G1002: BITTER
Analyst context for executives and security teams
BITTER is a suspected South Asian cyber espionage group reported by ATT&CK as active since at least 2013, with targeting of government, energy, and engineering organizations in Pakistan, China, Bangladesh, and Saudi Arabia. For leaders, the value is not in treating the name as a standalone indicator, but in validating whether controls cover the associated pattern: phishing or malicious files for execution, Windows-oriented persistence via scheduled tasks/services, privilege escalation through exploitation, and command-and-control that may blend into web, encrypted, or dynamically resolved traffic.
Executive priority
Prioritize this as an espionage-aligned readiness scenario for organizations with government, energy, engineering, regional, or partner exposure matching the ATT&CK description. Key leadership questions: Are email and endpoint controls producing usable evidence for malicious attachment execution? Are Windows scheduled tasks and service changes monitored well enough for incident response? Can the SOC investigate web-like, encrypted, dynamically resolved, or non-application-layer C2? Are vulnerability management decisions connected to client-side and privilege-escalation exposure? The business risk is loss of sensitive information, prolonged dwell time, and weak audit evidence if telemetry is missing.
Technical view
ATT&CK provides no official detection text for BITTER, so defenders should validate coverage against the related software and techniques. The relationship set includes ZxxZ, a Visual C++ trojan used by BITTER since at least August 2021 against Bangladeshi government personnel, and techniques spanning spearphishing attachment, malicious file execution, client exploitation, DDE, scheduled task persistence, masqueraded task/service names, privilege escalation exploitation, ingress tool transfer, dynamic resolution, encrypted channels, web protocols, and non-application-layer protocols. SOC and IR teams should build procedures around the sequence of suspicious email/file delivery, execution artifacts, persistence creation or modification, tool download, and outbound C2 behavior rather than relying only on group-name attribution.
Likely telemetry
- Email security logs and message metadata for attachments associated with targeted phishing workflows
- Endpoint process creation, parent-child process lineage, and file creation events for opened documents or malicious files
- Windows Task Scheduler events, scheduled task definitions, service creation/modification logs, and task/service names and descriptions
- Endpoint detection telemetry for DDE-related execution and abnormal client application behavior
- Vulnerability and patch posture data for client applications and privilege-escalation-relevant software
Detection direction
- Because no official ATT&CK detection guidance is provided, start with behavior-level detections mapped to the related techniques rather than claims of BITTER-specific coverage.
- Correlate spearphishing attachment delivery with user-driven file opening, client application spawning script interpreters or unusual child processes, DDE-like execution, and subsequent payload download.
- Tune scheduled task and service monitoring for new, modified, or deceptively named tasks/services, with false-positive handling for legitimate administration and software update activity.
- Validate that outbound web, encrypted, and dynamically resolved communications are investigated using metadata, destination reputation/context, beaconing patterns, and endpoint process attribution; encrypted traffic alone should not be treated as malicious.
- Review visibility for non-application-layer protocol communications, since many environments have limited packet or protocol-level telemetry.
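As an added illustration of the correlation and task-monitoring directions above (example code written for this page, not from ATT&CK or Glexia), the following rules run over constructed endpoint events; the event schema, the trusted-creator allowlist and the sample events are assumptions to be tuned locally.

```python
"""Behaviour-level detections for two steps of the BITTER pattern, run over
constructed endpoint events: an Office client or Equation Editor spawning a
script interpreter/downloader (T1203, T1559.002 -> T1204.002, T1105) and a
scheduled task registered under a Windows-security-themed name (T1053.005, T1036.004)."""
import re

# eqnedt32.exe is the Equation Editor binary; the event schema below is hypothetical.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "eqnedt32.exe"}
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "mshta.exe", "wscript.exe",
                       "certutil.exe", "bitsadmin.exe", "regsvr32.exe"}
# Task names imitating Windows Update / Security components (T1036.004).
DECEPTIVE_TASK = re.compile(r"windows\s*(security|defender|update)", re.I)
# Processes allowed to register such tasks; assumed allowlist, tune per environment.
TRUSTED_TASK_CREATORS = {"svchost.exe", "mmc.exe", "tiworker.exe"}


def _base(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect(events):
    """Return (rule, host, detail) tuples for every event that matches a rule."""
    findings = []
    for e in events:
        if e["type"] == "process_create":
            parent, child = _base(e["parent"]), _base(e["image"])
            if parent in OFFICE_PARENTS and child in SUSPICIOUS_CHILDREN:
                findings.append(("office_spawns_interpreter", e["host"], f"{parent} -> {child}"))
        elif e["type"] == "task_create":
            if DECEPTIVE_TASK.search(e["task_name"]) and _base(e["creator"]) not in TRUSTED_TASK_CREATORS:
                findings.append(("deceptive_scheduled_task", e["host"], e["task_name"]))
    return findings


# Constructed sample telemetry (not real events).
SAMPLE_EVENTS = [
    {"type": "process_create", "host": "ws01", "parent": r"C:\Office\WINWORD.EXE", "image": r"C:\Office\EQNEDT32.EXE"},
    {"type": "process_create", "host": "ws01", "parent": r"C:\Office\EQNEDT32.EXE", "image": r"C:\Windows\System32\cmd.exe"},
    {"type": "process_create", "host": "ws02", "parent": r"C:\Office\EXCEL.EXE", "image": r"C:\Windows\splwow64.exe"},
    {"type": "task_create", "host": "ws01", "task_name": "Windows Security Update", "creator": r"C:\Windows\System32\cmd.exe"},
    {"type": "task_create", "host": "ws03", "task_name": "Windows Defender Verification", "creator": r"C:\Windows\System32\svchost.exe"},
    {"type": "task_create", "host": "ws02", "task_name": "Adobe Acrobat Update Task", "creator": r"C:\Adobe\AdobeARM.exe"},
]

if __name__ == "__main__":
    for rule, host, detail in detect(SAMPLE_EVENTS):
        print(f"{host}: {rule}: {detail}")
```

Word launching Equation Editor alone is not flagged; only the Equation Editor to cmd.exe hop and the cmd.exe-created "Windows Security Update" task produce findings, while the svchost-created Defender task and the Adobe updater task are suppressed.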
Mitigation priorities
- Harden phishing resistance first: attachment controls, user reporting workflows, detonation/sandboxing where available, and rapid containment playbooks for suspicious opened files.
- Maintain timely patching for client applications and privilege-escalation-relevant software, prioritizing exposed user populations and high-value roles.
- Restrict and monitor scheduled task and service creation, especially on Windows systems, and ensure administrative activity is attributable.
- Apply least privilege to reduce the value of successful execution and limit opportunities for privilege escalation.
- Control outbound traffic with DNS, proxy, firewall, and egress policies that support investigation of dynamic domains, encrypted channels, and tool transfers.
Analyst notes and limits
This take is based only on the supplied ATT&CK intrusion-set description, external references, and listed relationships. The strongest defensive use is as a coverage validation scenario: phishing-to-execution, persistence through scheduled tasks/services, exploitation-driven privilege escalation, tool transfer, and C2 over common or obscured channels. Attribution should remain secondary unless local forensic evidence supports it.
ATT&CK provides no official detection field for this group, no group-level platforms or tactics, and the related technique descriptions are largely generic ATT&CK behavior summaries rather than detailed BITTER procedures. Local asset exposure, regional relevance, telemetry availability, and confirmed indicators are required before making environment-specific risk or coverage claims.
BITTER
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1105 | Ingress Tool Transfer | BITTER has downloaded additional malware and tools onto a compromised host. [1][2] |
| Enterprise | T1071.001 | Web Protocols | BITTER has used HTTP POST requests for C2. [1][2] |
| Enterprise | T1588.002 | Tool | BITTER has obtained tools such as PuTTY for use in their operations. [2] |
| Enterprise | T1568 | Dynamic Resolution | BITTER has used DDNS for C2 communications. [2] |
| Enterprise | T1566.001 | Spearphishing Attachment | BITTER has sent spearphishing emails with a malicious RTF document or Excel spreadsheet. [1][2] |
| Enterprise | T1204.002 | Malicious File | BITTER has attempted to lure victims into opening malicious attachments delivered via spearphishing. [1][2] |
| Enterprise | T1027.013 | Encrypted/Encoded File | BITTER has used a RAR SFX dropper to deliver malware. [2] |
| Enterprise | T1573 | Encrypted Channel | BITTER has encrypted their C2 communications. [2] |
| Enterprise | T1068 | Exploitation for Privilege Escalation | BITTER has exploited CVE-2021-1732 for privilege escalation. (Citation: DBAPPSecurity BITTER zero-day Feb 2021; Citation: Microsoft CVE-2021-1732 Feb 2021) |
| Enterprise | T1036.004 | Masquerade Task or Service | BITTER has disguised malware as a Windows Security update service. [1] |
| Enterprise | T1608.001 | Upload Malware | BITTER has registered domains to stage payloads. [2] |
| Enterprise | T1559.002 | Dynamic Data Exchange | BITTER has executed OLE objects using Microsoft Equation Editor to download and run malicious payloads. [1] |
| Enterprise | T1203 | Exploitation for Client Execution | BITTER has exploited Microsoft Office vulnerabilities CVE-2012-0158, CVE-2017-11882, CVE-2018-0798, and CVE-2018-0802. [1][2] |
| Enterprise | T1583.001 | Domains | BITTER has registered a variety of domains to host malicious payloads and for C2. [2] |
| Enterprise | T1053.005 | Scheduled Task | BITTER has used scheduled tasks for persistence and execution. [1] |
| Enterprise | T1095 | Non-Application Layer Protocol | BITTER has used TCP for C2 communications. [2] |
Groups, software, and campaigns
S1013: ZxxZ
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 67d537b4b3ff… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Cisco Talos Bitter Bangladesh May 2022: Raghuprasad, C. (2022, May 11). Bitter APT adds Bangladesh to their targets. Retrieved June 1, 2022.
- [2] Forcepoint BITTER Pakistan Oct 2016: Dela Paz, R. (2016, October 21). BITTER: a targeted attack against Pakistan. Retrieved June 1, 2022.
- [3] T-APT-17 (alias; Citation: Cisco Talos Bitter Bangladesh May 2022)
- [4] mitre-attack G1002
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.