
Fingerprint of TA397’s scheduled tasks and infrastructure | Image: Proofpoint
A new report from Proofpoint Threat Research, in collaboration with Threatray, reveals mounting evidence that TA397 (also known as Bitter APT) is an India-aligned, state-backed threat actor conducting long-term espionage campaigns targeting geopolitical rivals and international partners alike. Operating predominantly during Indian business hours, the group exhibits a level of tactical persistence and strategic targeting aimed at advancing the intelligence interests of the Indian state.
While previously known for targeting South Asian entities, TA397 has expanded its scope significantly. From government organizations in Europe and Asia to diplomatic missions in China, Pakistan, and Mauritius, the group’s phishing and malware campaigns are no longer region-bound.
The targets of TA397’s operations are consistent with classic espionage motivations: foreign policy insight, defense strategy, and economic planning. The report notes the group has spoofed and impersonated a wide range of credible institutions to lure victims—ranging from the Embassy of Mauritius in China to the Ministry of Foreign Affairs of South Korea.
“Masquerading as foreign offices, embassies, and government entities… indicates that TA397 not only has knowledge of legitimate affairs of those countries, but leverages this knowledge to bolster the legitimacy of its spearphishing operations,” the report states.
At the core of TA397’s operations lies its consistent use of scheduled tasks for persistent access, with spearphishing as the primary delivery mechanism. From CHM and LNK files to MSC and even alternate data streams, the group has shown technical agility in its delivery methods—but not necessarily high sophistication.
“While TA397’s targets… were Turkish and Chinese entities with a presence in Europe, it signals that the group likely has knowledge and visibility into the legitimate affairs of Madagascar and Mauritius.”
The malware payloads often included encoded computer names and usernames within beaconing patterns—a trait that now serves as a detection signature. Furthermore, the use of Let’s Encrypt TLS certificates and distinct PHP URL patterns has helped analysts tie seemingly unrelated incidents to the same actor.
TA397 operators responded manually—sometimes hours after an initial infection—to selectively deliver custom payloads based on the infected machine’s metadata.
“The final payload of this campaign turned out to be BDarkRAT… suggesting TA397 made a conscious decision to load a hand-picked payload to the staging infrastructure.”
In one case, Proofpoint analysts found exfiltrated documents likely obtained through successful TA397 intrusions—a Bangladeshi government tax form and a strategic military document from the same country. This strongly supports the assessment that TA397’s activities are directed intelligence operations, not financially motivated attacks.
“These documents both appeared to be photocopies or scans of handwritten documents… highly likely they were exfiltrated from TA397 victims.”
A time-based analysis of domain registration, TLS certificate issuance, and server interaction confirmed that TA397 consistently operates on a Monday–Friday schedule aligned with Indian Standard Time. Coupled with shared tools such as ORPCBackdoor—also used by other Indian threat groups like Mysterious Elephant/APT-K-47 and Confucius—TA397 is clearly embedded in a tool-sharing ecosystem of Indian cyber espionage actors.
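The working-hours attribution described above, as an added example that is not Proofpoint's or Threatray's code: constructed UTC timestamps for domain registrations, certificate issuance and server interactions are re-projected into several candidate fixed offsets, and the offset under which most events land on Mon–Fri 09:00–18:00 is reported. The sample timestamps, the working window and the candidate offsets are assumptions, not values from the report.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Candidate fixed UTC offsets to test (assumption: DST ignored for simplicity).
CANDIDATE_ZONES = {
    "IST (UTC+05:30)": timezone(timedelta(hours=5, minutes=30)),
    "UTC": timezone.utc,
    "UTC+08:00": timezone(timedelta(hours=8)),
    "UTC-05:00": timezone(timedelta(hours=-5)),
}
BUSINESS_START, BUSINESS_END = 9, 18  # assumed Mon-Fri working window, local hours

# Constructed sample (not from the report): (event class, UTC timestamp) for the
# three event classes the time-based analysis draws on.
SAMPLE_EVENTS = [
    ("domain_registration", "2024-03-04T04:10:00Z"),
    ("tls_issuance",        "2024-03-05T06:45:00Z"),
    ("server_interaction",  "2024-03-06T10:30:00Z"),
    ("server_interaction",  "2024-03-07T03:35:00Z"),
    ("domain_registration", "2024-03-08T12:20:00Z"),
    ("server_interaction",  "2024-03-09T07:00:00Z"),  # a Saturday in every zone tested
    ("tls_issuance",        "2024-03-11T05:00:00Z"),
    ("server_interaction",  "2024-03-12T18:40:00Z"),
]

def parse_utc(ts):
    """Parse an ISO-8601 timestamp ending in Z into an aware UTC datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def in_business_window(local_dt):
    """True when the local time is Mon-Fri inside the assumed working hours."""
    return local_dt.weekday() < 5 and BUSINESS_START <= local_dt.hour < BUSINESS_END

def business_hour_fraction(events, tz):
    """Share of events landing in the working window when viewed in tz."""
    local = [parse_utc(ts).astimezone(tz) for _, ts in events]
    return sum(in_business_window(dt) for dt in local) / len(local)

def weekday_histogram(events, tz):
    """Events per local weekday abbreviation (Mon, Tue, ...) under tz."""
    return dict(Counter(parse_utc(ts).astimezone(tz).strftime("%a") for _, ts in events))

def best_fit_zone(events, zones=CANDIDATE_ZONES):
    """(zone name, fraction) for the offset where activity looks most like office hours."""
    scores = {name: business_hour_fraction(events, tz) for name, tz in zones.items()}
    best = max(scores, key=scores.get)
    return best, scores[best]

if __name__ == "__main__":
    print(best_fit_zone(SAMPLE_EVENTS), weekday_histogram(SAMPLE_EVENTS, CANDIDATE_ZONES["IST (UTC+05:30)"]))
```

On real data the same comparison is only meaningful with many events spread over weeks, since a handful of timestamps fits several offsets about equally well.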