New evidence links long-running hacking group to Indian government
The Record from Recorded Future News

Researchers say they have uncovered new evidence linking a long-running threat actor known as Bitter to the Indian government. The group has been involved in cyberespionage operations targeting government and defense organizations across Asia, Europe and South America.

Although Bitter has been active for years, earlier assessments stopped short of definitively attributing it to the Indian state. The new research highlights stronger technical overlaps and consistent targeting patterns, suggesting it is highly likely that the group spies on behalf of India's government.

In a two-part report released this week, researchers from US-based Proofpoint and Switzerland-based Threatray said their new findings are based on a series of campaigns conducted between October 2024 and April 2025. During this period, Bitter, also tracked as TA397, carried out targeted attacks against diplomatic and government entities linked to China, Pakistan and other Indian neighbors.

"The targets, subjects and lures of TA397's campaigns are consistent with activity that is in the intelligence interests of the Indian state," Proofpoint said, adding that the group "has no qualms with masquerading as other countries' governments, including Indian allies, to trick their victims."

The researchers also noted tool-sharing overlaps with other suspected Indian threat actors, including Mysterious Elephant (also known as APT-K-47) and Confucius. All three groups have used a custom malware strain known as ORPCBackdoor, suggesting a shared arsenal or possible coordination under a common development entity.

Despite using relatively unsophisticated malware, Bitter is described as highly active and persistent. Its primary method of attack remains phishing, often leveraging spoofed or compromised diplomatic email accounts. In recent campaigns the group has impersonated Chinese government agencies, the embassies of Madagascar and Mauritius in China, and South Korea's foreign ministry, among others.

Researchers observed that TA397's malware has evolved significantly over the past decade, progressing from basic downloaders to more advanced remote access tools such as MuuyDownloader, BDarkRAT and MiyaRAT. These tools are largely custom-built and appear to remain under active development as of 2025.

Proofpoint also reported instances of so-called hands-on-keyboard activity in recent campaigns, a term referring to real-time interaction by a human operator. The timing of these operations coincided with Indian business hours, further reinforcing the assessment that TA397 is a state-aligned group based in India.

Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.

Copyright 2025 The Record from Recorded Future News