Menu
Browse

Cyber Threat Actor: Bitter

Aliases: 3 aliases
Actor Type Location Known Incidents
 Icon
Spy
India
4 incidents
Profile

Bitter, also tracked as Project Bitter, is a cyberespionage-focused threat actor linked to India. The group primarily targets military and governmental organizations in South Asia, with a documented emphasis on Bangladeshi entities. Public reporting attributes campaigns to Bitter involving tailored spear-phishing emails impersonating regional entities, such as Pakistani organizations, to deliver weaponized documents. Their operations consistently aim to deploy remote access malware for intelligence gathering, demonstrating a strategic objective centered on cyberespionage rather than financial gain or disruptive attacks. Security researchers have observed Bitter’s operations since at least 2021, with activity continuing through 2022, reflecting persistent regional targeting.

Bitter employs Microsoft Office exploits, including CVE-2018-0798 in Equation Editor, as initial access vectors through malicious Excel and RTF attachments. The group’s ZxxZ malware functions as a downloader, retrieving second-stage implants like a Visual C++-based payload that enables remote system control and additional malware deployment. Bitter modifies its tools to evade detection, such as replacing characteristic ZxxZ separators with underscores in fingerprinting functions to bypass intrusion prevention systems. Campaigns leverage themed lures and retain core exploitation methodologies while adapting technical fingerprints. Notably, the group deployed ZxxZ with privilege escalation, persistence mechanisms, and automated retry features for command-and-control communication, facilitating data exfiltration from high-value targets. These operations highlight Bitter’s focus on compromising strategic entities in Bangladesh and neighboring regions through evolving but regionally consistent tactics.

Incidents
Attributed incidents available to members
4 incidents
Sources
Sources available to members
2 sources