Description

Bitter APT is a cyber espionage group that targets government, military and critical-infrastructure organizations, primarily in South and Southeast Asia (Pakistan, India, Bangladesh, Myanmar, Vietnam, Thailand), for intelligence collection and exfiltration of sensitive data. Active since at least 2013, Bitter is tracked by MITRE ATT&CK as G1002 and is generally assessed as a suspected South Asian state-aligned actor. The group relies on custom malware, spear-phishing e-mail and strategic web compromises for initial access.

Bitter has been speculatively associated with GTG-1002, the cluster Anthropic reported as abusing its Claude LLM to automate intrusion activity. No public attribution ties GTG-1002 to Bitter, and Anthropic itself assessed GTG-1002 as Chinese state-sponsored, so GTG-1002 should be treated as a separate designation rather than an alias until evidence of overlap is published.

Aliases

  • TA4865
  • APT-C-08
  • Bitter
  • T-APT-17

Common Vulnerabilities and Exposures

Targeted Industries

  • Energy
  • Government
  • Military
  • NGOs
  • Research Institutes
  • Telecommunications

Objectives

Data Collection and Exfiltration

Known Tools Used

  • AndroRAT variants
  • ArtraDownloader
  • BadNews
  • GravityRAT (possible overlap)
  • Malicious RTF and Office documents (exploit lures and macros)
  • Mudia
  • Yty Framework
  • ZxxZ

Known Infection Vectors

  • Fake or trojanized Android applications
  • Malicious e-mail attachments
  • Malicious links
  • Malicious Office documents
  • Social-engineering impersonation
  • Spear-phishing emails
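Weaponized RTF attachments are one of the lure formats listed above. The following triage script is an added example for this page (not Bitter tooling and not a vendor signature): it walks every embedded OLE object in an RTF file, recovers the object's class name from the OLE1 stream inside \objdata even when the hex is split by whitespace, nested groups or \binN blobs, and flags the generic patterns seen in malicious RTF lures, namely the Equation Editor and Package classes and the \objupdate control word that forces the object to load on open. The sample RTF at the bottom is constructed for the demo.

```python
"""
Triage scanner for RTF attachments: lists embedded OLE objects, recovers
each object's class from the OLE1 stream in \objdata and flags common lure
patterns. Added example for this page; not Bitter tooling, not a signature.
"""
import re
import struct

# OLE classes routinely abused in malicious RTF (generic, not Bitter-specific).
SUSPICIOUS_CLASSES = {"Equation.3", "Equation.2", "Package"}

# One RTF control word (\word123 ), hex escape (\'hh) or control symbol (\*).
CONTROL = re.compile(rb"\\[a-zA-Z]+-?\d* ?|\\'[0-9a-fA-F]{2}|\\.", re.DOTALL)
OBJDATA = re.compile(rb"\\objdata\b")
OBJCLASS = re.compile(rb"\\objclass\s*([^\\{}\r\n;]+)")


def objdata_hex(data: bytes, start: int) -> bytes:
    """Collect the hex digits after \objdata up to the group's closing brace,
    skipping whitespace, nested groups, control words and raw \binN blobs,
    which is how exploit RTFs usually break up the payload."""
    depth, i, out = 0, start, bytearray()
    while i < len(data):
        c = data[i:i + 1]
        if c == b"{":
            depth += 1
        elif c == b"}":
            if depth == 0:
                break
            depth -= 1
        elif c == b"\\":
            m = CONTROL.match(data, i)
            if m is None:
                break
            i = m.end()
            n = re.match(rb"\\bin(-?\d+)", m.group(0))
            if n:
                i += max(int(n.group(1)), 0)  # raw bytes follow \binN; skip them
            continue
        elif c in b"0123456789abcdefABCDEF":
            out += c
        i += 1
    return bytes(out)


def ole1_class(blob: bytes):
    """Parse the OLE1 header (version, format id, class-name length, class
    name) and return the class name, or None if the header is malformed."""
    if len(blob) < 12:
        return None
    _version, fmt, name_len = struct.unpack_from("<III", blob, 0)
    if fmt not in (1, 2) or not 0 < name_len <= 256 or 12 + name_len > len(blob):
        return None
    return blob[12:12 + name_len].rstrip(b"\x00").decode("ascii", "replace")


def scan_rtf(data: bytes) -> dict:
    """Return a triage summary for one RTF file."""
    report = {
        # Word opens anything starting with "{\rt", a leniency lures exploit.
        "rtf_magic": data.lstrip().startswith(b"{\\rt"),
        "objupdate": b"\\objupdate" in data,  # forces object load on open
        "objects": [],
    }
    declared = [d.strip().decode("ascii", "replace") for d in OBJCLASS.findall(data)]
    for idx, m in enumerate(OBJDATA.finditer(data)):
        hexpayload = objdata_hex(data, m.end()).decode("ascii")
        blob = bytes.fromhex(hexpayload) if len(hexpayload) % 2 == 0 else b""
        cls = ole1_class(blob)
        report["objects"].append({
            "declared_class": declared[idx] if idx < len(declared) else None,
            "ole1_class": cls,
            "payload_bytes": len(blob),
            "suspicious": cls in SUSPICIOUS_CLASSES,
        })
    report["suspicious"] = report["objupdate"] or any(o["suspicious"] for o in report["objects"])
    return report


def ole1_stream_hex(class_name: bytes, native: bytes) -> bytes:
    """Build a hex-encoded OLE1 embedded-object stream (the layout that
    ole1_class() parses); used here only to construct the sample below."""
    hdr = struct.pack("<III", 0x0501, 2, len(class_name) + 1) + class_name + b"\x00"
    hdr += struct.pack("<II", 0, 0)  # empty topic and item names
    return (hdr + struct.pack("<I", len(native)) + native).hex().encode()


# Constructed sample: an Equation.3 object with \objupdate, its hex split by
# whitespace and a nested group, the way lures obscure the payload.
_hex = ole1_stream_hex(b"Equation.3", b"\x1c\x00" + b"A" * 40)
SAMPLE_RTF = (b"{\\rtf1\\ansi\\deff0 Please see the attached note.\\par"
              b"{\\object\\objemb\\objupdate{\\*\\objclass Equation.3}"
              b"{\\*\\objdata " + _hex[:24] + b"\r\n  {\\*\\pad}" + _hex[24:] + b"}}}")

if __name__ == "__main__":
    import json
    print(json.dumps(scan_rtf(SAMPLE_RTF), indent=2))
```

Run it against a quarantined attachment with `scan_rtf(open(path, "rb").read())`; a report with `objupdate` set or an `Equation.*`/`Package` class is worth detonating in a sandbox before anything else is concluded. The scanner deliberately keys on the OLE1 class name recovered from the payload rather than on the declared \objclass, since the two need not agree in a crafted file.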

References

CISA Known Exploited Vulnerabilities (KEV) Catalog

https://www.cisa.gov/known-exploited-vulnerabilities-catalog

MITRE ATT&CK Bitter - G1002

https://attack.mitre.org/groups/G1002/

Active CVEs