
Bitter APT Targets Turkish Defense Sector with Advanced Malware Campaign
ISTANBUL, Turkey, 17 December 2024 – A South Asian cyber-espionage group known as Bitter has been linked to a cyber-attack against a Turkish defence organization in November 2024. The operation delivered two advanced malware families, WmRAT and MiyaRAT, and abused NTFS alternate data streams alongside social engineering. According to a report by Proofpoint researchers, covered by The Hacker News, the threat actor used a malicious RAR archive to deploy these tools and carry out its espionage activities.
Refined techniques and a sophisticated delivery chain
The attack chain used by Bitter began with a booby-trapped RAR archive containing several components: a Windows shortcut (LNK) file disguised as a PDF document, a decoy document about public infrastructure projects, and a PowerShell payload embedded in an NTFS alternate data stream (ADS). Proofpoint researchers, including Nick Attfield and Konstantin Klinger, found that opening the LNK file triggered the creation of a scheduled task on the victim's machine. That task then downloaded additional payloads from a staging domain, "jacknwoods [.] com", completing the attack sequence.
The decoy document, related to a public World Bank initiative in Madagascar, served as a lure to entice targets into opening the malicious RAR archive. ADS, a feature of the Windows NTFS file system, was abused to hide the malicious payload inside a file without changing the file's visible appearance or reported size. This stealthy tactic allowed the attackers to run Base64-encoded PowerShell scripts capable of executing remote commands.
The Malware: WmRAT and MiyaRAT
WmRAT and MiyaRAT are remote access trojans (RATs) known for their extensive espionage capabilities. These malware families can collect information about the host system, upload and download files, capture screenshots, retrieve geolocation data and execute arbitrary commands via cmd.exe or PowerShell. As noted in QiAnXin's earlier analysis, MiyaRAT is deployed selectively against high-value targets, which indicates its strategic use in espionage campaigns.
The broader implications of the attack are evident in Bitter's meticulous approach. According to Proofpoint, the campaigns orchestrated by this group are "almost certainly intelligence gathering efforts to support the interests of a government in South Asia." The use of scheduled tasks maintains continuous communication with the staging infrastructure, enabling the deployment of additional malicious backdoors for privileged access to sensitive data and intellectual property.
A History of Espionage
Bitter, also tracked as TA397, APT-C-08, APT-Q-37 and Hazy Tiger, has been active since at least 2013, targeting entities in Asia and beyond. Previous operations have hit organizations in China, Pakistan, India, Saudi Arabia and Bangladesh using malware such as BitterRAT, ArtraDownloader and ZxxZ. According to earlier reports from BlackBerry and Meta, the group has also deployed Android malware such as PWNDROID2 and Dracarys in campaigns targeting mobile platforms.
In February 2024, Bitter was linked to a spear-phishing attack on a Chinese government agency. The campaign, documented by the cybersecurity firm NSFOCUS, involved a trojan designed for data theft and remote control. These incidents illustrate the evolution of the group's tactics and its focus on high-profile targets that serve geopolitical objectives.
Regional and Sectoral Focus
While Bitter's activities have historically focused on Asian entities, the recent attack on a Turkish defence organization marks a significant expansion of its operations. The defence sector's exposure to espionage, given its strategic importance and access to sensitive technologies, makes it a prime target for state-sponsored threat actors. By exploiting legitimate initiatives, such as those of the World Bank, as lures and deploying advanced malware, Bitter demonstrates its reliance on combining technical sophistication with psychological manipulation.
The deployment of MiyaRAT in particular suggests that the attackers regard the Turkish target as a high-value entity. According to Proofpoint, the selective use of advanced tools is consistent with the group's objectives of acquiring critical information and bolstering regional intelligence efforts for a South Asian government.
Mitigation and Defence Outlook
The ongoing Bitter campaigns underscore the urgent need for robust cybersecurity measures in critical sectors such as defence. Security experts advise organizations to stay vigilant against spear-phishing tactics and to ensure full monitoring of scheduled tasks and archive-handling activity. The use of ADS and PowerShell in this attack shows the importance of detecting unconventional file behavior and scrutinizing administrative tools for unauthorized use.
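As an added illustration of the monitoring this paragraph calls for (this script is not from the Proofpoint report or the article), the following Python detector runs three rules over constructed process-creation records: references to an NTFS alternate data stream on a command line, PowerShell launched with an encoded command, and scheduled-task registration from a shell spawned by explorer.exe. The sample events, task name and Base64 blob are all made up for the example.

```python
import re
from typing import Dict, List

# Constructed sample process-creation records in a Sysmon Event ID 1 style, NOT real
# telemetry from the TA397 intrusion. Format: parent_image|image|command_line
SAMPLE_EVENTS = """\
explorer.exe|cmd.exe|cmd.exe /c schtasks /create /sc minute /mo 15 /tn ExampleTask /tr "powershell -enc QQBCAEMARABFAEYARwBIAEkASgBLAEwA" /f
explorer.exe|notepad.exe|notepad.exe C:\\Users\\user\\Documents\\notes.txt
svchost.exe|powershell.exe|powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand QQBCAEMARABFAEYARwBIAEkASgBLAEwA
svchost.exe|conhost.exe|conhost.exe 0xffffffff
explorer.exe|cmd.exe|cmd.exe /c more < C:\\Users\\user\\Downloads\\Report.pdf.lnk:payload.ps1
"""

# A drive-letter path followed by a second colon and a stream name, e.g. file.txt:hidden.ps1
ADS_PATH = re.compile(r'[A-Za-z]:\\[^\s:"<>|]+:[A-Za-z0-9_.\-]+')
# PowerShell -e / -ec / -enc / -EncodedCommand followed by a long Base64 blob
ENC_PS = re.compile(r'(?i)(^|\s)-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}')
# schtasks invoked with /create (task registration used for persistence and staging callbacks)
SCHTASK_CREATE = re.compile(r'(?i)\bschtasks(\.exe)?\b.*\s/create\b')


def analyze_event(parent: str, cmdline: str) -> List[str]:
    """Return the names of the rules a single process-creation record trips."""
    hits: List[str] = []
    if ADS_PATH.search(cmdline):
        hits.append("ads_stream_reference")
    if ENC_PS.search(cmdline):
        hits.append("encoded_powershell")
    if SCHTASK_CREATE.search(cmdline):
        hits.append("scheduled_task_creation")
        # A shell spawned by explorer.exe is typical of a user opening a shortcut (the LNK lure)
        if parent.lower() == "explorer.exe":
            hits.append("task_created_from_user_shell")
    return hits


def detect(events: str) -> List[Dict[str, object]]:
    """Run every rule over pipe-delimited records and return only the matching ones."""
    findings: List[Dict[str, object]] = []
    for line in events.splitlines():
        if not line.strip():
            continue
        parent, image, cmdline = line.split("|", 2)
        rules = analyze_event(parent, cmdline)
        if rules:
            findings.append({"parent": parent, "image": image, "rules": rules, "cmdline": cmdline})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f['parent']} -> {f['image']}: {', '.join(f['rules'])}")
```

The same rules can be pointed at real Sysmon or EDR process-creation exports once the record format is adapted; benign activity such as plain file access (the notepad.exe and conhost.exe records) produces no findings.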
In addition, as the Proofpoint report suggests, threat-intelligence sharing and cross-industry collaboration are essential to counter advanced persistent threats (APTs). Strengthening endpoint security and deploying proactive threat-hunting capabilities can help mitigate the risks posed by sophisticated adversaries such as Bitter. Given the geopolitical implications of these campaigns, defence entities should also consider aligning their cybersecurity strategies with national security priorities to address the broader ramifications of state-sponsored espionage.
The attack on the Turkish defence sector is a reminder of the shifting threat landscape and the need for constant adaptation to emerging cyber threats. As attackers refine their tactics, security measures must advance in parallel to protect critical assets and operational infrastructure.