Bitter APT Targets Turkish Defense with New Malware, WmRAT and MiyaRAT
The cyberespionage group Bitter, believed to be linked to South Asia, launched an attack in November 2024 against a defense sector organization in Turkey, utilizing two C++-based malware programs, WmRAT and MiyaRAT.
Researchers at Proofpoint reported that the attack began with a RAR archive leveraging Alternate Data Streams (ADS). The archive contained an LNK file that created a scheduled task to download additional payloads.
Active since 2013, Bitter—also tracked as TA397—has previously targeted entities in China, Pakistan, India, Saudi Arabia, and Bangladesh. The group’s primary tools, including BitterRAT, ArtraDownloader, and ZxxZ, indicate a clear focus on the Asian region.
In the latest operation, the attackers used a lure involving infrastructure projects in Madagascar. The archive included a fake PDF file and a hidden data stream containing PowerShell code.
NTFS Alternate Data Streams allow attackers to embed concealed data within a file without altering its visible size or appearance. In this instance, one stream held the code that fetched the decoy document from the World Bank’s website, while another contained the PowerShell script that created the scheduled task.
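The following is an added defender-side example, not code from the Proofpoint report: it walks a directory of extracted archive contents, lists every NTFS alternate data stream, and flags any stream that is neither the default `:$DATA` stream nor the browser-added `Zone.Identifier` mark, reading its contents for script-like indicators. The directory path and the indicator patterns are assumptions chosen for illustration.

```powershell
# Added example (not from the original report). Enumerate alternate data streams
# on every file under a directory and surface those that carry hidden content.
# Assumes Windows PowerShell 5.1+ on an NTFS volume; the path is an assumption.
function Find-SuspiciousAds {
    param(
        [Parameter(Mandatory)] [string]$Path,
        # Streams that are normal on a downloaded/extracted file
        [string[]]$ExpectedStreams = @(':$DATA', 'Zone.Identifier'),
        # Constructed triage patterns; extend to match local detection content
        [string]$IndicatorRegex = 'powershell|Invoke-WebRequest|DownloadString|Net\.WebClient|schtasks|IEX'
    )

    Get-ChildItem -LiteralPath $Path -File -Recurse | ForEach-Object {
        $file = $_
        # Get-Item -Stream * returns one object per stream (FileName, Stream, Length)
        Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $ExpectedStreams -notcontains $_.Stream } |
            ForEach-Object {
                $stream  = $_
                $content = Get-Content -LiteralPath $file.FullName -Stream $stream.Stream -Raw -ErrorAction SilentlyContinue
                # Null content (binary read failure) simply yields $false here
                $looksLikeScript = [bool]($content -match $IndicatorRegex)
                [pscustomobject]@{
                    File            = $file.FullName
                    Stream          = $stream.Stream
                    Length          = $stream.Length
                    LooksLikeScript = $looksLikeScript
                }
            }
    }
}

# Example run against an assumed extraction directory; every hidden stream is
# reported so an analyst can review it even when no indicator pattern matched.
$findings = Find-SuspiciousAds -Path 'C:\Triage\extracted_archive'
$findings | Sort-Object LooksLikeScript -Descending | Format-Table -AutoSize
```

Archivers that preserve ADS on extraction (as the report describes for this RAR) are what make this check useful; a file copied through a non-NTFS path loses its extra streams, so run it on the original extraction location.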
The main malware tools, WmRAT and MiyaRAT, possess standard remote access trojan capabilities, including system information gathering, file uploads and downloads, screenshot capture, geolocation tracking, and the execution of arbitrary commands via cmd.exe or PowerShell.
Experts highlight that MiyaRAT is reserved for high-priority operations, as its use has been observed in a limited number of attacks. According to Proofpoint, Bitter’s activities are aimed at gathering intelligence to serve the interests of South Asian governments.