A suspected South Asian cyber espionage group known as TA397 or Bitter targeted a Turkish defense sector organization in November 2024. The group used sophisticated tactics to deliver two C++ malware families called WmRAT and MiyaRAT. The attack started with a phishing email containing a RAR archive.
The archive had a shortcut file disguised as a PDF, a hidden legitimate PDF document, and two NTFS Alternate Data Streams (ADS) files. When the victim opened the RAR file, the shortcut file ran malicious PowerShell commands hidden in one of the ADS files. These commands opened the decoy PDF to distract the victim.
The same commands also created a scheduled task named “DsSvcCleanup.”
This scheduled task sent data about the infected machine to a staging domain controlled by the attackers every 17 minutes.
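The chain described above leaves a recognisable trail in endpoint telemetry: a shortcut carrying a double document extension, a write to a non-Mark-of-the-Web NTFS alternate data stream, and a scheduled task registered with a short minute-based repeat interval. The following detector is an added example, not code from Proofpoint or from the article; it runs a few of those checks over constructed Sysmon-style events serialised as JSON lines (Event IDs 1, 11 and 15 are Sysmon's ProcessCreate, FileCreate and FileCreateStreamHash; the flat JSON field layout is an assumption). Only the task name “DsSvcCleanup” and the 17-minute interval come from the reported campaign; every path and command line in the sample is invented.

```python
import json
import re

# Constructed sample telemetry (Sysmon-style events, one JSON object per line).
# Paths, user names and the PowerShell script path are invented for this example.
SAMPLE_EVENTS = r"""
{"EventID": 11, "Image": "C:\\Program Files\\WinRAR\\WinRAR.exe", "TargetFilename": "C:\\Users\\u\\Downloads\\Agreement\\Brief.pdf.lnk"}
{"EventID": 11, "Image": "C:\\Program Files\\WinRAR\\WinRAR.exe", "TargetFilename": "C:\\Users\\u\\Downloads\\Agreement\\Brief.pdf"}
{"EventID": 15, "Image": "C:\\Program Files\\WinRAR\\WinRAR.exe", "TargetFilename": "C:\\Users\\u\\Downloads\\Agreement\\Brief.pdf:Participants"}
{"EventID": 15, "Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "TargetFilename": "C:\\Users\\u\\Downloads\\setup.exe:Zone.Identifier"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\schtasks.exe", "ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "schtasks /create /sc minute /mo 17 /tn DsSvcCleanup /tr \"powershell.exe -NoProfile -File C:\\ProgramData\\update.ps1\""}
{"EventID": 1, "Image": "C:\\Windows\\System32\\schtasks.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "schtasks /create /sc daily /st 03:00 /tn NightlyBackup /tr backup.cmd"}
"""

# A .lnk whose name ends in a document extension is the classic "PDF-looking shortcut".
DOC_MASQUERADE = re.compile(r"\.(pdf|docx?|xlsx?|pptx?|txt)\.lnk$", re.IGNORECASE)
# NTFS ADS path: drive letter, a path, then ":<stream>" with no further separators.
ADS_PATH = re.compile(r"^[A-Za-z]:\\.+?:(?P<stream>[^\\:]+)$")
# schtasks repeat interval in minutes ("/sc minute /mo N") and the task name ("/tn NAME").
SCHTASKS_INTERVAL = re.compile(r"/sc\s+minute\s+/mo\s+(\d+)", re.IGNORECASE)
TASK_NAME = re.compile(r'/tn\s+"?([^\s"]+)', re.IGNORECASE)

# Task names reported for this campaign (from the article); extend from your own threat intel.
KNOWN_TASK_NAMES = {"dssvccleanup"}
# Repeat intervals at or below this many minutes are treated as beacon-like (assumed threshold).
SHORT_INTERVAL_MINUTES = 30


def parse_events(text):
    """Parse JSON-lines telemetry into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect(events):
    """Return (rule_name, evidence) tuples for events matching the campaign's tradecraft."""
    findings = []
    for ev in events:
        eid = ev.get("EventID")
        target = ev.get("TargetFilename", "")
        if eid == 11 and DOC_MASQUERADE.search(target):
            findings.append(("lnk_masquerading_as_document", target))
        elif eid == 15:
            m = ADS_PATH.match(target)
            # Zone.Identifier is the benign Mark-of-the-Web stream written by browsers; ignore it.
            if m and m.group("stream").lower() != "zone.identifier":
                findings.append(("non_motw_alternate_data_stream", target))
        elif eid == 1 and ev.get("Image", "").lower().endswith("\\schtasks.exe"):
            cmd = ev.get("CommandLine", "")
            name = TASK_NAME.search(cmd)
            interval = SCHTASKS_INTERVAL.search(cmd)
            if name and name.group(1).lower() in KNOWN_TASK_NAMES:
                findings.append(("known_campaign_task_name", name.group(1)))
            if interval and int(interval.group(1)) <= SHORT_INTERVAL_MINUTES:
                findings.append(("short_interval_scheduled_task", cmd))
    return findings


def run_demo():
    """Run the detector over the constructed sample and return its findings."""
    return detect(parse_events(SAMPLE_EVENTS))


if __name__ == "__main__":
    for rule, evidence in run_demo():
        print(f"{rule}: {evidence}")
```

Against the sample, the detector raises four findings: the shortcut named as a PDF, the ADS write that is not a Zone.Identifier stream, the task name reported for this campaign, and the 17-minute repeat interval; the genuine PDF, the browser's Mark-of-the-Web stream and the daily backup task pass without a hit. In production, the same rules map to Sysmon event filters or a SIEM query, and the interval threshold and task-name list are the knobs to tune.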
Targeted malware in Turkish defense industry
The attackers then responded manually, delivering two malware payloads: WmRAT and MiyaRAT.
Both WmRAT and MiyaRAT are written in C++ and can steal files, run commands, and capture screenshots. MiyaRAT, however, adds more advanced capabilities, including a reverse shell and improved directory enumeration. The attackers appear to deploy MiyaRAT only against high-value targets.
Proofpoint researchers assess that this campaign is an espionage effort supporting a South Asian government’s interests. They base this on TA397’s history of targeting defense and public sector organizations in Europe, the Middle East, Africa, and the Asia-Pacific region. The group’s activity also falls within working hours in the UTC+5:30 time zone, further suggesting it is based in South Asia.