{
	"id": "d63f69d9-4856-44e8-b4dd-64075d5c543a",
	"created_at": "2026-04-06T00:07:41.778318Z",
	"updated_at": "2026-04-10T03:33:56.929927Z",
	"deleted_at": null,
	"sha1_hash": "9ca5938ba3c4a617ff1c4230bd142e28f7db4225",
	"title": "BITTER: a targeted attack against Pakistan",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1219562,
	"plain_text": "BITTER: a targeted attack against Pakistan\r\nPublished: 2016-10-21 · Archived: 2026-04-05 20:57:32 UTC\r\nIntroduction\r\nForcepoint Security Labs™ recently encountered a strain of attacks that appear to target Pakistani nationals. We\r\nnamed the attack \"BITTER\" after the network communication header used by the latest variant of the remote\r\naccess tool (RAT) involved:\r\nOur investigation indicates that the campaign has existed since at least November 2013 and has remained active\r\nuntil today. This post shares the results of our research.\r\nInfection Vector\r\nSpear-phishing emails are used to target prospective BITTER victims. The campaign predominantly used the\r\nolder but still widely exploited Microsoft Office vulnerability CVE-2012-0158 (a buffer overflow in the MSCOMCTL.OCX\r\nActiveX control) to download and execute a RAT binary from a website. Below is an example of a spear-phishing\r\nemail they used earlier this month. The recipient is an individual from a government branch in Pakistan, while the\r\nsender purports to be another Pakistani government branch:\r\nhttps://www.forcepoint.com/blog/x-labs/bitter-targeted-attack-against-pakistan\r\nPage 1 of 11\n\nOther attachment filenames they used that also contained the CVE-2012-0158 exploit are as follows:\r\nRequirement List.doc\r\nCyber Espionage Prevention.doc\r\nNew email guidelines.doc\r\nGazala-ke-haseen-nagme.doc\r\nRules.xls\r\nIn one instance, they used a RAR SFX dropper that drops both their RAT and a picture of a Pakistani woman as a\r\ndecoy. A quick Google reverse image search on the dropped picture indicates that it was taken from Pakistani\r\ndating sites.\r\nRAT Component\r\nThe RATs used by BITTER are compiled with Microsoft Visual C++ 8.0. Several iterations of the RAT exist, with the\r\nmain difference being the command and control (C2) communication method. Earlier variants communicate with their\r\nC2 via an unencrypted HTTP POST. 
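The compiler attribution above, and the compile-timestamp and PDB-path timeline later in this section, come from fields in the PE headers of the samples: the COFF TimeDateStamp, the linker version in the optional header, and the RSDS CodeView debug record that carries the PDB path. The following Python is an added example, not code from the original post or from Forcepoint, that reads those fields from a PE file and computes the gap between the embedded compile time and a first-seen date. No BITTER sample is included here, so build_sample_pe constructs a minimal PE32 image with invented values (the sample PDB path and timestamp are assumptions for this example); pe_build_info and days_before_first_seen are names chosen for this example.

```python
import struct
from datetime import datetime, timezone

IMAGE_DEBUG_TYPE_CODEVIEW = 2
DEBUG_DIR_ENTRY_SIZE = 28
SEP = chr(92)  # Windows path separator (a backslash)
# Invented PDB path and build time for the constructed sample below (not from a BITTER binary).
SAMPLE_PDB = 'C:' + SEP + 'build' + SEP + 'client' + SEP + 'Release' + SEP + 'client.pdb'
SAMPLE_TIMESTAMP = 1391400306  # 2014-02-03 04:05:06 UTC


def build_sample_pe(timestamp, pdb_path, linker_major=8, linker_minor=0):
    # Constructed minimal PE32 image: DOS header, PE signature, COFF header, optional header,
    # one .rdata section holding an IMAGE_DEBUG_DIRECTORY entry and an RSDS CodeView record.
    rdata_rva, rdata_off = 0x1000, 0x200
    codeview = b'RSDS' + bytes(16) + struct.pack('<I', 1) + pdb_path.encode('ascii') + bytes(1)
    debug_dir = struct.pack('<IIHHIIII', 0, timestamp, 0, 0, IMAGE_DEBUG_TYPE_CODEVIEW,
                            len(codeview), rdata_rva + DEBUG_DIR_ENTRY_SIZE,
                            rdata_off + DEBUG_DIR_ENTRY_SIZE)
    rdata = debug_dir + codeview
    dos = b'MZ' + bytes(58) + struct.pack('<I', 0x40)            # e_lfanew -> 0x40
    coff = struct.pack('<HHIIIHH', 0x14C, 1, timestamp, 0, 0, 224, 0x0102)
    opt = bytearray(224)                                          # PE32 optional header
    struct.pack_into('<HBB', opt, 0, 0x10B, linker_major, linker_minor)
    struct.pack_into('<III', opt, 28, 0x400000, 0x1000, 0x200)   # ImageBase, alignments
    struct.pack_into('<I', opt, 92, 16)                           # NumberOfRvaAndSizes
    struct.pack_into('<II', opt, 96 + 6 * 8, rdata_rva, len(debug_dir))  # debug data directory
    section = b'.rdata'.ljust(8, bytes(1)) + struct.pack(
        '<IIIIIIHHI', len(rdata), rdata_rva, 0x200, rdata_off, 0, 0, 0, 0, 0x40000040)
    headers = dos + b'PE' + bytes(2) + coff + bytes(opt) + section
    return headers.ljust(rdata_off, bytes(1)) + rdata


def pe_build_info(data):
    # Returns the COFF TimeDateStamp, the linker version and (if present) the CodeView PDB path.
    if data[:2] != b'MZ':
        raise ValueError('not a PE file')
    pe_off = struct.unpack_from('<I', data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b'PE' + bytes(2):
        raise ValueError('missing PE signature')
    coff = pe_off + 4
    _, nsections, timestamp, _, _, opt_size, _ = struct.unpack_from('<HHIIIHH', data, coff)
    opt = coff + 20
    magic, lnk_major, lnk_minor = struct.unpack_from('<HBB', data, opt)
    ndirs_off = opt + (108 if magic == 0x20B else 92)   # PE32+ vs PE32 layout
    ndirs = struct.unpack_from('<I', data, ndirs_off)[0]
    sect_off = opt + opt_size
    sections = [struct.unpack_from('<IIII', data, sect_off + i * 40 + 8) for i in range(nsections)]

    def rva_to_offset(rva):
        for vsize, vaddr, rawsize, rawptr in sections:
            if vaddr <= rva < vaddr + max(vsize, rawsize):
                return rawptr + (rva - vaddr)
        raise ValueError('RVA 0x%x is not backed by any section' % rva)

    pdb_path = None
    if ndirs > 6:
        dbg_rva, dbg_size = struct.unpack_from('<II', data, ndirs_off + 4 + 6 * 8)
        if dbg_rva and dbg_size:
            dbg_off = rva_to_offset(dbg_rva)
            for i in range(dbg_size // DEBUG_DIR_ENTRY_SIZE):
                entry = struct.unpack_from('<IIHHIIII', data, dbg_off + i * DEBUG_DIR_ENTRY_SIZE)
                dtype, dsize, raw_ptr = entry[4], entry[5], entry[7]
                # RSDS layout: signature(4) GUID(16) age(4) NUL-terminated PDB path
                if dtype == IMAGE_DEBUG_TYPE_CODEVIEW and data[raw_ptr:raw_ptr + 4] == b'RSDS':
                    path = data[raw_ptr + 24:raw_ptr + dsize].split(bytes(1), 1)[0]
                    pdb_path = path.decode('latin-1')
    compiled = datetime.fromtimestamp(timestamp, timezone.utc)
    return {'timestamp': timestamp,
            'compiled_utc': compiled.strftime('%Y-%m-%d %H:%M:%S'),
            'linker': '%d.%d' % (lnk_major, lnk_minor),
            'pdb_path': pdb_path}


def days_before_first_seen(info, first_seen_utc):
    # Days between the embedded compile time and the date the sample was first observed.
    # A negative value means the timestamp postdates the sighting, a sign that it was forged.
    seen = datetime.strptime(first_seen_utc, '%Y-%m-%d').replace(tzinfo=timezone.utc)
    return (seen - datetime.fromtimestamp(info['timestamp'], timezone.utc)).days


if __name__ == '__main__':
    info = pe_build_info(build_sample_pe(SAMPLE_TIMESTAMP, SAMPLE_PDB))
    print(info, days_before_first_seen(info, '2014-03-10'))
```

Run against a real sample, pass the file contents to pe_build_info instead of the constructed image. The linker version 8.0 is what a Visual C++ 8.0 build leaves in the optional header, and the PDB path is what populates the timeline table; the timestamp is attacker-controlled data, so always weigh it against first-seen dates as the note after that table does.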
Below is an example of an older variant's phone-home\r\nrequest:\r\nNewer variants use an encrypted TCP connection, such as the one shown in the introduction above.\r\nBoth older and newer variants are in simultaneous use in the campaign today.\r\nThe RAT variant used in their latest campaign (SHA1 d7a770233848f42c5e1d5f4b88472f7cb12d5f3d) supports the\r\nfollowing backdoor capabilities, which together give the attackers full remote control over a victim's PC:\r\nGet system information - computer name, current user name, and operating system\r\nEnumerate logical drives\r\nEnumerate and log files and their corresponding timestamps\r\nOpen a remote command shell\r\nList processes with active UDP connections\r\nManipulate running processes\r\nManipulate files\r\nDownload a file\r\nIn addition, the vast majority of their RAT binaries carry the following digital signature, which chains to a root\r\nCA certificate that Windows does not trust, so the signature does not validate:\r\nThe following table shows the timeline of appearance of BITTER RATs, based on their compilation timestamps,\r\nalong with their embedded PDB paths:\r\nIt is important to note that some of these RATs were distributed later than their compilation date, so a compile\r\ntimestamp only bounds when a sample could have entered use; it is also attacker-controlled and should be weighed\r\nagainst first-seen dates.\r\nCommand and Control\r\nBITTER used free dynamic DNS (DDNS) and dedicated server hosting services to set up their C2s. The\r\ndownload sites from which the exploit documents fetch the RAT binaries are, in most cases, different from the\r\nactual RAT C2s. However, both are typically registered using a Gmail email address and a spoofed identity\r\npurporting to be from either the United Kingdom or Great Britain. 
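The C2 infrastructure just described (free DDNS hosts, dedicated servers, and the same PHP script names reused across several domains) can be turned into a proxy-log detection. The following Python is an added example, not code from the original post or from Forcepoint: it loads the RAT C2 indicators from the Indicators of Compromise section at the end of this post, normalises hosts and refangs defanged entries, and classifies each request as a known C2 URL, a known C2 host, a reuse of a BITTER C2 script name on an unknown host, or a free DDNS host (the last two are hunting leads, not confirmed hits). The log format, the hosts update-check77.com and backup-sync.servehttp.com, and the function names are assumptions for this example.

```python
from urllib.parse import urlsplit

# RAT C2 indicators as listed in the Indicators of Compromise section of this post;
# [.] is the defanging used in the body of the post for one of them.
RAT_C2S = [
    'ranadey.net78.net/Muzic/exist.php', 'info2t.com', 'range7.com/m2s_reply_u2.php',
    'www.queryz4u.com', 'www.sportszone71.com/games/hill.php', 'micronet.no-ip.co.uk',
    'www.inspire71.com/warzone/hill.php', 'spiralbook71[.]com/warzone/hill.php',
    'govsite.ddns.net', 'randomvalue90.com/warzone/hill.php', 'marvel89.com/ahead.php',
    'cloudupdates.servehttp.com', 'pickup.ddns.net', 'marvel89.com/msuds.php',
    'updateservice.redirectme.net', 'destiny91.com/truen/adfsdsqw.php',
    'medzone71.com/medal/adfsdsqw.php', 'nexster91.com/winter/war.php',
]
# Free dynamic-DNS suffixes present in the list above; a hunting lead, not an indicator on its own.
DDNS_SUFFIXES = ('.ddns.net', '.no-ip.co.uk', '.servehttp.com', '.redirectme.net')


def refang(ioc):
    return ioc.replace('[.]', '.').replace('hxxp', 'http')


def normalise_host(netloc):
    # Lower-case, drop userinfo and port, strip a leading www. so IoC and log forms agree.
    host = netloc.lower().rsplit('@', 1)[-1].split(':', 1)[0]
    return host[4:] if host.startswith('www.') else host


def build_index(iocs):
    # Three lookup sets: exact host, exact host+path, and bare script name (hill.php etc.),
    # the last because BITTER reuses the same C2 script names across several domains.
    hosts, urls, scripts = set(), set(), set()
    for ioc in iocs:
        host, _, path = refang(ioc).partition('/')
        host = normalise_host(host)
        hosts.add(host)
        if path:
            urls.add((host, '/' + path))
            scripts.add(path.rsplit('/', 1)[-1])
    return hosts, urls, scripts


def classify(url, index):
    hosts, urls, scripts = index
    parts = urlsplit(url if '://' in url else 'http://' + url)
    host = normalise_host(parts.netloc)
    path = parts.path or '/'
    if (host, path) in urls:
        return 'known C2 URL'
    if host in hosts:
        return 'known C2 host'
    script = path.rsplit('/', 1)[-1]
    if script in scripts:
        return 'C2 script name %s on unknown host' % script
    if host.endswith(DDNS_SUFFIXES):
        return 'free DDNS host'
    return None


def scan_proxy_log(lines, iocs=RAT_C2S):
    # Each line: timestamp client method url status (constructed format, whitespace separated).
    index = build_index(iocs)
    alerts = []
    for line in lines:
        fields = line.split()
        if len(fields) != 5:
            continue
        ts, client, method, url, status = fields
        verdict = classify(url, index)
        if verdict:
            alerts.append((ts, client, url, verdict))
    return alerts


# Constructed proxy log; update-check77.com and backup-sync.servehttp.com are invented hosts.
SAMPLE_LOG = [
    '2016-10-14T09:12:03Z 10.1.4.22 POST http://www.spiralbook71.com/warzone/hill.php 200',
    '2016-10-14T09:12:09Z 10.1.4.22 GET http://pickup.ddns.net:8080/ 200',
    '2016-10-14T09:15:44Z 10.1.4.31 POST http://update-check77.com/news/hill.php 200',
    '2016-10-14T09:16:10Z 10.1.4.31 GET http://backup-sync.servehttp.com/ping 404',
    '2016-10-14T09:17:00Z 10.1.4.40 GET https://www.microsoft.com/en-us/ 200',
]

if __name__ == '__main__':
    for alert in scan_proxy_log(SAMPLE_LOG):
        print(alert)
```

The script-name and DDNS matches are deliberately separated from the exact matches: the exact ones justify a block, while the other two justify a look at the client, since a commodity DDNS client or an unrelated hill.php will trigger them too. Note that the post says the RAT download sites usually differ from the C2s, so the download-site list should be indexed the same way for a full picture.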
Below is an example of the spoofed registrant\r\ninformation for the C2 spiralbook71[.]com:\r\nA list of all related malicious domains we managed to collect is as follows (see also the Indicators of Compromise\r\nsection at the end of this post):\r\nThe email address witribehelp@gmail.com points to an empty Google Plus profile with the name \"WhatsApp\r\nSupport\". Interestingly, however, the account is connected to another Google Plus account with the handle \"Love\r\nPakistan\":\r\nIntent\r\nWhile cyber-espionage is a common motivation for targeted attacks, it is often hard to confirm unless a\r\nforensic investigation is conducted on the actual victims' machines. In some cases, specific capabilities in RATs\r\nprovide clues about the attackers' true intent.\r\nOne of the backdoor capabilities mentioned above is the logging of files and their timestamps from the victim's\r\nmachine. Furthermore, an older variant of their RAT from 2014 with the\r\nSHA1 3ab4ce4b3a44c96d6c454efcece774b33335dda2 looks for more specific file types. After\r\nidentifying the logical drives on a victim PC, this RAT variant enumerates files and checks whether they\r\nmatch any of the hard-coded document and archive file extensions below:\r\nWhile it is hard to conclude based only on these artifacts, the nature of the targeted file types suggests that the\r\nattackers may be after sensitive documents.\r\nOther Tools Used\r\nIn December 2015 one of the campaign's download sites hosted a binary at scholars90[.]website/putty. 
The\r\ndownloaded file is PuTTY, the free SSH and Telnet client, which has also been used in\r\nother targeted attacks.\r\nIn addition, the same RAT variant mentioned previously (SHA1 3ab4ce4b3a44c96d6c454efcece774b33335dda2)\r\nconnects to the C2 info2t[.]com/m2s.php. This has also served as a C2 for at least two AndroRAT variants in the\r\npast. The following diagram shows these relationships:\r\nAndroRAT is an open source remote administration tool for Android. Its GitHub repository lists the following\r\ncapabilities:\r\nGet contacts (and all their information)\r\nGet call logs\r\nGet all messages\r\nLocation by GPS/Network\r\nMonitoring received messages live\r\nMonitoring phone state live (call received, call sent, call missed..)\r\nTake a picture from the camera\r\nStream sound from microphone (or other sources..)\r\nStreaming video (for activity based client only)\r\nDo a toast\r\nSend a text message\r\nGive a call\r\nOpen a URL in the default browser\r\nVibrate the phone\r\nThe AndroRAT variant with SHA1 7d47ae3114f08ecf7fb473b7f5571d70cf2556da disguises itself as the Islam\r\nAdhan Alarm, an Android app that alerts to Islamic prayer times; Islam is the state religion of Pakistan. The\r\nvariant with SHA1 645a6e53116f1fd7ece91549172480c0c78df0f, on the other hand, disguises itself as a Kashmir\r\nNews app. 
Kashmir is the northernmost geographical region of South Asia and is a disputed territory between\r\nIndia and Pakistan.\r\nProtection Statement\r\nStage 2 (Lure) - Spear-phishing e-mails associated with this attack are identified and blocked.\r\nStage 5 (Dropper File) - Related RATs are prevented from being downloaded.\r\nStage 6 (Call Home) - Communication between the RAT and command and control is blocked.\r\nConclusion\r\nMany targeted attacks continue to be discovered today. It is interesting to see that while these attacks are not\r\nalways sophisticated in nature, that same characteristic allows them to stay under the radar by blending in with\r\ncommon attacks in the wild. BITTER achieves this by using readily available online services such as free DDNS,\r\ndedicated server hosting and Gmail to set up their C2s, a setup that is also typical of today's commodity malware.\r\nIt is worth noting that in all the artifacts collected in this research, none of the English words used had\r\nspelling errors, suggesting that the actors behind BITTER are proficient in English. Furthermore, as\r\ndiscussed above, all the artifacts we have seen are consistent with Pakistan being the target of this group. 
There\r\nmay be other targets that have not been discovered yet, or BITTER may be a branch of a larger campaign with\r\nbroader targets, but only time will tell.\r\nIndicators of Compromise\r\nRAT (SHA1)\r\n42cdfe465ed996c546c215a8e994a82fea7dc24c\r\n3ab4ce4b3a44c96d6c454efcece774b33335dda2\r\n1990fa48702c52688ce6da05b714a1b3e634db76\r\n93e98e9c4cf7964ea4e7a559cdd2720afb26f7f7\r\nc3a39dc22991fcf2455b8b6b479eda3009d6d0fd\r\n37e59c1b32684cedb341584387ab75990749bde7\r\n52485ae219d64daad6380abdc5f48678d2fbdb54\r\n137a7dc1c33dc04e4f00714c074f35c520f7bb97\r\ne57c88b302d39f4b1da33c6b781557fed5b8cece\r\n0172526faf5d0c72122febd2fb96e2a01ef0eff8\r\ne7e0ba30878de73597a51637f52e20dc94ae671d\r\nfa8c800224786bab5a436b46acd2c223edda230e\r\nc75b46b50b78e25e09485556acd2e9862dce3890\r\n72fa5250069639b6ac4f3477b85f59a24c603723\r\nf898794563fa2ae31218e0bb8670e08b246979c9\r\n2b873878b4cfbe0aeab32aff8890b2e6ceed1804\r\nd7a770233848f42c5e1d5f4b88472f7cb12d5f3d\r\nddf5bb366c810e4d524833dcd219599380c86e7a\r\n23b28275887c7757fa1d024df3bd7484753bba37\r\n6caae6853d88fc35cc150e1793fef5420ff311c6\r\n1a2ec73fa90d800056516a8bdb0cc4da76f82ade\r\nff73d3c649703f11d095bb92c956fe52c1bf5589\r\nRAT Dropper (SHA1)\r\nc0fcf4fcfd024467aed379b07166f2f7c86c3200\r\n0116b053d8ed6d864f83351f306876c47ad1e227\r\n4be6e7e7fb651c51181949cc1a2d20f61708371a\r\n998d401edba7a9509546511981f8cd4bff5bc098\r\n21ef1f7df01a568014a92c1f8b41c33d7b62cb40\r\nc77b8de689caee312a29d30094be72b18eca778d\r\nAndroRAT (SHA1)\r\n7d47ae3114f08ecf7fb473b7f5571d70cf2556da\r\n645a6e53116f1fd7ece91549172480c0c78df0f (39 hex characters as printed in the source, so one character is missing)\r\nRAT download 
sites\r\nkart90.website/sysdll\r\nrange7.com/svcf.exe\r\nscholars90.website/ifxc\r\nscholars90.website/cnhost.exe\r\nkart90.website/cnhost\r\nfrontier89.website/wmiserve\r\nreloadguide71.com/winter/iofs\r\ncreed90.com/ismr\r\nwester.website/uwe\r\nchinatel90.com/min\r\nwester.website/nqw\r\nscholars90.website/splsrv\r\nRAT C2s\r\nranadey.net78.net/Muzic/exist.php\r\ninfo2t.com\r\nrange7.com/m2s_reply_u2.php\r\nwww.queryz4u.com\r\nwww.sportszone71.com/games/hill.php\r\nmicronet.no-ip.co.uk\r\nwww.inspire71.com/warzone/hill.php\r\nspiralbook71.com/warzone/hill.php\r\ngovsite.ddns.net\r\nrandomvalue90.com/warzone/hill.php\r\nmarvel89.com/ahead.php\r\ncloudupdates.servehttp.com\r\npickup.ddns.net\r\nmarvel89.com/msuds.php\r\nupdateservice.redirectme.net\r\ndestiny91.com/truen/adfsdsqw.php\r\nmedzone71.com/medal/adfsdsqw.php\r\nnexster91.com/winter/war.php\r\nSource: https://www.forcepoint.com/blog/x-labs/bitter-targeted-attack-against-pakistan",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"MITRE"
	],
	"references": [
		"https://www.forcepoint.com/blog/x-labs/bitter-targeted-attack-against-pakistan"
	],
	"report_names": [
		"bitter-targeted-attack-against-pakistan"
	],
	"threat_actors": [
		{
			"id": "655f7d0b-7ea6-4950-b272-969ab7c27a4b",
			"created_at": "2022-10-27T08:27:13.133291Z",
			"updated_at": "2026-04-10T02:00:05.315213Z",
			"deleted_at": null,
			"main_name": "BITTER",
			"aliases": [
				"T-APT-17"
			],
			"source_name": "MITRE:BITTER",
			"tools": [
				"ZxxZ"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "bf6cb670-bb69-473f-a220-97ac713fd081",
			"created_at": "2022-10-25T16:07:23.395205Z",
			"updated_at": "2026-04-10T02:00:04.578924Z",
			"deleted_at": null,
			"main_name": "Bitter",
			"aliases": [
				"G1002",
				"T-APT-17",
				"TA397"
			],
			"source_name": "ETDA:Bitter",
			"tools": [
				"Artra Downloader",
				"ArtraDownloader",
				"Bitter RAT",
				"BitterRAT",
				"Dracarys"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434061,
	"ts_updated_at": 1775792036,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9ca5938ba3c4a617ff1c4230bd142e28f7db4225.pdf",
		"text": "https://archive.orkl.eu/9ca5938ba3c4a617ff1c4230bd142e28f7db4225.txt",
		"img": "https://archive.orkl.eu/9ca5938ba3c4a617ff1c4230bd142e28f7db4225.jpg"
	}
}