Bitter Malware Employs Custom-Built Tools to Evade Detection in Advanced Attacks
gbhackers
Recent research by Proofpoint and Threatray has unveiled the intricate and evolving malware arsenal of the Bitter group, also known as TA397, believed to be a state-backed actor aligned with the interests of the Indian government.
Active since 2016, Bitter has transformed its operations from deploying rudimentary downloaders to orchestrating sophisticated Remote Access Trojans (RATs) and backdoors, showcasing a high degree of technical prowess and adaptability.
A Sophisticated Arsenal of Evolving Threats
This group’s sustained campaign over eight years targets intelligence gathering through a series of custom-developed tools written in C/C++ and .NET, designed to bypass traditional detection mechanisms.
Their infection chain prioritizes payload delivery during hands-on activities over complex anti-analysis techniques within the malware itself, marking a strategic focus on operational efficiency.
Consistent code patterns in system information gathering and string obfuscation across their malware families, such as ArtraDownloader, MuuyDownloader ...
Copyright of this story solely belongs to gbhackers.