Bitter

Search IOCs, vulnerabilities, APT…

216.73.217.22

← Back to intrusion sets

· Published 16/12/2025 19:39 · Modified 09/04/2026 20:05 · Source: The MITRE Corporation

Essential information

Confidence: 100/100
Published: 16/12/2025 19:39
Modified: 09/04/2026 20:05
Updated at: 09/04/2026 20:05
Revoked: No
Author / Source: The MITRE Corporation
Resource level: —
Primary motivation: —
Related entities: 2 reports, 54 attack patterns (mitre), 16 malware, 6 sectors, 13 countries, 102 indicators, 9 vulnerabilities (cve)

Aliases

T-APT-17

Description

[BITTER](https://attack.mitre.org/groups/G1002) is a suspected South Asian cyber espionage threat group that has been active since at least 2013. [BITTER](https://attack.mitre.org/groups/G1002) has targeted government, energy, and engineering organizations in Pakistan, China, Bangladesh, and Saudi Arabia.(Citation: Cisco Talos Bitter Bangladesh May 2022)(Citation: Forcepoint BITTER Pakistan Oct 2016)

Marking (TLP)

External references

Forcepoint BITTER Pakistan Oct 2016
Cisco Talos Bitter Bangladesh May 2022
mitre-attack (G1002)

Related entities

Attack patterns, malware, vulnerabilities, indicators and other entities linked to this intrusion set.

Reports (2)

Hack-for-Hire Campaign Targets Journalists Across MENA Region

AlienVault Confidence 100 4 CVEs 3 Malwares 12 IOCs 12 Observables 1 APT

· threat-report
Bitter (APT-Q-37) uses diverse means to deliver new …

1 CVE 17 MITREs 1 Malware 19 Observables 1 APT

Attack patterns (MITRE) (54)

T1140 uses

Deobfuscate/Decode Files or Information MITRE
T1588.002 uses

Tool MITRE
T1071.001 uses

Web Protocols MITRE
T1016 uses

System Network Configuration Discovery MITRE
Multi-Stage Channels uses

T1104 MITRE
T1027 uses

Obfuscated Files or Information MITRE
T1033 uses

System Owner/User Discovery MITRE
T1568 uses

Dynamic Resolution MITRE
T1573.001 uses

Symmetric Cryptography MITRE
T1592 uses

Gather Victim Host Information MITRE
T1571 uses

Non-Standard Port MITRE
T1203 uses

Exploitation for Client Execution MITRE

← Previous

Page / 5

1–12 of 54

AndroRAT uses

Family The MITRE Corporation Confidence 100

[AndroRAT](https://attack.mitre.org/software/S0292) is an open-source remote access tool for Android devices. [AndroRAT](https://attack.mitre.org/software/S0292) is capable of collecting data, such as device location, call logs, etc., and is capable of executing…

First seen 01/01/1970 · Last seen 16/11/5138 ·
MuuyDownloader uses
ProSpy uses

Family
DarkWatchman - S0673 uses
Dracarys Android uses
ToSpy uses

Family
ZxxZ uses
Backdoor.Oldrea - S0093 uses

Family
Bitter uses
C# backdoor uses

Family
Almond uses
Backdoor.Oldrea uses

← Previous

Page / 2

1–12 of 16

Government targets
Energy targets
Defense ministries (including the military) targets
Technology targets
Media targets
Defense targets

Countries (13)

Egypt targets
Pakistan targets
China targets
India targets
Bangladesh targets
Saudi Arabia targets
United Kingdom of Great Britain and Northern Ireland targets
Lebanon targets
Australia targets
United Arab Emirates targets
Singapore targets
Georgia targets

← Previous

Page / 2

1–12 of 13

22dd82c94cadf5cf31b3e9519e8149d4a68fe13bac13eaef91bf283a4beb8101 indicates
w32timeslicesvc.net indicates
http://autodefragapp.com/ indicates

stix 100/100 Revoked

· Valid until 28/06/2022 · Source: AlienVault
android.com-ae.net indicates

stix 100/100

· Valid until 15/03/2027 · Source: AlienVault
[email protected] indicates

stix 100/100 Revoked

· Valid until 25/08/2023 · Source: AlienVault
b0f8c8e48d4a1e78550bda551745219613cc3dca7068da86688b95051d7c249e indicates
signal-premium-app.org indicates
http://olmajhnservice.com/nt.php?dt=%25computername%25-ex-1&amp indicates

stix 100/100 Revoked

· Valid until 28/06/2022 · Source: AlienVault
http://olmajhnservice.com/nxl/nx/ indicates

stix 100/100 Revoked

· Valid until 28/06/2022 · Source: AlienVault
daveonenewtestpanel.com indicates
[email protected] indicates

stix 100/100 Revoked

· Valid until 25/08/2023 · Source: AlienVault
http://dracjohnsupport.com/park/jeff.php?wan= indicates

← Previous

Page / 9

1–12 of 102

Vulnerabilities (CVE) (9)

CVE-2026-34040 targets

7.8 High

Moby is an open source container framework. Prior to version 29.3.1, a security vulnerability has been detected that allows attackers to bypass …

Attack vector: Local
Complexity: Low
Published: 31/03/2026
Modified: 16/06/2026

CWE-288 Undergoing Analysis

CVE-2025-55182 KEV targets

10.0 Critical

A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, …

Attack vector: Network
Published: 05/12/2025
Modified: 29/05/2026

Analyzed

CVE-2018-0798 KEV targets

Microsoft Office contains a memory corruption vulnerability due to the way objects are handled in memory. Successful exploitation allows for remote code …

Published: 03/11/2021
Modified: 27/05/2026

CVE-2026-5281 KEV targets

8.8 High

Google Dawn contains an use-after-free vulnerability that could allow a remote attacker who had compromised the renderer process to execute arbitrary code …

Attack vector: NETWORK
Complexity: LOW
EPSS: 0.0004 (P11.3%)
Published: 01/04/2026
Modified: 09/04/2026

CWE-416 Analyzed

CVE-2026-35616 KEV targets

9.8 Critical

A improper access control vulnerability in Fortinet FortiClientEMS 7.4.5 through 7.4.6 may allow an unauthenticated attacker to execute unauthorized code or commands …

Attack vector: NETWORK
Complexity: LOW
Published: 04/04/2026
Modified: 09/04/2026

CWE-284 Received

CVE-2017-11882 KEV targets

7.8 High

Microsoft Office contains a memory corruption vulnerability that allows remote code execution in the context of the current user.

Attack vector: Local
Complexity: Low
Published: 15/11/2017
Modified: 29/05/2026

CWE-119

CVE-2021-28310 KEV targets

Microsoft Windows Win32k contains an unspecified vulnerability that allows for privilege escalation.

Published: 03/11/2021
Modified: 20/12/2025

CVE-2025-8088 KEV targets

8.8 High

RARLAB WinRAR contains a path traversal vulnerability affecting the Windows version of WinRAR. This vulnerability could allow an attacker to execute arbitrary …

Attack vector: Network
Published: 12/08/2025
Modified: 27/05/2026

CVE-2018-0802 KEV targets

Microsoft Office contains a memory corruption vulnerability due to the way objects are handled in memory. Successful exploitation allows for remote code …

Published: 03/11/2021
Modified: 20/12/2025

Contact About Legal notice Privacy policy Terms of use

Bitter

Essential information

Aliases

Description

Marking (TLP)

External references

Related entities

Reports (2)

Attack patterns (MITRE) (54)

Malware (16)

Sectors (6)

Countries (13)

Indicators (102)

Vulnerabilities (CVE) (9)