Live Active security incident? Get immediate response
MITRE ATT&CK® Group

G1002: BITTER

BITTER is a suspected South Asian cyber espionage threat group that has been active since at least 2013. BITTER has targeted government, energy, and engineering organizations in Pakistan, China, Bangladesh, and Saudi Arabia.[1][2]

EnterpriseG1002GroupObject v1.1 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

BITTER is a suspected South Asian cyber espionage group reported by ATT&CK as active since at least 2013, with targeting of government, energy, and engineering organizations in Pakistan, China, Bangladesh, and Saudi Arabia. For leaders, the value is not in treating the name as a standalone indicator, but in validating whether controls cover the associated pattern: phishing or malicious files for execution, Windows-oriented persistence via scheduled tasks/services, privilege escalation through exploitation, and command-and-control that may blend into web, encrypted, or dynamically resolved traffic.

Executive priority

Prioritize this as an espionage-aligned readiness scenario for organizations with government, energy, engineering, regional, or partner exposure matching the ATT&CK description. Key leadership questions: Are email and endpoint controls producing usable evidence for malicious attachment execution? Are Windows scheduled tasks and service changes monitored well enough for incident response? Can the SOC investigate web-like, encrypted, dynamically resolved, or non-application-layer C2? Are vulnerability management decisions connected to client-side and privilege-escalation exposure? The business risk is loss of sensitive information, prolonged dwell time, and weak audit evidence if telemetry is missing.

Technical view

ATT&CK provides no official detection text for BITTER, so defenders should validate coverage against the related software and techniques. The relationship set includes ZxxZ, a Visual C++ trojan used by BITTER since at least August 2021 against Bangladeshi government personnel, and techniques spanning spearphishing attachment, malicious file execution, client exploitation, DDE, scheduled task persistence, masqueraded task/service names, privilege escalation exploitation, ingress tool transfer, dynamic resolution, encrypted channels, web protocols, and non-application-layer protocols. SOC and IR teams should build procedures around the sequence of suspicious email/file delivery, execution artifacts, persistence creation or modification, tool download, and outbound C2 behavior rather than relying only on group-name attribution.

Likely telemetry

  • Email security logs and message metadata for attachments associated with targeted phishing workflows
  • Endpoint process creation, parent-child process lineage, and file creation events for opened documents or malicious files
  • Windows Task Scheduler events, scheduled task definitions, service creation/modification logs, and task/service names and descriptions
  • Endpoint detection telemetry for DDE-related execution and abnormal client application behavior
  • Vulnerability and patch posture data for client applications and privilege-escalation-relevant software

Detection direction

  • Because no official ATT&CK detection guidance is provided, start with behavior-level detections mapped to the related techniques rather than claims of BITTER-specific coverage.
  • Correlate spearphishing attachment delivery with user-driven file opening, client application spawning script interpreters or unusual child processes, DDE-like execution, and subsequent payload download.
  • Tune scheduled task and service monitoring for new, modified, or deceptively named tasks/services, with false-positive handling for legitimate administration and software update activity.
  • Validate that outbound web, encrypted, and dynamically resolved communications are investigated using metadata, destination reputation/context, beaconing patterns, and endpoint process attribution; encrypted traffic alone should not be treated as malicious.
  • Review visibility for non-application-layer protocol communications, since many environments have limited packet or protocol-level telemetry.

Mitigation priorities

  • Harden phishing resistance first: attachment controls, user reporting workflows, detonation/sandboxing where available, and rapid containment playbooks for suspicious opened files.
  • Maintain timely patching for client applications and privilege-escalation-relevant software, prioritizing exposed user populations and high-value roles.
  • Restrict and monitor scheduled task and service creation, especially on Windows systems, and ensure administrative activity is attributable.
  • Apply least privilege to reduce the value of successful execution and limit opportunities for privilege escalation.
  • Control outbound traffic with DNS, proxy, firewall, and egress policies that support investigation of dynamic domains, encrypted channels, and tool transfers.
Analyst notes and limits

This take is based only on the supplied ATT&CK intrusion-set description, external references, and listed relationships. The strongest defensive use is as a coverage validation scenario: phishing-to-execution, persistence through scheduled tasks/services, exploitation-driven privilege escalation, tool transfer, and C2 over common or obscured channels. Attribution should remain secondary unless local forensic evidence supports it.

ATT&CK provides no official detection field for this group, no group-level platforms or tactics, and the related technique descriptions are largely generic ATT&CK behavior summaries rather than detailed BITTER procedures. Local asset exposure, regional relevance, telemetry availability, and confirmed indicators are required before making environment-specific risk or coverage claims.

Official MITRE ATT&CK definition

BITTER

BITTER is a suspected South Asian cyber espionage threat group that has been active since at least 2013. BITTER has targeted government, energy, and engineering organizations in Pakistan, China, Bangladesh, and Saudi Arabia.[1][2]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

16 rows
Domain ID Name Relationship / procedure
Enterprise T1105 Ingress Tool Transfer

BITTER has downloaded additional malware and tools onto a compromised host.[1][2]
Enterprise T1071.001 Web Protocols Sub-technique

BITTER has used HTTP POST requests for C2.[1][2]
Enterprise T1588.002 Tool Sub-technique

BITTER has obtained tools such as PuTTY for use in their operations.[2]
Enterprise T1568 Dynamic Resolution

BITTER has used DDNS for C2 communications.[2]
Enterprise T1566.001 Spearphishing Attachment Sub-technique

BITTER has sent spearphishing emails with a malicious RTF document or Excel spreadsheet.[1][2]
Enterprise T1204.002 Malicious File Sub-technique

BITTER has attempted to lure victims into opening malicious attachments delivered via spearphishing.[1][2]
Enterprise T1027.013 Encrypted/Encoded File Sub-technique

BITTER has used a RAR SFX dropper to deliver malware.[2]
Enterprise T1573 Encrypted Channel

BITTER has encrypted their C2 communications.[2]
Enterprise T1068 Exploitation for Privilege Escalation

BITTER has exploited CVE-2021-1732 for privilege escalation.CitationDBAPPSecurity BITTER zero-day Feb 2021CitationMicrosoft CVE-2021-1732 Feb 2021
Enterprise T1036.004 Masquerade Task or Service Sub-technique

BITTER has disguised malware as a Windows Security update service.[1]
Enterprise T1608.001 Upload Malware Sub-technique

BITTER has registered domains to stage payloads.[2]
Enterprise T1559.002 Dynamic Data Exchange Sub-technique

BITTER has executed OLE objects using Microsoft Equation Editor to download and run malicious payloads.[1]
Enterprise T1203 Exploitation for Client Execution

BITTER has exploited Microsoft Office vulnerabilities CVE-2012-0158, CVE-2017-11882, CVE-2018-0798, and CVE-2018-0802.[1][2]
Enterprise T1583.001 Domains Sub-technique

BITTER has registered a variety of domains to host malicious payloads and for C2.[2]
Enterprise T1053.005 Scheduled Task Sub-technique

BITTER has used scheduled tasks for persistence and execution.[1]
Enterprise T1095 Non-Application Layer Protocol

BITTER has used TCP for C2 communications.[2]
Associated objects

Groups, software, and campaigns

Malware Enterprise

S1013: ZxxZ

ZxxZ is a trojan written in Visual C++ that has been used by BITTER since at least August 2021, including against Bangladeshi government personnel.[1]

Windows
Relationship explorer

All related ATT&CK context

uses · Technique T1105: Ingress Tool Transfer Enterprise uses · Malware S1013: ZxxZ Enterprise uses · Technique T1071.001: Web Protocols Enterprise uses · Technique T1588.002: Tool Enterprise uses · Technique T1568: Dynamic Resolution Enterprise uses · Technique T1566.001: Spearphishing Attachment Enterprise uses · Technique T1204.002: Malicious File Enterprise uses · Technique T1027.013: Encrypted/Encoded File Enterprise uses · Technique T1573: Encrypted Channel Enterprise uses · Technique T1068: Exploitation for Privilege Escalation Enterprise uses · Technique T1036.004: Masquerade Task or Service Enterprise uses · Technique T1608.001: Upload Malware Enterprise uses · Technique T1559.002: Dynamic Data Exchange Enterprise uses · Technique T1203: Exploitation for Client Execution Enterprise uses · Technique T1583.001: Domains Enterprise uses · Technique T1053.005: Scheduled Task Enterprise uses · Technique T1095: Non-Application Layer Protocol Enterprise
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.1
Created
Modified
Raw hash
67d537b4b3ff1ccf...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.1 Current bundle 67d537b4b3ff…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    Cisco Talos Bitter Bangladesh May 2022

    Raghuprasad, C . (2022, May 11). Bitter APT adds Bangladesh to their targets. Retrieved June 1, 2022.

    Open source URL
  2. [2]
    Forcepoint BITTER Pakistan Oct 2016

    Dela Paz, R. (2016, October 21). BITTER: a targeted attack against Pakistan. Retrieved June 1, 2022.

    Open source URL
  3. [3]
    T-APT-17

    (Citation: Cisco Talos Bitter Bangladesh May 2022)

  4. [4]
    mitre-attack G1002
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use