
Threat Actor Characterization

BITTER

ID: a31ceefc81a057c851ee4e37cc8cb08f06496
Cybercrime State-Sponsored
Threat types: Intrusion, Espionage, Malware
Unknown UNKNOWN
Updated: 2026-01-13
Created: 2025-10-21
Progress: 38% Completeness: 33% Freshness: 50%
Operation zone: UNKNOWN
Aliases: T-APT-17
MITRE ATT&CK®

BITTER is a suspected South Asian cyber espionage threat group that has been active since at least 2013. BITTER has targeted government, energy, and engineering organizations in Pakistan, China, Bangladesh, and Saudi Arabia. Ref: https://attack.mitre.org/groups/G1002/


| Technique | Technique name | Tactics | Evidence |
| --- | --- | --- | --- |
| T1027.013 | Encrypted/Encoded File | TA0005 | Obfuscated Files or Information: Encrypted/Encoded File - BITTER has used a RAR SFX dropper to deliver malware. |
| T1036.004 | Masquerade Task or Service | TA0005 | Masquerading: Masquerade Task or Service - BITTER has disguised malware as a Windows Security update service. |
| T1053.005 | Scheduled Task | TA0002, TA0003, TA0004 | Scheduled Task/Job: Scheduled Task - BITTER has used scheduled tasks for persistence and execution. |
| T1071.001 | Web Protocols | TA0011 | Application Layer Protocol: Web Protocols - BITTER has used HTTP POST requests for C2. |
| T1204.002 | Malicious File | TA0002 | User Execution: Malicious File - BITTER has attempted to lure victims into opening malicious attachments delivered via spearphishing. |
| T1559.002 | Dynamic Data Exchange | TA0002 | Inter-Process Communication: Dynamic Data Exchange - BITTER has executed OLE objects using Microsoft Equation Editor to download and run malicious payloads. |
| T1566.001 | Spearphishing Attachment | TA0001 | Phishing: Spearphishing Attachment - BITTER has sent spearphishing emails with a malicious RTF document or Excel spreadsheet. |
| T1583.001 | Domains | TA0042 | Acquire Infrastructure: Domains - BITTER has registered a variety of domains to host malicious payloads and for C2. |
| T1588.002 | Tool | TA0042 | Obtain Capabilities: Tool - BITTER has obtained tools such as PuTTY for use in their operations. |
| T1608.001 | Upload Malware | TA0042 | Stage Capabilities: Upload Malware - BITTER has registered domains to stage payloads. |