
TA397 Hackers Exploit Scheduled Tasks to Deploy Malware on Targeted Systems



A recent in-depth analysis by Proofpoint Threat Research has shed light on the sophisticated operations of TA397, also known as Bitter, a suspected state-backed threat actor highly likely aligned with Indian intelligence interests.

Identified as an espionage-focused group, TA397 has been actively targeting entities across Europe and Asia, particularly those with connections to China, Pakistan, and neighboring regions of the Indian subcontinent.

Their campaigns, observed between October 2024 and April 2025, reveal a persistent use of scheduled tasks as a core mechanism for malware deployment, coupled with spearphishing tactics that exploit geopolitical themes to lure victims.

Tactics of an India-Aligned Espionage Group

TA397 operates within standard working hours in Indian Standard Time (IST), as evidenced by infrastructure timestamps and hands-on-keyboard activity, and its methods show both consistency and adaptability in bypassing detection and achieving intelligence-gathering objectives.

TA397’s primary attack vector remains spearphishing emails, often masquerading as ...


Copyright of this story solely belongs to gbhackers.