The Bitter End: Unraveling Eight Years of Espionage Antics—Part One

    Date: 06/09/2025

    Severity: High

    Summary

    TA397 (also known as Bitter) is an espionage-focused threat group with a consistent track record of targeting entities in South Asia. Although commonly linked to India, the basis for this attribution has not been thoroughly documented. In this blog, we present new evidence supporting TA397’s alignment with Indian interests and reveal previously unreported instances of the group’s activity beyond Asia. Part one of this series delves into TA397’s targeting strategies, campaign techniques, payload delivery mechanisms, and a detailed examination of its infrastructure.

    Indicators of Compromise (IOC) List


    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Domains/URLs:

    domainname like "http://95.169.180.122/vbgf.php?mo=%computername%--%username%" or url like "http://95.169.180.122/vbgf.php?mo=%computername%--%username%" or siteurl like "http://95.169.180.122/vbgf.php?mo=%computername%--%username%"
    or domainname like "jacknwoods.com" or url like "jacknwoods.com" or siteurl like "jacknwoods.com"
    or domainname like "headntale.com" or url like "headntale.com" or siteurl like "headntale.com"
    or domainname like "mnemautoregsvc.com" or url like "mnemautoregsvc.com" or siteurl like "mnemautoregsvc.com"
    or domainname like "utizviewstation.com" or url like "utizviewstation.com" or siteurl like "utizviewstation.com"
    or domainname like "princecleanit.com" or url like "princecleanit.com" or siteurl like "princecleanit.com"
    or domainname like "blucollinsoutien.com" or url like "blucollinsoutien.com" or siteurl like "blucollinsoutien.com"
    or domainname like "http://46.229.55.63/svch.php?li=%computername%..%username%" or url like "http://46.229.55.63/svch.php?li=%computername%..%username%" or siteurl like "http://46.229.55.63/svch.php?li=%computername%..%username%"
    or domainname like "trkswqsservice.com" or url like "trkswqsservice.com" or siteurl like "trkswqsservice.com"
    or domainname like "warsanservices.com" or url like "warsanservices.com" or siteurl like "warsanservices.com"
    or domainname like "inizdesignstudio.com" or url like "inizdesignstudio.com" or siteurl like "inizdesignstudio.com"
    or domainname like "woodstocktutors.com" or url like "woodstocktutors.com" or siteurl like "woodstocktutors.com"

    Hashes (SHA-256):

    sha256hash IN (
    "7c5dde52845ecae6c80c70af2200d34ef0e1bc6cbf3ead1197695b91acd22a67",
    "1b67fc55fd050d011d6712ac17315112767cac8bbe059967b70147610933b6c1",
    "b56385dc93cc8f317ce499539b0d52aa0b3d8b6a8f9493e1ee7ba01765edd020",
    "80b3a71138c34474725bbb177d8dec078effb7d8f4b19bf2e7a881b01ec7d323",
    "55f75724386dbe740c0b868da913af2c8b280335da4fde64e2300c776b79d4e8",
    "cdddbd65dbb24d3b9205e417cc267007bfd0369c316f70d2749887b9f02e949b",
    "1fbf95ccf1193e84d0e4f8c315816dd2aec56edb11ef1e7b28667360ca7e5ccd",
    "5a39f10d2e4c1cae1b52baff0cf8b3e397da2e69cb90e1bac138e8d437cbea41",
    "cc65fac9151fa527bc4b296f699475554ee2510572b8c16d5ef4b472a4cb9ffc",
    "680c99915d478ed8d9f1427b3deb2ebd255a6ec614ad643909ab4c01f52905ae",
    "c9612051b3956ac8722d8be7994634b7c940be07ca26e2fc8d0d5c94db2e4682"
    )
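    The two URL indicators above are templates: %computername% and %username% are placeholders the implant fills in at runtime, so a real beacon URL never contains those literal tokens, and a hash list benefits from case-normalisation and deduplication (the advisory lists 55f75724… twice). The following Python is an added example, not code from the advisory or from Gurucul's product; it turns the templates into patterns, matches domains by host suffix, and runs over constructed sample events (field names 'url' and 'sha256' are assumed).

```python
import re
from urllib.parse import urlsplit

# Indicators copied from the advisory above (a subset of the domains and hashes).
URL_TEMPLATES = [
    "http://46.229.55.63/svch.php?li=%computername%..%username%",
    "http://95.169.180.122/vbgf.php?mo=%computername%--%username%",
]
DOMAINS = {"jacknwoods.com", "headntale.com", "mnemautoregsvc.com"}
HASH_LIST = [  # 55f757... appears twice on the page; the set below dedupes it
    "55f75724386dbe740c0b868da913af2c8b280335da4fde64e2300c776b79d4e8",
    "55f75724386dbe740c0b868da913af2c8b280335da4fde64e2300c776b79d4e8",
    "7c5dde52845ecae6c80c70af2200d34ef0e1bc6cbf3ead1197695b91acd22a67",
]
HASHES = {h.lower() for h in HASH_LIST}


def template_to_regex(template):
    # Each %computername%/%username% placeholder becomes a wildcard for one
    # URL component; everything else (including the '..' and '--' separators)
    # is matched literally, so unrelated requests to the same path do not fire.
    parts = re.split(r"%(?:computername|username)%", template)
    return re.compile("^" + "[^/?&]+".join(map(re.escape, parts)) + "$", re.I)


URL_PATTERNS = [template_to_regex(t) for t in URL_TEMPLATES]


def match_event(event):
    """Return the indicator types that hit for one proxy/EDR event (constructed
    format: a dict with optional 'url' and 'sha256' keys)."""
    hits = []
    url = event.get("url", "")
    if url:
        host = urlsplit(url).hostname or ""
        if any(host == d or host.endswith("." + d) for d in DOMAINS):
            hits.append("domain")
        if any(p.match(url) for p in URL_PATTERNS):
            hits.append("url_template")
    if event.get("sha256", "").lower() in HASHES:
        hits.append("sha256")
    return hits


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"url": "http://46.229.55.63/svch.php?li=DESKTOP-1A2B..jdoe"},
    {"url": "https://cdn.jacknwoods.com/update.bin"},
    {"url": "http://46.229.55.63/svch.php?li=nodelimiter"},
    {"sha256": "55F75724386DBE740C0B868DA913AF2C8B280335DA4FDE64E2300C776B79D4E8"},
]
```

Before reusing the advisory's `like` clauses in another platform, check how that platform treats `%` in a pattern, since the same character is a wildcard in SQL-style LIKE and a literal in the implant's URL template.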

    Reference:

    https://www.proofpoint.com/us/blog/threat-insight/bitter-end-unraveling-eight-years-espionage-antics-part-one


    Tags: Threat Actor, TA397, Bitter, South Asia, India
