Threat Actor Profile
High APT
Description

BITTER is a suspected South Asian cyber espionage threat group that has been active since at least 2013. BITTER has targeted government, energy, and engineering organizations in Pakistan, China, Bangladesh, and Saudi Arabia.(Citation: Cisco Talos Bitter Bangladesh May 2022)(Citation: Forcepoint BITTER Pakistan Oct 2016)

Confidence Score
90%
Known Aliases
BITTER T-APT-17
Tags
mitre-attack stix-2.1 intrusion-set
First Seen

Unknown

Last Updated

Unknown

Active Status
Active
Created

April 29, 2026

MITRE ATT&CK Techniques (16)
T1071.001 - Web Protocols
Command and Control
T1095 - Non-Application Layer Protocol
Command and Control
T1105 - Ingress Tool Transfer
Command and Control
T1568 - Dynamic Resolution
Command and Control
T1573 - Encrypted Channel
Command and Control
T1027.013 - Encrypted/Encoded File
Defense Evasion
T1036.004 - Masquerade Task or Service
Defense Evasion
T1053.005 - Scheduled Task
Execution
T1203 - Exploitation for Client Execution
Execution
T1204.002 - Malicious File
Execution
T1559.002 - Dynamic Data Exchange
Execution
T1566.001 - Spearphishing Attachment
Initial Access
T1068 - Exploitation for Privilege Escalation
Privilege Escalation
T1583.001 - Domains
Resource Development
T1588.002 - Tool
Resource Development
T1608.001 - Upload Malware
Resource Development
Indicators of Compromise

Loading IOCs…

IOC KQL for Sentinel
STIX Data 
{'aliases': ['BITTER', 'T-APT-17'],
 'created': '2022-06-01T20:26:53.880Z',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'description': '[BITTER](https://attack.mitre.org/groups/G1002) is a '
                'suspected South Asian cyber espionage threat group that has '
                'been active since at least 2013. '
                '[BITTER](https://attack.mitre.org/groups/G1002) has targeted '
                'government, energy, and engineering organizations in '
                'Pakistan, China, Bangladesh, and Saudi Arabia.(Citation: '
                'Cisco Talos Bitter Bangladesh May 2022)(Citation: Forcepoint '
                'BITTER Pakistan Oct 2016)',
 'external_references': [{'external_id': 'G1002',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/groups/G1002'},
                         {'description': '(Citation: Cisco Talos Bitter '
                                         'Bangladesh May 2022)',
                          'source_name': 'T-APT-17'},
                         {'description': 'Dela Paz, R. (2016, October 21). '
                                         'BITTER: a targeted attack against '
                                         'Pakistan. Retrieved June 1, 2022.',
                          'source_name': 'Forcepoint BITTER Pakistan Oct 2016',
                          'url': 'https://www.forcepoint.com/blog/x-labs/bitter-targeted-attack-against-pakistan'},
                         {'description': 'Raghuprasad, C . (2022, May 11). '
                                         'Bitter APT adds Bangladesh to their '
                                         'targets. Retrieved June 1, 2022.',
                          'source_name': 'Cisco Talos Bitter Bangladesh May '
                                         '2022',
                          'url': 'https://blog.talosintelligence.com/2022/05/bitter-apt-adds-bangladesh-to-their.html'}],
 'id': 'intrusion-set--7f848c02-4d1e-4808-a4ae-4670681370a9',
 'modified': '2024-04-11T02:52:27.131Z',
 'name': 'BITTER',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'revoked': False,
 'spec_version': '2.1',
 'type': 'intrusion-set',
 'x_mitre_attack_spec_version': '3.2.0',
 'x_mitre_deprecated': False,
 'x_mitre_domains': ['enterprise-attack', 'mobile-attack'],
 'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'x_mitre_version': '1.1'}
Quick Actions
Related TTPs (16)
Web Protocols
Command and Control
Non-Application Layer Protocol
Command and Control
Ingress Tool Transfer
Command and Control
Dynamic Resolution
Command and Control
Encrypted Channel
Command and Control
View All 16 TTPs
Back to Threat Actors
Dashboard Home