{
	"id": "38352772-3cd5-4193-b8f4-de1c3c9b39f9",
	"created_at": "2026-04-06T00:22:01.715964Z",
	"updated_at": "2026-04-10T03:33:56.997379Z",
	"deleted_at": null,
	"sha1_hash": "d7e9f49173fc2cad5d070361cdbf67b7d382db0b",
	"title": "The Bitter End: Unraveling Eight Years of Espionage Antics – Part Two | Threatray",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 9745601,
	"plain_text": "The Bitter End: Unraveling Eight Years of Espionage Antics – Part Two |\r\nThreatray\r\nArchived: 2026-04-05 16:45:42 UTC\r\nBy Abdallah Elshinbary and Jonas Wagner in collaboration with Proofpoint's Nick Attfield and Konstantin Klinger.\r\nThis is a two-part blog series, detailing research undertaken in collaboration with Proofpoint. Part one of this blog series\r\ncan be found on their website here.\r\nKey findings\r\nBitter's malware has significantly evolved since 2016, moving from basic downloaders to more capable RATs. The\r\ngroup primarily uses simple and home-grown payloads delivered via their infection chain, rather than relying on\r\nadvanced anti-analysis techniques within the payloads itself.\r\nTheir diverse toolset shows consistent coding patterns across malware families, particularly in system information\r\ngathering and string obfuscation. This strongly suggests a common developer base.\r\nSeveral of their recent malware families continue to undergo active development in 2025, with new variants\r\nappearing in recent campaigns.\r\nPayload Arsenal\r\nIn this second part of our blog series on the Bitter espionage group, we turn our focus to the engine of their operations: a\r\ndiverse and continually evolving payload arsenal. Since their first known malware surfaced in 2016, Bitter's toolset has\r\nexpanded from basic downloaders to sophisticated backdoors and full-featured Remote Access Trojans (RATs). 
This section\r\ndissects the technical capabilities, evolutionary paths, and shared development traits of Bitter's malware, offering insights for\r\ndetection, attribution and a comprehensive understanding of their operational sophistication.\r\nTimeline and activity (in red, if known) of the different payloads deployed by Bitter.\r\nOur exploration will proceed chronologically through each malware family, detailing its core functionality, distinctive code\r\npatterns, obfuscation techniques, command-and-control (C2) communication, and any identified variants. This analysis\r\ndraws from both OSINT sources and our own research. We offer new insights on novel variants of MuuyDownloader,\r\nBDarkRAT and MiyaRAT, the latter two being observed in campaigns that Proofpoint documented in the first part of the\r\nblog post series.\r\nKey to Bitter's mode of operation is their reliance on the infection chain for payload delivery during hands-on activities,\r\nrather than employing complex anti-analysis measures or packers within the malware itself.\r\nAcross their arsenal, we observe consistent code patterns, notably in how they gather system information and decode\r\nobfuscated strings using simple character addition or subtraction. It's also noteworthy that some malware families exhibit\r\ncode pattern variations between different versions while retaining identical core functionality.\r\nA central theme revealed by our analysis is Bitter's sustained use of a core suite of custom-developed tools in C/C++ and\r\n.NET. These tools frequently undergo iterative development, marked by significant shifts in obfuscation strategies and C2\r\ncommunication protocols over the years. Furthermore, we will present evidence of shared development methodologies\r\nacross malware families that might otherwise appear distinct, pointing to a cohesive development effort. 
These discernible\r\nhttps://www.threatray.com/blog/the-bitter-end-unraveling-eight-years-of-espionage-antics-part-two\r\nPage 1 of 39\n\npatterns not only fingerprint the group's modus operandi but also highlight their resourcefulness and evolution throughout\r\ntheir extensive operational history.\r\nBy providing a granular dissection of Bitter's payloads, we aim to give the most comprehensive insights to date into the\r\nactor's tradecraft and equip defenders with a deeper understanding of the threats posed by this group. Such insights are\r\ncrucial for crafting more effective detection signatures and for anticipating and tracking their future tactical shifts.\r\nArtraDownloader\r\nThe first known family used by Bitter is ArtraDownloader. It first appeared in 2016 and received its name in 2019, based on a\r\nPDB string found within the samples. ArtraDownloader is a simple downloader written in C++\r\n ( ef0cb0a1a29bcdf2b36622f72734aec8d38326fc8f7270f78bd956e706a5fd57 , seen in 2018).\r\nThe downloader starts by collecting system information, which includes username, computer name, and the operating\r\nsystem.\r\nArtraDownloader collecting system information.\r\nThis collected information is then used to generate a victim’s unique identifier.\r\nArtraDownloader building victim unique ID.\r\nThe unique identifier and collected system information are then encoded (by adding 1 to each byte) and sent to the C2 server.\r\nAfter the initial C2 request, ArtraDownloader expects a response containing the identifier \"DFCB=\" . This identifier allows it\r\nto extract an encoded payload filename. 
ArtraDownloader then sends another C2 request to download the payload, saves it\r\nto disk, and executes it using ShellExecuteA.\r\nArtraDownloader sending system information to C2 and receiving encoded payload name.\r\nArtraDownloader establishes persistence on the victim's machine by copying itself to a hardcoded path and adding its new\r\nlocation to the Run registry key.\r\nArtraDownloader setting up persistence on the victim’s machine.\r\nImportant strings are obfuscated with a simple encoding algorithm where each character is decoded by subtracting 1.\r\nTwo additional variants of ArtraDownloader were discovered in the wild. These variants primarily differ in their string\r\nobfuscation methods and HTTP request formats.\r\nIn the second variant ( 0b2a794bac4bf650b6ba537137504162520b67266449be979679afbb14e8e5c0 , seen in 2019), strings are\r\ndecoded by subtracting 3 from each character, rather than 1 as in the first variant.\r\nLike the original variant, this version collects similar system information, encodes it by adding 1 to each byte, then transmits\r\nit to the C2 server using a different format. This variant also expects a different identifier ( \"AXE: #\" ) from the C2 server to\r\nextract the payload name.\r\nSecond ArtraDownloader variant sending system information to C2 and receiving payload name.\r\nThe third variant ( f0ef4242cc6b8fa3728b61d2ce86ea934bd59f550de9167afbca0b0aaa3b2c22 , seen in 2018) uses a string\r\ndecoding method that subtracts 13 from each character.\r\nThis variant collects various system information, but unlike the other two variants, it doesn’t encode the payload sent to the\r\nC2 server. 
The third variant also expects a distinct identifier ( \"Yes file\" ) from the C2 server to extract the payload name.\r\nThird ArtraDownloader variant sending system information to C2 and receiving payload name.\r\nArtraDownloader has been observed deploying a simple keylogger, the WSCSPL backdoor and a .NET RAT known as\r\nBDarkRAT.\r\nKeylogger\r\nBitter has been known to deploy a simple C++ keylogger module in different campaigns. The keylogger\r\n( f619eb9a6255f6adcb02d59ed20f69d801a7db1f481f88e14abca2df020c4d26 , seen in 2017) creates paths for two log files in\r\nthe \"%APPDATA\" directory.\r\nBitter keylogger creating log files on the victim’s machine.\r\nThe keylogger then starts a new thread to set up a hook for monitoring keyboard input events. It also has the capability to\r\ncapture clipboard contents. The keystrokes are encoded by adding 20 to each character before being written to a temporary\r\nlog file.\r\nOnce the temporary log file reaches 1KB in size, its contents are transferred to a permanent log file. The temporary file is\r\nthen deleted and recreated to continue capturing new data.\r\nBitter keylogger writing keystrokes to the log file.\r\nStrings are obfuscated with a simple encoding algorithm where each character is decoded by subtracting 13.\r\nThe keylogger lacks exfiltration capabilities, requiring deployment alongside another module (such as the WSCSPL\r\nbackdoor) to handle the exfiltration of collected logs.\r\nWSCSPL Backdoor\r\nWSCSPL is a backdoor written in C that emerged in 2016 as ArtraDownloader's next-stage payload. 
Like ArtraDownloader,\r\nthe backdoor ( a241cfcd60942ea401d53d6e02ec3dfb5f92e8f4fda0aef032bee7bb5a344c35 , seen in 2018) collects system\r\ninformation including username, computer name, and operating system.\r\nWSCSPL collecting system information.\r\nThe collected information is concatenated and encoded before being sent to the C2 server. WSCSPL receives a numerical\r\nvalue from the C2 server that indicates which command to execute. The backdoor supports several commands, each\r\nexecuted in its own thread, notably:\r\nGetting the machine information\r\nGetting drives info\r\nDownloading and executing files\r\nExecuting remote commands\r\nStrings are obfuscated and encoded with a simple algorithm, which decodes them by adding 34 to each character.\r\nWSCSPL decoding strings.\r\nBDarkRAT\r\nBDarkRAT is a .NET RAT first discovered in 2019 that the Bitter group continues to use today. The RAT\r\n( e07e8cbeeddc60697cc6fdb5314bd3abb748e3ac5347ff108fef9eab2f5c89b8 , seen in 2021) begins by gathering basic system\r\ninformation such as username, operating system, and MAC address. 
A hardcoded version number is appended to the\r\ncollected information before sending it to the C2 server in order to register new victims.\r\nBDarkRAT collecting system information.\r\nBDarkRAT includes standard RAT capabilities such as executing shell commands, downloading files, and managing files on\r\nthe compromised system.\r\nBDarkRAT registering different C2 commands.\r\nThe configuration for the RAT is hardcoded in plain text, with the C2 address in hex-encoded form.\r\nBDarkRAT embedded configuration.\r\nThe RAT contains a hardcoded encryption key (stored in the config field NetworkKey) used to encrypt network packets with\r\na simple XOR operation before sending them to the C2 server.\r\nA newer variant of BDarkRAT ( bf169e4dacda653c367b015a12ee8e379f07c5728322d9828b7d66f28ee7e07a , seen in 2024)\r\nexpanded its capabilities to include screen capture and PowerShell command execution. The developers also shifted from using a\r\ndescriptive name for each C2 command in the initialization function to numerical values, but the function names still explain\r\nthe functionality of each C2 command.\r\nNew BDarkRAT variant with more C2 commands.\r\nThis variant collects less system information compared to the previous version, and no longer includes the RAT's version\r\nnumber.\r\nNew BDarkRAT system information collection.\r\nIn this variant, the C2 address is now encrypted instead of just hex-encoded.\r\nBDarkRAT with encrypted C2 address.\r\nThe encryption algorithm for the C2 address is AES-256-CBC, where the key and IV are derived via the PBKDF2\r\nalgorithm.\r\nIn early 2025, Proofpoint discovered another BDarkRAT variant\r\n( e599c55885a170c7ae5c7dfdb8be38516070747b642ac21194ad6d322f28c782 ). 
While this variant shared the same new\r\ncapabilities as the one discovered in 2024, it reverted to using hex-encoded C2 addresses like the older variant.\r\nBDarkRAT embedded configuration with hex-encoded C2 address.\r\nBDarkRAT has been given several names by the community, including SplinterRAT. These different names likely emerged\r\ndue to varying .NET namespaces found in different samples in the wild.\r\nOne of the .NET namespaces that appeared in BDarkRAT samples.\r\nHowever, we believe that BDarkRAT is likely the most accurate name for this RAT, as reported in 2023, since many code\r\ncomponents from its early versions were derived from DarkAgentRAT, an open-source .NET RAT from 2011.\r\nThe initialisation of C2 commands represents one of the key code similarities between BDarkRAT and DarkAgentRAT.\r\nDarkAgentRAT (left) using the same C2 initialization pattern as BDarkRAT (right).\r\nAdditionally, the encryption for network packets matches BDarkRAT exactly, even using identical function names:\r\nDarkAgentRAT (left) using the same network packet encryption function as BDarkRAT (right).\r\nDarkAgentRAT (left) using the same function to send network packets as BDarkRAT (right).\r\nSince BDarkRAT is based on an open-source RAT, it was essential to identify its unique functions that don't exist in the\r\nopen-source version. Using our native function retrohunt capabilities, we quickly verified which functions would make\r\nsuitable candidates for YARA rule generation.\r\nRetrohunting for one of the functions used in the BDarkRAT detection rule.\r\nMuuyDownloader\r\nIn 2021, Bitter switched from ArtraDownloader to a new downloader called MuuyDownloader (also known as ZxxZ\r\ndownloader). 
Like ArtraDownloader, it is written in C++ and has a similar implementation.\r\nMuuyDownloader ( 3fdf291e39e93305ebc9df19ba480ebd60845053b0b606a620bf482d0f09f4d3 , seen in 2021) begins by\r\ngathering system information (username, computer name, and operating system) and transmits it to the C2 server in\r\nencrypted form. The collected information is separated using the delimiter \"ZxxZ\".\r\nMuuyDownloader collecting system information and building C2 payload.\r\nAfter receiving the payload name from the C2 server, MuuyDownloader builds the payload path and appends \".exe\" to\r\nthe filename. The C2 server sends the payload with its first PE header byte missing, likely to evade network detection.\r\nMuuyDownloader writes the missing 0x4D byte (the \"M\" of the MZ header) to the target file, appends the downloaded payload, and executes it using\r\nShellExecuteA .\r\nMuuyDownloader downloading the next stage payload.\r\nStrings are encrypted with a simple XOR algorithm where each string has its own encryption key.\r\nMuuyDownloader decrypting strings.\r\nOther variants of MuuyDownloader have been identified featuring slight modifications to their string obfuscation and HTTP\r\nrequest formats.\r\nThe second variant ( 225d865d61178afafc33ef89f0a032ad0e17549552178a72e3182b48971821a8 , seen in 2021) implements a\r\nmodified string encoding algorithm that subtracts 5 from each character and strips asterisk characters from the decoded\r\noutput.\r\nThis variant uses a dollar sign instead of \"ZxxZ\" as the separator for system information.\r\nSecond MuuyDownloader variant collecting system information and building C2 payload.\r\nThe third variant ( 91ddbe011f1129c186849cd4c84cf7848f20f74bf512362b3283d1ad93be3e42 , seen in 2022) implements a\r\nstring decryption algorithm 
similar to the first variant but uses a single XOR key to decrypt all strings.\r\nThird MuuyDownloader variant decrypting strings.\r\nThis variant also includes two different payload formats for system information.\r\nThird MuuyDownloader variant building C2 payload.\r\nInstead of using ShellExecuteA , this variant executes the next-stage payload using CreateProcessA .\r\nThird MuuyDownloader variant downloading the next stage payload.\r\nDuring our investigations, we discovered a new sample from Bitter that we believe, with medium-high confidence, is a new\r\nvariant of MuuyDownloader ( edb68223db3e583f9a4dd52fd91867fa3c1ce93a98b3c93df3832318fd0a3a56 , seen in 2025).\r\nThis variant decrypts strings using a combination of single-byte XOR operations and character addition.\r\nFourth MuuyDownloader variant decrypting strings.\r\nLike previous variants, it collects comparable system information using a similar payload format. 
The key difference is that\r\nthis variant Base64-encodes the system information before C2 transmission.\r\nFourth MuuyDownloader variant collecting system information and building C2 payload.\r\nLike other variants, this version fetches the next-stage payload using a blocking stream rather than recv .\r\nFourth MuuyDownloader variant downloading the next stage payload.\r\nMuuyDownloader has been found to also download a simple keylogger (similar to the one dropped by ArtraDownloader),\r\nand two different .NET RATs called BDarkRAT and AlmondRAT.\r\nAlmondRAT\r\nAlmondRAT, another .NET RAT discovered in 2022, is deployed by the Bitter group and shares similar functionality with\r\nBDarkRAT. The RAT ( d83cb82be250604b2089a1198cedd553aaa5e8838b82011d6999bc6431935691 , seen in 2022) starts by\r\ncollecting and transmitting system information, including username and operating system details, to the C2 server.\r\nAlmondRAT collecting system information.\r\nThe RAT includes standard functionality for directory listing, file transfer (both upload and download), and shell command\r\nexecution.\r\nAlmondRAT C2 command handling.\r\nIn another variant of AlmondRAT ( 55901c2d5489d6ac5a0671971d29a31f4cdfa2e03d56e18c1585d78547a26396 , seen in 2022),\r\nstrings such as the C2 address and commands are stored in an encrypted format.\r\nAlmondRAT C2 usage of encrypted strings.\r\nString encryption uses AES-256-CBC encryption, with the key and initialization vector (IV) derived through the PBKDF2\r\nalgorithm. 
The decryption code is identical to the one used in BDarkRAT.\r\nWmRAT\r\nWmRAT is a C++ RAT first observed in 2022 and later seen in 2024 campaigns documented by Proofpoint. The RAT\r\n( 4e3e4d476810c95c34b6f2aa9c735f8e57e85e3b7a97c709adc5d6ee4a5f6ccc , seen in 2023) starts by decrypting some strings\r\n(including the C2 address) before calling its main function. After that, it connects to the C2 server and starts receiving\r\ncommands.\r\nIn case no command is received, the RAT collects system information such as the username, computer name, and\r\noperating system. The collected information is then sent to the C2 server and the RAT waits for C2 commands.\r\nWmRAT information collection.\r\nWmRAT supports basic capabilities such as capturing screenshots, stealing files, and executing PowerShell commands. The\r\nC2 commands are numerical values where each number represents a specific functionality.\r\nWmRAT C2 commands.\r\nAlmost all strings in WmRAT are encrypted, and they are decrypted using character subtraction in some cases and addition\r\nin other cases.\r\nWmRAT string decryption routine.\r\nWmRAT also employs a rudimentary anti-analysis technique by creating a number of junk threads. The threads loop 1000 times just\r\nto get basic machine information. This is possibly done to generate noise in the logs of the victim’s environment.\r\nWmRAT code to fill the system logs with useless events.\r\nIt also frequently calls the Sleep function throughout the code as an evasion technique.\r\nDuring our investigation into WmRAT, we observed numerous samples in the wild reported by different sources. Our native\r\ncode diffing capabilities enabled us to quickly cluster samples and identify shared code functions. 
This helped us identify\r\ndifferent variants and guided our YARA rule creation workflow by pinpointing unique code.\r\nClustering multiple WmRAT samples.\r\nORPCBackdoor\r\nORPCBackdoor is a C++ backdoor that emerged in 2022. The backdoor\r\n( 8aeb7dd31c764b0cf08b38030a73ac1d22b29522fbcf512e0d24544b3d01d8b3 , seen in 2022) initially collects various system\r\ndetails including the username, computer name, operating system, and running processes.\r\nORPCBackdoor collecting system information.\r\nORPCBackdoor implements basic C2 functionality, including file downloads from the C2 server and shell command\r\nexecution.\r\nORPCBackdoor C2 command handling.\r\nThe backdoor communicates with the C2 server using the RPC protocol.\r\nORPCBackdoor connecting to the C2 server via RPC.\r\nThe C2 commands and many other strings are hex-encoded and decoded in batches during runtime.\r\nORPCBackdoor decoding hex strings.\r\nIn 2023, a new group called \"Mysterious Elephant\" (also known as \"APT-K-47\") was using ORPCBackdoor to target\r\nvictims linked to Pakistan's foreign affairs. This variant is identical to its 2022 version, with only the C2 address being\r\ndifferent.\r\nMiyaRAT\r\nMiyaRAT is another RAT written in C++, first observed in 2024. The RAT\r\n( df5c0d787de9cc7dceeec3e34575220d831b5c8aeef2209bcd81f58c8b3c08ed , seen in 2024) initially connects to its C2 server\r\nusing a hardcoded port. 
It then collects basic system information, including the username, computer name, and operating\r\nsystem details.\r\nMiyaRAT collecting system information.\r\nThe C2 address is decrypted through a simple subtraction operation, where the characters of a hardcoded key are subtracted\r\nfrom the encrypted value. The system information is concatenated and sent to the C2 server using a pipe character ( \"|\" ) to\r\nseparate the values.\r\nMiyaRAT features multiple command capabilities, including shell command execution, file deletion, screenshot capture, and\r\ndirectory enumeration.\r\nMiyaRAT C2 command handling.\r\nIn a variant discovered by Proofpoint in late 2024\r\n( c7ab300df27ad41f8d9e52e2d732f95479f4212a3c3d62dbf0511b37b3e81317 ), the RAT appends its version number to the\r\nsystem information payload, whereas the first variant stored this information in the PDB string.\r\nMiyaRAT old (left) vs new (right) C2 payload format.\r\nUnlike the first variant of MiyaRAT, this variant encrypts all C2 communication by XORing each byte with a hardcoded\r\nsingle-byte key before transmission.\r\nIn May 2025, Proofpoint discovered a new MiyaRAT variant\r\n( c2c92f2238bc20a7b4d4c152861850b8e069c924231e2fa14ea09e9dcd1e9f0a , seen in 2025). This version (v5.0) maintains\r\nnearly identical functionality to its predecessor, with minor modifications. One notable change is its expanded use of the\r\ncharacter subtraction algorithm for string decryption, still utilizing a hardcoded binary key.\r\nThis variant employs single-byte XOR encryption for C2 communication, though it implements the encryption differently\r\nthan previous variants. 
While the C2 commands are now obfuscated with only their first characters visible, the variant\r\nmaintains the same functionality and command set as before.\r\nMiyaRAT old (left) vs new (right) C2 commands.\r\nWhile the code's functionality remains identical, the implementation changes make it more difficult to create detection\r\nsignatures based on code patterns. A string-based YARA rule was able to detect most MiyaRAT variants; however, it failed to\r\ndetect the latest variant (v5.0) due to the newly obfuscated strings. Threatray's detection capabilities, which are based on\r\ncode reuse algorithms, allowed us to easily detect it by finding structural similarities with past MiyaRAT variants.\r\nMiyaRAT 5.0 detected by Threatray.\r\nKiwiStealer\r\nKiwiStealer is a simple file stealer first discovered in late 2024. The stealer\r\n( 4b62fc86273cdc424125a34d6142162000ab8b97190bf6af428d3599e4f4c175 , seen in 2024) starts by gathering the computer\r\nname and username. It also retrieves the current system time, which will be used later to check the last modification time of\r\nfiles on the machine.\r\nKiwiStealer reading system information.\r\nThe computer name and username are then appended to the C2 path (which is decrypted at runtime) and sent to the C2\r\nserver while exfiltrating files from the victim’s machine.\r\nKiwiStealer building the C2 path.\r\nKiwiStealer searches through the following predefined list of directories to gather files.\r\nKiwiStealer hardcoded list of directories to traverse.\r\nThe stealer only exfiltrates files that are smaller than 50MB and have been modified within the past year. It searches for files\r\nwith these extensions: .7z, .txt, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .pdf, .rtf, .jpg, .zip, .rar, .apk,\r\n.neat, .err, .eln, .ppi, .er9, .azr, .pfx, .ovpn\r\nThe stealer writes the collected file paths and their last modification timestamps to a log file at\r\nC:\\ProgramData\\winlist.log\r\nAfter that, the stealer reads the log file and exfiltrates the collected files.\r\nKiwiStealer exfiltrating files from the victim’s machine.\r\nThe C2 address and other strings are encoded through a combination of string reversal and a modified Caesar cipher\r\n(ROT2).\r\nKiwiStealer decoding strings.\r\nKugelBlitz\r\nKugelBlitz is a shellcode loader discovered in late 2024. The loader\r\n( a56b5e90a08822483805f9ab38debb028eb5eade8d796ebf0ff1695c3c379618 , seen in 2024) loads shellcode into memory from\r\na file specified via command line. If no file is specified, it defaults to run.bin .\r\nKugelBlitz parsing the command line to get the payload file name.\r\nThe shellcode loading process is straightforward: it allocates memory for the shellcode using VirtualAlloc , reads the file\r\ncontent into the allocated memory, and executes it.\r\nKugelBlitz loading the shellcode file into memory and executing it.\r\nProofpoint observed Bitter using KugelBlitz to deploy the Havoc C2 framework during hands-on activities. See Part 1 over\r\nat Proofpoint's blog for more details.\r\nShared Payload TTPs\r\nAcross Bitter's diverse and evolving malware arsenal, several consistent TTPs emerge, painting a clearer picture of the\r\ngroup's development practices and operational playbook. 
These shared characteristics not only aid in identifying Bitter's\r\nhandiwork but also suggest a common origin or shared development resources for their tools.\r\nConsistent Information Gathering\r\nA striking commonality across almost all of Bitter's malware families is the method used for initial victim system\r\nreconnaissance. The malware routinely gathers a standard set of details:\r\nComputer Name: To identify the specific machine.\r\nUsername: To identify the active user.\r\nOperating System Details: Typically extracted from the ProductName registry value.\r\nCommon information gathering pattern.\r\nThis consistent pattern of collecting Computer Name, Username, and OS information is evident in malware like\r\nArtraDownloader, WSCSPL Backdoor, MuuyDownloader, WmRAT, MiyaRAT and KugelBlitz, indicating a standardized\r\napproach to initial system fingerprinting.\r\nEvolution of Encoding and Encryption\r\nOlder malware families, such as early versions of ArtraDownloader, Keylogger, and WSCSPL Backdoor, predominantly\r\nrelied on simple character addition or subtraction for encoding and decoding important strings. MuuyDownloader, WmRAT\r\nand MiyaRAT also rely on a very similar character subtraction pattern.\r\nSimple character arithmetic of early malware families.\r\nAs their tools evolved, Bitter incorporated simple XOR encryption. This is notably seen in MuuyDownloader (where each\r\nstring might have its own unique key, or a single key is used for all strings in other variants), BDarkRAT (using a hardcoded\r\nkey for network packets), and later variants of MiyaRAT (for C2 communication).\r\nXOR encryption used by later malware families.\r\nThe two .NET families, BDarkRAT and AlmondRAT, both employ AES-256-CBC encryption. 
The key and Initialization\r\nVector are derived using the PBKDF2 algorithm. The implementation is exactly the same for both families.\r\nBDarkRAT and AlmondRAT AES-256-CBC encryption implementation.\r\nCode Pattern Variations and Iterative Development\r\nWhile core functionalities often remain the same, several malware families exhibit variations in their code patterns across\r\ndifferent versions. This is particularly evident in:\r\nC2 Payload Construction: ArtraDownloader and MuuyDownloader show different methods of concatenating or formatting\r\nthe data sent to the C2 server in their various iterations.\r\nArtraDownloader C2 formatting variations.\r\nMuuyDownloader C2 formatting variations.\r\nString Decryption Routines: Even when the underlying cryptographic logic is similar (e.g., character subtraction or XOR),\r\nthe specific implementation of the decryption functions can vary between variants of ArtraDownloader, MuuyDownloader,\r\nand MiyaRAT. For example, MiyaRAT v5.0, while functionally identical to its predecessor, featured tweaked code patterns\r\nfor string decryption and C2 XORing, making signature-based detection more challenging.\r\nArtraDownloader string decryption variations.\r\nMuuyDownloader string decryption variations.\r\nMiyaRAT string decryption variations.\r\nConclusion\r\nWith this collaborative research we have provided a comprehensive dissection of the Bitter (TA397) group's sustained\r\nespionage operations spanning over eight years. Through Proofpoint’s analysis of extensive telemetry and Threatray’s in-depth malware analysis, we have illuminated the group's evolving TTPs, from their initial access methodologies and hands-on-keyboard activity to their diverse and custom-developed payload arsenal. 
Our findings reveal consistent operational\r\npatterns, shared development practices across their malware families, and distinct infrastructure characteristics that, when\r\ncombined with observed targeting and lure strategies, lead us to jointly assess that Bitter (TA397) is highly likely a state-backed threat actor tasked with intelligence gathering in the interests of the Indian government. By sharing these detailed\r\ninsights, YARA rules, and indicators of compromise, we aim to empower the global cybersecurity community to better\r\ndetect, mitigate, and ultimately disrupt Bitter (TA397).\r\nAppendix: Indicators and YARA Rules\r\nAssociated IOCs are also available on our GitHub repository.\r\nIoCs\r\nSHA256 | Malware Family | First Seen | Source | Notes\r\nef0cb0a1a29bcdf2b36622f72734aec8d38326fc8f7270f78bd956e706a5fd57 | ArtraDownloader | 2018 | PaloAlto Unit42 |\r\n0b2a794bac4bf650b6ba537137504162520b67266449be979679afbb14e8e5c0 | ArtraDownloader | 2019 | PaloAlto Unit42 |\r\nf0ef4242cc6b8fa3728b61d2ce86ea934bd59f550de9167afbca0b0aaa3b2c22 | ArtraDownloader | 2018 | PaloAlto Unit42 |\r\na241cfcd60942ea401d53d6e02ec3dfb5f92e8f4fda0aef032bee7bb5a344c35 | WSCSPL | 2018 | QianXin | Dropped by ArtraDownloader\r\n096e6546b5ca43adbe34bbedc84b002bbf399d2ecf08e83966757b88c5c0d2a2 | WSCSPL | 2018 | Tencent | Dropped by ArtraDownloader\r\n225d865d61178afafc33ef89f0a032ad0e17549552178a72e3182b48971821a8 | MuuyDownloader | 2021 | QianXin |\r\n3fdf291e39e93305ebc9df19ba480ebd60845053b0b606a620bf482d0f09f4d3 | MuuyDownloader | 2021 | Cisco Talos |\r\n91ddbe011f1129c186849cd4c84cf7848f20f74bf512362b3283d1ad93be3e42 | MuuyDownloader | 2022 | Secuinfra |\r\nedb68223db3e583f9a4dd52fd91867fa3c1ce93a98b3c93df3832318fd0a3a56 | MuuyDownloader | 2025 | Threatray |\r\nf619eb9a6255f6adcb02d59ed20f69d801a7db1f481f88e14abca2df020c4d26 | Keylogger | 2017 | Tencent | Dropped by ArtraDownloader\r\n1f9363e640e9fe0d25ef15ed5d3517ec5b3fb16e3b1abb58049f5ad45415654d | Keylogger | 2021 | QianXin | Dropped by MuuyDownloader\r\n9319421ff52d7ea4cca08d1cc7064f9ed5b19ee19dbdde182a0e51325632df88 | BDarkRAT | 2019 | DBAPPSecurity | v1.22.7 Dropped by ArtraDownloader\r\nbf169e4dacda653c367b015a12ee8e379f07c5728322d9828b7d66f28ee7e07a | BDarkRAT | 2024 | QianXin |\r\ne599c55885a170c7ae5c7dfdb8be38516070747b642ac21194ad6d322f28c782 | BDarkRAT | 2025 | Proofpoint |\r\n55901c2d5489d6ac5a0671971d29a31f4cdfa2e03d56e18c1585d78547a26396 | AlmondRAT | 2022 | Secuinfra | Dropped by MuuyDownloader\r\nd83cb82be250604b2089a1198cedd553aaa5e8838b82011d6999bc6431935691 | AlmondRAT | 2022 | Secuinfra | Dropped by MuuyDownloader\r\n811741d9df51a9f16272a64ec7eb8ff12f8f26794368b1ff4ad5d30a1f4bb42a | WmRAT | 2023 | QianXin |\r\n10cec5a84943f9b0c635640fad93fd2a2469cc46aae5e43a4604c903d139970f | WmRAT | 2024 | Proofpoint |\r\n8aeb7dd31c764b0cf08b38030a73ac1d22b29522fbcf512e0d24544b3d01d8b3 | ORPCBackdoor | 2022 | KnownSec 404 |\r\ndd53768eb7d5724adeb58796f986ded3c9b469157a1a1757d80ccd7956a3dbda | ORPCBackdoor | 2023 | QianXin |\r\ndf5c0d787de9cc7dceeec3e34575220d831b5c8aeef2209bcd81f58c8b3c08ed | MiyaRAT | 2024 | QianXin | v1.1\r\nc7ab300df27ad41f8d9e52e2d732f95479f4212a3c3d62dbf0511b37b3e81317 | MiyaRAT | 2024 | Proofpoint | v3.0\r\n0953d4cc6861082c079935918c63cd71df30e5e6854adf608a8b8f5254be8e99 | MiyaRAT | 2024 | Threatray | v3.2\r\nc2c92f2238bc20a7b4d4c152861850b8e069c924231e2fa14ea09e9dcd1e9f0a | MiyaRAT | 2025 | Proofpoint | v5.0\r\n4b62fc86273cdc424125a34d6142162000ab8b97190bf6af428d3599e4f4c175 | KiwiStealer | 2024 | 360 Security |\r\na56b5e90a08822483805f9ab38debb028eb5eade8d796ebf0ff1695c3c379618 | KugelBlitz | 2024 | 360 Security |\r\nYARA Rules\r\nimport \"pe\"\r\nrule ArtraDownloader : BitterAPT {\r\n meta:\n author = \"Abdallah Elshinbary (n1ghtw0lf), Threatray\"\n description = \"Detects ArtraDownloader used by Bitter APT\"\n license = 
\"Detection Rule License (DRL) 1.1\"\n date = \"2025-06-01\"\n reference = \"https://www.threatray.com/blog/the-bitter-end-unraveling-eight-years-of-espionage-antics-part-two\"\n hash = \"ef0cb0a1a29bcdf2b36622f72734aec8d38326fc8f7270f78bd956e706a5fd57\"\n hash = \"0b2a794bac4bf650b6ba537137504162520b67266449be979679afbb14e8e5c0\"\n hash = \"f0ef4242cc6b8fa3728b61d2ce86ea934bd59f550de9167afbca0b0aaa3b2c22\"\n strings:\n $v1_s1 = \"BCDEF=%s\u0026MNOPQ=%s\u0026GHIJ=%s\u0026UVWXYZ=%s\u0026st=%d\" ascii fullword\n $v1_s2 = \"%s %s %s\\r\\n%s %s\\r\\n%s%s\\r\\n%s%s\\r\\nContent-length: %d\\r\\n\\r\\n%s\" ascii fullword\n $v1_s3 = \"DFCB=\" ascii fullword\n $v1_s4 = \"DWN\" ascii fullword\n $v1_s5 = \"  \n\" ascii fullword\n $v2_s1 = \"GET %s HTTP/1.0\" ascii fullword\n $v2_s2 = \"Host: %s\" ascii fullword\n $v2_s3 = \"?a=\\x00\u0026b=\\x00\u0026c=\\x00\u0026d=\\x00\u0026e=\\x00\" ascii fullword\n $v2_s4 = \"%s%s%s%s%s%s%s%s\" ascii fullword\n $v2_s5 = \"Yes file\" ascii fullword\n $v3_s1 = \"AXE: #\" ascii fullword\n $v3_s2 = \"%s*%s*%s\" ascii fullword\n $v3_s3 = \"Bld: %s.%s.%s\" ascii fullword\n $v3_s4 = \"%s@%s %s\" ascii fullword\n $v3_s5 = \"%s%s\\r\\n\\r\\n\" ascii fullword\n condition:\n pe.is_pe and\n filesize \u003c 400KB and\n all of ($v1_*) or all of ($v2_*) or all of ($v3_*)\n}\nrule BitterKeylogger : BitterAPT {\n meta:\n author = \"Abdallah Elshinbary (n1ghtw0lf), Threatray\"\n description = \"Detects the Keylogger module used by Bitter APT\"\n license = \"Detection Rule License (DRL) 1.1\"\n date = \"2025-06-01\"\n reference = \"https://www.threatray.com/blog/the-bitter-end-unraveling-eight-years-of-espionage-antics-part-two\"\n hash = \"f619eb9a6255f6adcb02d59ed20f69d801a7db1f481f88e14abca2df020c4d26\"\n hash = \"1f9363e640e9fe0d25ef15ed5d3517ec5b3fb16e3b1abb58049f5ad45415654d\"\n strings:\n $code_get_key_state = {\n 8B 07 // mov eax, [edi]\n 3D A0 00 00 00 // cmp eax, 0A0h\n 74 ?? // jz short loc_401472\n 3D A1 00 00 00 // cmp eax, 0A1h\n 75 ?? 
// jnz short loc_401486\n }\n $code_collect_clipboard = {\n FF 15 ?? ?? ?? ?? // call ds:OpenClipboard\n 85 ?? // test eax, eax\n 74 ?? // jz short loc_40250A\n 6A 01 // push 1 ; format\n FF 15 ?? ?? ?? ?? // call ds:IsClipboardFormatAvailable\n 85 C0 // test eax, eax\n 74 ?? // jz short loc_40250A\n 6A 01 // push 1 ; uFormat\n FF 15 ?? ?? ?? ?? // call ds:GetClipboardData\n 8B ?? // mov ecx, eax\n 8D ?? 01 // lea esi, [ecx+1]\n }\n $code_check_log_file_size = {\n 6A 02 // push 2\n 8B ?? // mov esi, eax\n 6A 00 // push 0\n 5? // push esi\n E8 ?? ?? ?? ?? // call _fseek\r\n 5? // push esi\r\n E8 ?? ?? ?? ?? // call _ftell\r\n 5? // push esi\r\n 8B ?? // mov edi, eax\r\n E8 ?? ?? ?? ?? // call _fclose\r\n 83 C4 1C // add esp, 1Ch\r\n 81 ?? E8 03 00 00 // cmp edi, 3E8h\r\n }\r\n condition:\r\n pe.is_pe and\r\n filesize \u003c 400KB and\r\n all of them\r\n}\r\nrule WSCSPLBackdoor : BitterAPT {\r\n meta:\r\n author = \"Abdallah Elshinbary (n1ghtw0lf), Threatray\"\r\n description = \"Detects WSCSPL backdoor used by Bitter APT\"\r\n license = \"Detection Rule License (DRL) 1.1\"\r\n date = \"2025-06-01\"\r\n reference = \"https://www.threatray.com/blog/the-bitter-end-unraveling-eight-years-of-espionage-antics-part-two\"\r\n hash = \"a241cfcd60942ea401d53d6e02ec3dfb5f92e8f4fda0aef032bee7bb5a344c35\"\r\n hash = \"096e6546b5ca43adbe34bbedc84b002bbf399d2ecf08e83966757b88c5c0d2a2\"\r\n strings:\r\n $code_main = {\r\n 6A 64 // push 64h ; 'd' ; cchBufferMax\r\n 68 ?? ?? ?? ?? // push offset WindowName ; lpBuffer\r\n 6A 67 // push 67h ; 'g' ; uID\r\n 5? // push esi ; hInstance\r\n FF D? // call edi ; LoadStringA\r\n 6A 64 // push 64h ; 'd' ; cchBufferMax\r\n 68 ?? ?? ?? ?? // push offset ClassName ; lpBuffer\r\n 6A 6D // push 6Dh ; 'm' ; uID\r\n 5? // push esi ; hInstance\r\n FF D? // call edi ; LoadStringA\r\n }\r\n $code_xor_c2_data = {\r\n 8A 8? 17 ?? ?? ?? ?? 
// mov al, byte_4520D8[edi+edx]\r\n 32 8? ?? ?? ?? ?? // xor al, byte_406078[ecx]\r\n 4? // inc ecx\r\n 88 8? ?? ?? ?? ?? // mov byte_4520D8[edx], al\r\n 4? // inc edx\r\n 3? ?? // cmp ecx, esi\r\n 75 ?? // jnz short loc_401C2B\r\n 3? ?? // xor ecx, ecx\r\n 3? ?? // cmp edx, ebp\r\n 7C ?? // jl short loc_401C10\r\n }\r\n $code_handle_c2_commands = {\r\n 8D ?? 24 10 // lea edx, [esp+10h]\r\n 5? // push edx ; lpParameter\r\n 68 ?? ?? ?? ?? // push offset mw_get_victim_info ; lpStartAddress\r\n 6A 00 // push 0 ; dwStackSize\r\n 6A 00 // push 0 ; lpThreadAttributes\r\n C7 05 ?? ?? ?? ?? A0 0F 00 00 // mov dword_406090, 4000\r\n C7 05 ?? ?? ?? ?? ?? ?? 00 00 // mov dword_45EA98, 3000\r\n FF 15 ?? ?? ?? ?? // call ds:CreateThread\r\n A3 ?? ?? ?? ?? // mov dword_45EA64, eax\r\n E9 ?? ?? 00 00 // jmp def_401CEE\r\n }\r\n condition:\r\n pe.is_pe and\r\n filesize \u003c 200KB and\r\n all of them\r\n}\r\nrule MuuyDownloader : BitterAPT {\r\n meta:\r\n author = \"Abdallah Elshinbary (n1ghtw0lf), Threatray\"\r\n description = \"Detects MuuyDownloader used by Bitter APT\"\r\n license = \"Detection Rule License (DRL) 1.1\"\r\n date = \"2025-06-01\"\r\n reference = \"https://www.threatray.com/blog/the-bitter-end-unraveling-eight-years-of-espionage-antics-part-two\"\r\n hash = \"225d865d61178afafc33ef89f0a032ad0e17549552178a72e3182b48971821a8\"\r\n hash = \"3fdf291e39e93305ebc9df19ba480ebd60845053b0b606a620bf482d0f09f4d3\"\r\n hash = \"91ddbe011f1129c186849cd4c84cf7848f20f74bf512362b3283d1ad93be3e42\"\r\n hash = \"edb68223db3e583f9a4dd52fd91867fa3c1ce93a98b3c93df3832318fd0a3a56\"\r\n strings:\r\n $x = \"SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\" ascii wide fullword\r\n $code_main = {\r\n 6A 64 // push 64h ; 'd' ; cchBufferMax\r\n 68 ?? ?? ?? ?? // push offset WindowName ; lpBuffer\r\n 6A 67 // push 67h ; 'g' ; uID\r\n 5? 
// push esi ; hInstance\r\n FF D? // call edi ; LoadStringA\r\n 6A 64 // push 64h ; 'd' ; cchBufferMax\r\n 68 ?? ?? ?? ?? // push offset ClassName ; lpBuffer\r\n 6A 6D // push 6Dh ; 'm' ; uID\r\n 5? // push esi ; hInstance\r\n FF D? // call edi ; LoadStringA\r\n }\r\n $code_write_mz = {\r\n 8B 3D ?? ?? ?? ?? // mov edi, ds:fwrite\r\n [0-2]\r\n 56 // push esi ; Stream\r\n 6A 01 // push 1 ; ElementCount\r\n 6A 01 // push 1 ; ElementSize\r\n 68 ?? ?? ?? ?? // push offset aM ; Buffer\r\n FF D7 // call edi ; fwrite\r\n }\r\n $code_c2_conn = {\r\n C7 [2-3] 01 00 00 00 // mov [esp+1E4h+pHints.ai_socktype], 1\r\n C7 [2-3] 06 00 00 00 // mov [esp+1E4h+pHints.ai_protocol], 6\r\n FF 15 ?? ?? ?? ?? // call ds:getaddrinfo\r\n 85 C0 // test eax, eax\r\n }\r\n $code_check_running_procs = {\r\n 6A 00 // push 0 ; th32ProcessID\r\n 6A 0F // push 0Fh ; dwFlags\r\n E8 ?? ?? ?? ?? // call CreateToolhelp32Snapshot\r\n 68 ?? 01 00 00 // push 124h ; Size\r\n 8B ?? // mov esi, eax\r\n 8D [3-5] // lea eax, [ebp+pe.cntUsage]\r\n 6A 00 // push 0 ; Val\r\n 50 // push eax ; void *\r\n E8 ?? ?? ?? ?? 
// call memset\r\n 83 C4 0C // add esp, 0Ch\r\n }\r\n condition:\r\n pe.is_pe and\r\n filesize \u003c 100KB and\r\n ($x and 2 of ($code*) or (3 of ($code*))) and\r\n for any i in pe.import_details: ( for any f in i.functions: ( f.name == \"fwrite\" ) )\r\n}\r\nrule BDarkRAT : BitterAPT {\r\n meta:\r\n author = \"Abdallah Elshinbary (n1ghtw0lf), Threatray\"\r\n description = \"Detects BDarkRAT used by Bitter APT\"\r\n license = \"Detection Rule License (DRL) 1.1\"\r\n date = \"2025-06-01\"\r\n reference = \"https://www.threatray.com/blog/the-bitter-end-unraveling-eight-years-of-espionage-antics-part-two\"\r\n hash = \"e07e8cbeeddc60697cc6fdb5314bd3abb748e3ac5347ff108fef9eab2f5c89b8\"\r\n hash = \"bf169e4dacda653c367b015a12ee8e379f07c5728322d9828b7d66f28ee7e07a\"\r\n hash = \"e599c55885a170c7ae5c7dfdb8be38516070747b642ac21194ad6d322f28c782\"\r\n strings:\r\n $s1 = \"Process started successfully\" wide fullword\r\n $s2 = \"No process to send input to\" wide fullword\r\n $code_initialize_commands = {\r\n 73 ?? 00 00 0A // IL_0000: newobj ::.ctor()\r\n 80 ?? 00 00 04 // IL_0005: stsfld ::packetList\r\n 72 ?? ?? 00 70 // IL_000A: ldstr \"1\"\r\n [1-2] // IL_000F: ldc.i4.2\r\n D0 ?? ?? 00 02 // IL_0010: ldtoken R_DeleteFile\r\n 28 ?? ?? 00 0A // IL_0015: call ::GetTypeFromHandle\r\n 73 ?? ?? 00 06 // IL_001A: newobj ::.ctor\r\n 28 ?? ?? 00 06 // IL_001F: call ::RegisterPacket\r\n 72 ?? ?? 00 70 // IL_0024: ldstr \"12\"\r\n [1-2] // IL_0029: ldc.i4.s 18\r\n D0 ?? ?? 00 02 // IL_002B: ldtoken R_FileMgrGetDrives\r\n 28 ?? ?? 00 0A // IL_0030: call ::GetTypeFromHandle\r\n 73 ?? ?? 00 06 // IL_0035: newobj ::.ctor\r\n 28 ?? ?? 00 06 // IL_003A: call ::RegisterPacket\r\n 72 ?? ?? 00 70 // IL_003F: ldstr \"13\"\r\n }\r\n $code_connect_ip = {\r\n 26 // IL_0071: pop\r\n 02 // IL_0072: ldarg.0\r\n 7B ?? ?? 
00 04 // IL_0073: ldfld ::random\r\n 17 // IL_0078: ldc.i4.1\r\n 1? // IL_0079: ldc.i4.4\r\n 6F ?? ?? 00 0A // IL_007A: callvirt Random::Next\r\n 20 E8 03 00 00 // IL_007F: ldc.i4 1000\r\n 5A // IL_0084: mul\r\n 28 ?? ?? 00 0A // IL_0085: call Thread::Sleep\r\n DE ?? // IL_008A: leave.s IL_00CE\r\n 02 // IL_008C: ldarg.0\r\n 7B ?? ?? 00 04 // IL_008D: ldfld ::random\r\n 17 // IL_0092: ldc.i4.1\r\n 1? // IL_0093: ldc.i4.2\r\n 6F ?? ?? 00 0A // IL_0094: callvirt Random::Next\r\n 20 E8 03 00 00 // IL_0099: ldc.i4 1000\r\n 5A // IL_009E: mul\r\n 28 ?? ?? 00 0A // IL_009F: call Thread::Sleep\r\n 7E ?? ?? 00 04 // IL_00A4: ldsfld Settings::ConnectIP\r\n 28 ?? ?? 00 0A // IL_00A9: call ::IsNullOrEmpty\r\n 2D 19 // IL_00AE: brtrue.s IL_00C9\r\n 7E ?? ?? 00 04 // IL_00B0: ldsfld ClientConnect::clientSocket\r\n 7E ?? ?? 00 04 // IL_00B5: ldsfld Settings::ConnectIP\r\n 28 ?? ?? 00 0A // IL_00BA: call IPAddress::Parse\r\n 7E ?? ?? 00 04 // IL_00BF: ldsfld Settings::ConnectPort\r\n 6F ?? ?? 00 0A // IL_00C4: callvirt Socket::Connect\r\n DE ?? // IL_01EE: leave.s IL_01F3\r\n }\r\n $code_packet_crypt = {\r\n 16 // IL_0000: ldc.i4.0\r\n 0A // IL_0001: stloc.0\r\n 2B 16 // IL_0002: br.s IL_001A\r\n 02 // IL_0004: ldarg.0\r\n 06 // IL_0005: ldloc.0\r\n 8F ?? ?? 00 01 // IL_0006: ldelema System.Byte\r\n 25 // IL_000B: dup\r\n 47 // IL_000C: ldind.u1\r\n 7E ?? ?? 
00 04 // IL_000D: ldsfld CryptEngine::_key\r\n D2 // IL_0012: conv.u1\r\n 61 // IL_0013: xor\r\n D2 // IL_0014: conv.u1\r\n 52 // IL_0015: stind.i1\r\n 06 // IL_0016: ldloc.0\r\n 17 // IL_0017: ldc.i4.1\r\n 58 // IL_0018: add\r\n 0A // IL_0019: stloc.0\r\n 06 // IL_001A: ldloc.0\r\n 02 // IL_001B: ldarg.0\r\n 8E // IL_001C: ldlen\r\n 69 // IL_001D: conv.i4\r\n 32 E4 // IL_001E: blt.s IL_0004\r\n 02 // IL_0020: ldarg.0\r\n 2A // IL_0021: ret\r\n }\r\n condition:\r\n pe.is_pe and\r\n filesize \u003c 200KB and\r\n all of ($s*) and 2 of ($code*)\r\n}\r\nrule AlmondRAT : BitterAPT {\r\n meta:\r\n author = \"Abdallah Elshinbary (n1ghtw0lf), Threatray\"\r\n description = \"Detects AlmondRAT used by Bitter APT\"\r\n license = \"Detection Rule License (DRL) 1.1\"\r\n date = \"2025-06-01\"\r\n reference = \"https://www.threatray.com/blog/the-bitter-end-unraveling-eight-years-of-espionage-antics-part-two\"\r\n hash = \"55901c2d5489d6ac5a0671971d29a31f4cdfa2e03d56e18c1585d78547a26396\"\r\n hash = \"d83cb82be250604b2089a1198cedd553aaa5e8838b82011d6999bc6431935691\"\r\n strings:\r\n $s1 = \"GetMacid\" ascii fullword\r\n $s2 = \"GetOsName\" ascii fullword\r\n $s3 = \"GetallDrives\" ascii fullword\r\n $s4 = \"sendingSysInfo\" ascii fullword\r\n $s5 = \"fileAccessible\" ascii fullword\r\n $s6 = \"StartClient\" ascii fullword\r\n $s7 = \"StartCommWithServer\" ascii fullword\r\n $s8 = \"*|END|*\" wide fullword\r\n $s9 = \"PATH\u003e\" wide fullword\r\n $s10 = \"FILE\u003e\" wide fullword\r\n $s11 = \"NOTOK\" wide fullword\r\n condition:\r\n pe.is_pe and\r\n filesize \u003c 50KB and\r\n 8 of ($s*)\r\n}\r\nrule ORPCBackdoor : BitterAPT {\r\n meta:\r\n author = \"Abdallah Elshinbary (n1ghtw0lf), Threatray\"\r\n description = \"Detects ORPCBackdoor used by Bitter APT\"\r\n license = \"Detection Rule License (DRL) 1.1\"\r\n date = \"2025-06-01\"\r\n reference = 
\"https://www.threatray.com/blog/the-bitter-end-unraveling-eight-years-of-espionage-antics-part-two\"\r\n hash = \"8aeb7dd31c764b0cf08b38030a73ac1d22b29522fbcf512e0d24544b3d01d8b3\"\r\n hash = \"dd53768eb7d5724adeb58796f986ded3c9b469157a1a1757d80ccd7956a3dbda\"\r\n strings:\r\n $rpc = \"RPCRT4.dll\"\r\n $s1 = \"Host Name:\\t\\t\\t\" ascii\r\n $s2 = \"OS Build Type :\\t\\t\\t\" ascii\r\n $s3 = \"Registered Owner:\\t\\t\" ascii\r\n $s4 = \"Product ID:\\t\\t\\t\" ascii\r\n $s5 = \"Install Date:\\t\\t\\t\" ascii\r\n $s6 = \"System Manufacturer:\\t\\t\" ascii\r\n $s7 = \"Processor(s):\\t\\t\\t\" ascii\r\n $s8 = \"BiosVersion:\\t\\t\\t\" ascii\r\n $s9 = \"BIOSVENDOR:\\t\\t\\t\" ascii\r\n $s10 = \"BIOS Date:\\t\\t\\t\" ascii\r\n $s11 = \"Boot Device:\\t\\t\\t\" ascii\r\n $s12 = \"Input Locale:\\t\\t\\t\" ascii\r\n $s13 = \"Time zone:\\t\\t\\t\" ascii\r\n $s14 = \"Total Physical Memory:\\t\\t\" ascii\r\n $s15 = \"Virtual Memory: In Use:\\t\\t\" ascii\r\n $s16 = \"Page File Location(s):\\t\\t\" ascii\r\n $s17 = \"Error! GetComputerName failed.\\n\" ascii\r\n $s18 = \"Error! 
RegOpenKeyEx failed.\\n\" ascii\r\n $s19 = \"IA64-based PC\" wide\r\n $s20 = \"AMD64-based PC\" wide\r\n $s21 = \"X86-based PC\" wide\r\n $s22 = \"%s\\\\oeminfo.ini\" wide\r\n condition:\r\n pe.is_pe and\r\n $rpc and 15 of ($s*)\r\n}\r\nrule WmRAT : BitterAPT {\r\n meta:\r\n author = \"Abdallah Elshinbary (n1ghtw0lf, Threatray)\"\r\n description = \"Detects WmRAT used by Bitter APT\"\r\n license = \"Detection Rule License (DRL) 1.1\"\r\n date = \"2025-06-01\"\r\n reference = \"https://www.threatray.com/blog/the-bitter-end-unraveling-eight-years-of-espionage-antics-part-two\"\r\n hash = \"4e3e4d476810c95c34b6f2aa9c735f8e57e85e3b7a97c709adc5d6ee4a5f6ccc\"\r\n hash = \"10cec5a84943f9b0c635640fad93fd2a2469cc46aae5e43a4604c903d139970f\"\r\n strings:\r\n $s1 = \"%s%ld M\" ascii fullword\r\n $s2 = \"%s%ld K\" ascii fullword\r\n $s3 = \"%s%ld MB\" ascii fullword\r\n $s4 = \"%s%ld KB\" ascii fullword\r\n $s5 = \"--,.\" ascii fullword\r\n $s6 = \"RFOX\" ascii fullword\r\n $s7 = \"1llll\" ascii fullword\r\n $s8 = \"exit\" ascii fullword\r\n $s9 = \"Path=\" ascii fullword\r\n $s10 = \" %d result(s)\" ascii fullword\r\n $s11 = \"%02d-%02d-%d %02d:%02d\" ascii fullword\r\n $code_sleep = {\r\n 6A 64 // push 64h ; 'd' ; dwMilliseconds\r\n FF ?? // call esi ; Sleep\r\n 6A 01 // push 1 ; unsigned int\r\n E8 ?? ?? ?? ?? // call ??2@YAPAXI@Z ; operator new(uint)\r\n 83 C4 04 // add esp, 4\r\n 3B ?? // cmp eax, edi\r\n 74 ?? // jz short loc_4019E5\r\n }\r\n $code_dec_str = {\r\n 83 7C 24 ?? 10 // cmp dword ptr [esp+44h], 10h\r\n 8B 44 24 ?? // mov eax, [esp+30h]\r\n 73 ?? // jnb short loc_4086B2\r\n 8D 44 24 ?? // lea eax, [esp+30h]\r\n 8A 0C 37 // mov cl, [edi+esi]\r\n 80 ?? ?? // sub cl, 2Eh ; '.'\r\n 88 0C 30 // mov [eax+esi], cl\r\n 46 // inc esi\r\n 3B F5 // cmp esi, ebp\r\n 7C ?? // jl short loc_408680\r\n }\r\n $code_fill_logs = {\r\n BD E8 03 00 00 // mov ebp, 1000\r\n 83 ?? FF // or edi, 0FFFFFFFFh\r\n E8 ?? ?? ?? ?? // call Get_ComputerName_and_Username\r\n 66 A1 ?? ?? ?? ?? 
// mov ax, ds:word_40D82C\r\n 8A 0D ?? ?? ?? ?? // mov cl, ds:byte_40D82E\r\n 66 89 44 24 ?? // mov [esp+14h], ax\r\n 88 4C 24 ?? // mov [esp+16h], cl\r\n FF 15 ?? ?? ?? ?? // call ds:GetLogicalDrives\r\n 89 44 24 ?? // mov [esp+18h], eax\r\n 3B ?? // cmp eax, esi\r\n 74 ?? // jz short loc_4091E1\r\n 8D ?? 00 00 00 00 // lea ebx, [ebx+0]\r\n A8 01 // test al, 1\r\n 74 ?? // jz short loc_4091D5\r\n }\r\n condition:\r\n pe.is_pe and\r\n filesize \u003c 300KB and\r\n 10 of ($s*) or all of ($code*)\r\n}\r\nrule MiyaRAT : BitterAPT {\r\n meta:\r\n author = \"Abdallah Elshinbary (n1ghtw0lf), Threatray\"\r\n description = \"Detects MiyaRAT used by Bitter APT\"\r\n license = \"Detection Rule License (DRL) 1.1\"\r\n date = \"2025-06-01\"\r\n reference = \"https://www.threatray.com/blog/the-bitter-end-unraveling-eight-years-of-espionage-antics-part-two\"\r\n hash = \"df5c0d787de9cc7dceeec3e34575220d831b5c8aeef2209bcd81f58c8b3c08ed\"\r\n hash = \"c7ab300df27ad41f8d9e52e2d732f95479f4212a3c3d62dbf0511b37b3e81317\"\r\n hash = \"0953d4cc6861082c079935918c63cd71df30e5e6854adf608a8b8f5254be8e99\"\r\n hash = \"c2c92f2238bc20a7b4d4c152861850b8e069c924231e2fa14ea09e9dcd1e9f0a\"\r\n strings:\r\n $x1 = \"] GB FREE\\r\\n\" ascii fullword\r\n $x2 = \"\u003c||\u003e\\r\\n\" wide fullword\r\n $s1 = \"\u003cSZ\u003e\" wide\r\n $s2 = \"\u003cFIL\u003e\" wide\r\n $s3 = \"UPL1\" wide\r\n $s4 = \"DWNL\" wide\r\n $s5 = \",filesize==\" wide\r\n $s6 = \"[DIR]\u003c||\u003e\" wide\r\n $s7 = \"[FILE]\u003c||\u003e\" wide\r\n $s8 = \"[END]~!@\" wide\r\n $s9 = \"GDIR\" wide\r\n $s10 = \"DELz\" wide\r\n $s11 = \"GFS\" wide\r\n $s12 = \"SH1\" wide\r\n $s13 = \"SH2\" wide\r\n $s14 = \"SFS\" wide\r\n $s15 = \"GSS\" wide\r\n $s16 = \"SH1cmd\" wide\r\n $s17 = \"SH1start_cmd\" wide\r\n $s18 = \"SH1start_ps\" wide\r\n $s19 = \"SH1exit_client\" wide\r\n $code_init_c2_conn = {\r\n 68 00 00 00 80 
// push 80000000h ; esFlags\r\n FF 15 ?? ?? ?? ?? // call ds:SetThreadExecutionState\r\n 68 E9 FD 00 00 // push 0FDE9h ; wCodePageID\r\n FF 15 ?? ?? ?? ?? // call ds:SetConsoleOutputCP\r\n 68 E9 FD 00 00 // push 0FDE9h ; wCodePageID\r\n FF 15 ?? ?? ?? ?? // call ds:SetConsoleCP\r\n [0-1]\r\n 8D 85 ?? ?? ?? ?? // lea eax, [ebp+WSAData]\r\n 50 // push eax ; lpWSAData\r\n 68 02 02 00 00 // push 202h ; wVersionRequested\r\n FF 15 ?? ?? ?? ?? // call ds:WSAStartup\r\n 85 C0 // test eax, eax\r\n }\r\n $code_collect_user_info = {\r\n 68 00 20 00 00 // push 2000h ; Size\r\n [0-6]\r\n 6A 00 // push 0 ; Val\r\n [0-6]\r\n 5? // push eax ; void *\r\n E8 ?? ?? ?? ?? // call _memset ; Connection successful. Start gathering syst\r\n 83 C4 0C // add esp, 0Ch\r\n C7 85 ?? ?? ?? ?? 10 00 00 00 // mov [ebp+pcbBuffer], 10h\r\n 8D 8? ?? ?? ?? ?? // lea eax, [ebp+pcbBuffer] ; Get username.\r\n 5? // push eax ; pcbBuffer\r\n 8D 4? ?? // lea eax, [ebp+Buffer]\r\n 5? // push eax ; lpBuffer\r\n FF 15 ?? ?? ?? ?? // call ds:GetUserNameW\r\n [0-6]\r\n C7 85 ?? ?? ?? ?? 10 00 00 00 // mov [ebp+pcbBuffer], 10h\r\n [0-6]\r\n 5? // push eax ; nSize\r\n 8D 4? ?? // lea eax, [ebp+var_34]\r\n 5? // push eax ; lpBuffer\r\n FF 15 ?? ?? ?? ?? // call ds:GetComputerNameW\r\n 6A 00 // push 0 ; lpModuleName\r\n FF 15 ?? ?? ?? ?? 
// call ds:GetModuleHandleW ; Get current module file path.\r\n }\r\n condition:\r\n pe.is_pe and\r\n all of ($x*) and\r\n (10 of ($s*) or 2 of ($code*))\r\n}\r\nrule KiwiStealer : BitterAPT {\r\n meta:\r\n author = \"Abdallah Elshinbary (n1ghtw0lf), Threatray\"\r\n description = \"Detects KiwiStealer used by Bitter APT\"\r\n license = \"Detection Rule License (DRL) 1.1\"\r\n date = \"2025-06-01\"\r\n reference = \"https://www.threatray.com/blog/the-bitter-end-unraveling-eight-years-of-espionage-antics-part-two\"\r\n hash = \"4b62fc86273cdc424125a34d6142162000ab8b97190bf6af428d3599e4f4c175\"\r\n strings:\r\n $code_main = {\r\n FF 15 ?? ?? ?? ?? // call cs:CreateMutexA\r\n 4C 8B F8 // mov r15, rax\r\n FF 15 ?? ?? ?? ?? // call cs:GetLastError\r\n 3D B7 00 00 00 // cmp eax, 0B7h\r\n 0F 84 ?? ?? ?? ?? // jz loc_14000B718\r\n FF 15 ?? ?? ?? ?? // call cs:GetLastError\r\n 83 F8 05 // cmp eax, 5\r\n 0F 84 ?? ?? ?? ?? // jz loc_14000B718\r\n }\r\n $code_dec_str = {\r\n 66 83 ?? 19 // cmp ax, 19h\r\n 77 ?? // ja short loc_140005CDF\r\n 83 ?? 3F // sub ecx, 3Fh ; '?'\r\n B? 4F EC C4 4E // mov eax, 4EC4EC4Fh\r\n F7 ?? // imul ecx\r\n C1 ?? 03 // sar edx, 3\r\n 8B ?? // mov eax, edx\r\n C1 ?? 1F // shr eax, 1Fh\r\n 03 ?? // add edx, eax\r\n 6B ?? 1A // imul eax, edx, 1Ah\r\n 2B ?? // sub ecx, eax\r\n 66 83 ?? 
41 // add cx, 41h ; 'A'\r\n }\r\n condition:\r\n pe.is_pe and\r\n filesize \u003c 300KB and\r\n all of them\r\n}\r\nrule KugelBlitz : BitterAPT {\r\n meta:\r\n author = \"Abdallah Elshinbary (n1ghtw0lf), Threatray\"\r\n description = \"Detects KugelBlitz shellcode loader used by Bitter APT\"\r\n license = \"Detection Rule License (DRL) 1.1\"\r\n date = \"2025-06-01\"\r\n reference = \"https://www.threatray.com/blog/the-bitter-end-unraveling-eight-years-of-espionage-antics-part-two\"\r\n hash = \"a56b5e90a08822483805f9ab38debb028eb5eade8d796ebf0ff1695c3c379618\"\r\n strings:\r\n $s1 = \"run.bin\" wide\r\n $s2 = \"Failed to open the file.\" ascii\r\n $s3 = \"Failed to allocate memory.\" ascii\r\n $s4 = \"Failed to read the shellcode.\" ascii\r\n $s5 = \"ShellCode_Loader\" ascii\r\n condition:\r\n pe.is_pe and\r\n filesize \u003c 100KB and\r\n 4 of them\r\n}\r\nSource: https://www.threatray.com/blog/the-bitter-end-unraveling-eight-years-of-espionage-antics-part-two",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.threatray.com/blog/the-bitter-end-unraveling-eight-years-of-espionage-antics-part-two"
	],
	"report_names": [
		"the-bitter-end-unraveling-eight-years-of-espionage-antics-part-two"
	],
	"threat_actors": [
		{
			"id": "655f7d0b-7ea6-4950-b272-969ab7c27a4b",
			"created_at": "2022-10-27T08:27:13.133291Z",
			"updated_at": "2026-04-10T02:00:05.315213Z",
			"deleted_at": null,
			"main_name": "BITTER",
			"aliases": [
				"T-APT-17"
			],
			"source_name": "MITRE:BITTER",
			"tools": [
				"ZxxZ"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "acd789fa-d488-47f3-b9cc-fdb18b1fa375",
			"created_at": "2023-01-06T13:46:39.332092Z",
			"updated_at": "2026-04-10T02:00:03.290017Z",
			"deleted_at": null,
			"main_name": "HAZY TIGER",
			"aliases": [
				"T-APT-17",
				"APT-C-08",
				"Orange Yali",
				"TA397"
			],
			"source_name": "MISPGALAXY:HAZY TIGER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f5339d7c-473e-4b49-b44c-189b4f72b585",
			"created_at": "2024-12-28T02:01:54.8259Z",
			"updated_at": "2026-04-10T02:00:04.778045Z",
			"deleted_at": null,
			"main_name": "Mysterious Elephant",
			"aliases": [
				"APT-K-47"
			],
			"source_name": "ETDA:Mysterious Elephant",
			"tools": [
				"ORPCBackdoor"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "bf6cb670-bb69-473f-a220-97ac713fd081",
			"created_at": "2022-10-25T16:07:23.395205Z",
			"updated_at": "2026-04-10T02:00:04.578924Z",
			"deleted_at": null,
			"main_name": "Bitter",
			"aliases": [
				"G1002",
				"T-APT-17",
				"TA397"
			],
			"source_name": "ETDA:Bitter",
			"tools": [
				"Artra Downloader",
				"ArtraDownloader",
				"Bitter RAT",
				"BitterRAT",
				"Dracarys"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434921,
	"ts_updated_at": 1775792036,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d7e9f49173fc2cad5d070361cdbf67b7d382db0b.pdf",
		"text": "https://archive.orkl.eu/d7e9f49173fc2cad5d070361cdbf67b7d382db0b.txt",
		"img": "https://archive.orkl.eu/d7e9f49173fc2cad5d070361cdbf67b7d382db0b.jpg"
	}
}