Bitter (APT-Q-37) uses diverse means to deliver new backdoor components
Oct. 23, 2025, 8:38 a.m.
Description
The Bitter group, also known as APT-Q-37, has been detected using new attack techniques to deliver a C# backdoor. Two attack chains were identified: one using VBA macros in xlam files to compile and install the backdoor, and another exploiting a WinRAR vulnerability to plant malicious macros. The backdoor communicates with C2 servers, collects device information, and can download and execute arbitrary EXE files. The group, believed to have South Asian origins, targets government, electric power, and military industries in China, Pakistan, and other countries. The attacks demonstrate the group's evolving tactics and expansion of their arsenal, although some methods require specific victim environments to succeed.
Date
- Created: Oct. 23, 2025, 8:07 a.m.
- Published: Oct. 23, 2025, 8:07 a.m.
- Modified: Oct. 23, 2025, 8:38 a.m.
Indicators
Additional Information
- Energy
- Defense
- Government
- China
- Pakistan