{
	"id": "75b5747b-3ab1-4d9e-88d7-cd08d106cb4d",
	"created_at": "2026-04-06T00:08:56.825741Z",
	"updated_at": "2026-04-10T13:11:39.952107Z",
	"deleted_at": null,
	"sha1_hash": "46d2e6de15b3362ecdf293e2356bb68d6e1fd643",
	"title": "奇安信威胁情报中心",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 984134,
	"plain_text": "奇安信威胁情报中心\r\nArchived: 2026-04-05 22:50:15 UTC\r\nOverview\r\nQiAnXin Threat Intelligence Center has been continuously tracking numerous APT attack collections in the South Asia direction and has published several systematic technical reports: Operation Magichm[1], Operation Angi[2], Operation Tejas[3], etc. The tactics of these groups have hardly changed from 2019 to the present, and the technical ceiling of their attacks is low, but their wide-net phishing can still affect government and enterprise customers to a certain extent.\r\nEvading antivirus detection has always been the primary struggle for the Bitter group (APT-Q-37). Setting aside the outdated initial attack payloads such as chm and lnk, the subsequently delivered wmRAT and .NET Trojans have characteristics that are very difficult to get past detection and removal, so this year the attackers have tried a variety of methods: in June, loading the Havoc framework through PowerShell; in July, directly delivering the steganography plugin that had been in use in 2018, with an unsatisfactory result; and finally distributing a brand-new Trojan, MiyaRat, in September. 
It was still successfully captured by us.\r\nWe recommend that our clients deploy QAX Endpoint Detection and Response (EDR) in both the office area and the server area; with the cloud checking function enabled, it can discover and block generic threats such as chm and lnk.\r\nMiyaRat Directive Analysis\r\nhttps://ti.qianxin.com/blog/articles/bitter-group-launches-new-trojan-miyarat-domestic-users-become-primary-targets-en/\r\nPage 1 of 9\n\nThe basic information about the new Trojan used by Bitter is as follows; the PDB shows that the Trojan has been named \"Miya\" by the attackers, and the current version is 1.1.\r\nMD5: 6edc889abbc186fbd5e187818d916dee\r\nFilename: mspnx.exe\r\nFile Size: 410.00 KB (419840 bytes)\r\nPDB Path: C:\\DRIVE_Y\\EDRIVE\\repos\\Miyav1.1_client_msi\\Release\\Miya1.1_client.pdb\r\nThe Trojan is released by an MSI file with the following information:\r\nMD5: 5ff5e38943a134847e762f480dc84e09\r\nFilename: mspnx.msi\r\nFile Size: 466.00 KB (477184 bytes)\r\nDownload Link: hxxp://locklearhealthapp.com/mspnx.msi\r\nThe Trojan first decrypts the C2 domain name \"samsnewlooker.com\". Decryption is done by subtracting the key bytes, with the decryption key set to \"doobiedoodoozie\".\r\nThe main function of the Trojan is sub_406960, which calls WSAConnectByNameW to connect to port 56172 of the C2 server.\r\nIt collects a series of information to send to the C2 server, including: disk information, machine name, username, path to the Trojan file, the %userprofile% environment variable, and the system version.\r\nAfter sending the collected information, the Trojan enters a loop waiting to receive commands from the C2 server. 
Functions supported by the Trojan include: file information enumeration, command execution, file upload and download, and screenshot. The commands involved in this Trojan are described below.\r\nThe Trojan commands are organized as follows (Command Code - Functionality):\r\nGDIR - Enumerates files and subdirectories in the specified directory without traversing subdirectories.\r\nDELz - Deletes the specified file.\r\nGFS - Recursively enumerates all files in a given directory.\r\nSH1cmd - Creates a shell for command execution.\r\nSH1, SH2 - Passes commands into the shell.\r\nSFS - Connects to the specified port of the C2 server to perform file transfer operations; the secondary command UPL1 uploads a file and DWNL downloads a file.\r\nGSS - Captures an image of what is displayed on the computer screen.\r\nSH1exit_client - Exits the Trojan process.\r\n(1) GDIR\r\nLists files and subdirectories in a specified directory, similar to the Windows dir command or the Linux ls command. The enumeration information includes file and subdirectory names, last modification time and file size. Directory enumeration information ends with \"[END]~! @\".\r\n(2) DELz\r\nDeletes the specified file.\r\n(3) GFS\r\nRecursively enumerates all files in the specified directory, including the path and size of each file. 
The total size of all files is included in the first line of the message sent to the C2 server, and the output is identified by \"@@GFS\".\r\n(4) SH1cmd\r\nCreates a cmd.exe process as a shell that executes the cmd commands passed in through the pipe and returns the execution results to the C2 server.\r\n(5) SH1 \u0026 SH2\r\nThe SH1 and SH2 commands function almost identically, writing the cmd instructions carried in their arguments to the command pipe for shell execution.\r\n(6) SFS\r\nThe SFS directive is used to upload and download files, but it does not directly perform the file transfer itself. Its parameter is a port number, and WSAConnectByNameW is called in the sub_404640 (MwFileOp) function to connect to this other port of the same C2 server, over which the Trojan performs the file transfer.\r\nThe MwFileOp function has two secondary instructions, \"UPL1\" and \"DWNL\", which complete the file upload and download operations respectively.\r\nFile Transfer Command Specification\r\nUPL1 UPL1\r\nDWNL DWNL ,filesize==\r\nDuring the file download process, if the C2 server sends \"CANCEL2\", the Trojan can end the file download early, without waiting to receive the specified amount of file data.\r\n(7) GSS\r\nTakes a screenshot; the parameter of this command selects the resolution of the saved screenshot image. The output message is marked with \"~! @SSS\" and \"~! 
@SSS\" and \"~!\r\n(8) SH1exit_client\r\nExits the Trojan process.\r\nSummary\r\nCurrently, the full line of products based on threat intelligence data from the QiAnXin Threat Intelligence Center, including the QiAnXin Threat Intelligence Platform (TIP), QAX Endpoint Detection and Response (EDR), SkyEye Advanced Threat Detection System, QiAnXin NGSOC, and QiAnXin Situational Awareness, already supports the accurate detection of such attacks.\r\nIOC\r\nReference Links\r\n[1] https://ti.qianxin.com/blog/articles/%22operation-magichm%22:CHM-file-release-and-subsequent-operation-of-BITTER-organization/\r\n[2] https://www.secrss.com/articles/31785\r\n[3] https://ti.qianxin.com/blog/articles/operation-tejas-a-dead-elephant-curled-up-in-the-kunlun-mountains/\r\nSource: https://ti.qianxin.com/blog/articles/bitter-group-launches-new-trojan-miyarat-domestic-users-become-primary-targets-en/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://ti.qianxin.com/blog/articles/bitter-group-launches-new-trojan-miyarat-domestic-users-become-primary-targets-en/"
	],
	"report_names": [
		"bitter-group-launches-new-trojan-miyarat-domestic-users-become-primary-targets-en"
	],
	"threat_actors": [
		{
			"id": "655f7d0b-7ea6-4950-b272-969ab7c27a4b",
			"created_at": "2022-10-27T08:27:13.133291Z",
			"updated_at": "2026-04-10T02:00:05.315213Z",
			"deleted_at": null,
			"main_name": "BITTER",
			"aliases": [
				"T-APT-17"
			],
			"source_name": "MITRE:BITTER",
			"tools": [
				"ZxxZ"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "bf6cb670-bb69-473f-a220-97ac713fd081",
			"created_at": "2022-10-25T16:07:23.395205Z",
			"updated_at": "2026-04-10T02:00:04.578924Z",
			"deleted_at": null,
			"main_name": "Bitter",
			"aliases": [
				"G1002",
				"T-APT-17",
				"TA397"
			],
			"source_name": "ETDA:Bitter",
			"tools": [
				"Artra Downloader",
				"ArtraDownloader",
				"Bitter RAT",
				"BitterRAT",
				"Dracarys"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434136,
	"ts_updated_at": 1775826699,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/46d2e6de15b3362ecdf293e2356bb68d6e1fd643.pdf",
		"text": "https://archive.orkl.eu/46d2e6de15b3362ecdf293e2356bb68d6e1fd643.txt",
		"img": "https://archive.orkl.eu/46d2e6de15b3362ecdf293e2356bb68d6e1fd643.jpg"
	}
}