mount a\r\nphishing campaign:\r\nFigure 7 - The three main targets for the domain created December 28th 2018 (CATIC, CEIEC and MFA)\r\nDomain 3 - winmanagerservice[.]org\r\nThe domain winmanagerservice[.]org was registered on February 20, 2019 with Registrar OnlineNIC Inc. and is associated\r\nwith Registrant Organization International Widespread Services Limited. 
The domain name is likely a reference to Windows\r\nService Manager, which is a single point of administration for managing various aspects of Windows services; however, the\r\nsignificance of the chosen name is unclear.\r\nThe domain is hosted on 94.156.175[.]61 (AS206776 - Histate Global Corp.), located in Sofia, Bulgaria, and is also the host\r\nfor 105 suspicious-looking domains. Based on the domain’s SOA record, it was associated with Gmail account\r\ntechslogonserver{at}gmail[.]com from February 22, 2019 to May 13, 2019. This email is associated with one registrar from\r\n2016 who has an address in India (see Appendix A). The domain’s name server (NS) record shows that it is assigned to name\r\nservers dns11.warez-host.com and dns12.warez-host.com, which are also servers used for suspicious and malicious sites.\r\nThe server hosting the domain winmanagerservice[.]org has installed a Let’s Encrypt-issued SSL/TLS certificate (SN:\r\n262081132907426754038710300383315550862850) with a validity period of 90 days from April 23, 2019 to July 22, 2019.\r\nBased on the certificate’s Subject Alternative Name (SAN), there were nine distinct subdomains created to impersonate five\r\nunique PRC organizations:\r\nMinistry of Foreign Affairs of the People's Republic of China (MFA)\r\nChina National Aero-Technology Import \u0026 Export Corporation (CATIC)\r\nNetEase services: 126.com and 163.com\r\nPoly Auction Hong Kong Ltd., an auction house located in Hong Kong\r\nThe graphic below represents the fraudulent subdomains leveraged to mount a phishing campaign:\r\nFigure 8 - 
The main targets for domain created February 20th 2019 (Polyauction house, MFA, CATIC, 163 and 126)\r\nDomain 4 - winmanagerservice[.]net\r\nThe domain winmanagerservice[.]net was registered on November 20, 2018 with Registrar NetEarth One Inc. using GDPR\r\nmasking to conceal the registrant’s information. At the time of this report, the domain did not resolve to an IP address;\r\nhowever, it is assigned to two name servers: ns1.bitcoin-dns[.]com and ns2.bitcoin-dns[.]com. These servers also function as\r\nthe name servers for a variety of malicious activities such as phishing, malware hosting and distribution, and carding shops.\r\nAn interesting subdomain created by the threat actor or group impersonates the State-owned Assets Supervision and\r\nAdministration Commission of the State Council (SASAC):\r\nmaill[.]sasac[.]gov[.]cn[.]accountverify.validation8u6453.jsbch876452.nxjkgdg096574.fghe5392.ncdjkbfkj873e65.nckjdbcj86hty1.cdjcksdcuh57hg\r\nAt the time of analysis, we were unable to retrieve a SASAC-themed phishing page but did find a historical screenshot taken\r\non November 20, 2018 of an open directory hosted at that contained a single CGI-bin folder.\r\nFigure 9 - Screenshot of malicious domain winmanagerservice[.]net from 2018\r\nA historical IP address resolution search of winmanagerservice[.]net identified that it resolved to United States-based IP address\r\n162.222.215[.]96 (AS54020 - Admo.net LLC) from November 20, 2018 until February 22, 2019. This same search\r\nuncovered a historical Sender Policy Framework (SPF) record that specified United States-based IP address 162.222.215[.]2\r\n(AS8100 - QuadraNet Enterprises LLC) as authorized to send email traffic on behalf of winmanagerservice[.]net from\r\nDecember 10, 2018 to February 22, 2019.\r\nDomain 5 - cdaxpropsvc[.]net\r\nThe domain cdaxpropsvc[.]net was registered with Registrar OnlineNIC Inc. on March 21, 2019. 
It is associated with a\r\nUAE-based Registrant IWS Ltd of Registrant Organization International Widespread Services Limited using Registrant\r\nEmail info{at}iws[.]co. A reverse Whois lookup of this registrant email uncovered 122 domains created using this address,\r\ndating back to June 08, 2014 and as recently as August 1, 2019.\r\nThe domain is hosted on 94.156.175[.]61, located in Sofia, Bulgaria, and is also the host for 105 suspicious-looking\r\ndomains. Based on the domain’s SOA record, it has been associated with Gmail account techslogonserver{at}gmail[.]com since\r\nMarch 22, 2019 and is assigned to name servers dns11.warez-host.com and dns12.warez-host.com.\r\nAccording to historical SSL/TLS certificates for the server hosting the domain cdaxpropsvc[.]net, we found 12 subdomain\r\nimpersonations targeting four defense sector state-owned enterprises and the free email service providers NetEase and Gmail.\r\nAt the time of analysis, the subdomains did not host a website; however, based on the threat actor or group’s targeting\r\npatterns, it is highly likely that they were created to host faux login phishing pages designed to steal users’ credentials.\r\nChina National Aero-Technology Import \u0026 Export Corporation (CATIC)\r\nChina Great Wall Industry Corporation (CGWIC), the sole commercial organization authorized by the government of\r\nChina to provide commercial launch services and satellite systems and to carry out space technology cooperation\r\nChina National Nuclear Corporation (CNNC), a state-owned enterprise that generates and distributes nuclear power\r\nproducts and operates nuclear environmental engineering construction, nuclear military development, and other\r\nbusinesses\r\nChina Zhongyuan Engineering Corp (CZEC), which contracts and constructs international nuclear engineering and civil\r\nengineering projects\r\nNetEase, Inc. 
service 163.com\r\nGmail\r\nThe figure below represents the fraudulent subdomains created to impersonate these organizations and leveraged to mount a\r\nphishing campaign:\r\nFigure 10 - The main targets for domain created March 21st 2019 (CATIC, CGWIC, CNNC, CZEC, 163 and Gmail)\r\nDomain 6 - wangluojiumingjingli[.]org\r\nWhen investigating the IP address 82.221.129[.]18 and the domain wangluojiumingjingli[.]org, we found two subdomain\r\nimpersonations targeting government organisations in China: the Ministry of Commerce of the People's Republic of China\r\n(MOFCOM) and the Aviation Industry Corporation of China (AVIC). At the time of analysis, the aviation subdomain did not\r\nhost a website; however, based on the threat actor or group’s targeting patterns, it is highly likely that it was created to\r\nhost a faux login phishing page designed to steal users’ credentials. There was a screenshot of the spoof site targeting the\r\nMinistry of Commerce showing a faux email login page.\r\nFigure 11 - The main targets for domain created April 2019 (MOFCOM and AVIC)\r\nThree of the domains were hosted on the same hosting provider, orangewebsite.com. This hosting provider is based in\r\nIceland and has particularly strong protocols for digital privacy and little to no internet censorship. 
The hosting provider also\r\naccepts Bitcoin as a payment method, which is likely the reason it is attractive for malicious use.\r\nSummary\r\nAs part of its ongoing research initiatives, the Anomali Threat Research Team has discovered a new phishing attack\r\nleveraging spoof sites that seem to be designed to steal email credentials from the target victims within the government of\r\nthe People’s Republic of China. By stealing email credentials and accessing internal email content, it would be possible to\r\ngain insight into what decisions are being made within the target organisation, and this could lead to the theft of sensitive\r\ninformation. Although it is difficult to pinpoint the exact motivation of the attacker, it is highly likely that this campaign\r\npursues some form of espionage. The victims of these campaigns are the members of staff of the organisations being\r\ntargeted. Most of the organisations being phished in these campaigns relate to economic trade, defence, aviation and foreign\r\nrelations. This suggests that the attackers are likely to be an actor or group operating under a mandate to understand what\r\nChina’s goals and decisions are likely to be internationally. “CERT 360” has reported on related indicators being attributed\r\nto BITTER APT, an actor associated with a South Asian country (suspected to be an Indian APT in open-source reporting).\r\nHistorically, BITTER APT campaigns have primarily targeted China, Pakistan and Saudi Arabia.\r\nReferences\r\n360CERT. (24 May 2019). Suspected BITTER organization's recent analysis of targeted attacks against China and\r\nPakistan. Retrieved on 02 August 2019\r\nCensys.io. (31 July 2019). TLS Certificate for btappclientsvc[.]net. Retrieved on 02 August 2019\r\nCensys.io. (29 April 2019). TLS Certificate for v3solutions4all[.]com. Retrieved on 02 August 2019\r\nCensys.io. (23 April 2019). TLS Certificate for winmanagerservice[.]org. Retrieved on 02 August 2019\r\nCensys.io. (22 July 2019). 
TLS Certificate for cdaxpropsvc[.]net. Retrieved on 02 August 2019\r\nCensys.io. (22 May 2019). TLS Certificate for cdaxpropsvc[.]net. Retrieved on 02 August 2019\r\nURLScan.io. (31 July 2019). Domain search on btappclientsvc[.]net. Retrieved on 02 August 2019\r\nURLScan.io. (08 January 2019). Domain search on v3solutions4all[.]com. Retrieved on 02 August 2019\r\nURLScan.io. (23 April 2019). Domain search on winmanagerservice[.]org. Retrieved on 02 August 2019\r\nURLScan.io. (12 June 2019). Open directory for www[.]gmailuserverifyservice.cdaxpropsvc[.]net. Retrieved on 02\r\nAugust 2019\r\nAppendix A – Indicators of Compromise\r\nIndicator of Compromise\r\n82.221.129[.]17\r\n82.221.129[.]18\r\n82.221.129[.]19\r\n94.156.175[.]61\r\nbtappclientsvc[.]net\r\nwinmanagerservice[.]org\r\nwinmanagerservice[.]net\r\nv3solutions4all[.]com\r\ncdaxpropsvc[.]net\r\nwangluojiumingjingli[.]org\r\nmail.btappclientsvc.net\r\nmaill.catic.cn.accountvalidation.verifay.ysfts69887tgyu67tg6r.com.btappclientsvc.net\r\nmaill.ndrc.gov.cn.accountvalidation.verifay.vhj876uh786uy687.com.btappclientsvc.net\r\nmailll.mfa.gov.cn.accountvalidation.verifay.jk78huy688h67kjg7it8.com.btappclientsvc.net\r\nmail.v3solutions4all.com\r\nmaill.catic.cn.accountverify.validation8u2745.v3solutions4all.com\r\nmaill.ceiec.cn.accountverify.validation7h8k97hnku0j.com.v3solutions4all.com\r\nmaill.mfa.gov.cn.accountverify.validationgyy837rgyud2378rry.com.v3solutions4all.com\r\nmail.winmanagerservice.org\r\nmaill.126.com.cn.accountvalidation.vj65rfy785ru76.com.winmanagerservice.org\r\nmaill.163.com.cn.accountvalidation.bh34567gh67.com.winmanagerservice.org\r\nmaill.catic.cn.accountverify.validation567fg57f58g6.com.winmanagerservice.org\r\nmaill.mfa.gov.cn.accountverify.validation8u77654.winmanagerservice.org\r\nmaill.polyauction.com.accountvalidation.security.jjh98iukhuj78.com.winmanagerservice.org\r\nmaill.mfa.gov.cn.accountverify.validation8u77654.winmanagerservice[.]org\r\nwebmail.avic.com.accountverify.validation8u7329.jsbchk82056.nxjkgdgf34523.fghe5103.ncdjkbfkjh5674e.nckjdbcj86hty1.cdjcksdcuh57hgy43.njkd75\r\nwebmail.mofcom.gov.cn.accountverify.validation8u2904.jsbchkufd546.nxjkgdgfhh345s.fghese4.ncdjkbfkjh244e.nckjdbcj86hty1.cdjcksdcuh57hgy43.nj\r\nmaill.sasac.gov.cn.accountverify.validation8u6453.jsbch876452.nxjkgdg096574.fghe5392.ncdjkbfkj873e65.nckjdbcj86hty1.cdjcksdcuh57hgy43.njkd87\r\nmaill.catic.cn.accountvalidation.verifay783g677hui.com.cdaxpropsvc.net\r\nmaill.cgwic.com.accountvalidation.verifay765hgy87.com.cdaxpropsvc.net\r\nmaill.cnnc.com.cn.accountvalidation.verifay2367bdg56.com.cdaxpropsvc.net\r\nmaill.czec.com.cn.accountvalidation.verifay728gh4dgy6378et6.com.cdaxpropsvc.net\r\nmaill.163.com.accountvalidation.verifay768ht7u6h.com.cdaxpropsvc.net\r\n325ece940de9fb486ef83b680ad00d385b64e435923d1bbc19cbcf33e220c2a2\r\n6a10a699f0ef084f5070968ae3cc35075990778bf82dca7e0477eeaebbee4eb1\r\n5538badac0221b42f457920802b23ebd8ccf2c64b1fb827cd6458a7f9de2c6de\r\n940a1bd16be51cd264ee7e315841b8aa0b0b86d3392d4d08ca00151f01a5cd28\r\n823f85eb6d3465145bb34e570b870e39001c4ec61f7ca325f88a23edee75654f\r\nf456f2a2802242e1404ef9a586366820c4bd7f7f3b113209d56fc34dee2d75bf\r\n7bc4f48a4345f4a47dabbf686a714d3e4c9af9d9f26e73ca873f54a4f164b732\r\ntechslogonserver[a]gmail[.]com\r\nSource: https://www.anomali.com/blog/suspected-bitter-apt-continues-targeting-government-of-china-and-chinese-organizations#When:19:24:00Z",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.anomali.com/blog/suspected-bitter-apt-continues-targeting-government-of-china-and-chinese-organizations#When:19:24:00Z"
	],
	"report_names": [
		"suspected-bitter-apt-continues-targeting-government-of-china-and-chinese-organizations#When:19:24:00Z"
	],
	"threat_actors": [
		{
			"id": "655f7d0b-7ea6-4950-b272-969ab7c27a4b",
			"created_at": "2022-10-27T08:27:13.133291Z",
			"updated_at": "2026-04-10T02:00:05.315213Z",
			"deleted_at": null,
			"main_name": "BITTER",
			"aliases": [
				"T-APT-17"
			],
			"source_name": "MITRE:BITTER",
			"tools": [
				"ZxxZ"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "bf6cb670-bb69-473f-a220-97ac713fd081",
			"created_at": "2022-10-25T16:07:23.395205Z",
			"updated_at": "2026-04-10T02:00:04.578924Z",
			"deleted_at": null,
			"main_name": "Bitter",
			"aliases": [
				"G1002",
				"T-APT-17",
				"TA397"
			],
			"source_name": "ETDA:Bitter",
			"tools": [
				"Artra Downloader",
				"ArtraDownloader",
				"Bitter RAT",
				"BitterRAT",
				"Dracarys"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434569,
	"ts_updated_at": 1775826717,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/17b7ad54a62f52e0a7eefd0507008543899b9f96.pdf",
		"text": "https://archive.orkl.eu/17b7ad54a62f52e0a7eefd0507008543899b9f96.txt",
		"img": "https://archive.orkl.eu/17b7ad54a62f52e0a7eefd0507008543899b9f96.jpg"
	}
}