Skip to content


BITTER is a suspected South Asian cyber espionage threat group that has been active since at least 2013. BITTER has primarily targeted government, energy, and engineering organizations in Pakistan, China, Bangladesh, and Saudi Arabia.21

Item Value
ID G1002
Associated Names T-APT-17
Version 1.0
Created 01 June 2022
Last Modified 01 June 2022
Navigation Layer View In ATT&CK® Navigator

Associated Group Descriptions

Name Description
T-APT-17 2

Techniques Used

Domain ID Name Use
enterprise T1583 Acquire Infrastructure -
enterprise T1583.001 Domains BITTER has registered a variety of domains to host malicious payloads and for C2.1
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols BITTER has used HTTP POST requests for C2.21
enterprise T1568 Dynamic Resolution BITTER has used DDNS for C2 communications.1
enterprise T1573 Encrypted Channel BITTER has encrypted their C2 communications.1
enterprise T1203 Exploitation for Client Execution BITTER has exploited Microsoft Office vulnerabilities CVE-2012-0158, CVE-2017-11882, CVE-2018-0798, and CVE-2018-0802.21
enterprise T1068 Exploitation for Privilege Escalation BITTER has exploited CVE-2021-1732 for privilege escalation.34
enterprise T1105 Ingress Tool Transfer BITTER has downloaded additional malware and tools onto a compromised host.21
enterprise T1559 Inter-Process Communication -
enterprise T1559.002 Dynamic Data Exchange BITTER has executed OLE objects using Microsoft Equation Editor to download and run malicious payloads.2
enterprise T1036 Masquerading -
enterprise T1036.004 Masquerade Task or Service BITTER has disguised malware as a Windows Security update service.2
enterprise T1095 Non-Application Layer Protocol BITTER has used TCP for C2 communications.1
enterprise T1027 Obfuscated Files or Information BITTER has used a RAR SFX dropper to deliver malware.1
enterprise T1588 Obtain Capabilities -
enterprise T1588.002 Tool BITTER has obtained tools such as PuTTY for use in their operations.1
enterprise T1566 Phishing -
enterprise T1566.001 Spearphishing Attachment BITTER has sent spearphishing emails with a malicious RTF document or Excel spreadsheet.21
enterprise T1053 Scheduled Task/Job -
enterprise T1053.005 Scheduled Task BITTER has used scheduled tasks for persistence and execution.2
enterprise T1608 Stage Capabilities -
enterprise T1608.001 Upload Malware BITTER has registered domains to stage payloads.1
enterprise T1204 User Execution -
enterprise T1204.002 Malicious File BITTER has attempted to lure victims into opening malicious attachments delivered via spearphishing.21


ID Name References Techniques
S1013 ZxxZ 2 Data from Local System Deobfuscate/Decode Files or Information Ingress Tool Transfer Masquerade Task or Service:Masquerading Native API Obfuscated Files or Information Spearphishing Attachment:Phishing Process Discovery Query Registry Scheduled Task:Scheduled Task/Job Security Software Discovery:Software Discovery System Information Discovery System Owner/User Discovery Malicious File:User Execution