
As tensions flared between India and Pakistan during Operation Sindoor on May 7, 2025, a covert cyber offensive emerged beneath the geopolitical storm. According to a recent analysis by EclecticIQ and Hudson Rock, the Bitter APT group—also known as TA397—launched a targeted spear phishing campaign against Pakistan Telecommunication Company Limited (PTCL).
“The timing of the email, coinciding with reported military confrontations between India and Pakistan, is likely an attempt to target Pakistan’s telecommunications sector during a period of regional tension,” the report explains.
The report indicates that high-value PTCL personnel, including 5G engineers, DevOps teams, and satellite communication specialists, were deliberately selected, suggesting an intent to compromise Pakistan’s core digital infrastructure.
The malicious campaign originated from a compromised email account belonging to Pakistan’s Counter Terrorism Department (CTD)—ctd@islamabadpolice.gov.pk—with credentials stolen via the StealC infostealer as early as August 2024.
“The spear phishing campaign targeted PTCL personnel… The malicious email… contained an Internet Query (IQY) attachment with a malicious Excel macro.”
When opened, the .iqy file downloaded a disguised .png file which was reconstructed into an executable—a variant of WmRAT, a remote access trojan with capabilities including file exfiltration, screen capture, and remote command execution.
The WmRAT variant used by Bitter APT demonstrates an advanced level of stealth and control. It communicates with a command-and-control (C2) server embedded as an XOR-encrypted string within the binary.
“EclecticIQ analysts decrypted the string… revealing the C2 domain: tradesmarkets.greenadelhouse.com.”
The malware utilizes Base64-encoded identifiers in its HTTPS communications to mask host and OS details:
“BAMUDTK*Admin*Windows10Enterprise” – identifying host name, user role, and OS in a single string.
Additionally, the malware mimics legacy User-Agent headers to evade detection: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0…).
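As an added example (not code from the EclecticIQ/Hudson Rock report), a small Python check that runs the three network indicators described above over constructed proxy-log lines: the Base64 host*role*OS identifier, the legacy MSIE 7.0 / Trident/7.0 User-Agent, and the C2 domain. The tab-separated log format, the non-C2 hostnames and the sample timestamps are assumptions made for the example.

```python
import base64
import re

# Indicators taken from the write-up above. Everything else here is constructed for the example.
KNOWN_C2 = {"tradesmarkets.greenadelhouse.com"}
LEGACY_UA_RE = re.compile(r"MSIE 7\.0;.*Trident/7\.0")
# WmRAT identifier layout before Base64 encoding: "<hostname>*<user role>*<OS>"
IDENT_RE = re.compile(r"^[^*\s]+\*[^*\s]+\*[^*\s]+$")

LEGACY_UA = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0)"
MAL_TOKEN = base64.b64encode(b"BAMUDTK*Admin*Windows10Enterprise").decode()

# Constructed sample log lines: timestamp, destination host, User-Agent, query token (tab-separated).
SAMPLE_LOGS = [
    "2025-05-07T10:14:02Z\ttradesmarkets.greenadelhouse.com\t" + LEGACY_UA + "\t" + MAL_TOKEN,
    "2025-05-07T10:14:05Z\tupdates.example.com\tMozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0\t"
    + base64.b64encode(b"session=8f2c").decode(),
    "2025-05-07T10:15:11Z\tintranet.example.com\t" + LEGACY_UA + "\tnot-base64!",
]


def decode_identifier(token):
    """Return the decoded host*role*OS string if token is a WmRAT-style identifier, else None."""
    try:
        text = base64.b64decode(token, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError subclass
        return None
    return text if IDENT_RE.fullmatch(text) else None


def score_line(line):
    """Return (timestamp, destination, reasons) for one log line; reasons is empty if nothing matched."""
    ts, dst, ua, token = line.split("\t")
    reasons = []
    if dst in KNOWN_C2:
        reasons.append("destination is the reported WmRAT C2 domain")
    if LEGACY_UA_RE.search(ua):
        reasons.append("legacy MSIE 7.0 / Trident/7.0 User-Agent")
    ident = decode_identifier(token)
    if ident is not None:
        reasons.append(f"Base64 host*role*OS identifier: {ident}")
    return ts, dst, reasons


def scan(lines, min_indicators=2):
    """Keep only lines with at least min_indicators hits, so an old User-Agent alone does not alert."""
    return [hit for hit in map(score_line, lines) if len(hit[2]) >= min_indicators]


if __name__ == "__main__":
    for ts, dst, reasons in scan(SAMPLE_LOGS):
        print(ts, dst, "; ".join(reasons))
```

Lowering min_indicators to 1 surfaces the weaker single-signal line as well, which is useful for hunting but noisy for alerting.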
The initial infection chain reveals how long-term credential theft can snowball into full-scale espionage. The stolen CTD credentials not only enabled highly believable phishing but also extended Bitter APT’s access across Pakistan’s telecom backbone.
“The compromise of the CTD’s email account provided threat actors with prolonged, privileged access… leveraged… to craft a convincing spear phishing email.”
By infiltrating PTCL’s critical personnel, Bitter APT is believed to be aiming for:
- Signals intelligence on encrypted civilian/government traffic
- Network mapping of interconnects and fiber routes
- Supply chain reconnaissance on vendor dependencies
- Crisis exploitation capabilities during military escalations
This operation showcases how nation-state APTs leverage infostealers and long-tail intrusions for cyber-enabled espionage. EclecticIQ concludes: “Bitter APT gains a long-term asymmetric advantage: the power to monitor, disrupt in any future escalation.”