{
	"id": "6b9bac41-9d82-4635-8527-00d892c13e3c",
	"created_at": "2026-04-06T00:07:55.094771Z",
	"updated_at": "2026-04-10T03:37:58.75111Z",
	"deleted_at": null,
	"sha1_hash": "deb4a33a3b911c9edb4dc083828e5d454f230060",
	"title": "Bitter Group Distributes CHM Malware to Chinese Organizations - ASEC",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1283846,
	"plain_text": "Bitter Group Distributes CHM Malware to Chinese Organizations\r\n- ASEC\r\nBy ATCP\r\nPublished: 2023-04-03 · Archived: 2026-04-05 13:59:50 UTC\r\nThe Bitter (T-APT-17) group is a threat group that usually targets South Asian government organizations, distributing malware through Microsoft Office files such as Word or Excel documents. AhnLab Security Emergency response Center (ASEC) has identified multiple cases of the group distributing CHM malware to certain Chinese organizations. CHM files have been used by various threat groups in APT attacks since earlier this year and have been covered multiple times in ASEC blog posts.\r\nThe files used in the recent attacks were distributed as compressed email attachments. The compressed files contain a CHM file with one of the following filenames.\r\nFilenames used in distribution\r\nProject Plan 2023 .chm\r\nUrgent passport enquiry of the following officials.docx.chm\r\nSUSPECTED      FOREIGN TERRORIST FIGHTERS.chm\r\nForensic Evidence on Crime Scene.chm\r\nPatches updates.chm\r\nhttps://asec.ahnlab.com/en/51043/\r\nPage 1 of 5\n\nTicktes.chm\r\nKC_16.11.chm\r\nWhen the CHM files are executed, most open an empty help window, but some display content related to the “United Front Work Department of the Central Committee of the Chinese Communist Party” and the “Russian-Chinese Committee for Friendship, Peace and Development.”\r\nThe internal malicious script identified in these CHM files is as follows. It is difficult for users to notice how the malicious script operates. A common characteristic of this script is that the part involving the Click method, which executes the linked shortcut object, is obfuscated. Unlike CHM files covered in the past, this version appears to evade static detection through obfuscation.\r\nWhen the script is executed, both variants create a task that executes the malicious command. Each malicious command connects to its respective URL below and executes an additional malicious file. Both of the following URLs are currently unavailable, but an MSI file presumed to have been downloaded from the first URL has been collected.\r\nhxxps://bluelotus.mail-gdrive[.]com/Services.msi\r\nhxxps://coauthcn[.]com/hbz.php?id=%computername%\r\nUpon execution, the MSI file drops a legitimate exe file and a malicious DLL file, then executes the former. The generated files are shown below. When MicrosoftServices.exe is executed, it loads OLMAPI32.dll. The loaded DLL is the malicious file created by the threat actor; this is the DLL Side-Loading technique (T1574.002).\r\nThe features of the loaded malicious DLL are as follows. First, it collects user information through the following commands and saves it to “c:\\Users\\Public\\cr.dat”.\r\nIP Info\r\ncmd.exe /c nslookup myip.opendns.com resolver1.opendns.com\u003e\u003e c:\\Users\\Public\\cr.dat\r\nSystem Info\r\ncmd.exe /c systeminfo\u003e\u003e c:\\Users\\Public\\cr.dat\r\nDirectory Info\r\ncmd.exe /c dir “%userprofile%\\Documents”\u003e\u003e c:\\Users\\Public\\cr.dat\r\ncmd.exe /c dir “%userprofile%\\Desktop”\u003e\u003e c:\\Users\\Public\\cr.dat\r\ncmd.exe /c dir “%userprofile%\\Downloads”\u003e\u003e c:\\Users\\Public\\cr.dat\r\nAfterward, a scheduled task named “Microsoft Update” is created to maintain persistence by executing MicrosoftServices.exe.\r\nAdditionally, it attempts to connect to the following C2 server and can perform various malicious behaviors according to commands from the threat actor.\r\nmsdata.ddns[.]net:443\r\nRecently there has been a rise in attacks using CHM files both in Korea and overseas, and this file format is being used to deliver various malware. Users must carefully check the senders of emails and refrain from opening files from unknown sources. They should also perform routine PC checks and always keep their security products updated to the latest version.\r\n[File Detection]\r\nTrojan/Win.Generic.R560734 (2023.03.04.03)\r\nDropper/CHM.Generic (2023.03.30.00)\r\nDropper/MSI.Generic (2023.04.04.03)\r\nMD5\r\n09a9e1b03f7d7de4340bc5f9e656b798\r\n8b15c4a11df2deea9ad4699ece085a6f\r\na7e8d75eae4f1cb343745d9dd394a154\r\ncce89f4956a5c8b1bec82b21e371645b\r\nAdditional IOCs are available on AhnLab TIP.\r\nURL\r\nhttps[:]//bluelotus[.]mail-gdrive[.]com/Services[.]msi\r\nhttps[:]//coauthcn[.]com/hbz[.]php?id=%computername%\r\nhttps[:]//msdata[.]ddns[.]net/\r\nGain access to related IOCs and detailed analysis by subscribing to AhnLab TIP.\r\nSource: https://asec.ahnlab.com/en/51043/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://asec.ahnlab.com/en/51043/"
	],
	"report_names": [
		"51043"
	],
	"threat_actors": [
		{
			"id": "655f7d0b-7ea6-4950-b272-969ab7c27a4b",
			"created_at": "2022-10-27T08:27:13.133291Z",
			"updated_at": "2026-04-10T02:00:05.315213Z",
			"deleted_at": null,
			"main_name": "BITTER",
			"aliases": [
				"T-APT-17"
			],
			"source_name": "MITRE:BITTER",
			"tools": [
				"ZxxZ"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "acd789fa-d488-47f3-b9cc-fdb18b1fa375",
			"created_at": "2023-01-06T13:46:39.332092Z",
			"updated_at": "2026-04-10T02:00:03.290017Z",
			"deleted_at": null,
			"main_name": "HAZY TIGER",
			"aliases": [
				"T-APT-17",
				"APT-C-08",
				"Orange Yali",
				"TA397"
			],
			"source_name": "MISPGALAXY:HAZY TIGER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bf6cb670-bb69-473f-a220-97ac713fd081",
			"created_at": "2022-10-25T16:07:23.395205Z",
			"updated_at": "2026-04-10T02:00:04.578924Z",
			"deleted_at": null,
			"main_name": "Bitter",
			"aliases": [
				"G1002",
				"T-APT-17",
				"TA397"
			],
			"source_name": "ETDA:Bitter",
			"tools": [
				"Artra Downloader",
				"ArtraDownloader",
				"Bitter RAT",
				"BitterRAT",
				"Dracarys"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "86fd71d3-06dc-4b73-b038-cedea7b83bac",
			"created_at": "2022-10-25T16:07:23.330793Z",
			"updated_at": "2026-04-10T02:00:04.545236Z",
			"deleted_at": null,
			"main_name": "APT 17",
			"aliases": [
				"APT 17",
				"ATK 2",
				"Beijing Group",
				"Bronze Keystone",
				"Deputy Dog",
				"Elderwood",
				"Elderwood Gang",
				"G0025",
				"G0066",
				"Operation Aurora",
				"Operation DeputyDog",
				"Operation Ephemeral Hydra",
				"Operation RAT Cook",
				"SIG22",
				"Sneaky Panda",
				"TEMP.Avengers",
				"TG-8153",
				"Tailgater Team"
			],
			"source_name": "ETDA:APT 17",
			"tools": [
				"9002 RAT",
				"AGENT.ABQMR",
				"AGENT.AQUP.DROPPER",
				"AGENT.BMZA",
				"AGENT.GUNZ",
				"Agent.dhwf",
				"AngryRebel",
				"BlackCoffee",
				"Briba",
				"Chymine",
				"Comfoo",
				"Comfoo RAT",
				"Darkmoon",
				"DeputyDog",
				"Destroy RAT",
				"DestroyRAT",
				"Farfli",
				"Fexel",
				"Gen:Trojan.Heur.PT",
				"Gh0st RAT",
				"Ghost RAT",
				"Gresim",
				"HOMEUNIX",
				"HiKit",
				"HidraQ",
				"Homux",
				"Hydraq",
				"Jumpall",
				"Kaba",
				"Korplug",
				"Linfo",
				"MCRAT.A",
				"McRAT",
				"MdmBot",
				"Mdmbot.E",
				"Moudour",
				"Mydoor",
				"Naid",
				"Nerex",
				"PCRat",
				"PNGRAT",
				"Pasam",
				"PlugX",
				"Poison Ivy",
				"RedDelta",
				"Roarur",
				"SPIVY",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Trojan.Naid",
				"Vasport",
				"Wiarp",
				"Xamtrav",
				"Zox",
				"ZoxPNG",
				"ZoxRPC",
				"gresim",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434075,
	"ts_updated_at": 1775792278,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/deb4a33a3b911c9edb4dc083828e5d454f230060.pdf",
		"text": "https://archive.orkl.eu/deb4a33a3b911c9edb4dc083828e5d454f230060.txt",
		"img": "https://archive.orkl.eu/deb4a33a3b911c9edb4dc083828e5d454f230060.jpg"
	}
}