{
	"id": "b5a8a545-34dd-4bbc-bb26-f3388f7034cb",
	"created_at": "2026-04-06T00:13:22.336997Z",
	"updated_at": "2026-04-10T13:13:04.737179Z",
	"deleted_at": null,
	"sha1_hash": "279c17b69962a16f5377cf1ebb9e47744b6c1568",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 63397,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 18:29:40 UTC\n APT group: Bitter\nNames\nBitter (Forcepoint)\nT-APT-17 (Tencent)\nTA397 (Proofpoint)\nG1002 (MITRE)\nCountry [South Asia]\nMotivation Information theft and espionage\nFirst seen 2013\nDescription\n(Forcepoint) Forcepoint Security Labs recently encountered a strain of attacks that\nappear to target Pakistani nationals. We named the attack “BITTER” based on the\nnetwork communication header used by the latest variant of remote access tool\n(RAT) used.\nOur investigation indicates that the campaign has existed since at least November\n2013 but has remained active until today.\nObserved\nSectors: Energy, Engineering, Government.\nCountries: Bangladesh, China, India, Pakistan, Saudi Arabia.\nTools used ArtraDownloader, BitterRAT, Dracarys.\nOperations performed\nNov 2013\nSpear-phishing emails are used to target prospective BITTER victims.\nThe campaign predominantly used the older, relatively popular\nMicrosoft Office exploit, CVE-2012-0158, in order to download and\nexecute a RAT binary from a website.\nJun 2016\nRecently, 360 Threat Intelligence Center found a series of targeted\nattacks against Pakistan targets. Attacker exploited one vulnerability\n(CVE-2017-12824) of InPage to craft bait documents (.inp).\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=3566178c-4075-46be-bd5c-d4eccf7fa8c0\nPage 1 of 3\n\nSep 2018\nStarting in September 2018 and continuing through the beginning of\n2019, BITTER launched a wave of attacks targeting Pakistan and\nSaudi Arabia. This is the first reported instance of BITTER targeting\nSaudi Arabia. Details surrounding these attacks and the three\nArtraDownloader variants observed are described below.\nMay 2019\nThe Anomali Threat Research Team discovered a phishing site\nimpersonating a login page for the Ministry of Foreign Affairs of the\nPeople’s Republic of China email service.\nWhen visitors attempt to\nlogin to the fraudulent page, they are presented with a pop-up\nverification message asking users to close their windows and continue\nbrowsing.\nDec 2020\nWindows kernel zero-day exploit (CVE-2021-1732) is used by\nBITTER APT in targeted attack\nAug 2021\nCisco Talos has observed an ongoing malicious campaign since\nAugust 2021 from the Bitter APT group that appears to target users in\nBangladesh, a change from the attackers' usual victims.\nMay 2022\nBitter APT continues to target Bangladesh\nAug 2022\nBitter APT group using “Dracarys” Android Spyware\nApr 2023\nBitter Group Distributes CHM Malware to Chinese Organizations\nNov 2024\nHidden in Plain Sight: TA397’s New Attack Chain Delivers Espionage\nRATs\n\nInformation\nMITRE ATT\u0026CK Last change to this card: 16 August 2025\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=3566178c-4075-46be-bd5c-d4eccf7fa8c0",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=3566178c-4075-46be-bd5c-d4eccf7fa8c0"
	],
	"report_names": [
		"showcard.cgi?u=3566178c-4075-46be-bd5c-d4eccf7fa8c0"
	],
	"threat_actors": [
		{
			"id": "655f7d0b-7ea6-4950-b272-969ab7c27a4b",
			"created_at": "2022-10-27T08:27:13.133291Z",
			"updated_at": "2026-04-10T02:00:05.315213Z",
			"deleted_at": null,
			"main_name": "BITTER",
			"aliases": [
				"T-APT-17"
			],
			"source_name": "MITRE:BITTER",
			"tools": [
				"ZxxZ"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "acd789fa-d488-47f3-b9cc-fdb18b1fa375",
			"created_at": "2023-01-06T13:46:39.332092Z",
			"updated_at": "2026-04-10T02:00:03.290017Z",
			"deleted_at": null,
			"main_name": "HAZY TIGER",
			"aliases": [
				"T-APT-17",
				"APT-C-08",
				"Orange Yali",
				"TA397"
			],
			"source_name": "MISPGALAXY:HAZY TIGER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bf6cb670-bb69-473f-a220-97ac713fd081",
			"created_at": "2022-10-25T16:07:23.395205Z",
			"updated_at": "2026-04-10T02:00:04.578924Z",
			"deleted_at": null,
			"main_name": "Bitter",
			"aliases": [
				"G1002",
				"T-APT-17",
				"TA397"
			],
			"source_name": "ETDA:Bitter",
			"tools": [
				"Artra Downloader",
				"ArtraDownloader",
				"Bitter RAT",
				"BitterRAT",
				"Dracarys"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "86fd71d3-06dc-4b73-b038-cedea7b83bac",
			"created_at": "2022-10-25T16:07:23.330793Z",
			"updated_at": "2026-04-10T02:00:04.545236Z",
			"deleted_at": null,
			"main_name": "APT 17",
			"aliases": [
				"APT 17",
				"ATK 2",
				"Beijing Group",
				"Bronze Keystone",
				"Deputy Dog",
				"Elderwood",
				"Elderwood Gang",
				"G0025",
				"G0066",
				"Operation Aurora",
				"Operation DeputyDog",
				"Operation Ephemeral Hydra",
				"Operation RAT Cook",
				"SIG22",
				"Sneaky Panda",
				"TEMP.Avengers",
				"TG-8153",
				"Tailgater Team"
			],
			"source_name": "ETDA:APT 17",
			"tools": [
				"9002 RAT",
				"AGENT.ABQMR",
				"AGENT.AQUP.DROPPER",
				"AGENT.BMZA",
				"AGENT.GUNZ",
				"Agent.dhwf",
				"AngryRebel",
				"BlackCoffee",
				"Briba",
				"Chymine",
				"Comfoo",
				"Comfoo RAT",
				"Darkmoon",
				"DeputyDog",
				"Destroy RAT",
				"DestroyRAT",
				"Farfli",
				"Fexel",
				"Gen:Trojan.Heur.PT",
				"Gh0st RAT",
				"Ghost RAT",
				"Gresim",
				"HOMEUNIX",
				"HiKit",
				"HidraQ",
				"Homux",
				"Hydraq",
				"Jumpall",
				"Kaba",
				"Korplug",
				"Linfo",
				"MCRAT.A",
				"McRAT",
				"MdmBot",
				"Mdmbot.E",
				"Moudour",
				"Mydoor",
				"Naid",
				"Nerex",
				"PCRat",
				"PNGRAT",
				"Pasam",
				"PlugX",
				"Poison Ivy",
				"RedDelta",
				"Roarur",
				"SPIVY",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Trojan.Naid",
				"Vasport",
				"Wiarp",
				"Xamtrav",
				"Zox",
				"ZoxPNG",
				"ZoxRPC",
				"gresim",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434402,
	"ts_updated_at": 1775826784,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/279c17b69962a16f5377cf1ebb9e47744b6c1568.pdf",
		"text": "https://archive.orkl.eu/279c17b69962a16f5377cf1ebb9e47744b6c1568.txt",
		"img": "https://archive.orkl.eu/279c17b69962a16f5377cf1ebb9e47744b6c1568.jpg"
	}
}