Home/ Threat Actors/ BITTER

🌐BITTER

🌐 BITTER is a tracked threat actor in the Clankerusecase corpus. ??-aligned. Primary motivation: State. We map 14 detection use cases to this actor across 16 MITRE ATT&CK techniques, with 0 threat-intel articles citing them.

View full actor card → All threat actors MITRE ATT&CK group spec (G1002) ↗

14Use cases

0Articles

16Techniques

0IOCs

About this actor (MITRE)

[BITTER](https://attack.mitre.org/groups/G1002) is a suspected South Asian cyber espionage threat group that has been active since at least 2013. [BITTER](https://attack.mitre.org/groups/G1002) has targeted government, energy, and engineering organizations in Pakistan, China, Bangladesh, and Saudi Arabia.(Citation: Cisco Talos Bitter Bangladesh May 2022)(Citation: Forcepoint BITTER Pakistan Oct 2016)

Known aliases

BITTERT-APT-17

Top techniques

T1027.013 · Encrypted/Encoded File T1036.004 · Masquerade Task or Service T1053.005 · Scheduled Task

All other tracked techniques

T1068 · Exploitation for Privilege Escalation T1071.001 · Web Protocols T1095 · Non-Application Layer Protocol T1105 · Ingress Tool Transfer T1203 · Exploitation for Client Execution T1204.002 · Malicious File T1559.002 · Dynamic Data Exchange T1566.001 · Spearphishing Attachment T1568 · Dynamic Resolution T1573 · Encrypted Channel T1583.001 · Domains T1588.002 · Tool T1608.001 · Upload Malware

Detection use cases (14)

BITTER (T-APT-17) Equation Editor exploit chain — EQNEDT32.EXE spawns shell/downloader (CVE-2017-11882 / CVE-2018-0798 weaponized RTF) AI · profile SΣ BITTER scheduled-task downloader persistence — schtasks /create invoking LOLBin to fetch from DDNS C2 AI · profile S Auth-Bypass on Public-Facing Service → Post-Exploit Action on Same Host (≤10 min) MITRE match Brand-Impersonation Domain Fetch Followed by User-Context Loader Within 10 Minutes MITRE match Cross-Platform ClickFix Paste-to-Pipe Loader (UI-Parent Shell with Decode-and-Execute Payload) MITRE match Developer package install spawning script-host with non-registry C2 within 5 minutes MITRE match Internet-Facing Service Process Spawning Unix Shell or Ingress-Tool LOLBin (Edge Zero-Day Post-Exploit) MITRE match Internet-facing service process spawns shell/LOLBin within minutes of public inbound connection — post-RCE command execution MITRE match Language-runtime server (node/python/java) spawns OS shell shortly after inbound request — eval / sandbox-escape exploitation chain MITRE match Linux LPE chain — anomalous algif_aead/esp4/esp6/rxrpc kernel-module load followed by same-user root transition MITRE match Low-Code / AI Workflow Runtime Sandbox-Escape — Server Process Spawns Shell + Public Egress MITRE match Non-Browser Process Reads Browser Credential / Cookie SQLite Then Egresses to Public Destination Within 10 Minutes MITRE match Package Manager / Dev-Tool Auto-Execution Triggers Non-Registry Egress or Credential-Store Access MITRE match Package Manager Install Spawning Outbound Egress to Non-Registry Infrastructure Within 5 Minutes MITRE match