Date: 06/09/2025
Severity: High
Summary
TA397 (also known as Bitter) is an espionage-focused threat group with a consistent track record of targeting entities in South Asia. Although commonly linked to India, the basis for that attribution has not been thoroughly documented. The referenced Proofpoint blog presents new evidence supporting TA397's alignment with Indian interests and reveals previously unreported instances of the group's activity beyond Asia. Part one of the series covers TA397's targeting strategy, campaign techniques, payload delivery mechanisms, and a detailed examination of its infrastructure. The indicators below are taken from that report.
Indicators of Compromise (IOC) List
Domains:
mnemautoregsvc.com
jacknwoods.com
inizdesignstudio.com
trkswqsservice.com
utizviewstation.com
blucollinsoutien.com
princecleanit.com
woodstocktutors.com
warsanservices.com
headntale.com
URLs:
http://46.229.55.63/svch.php?li=%computername%..%username%
http://95.169.180.122/vbgf.php?mo=%computername%--%username%
Note: %computername% and %username% in the two URLs are Windows environment-variable placeholders that the implant expands at runtime (for example svch.php?li=HOSTNAME..user). Proxy and DNS logs will contain the expanded values, so match on the IP address and script path rather than on the literal placeholder text.
SHA-256 hashes:
1b67fc55fd050d011d6712ac17315112767cac8bbe059967b70147610933b6c1
7c5dde52845ecae6c80c70af2200d34ef0e1bc6cbf3ead1197695b91acd22a67
b56385dc93cc8f317ce499539b0d52aa0b3d8b6a8f9493e1ee7ba01765edd020
80b3a71138c34474725bbb177d8dec078effb7d8f4b19bf2e7a881b01ec7d323
55f75724386dbe740c0b868da913af2c8b280335da4fde64e2300c776b79d4e8
cdddbd65dbb24d3b9205e417cc267007bfd0369c316f70d2749887b9f02e949b
1fbf95ccf1193e84d0e4f8c315816dd2aec56edb11ef1e7b28667360ca7e5ccd
5a39f10d2e4c1cae1b52baff0cf8b3e397da2e69cb90e1bac138e8d437cbea41
cc65fac9151fa527bc4b296f699475554ee2510572b8c16d5ef4b472a4cb9ffc
680c99915d478ed8d9f1427b3deb2ebd255a6ec614ad643909ab4c01f52905ae
c9612051b3956ac8722d8be7994634b7c940be07ca26e2fc8d0d5c94db2e4682
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Domains/URLs:
domainname like "http://95.169.180.122/vbgf.php?mo=%computername%--%username%" or url like "http://95.169.180.122/vbgf.php?mo=%computername%--%username%" or siteurl like "http://95.169.180.122/vbgf.php?mo=%computername%--%username%"
or domainname like "jacknwoods.com" or url like "jacknwoods.com" or siteurl like "jacknwoods.com"
or domainname like "headntale.com" or url like "headntale.com" or siteurl like "headntale.com"
or domainname like "mnemautoregsvc.com" or url like "mnemautoregsvc.com" or siteurl like "mnemautoregsvc.com"
or domainname like "utizviewstation.com" or url like "utizviewstation.com" or siteurl like "utizviewstation.com"
or domainname like "princecleanit.com" or url like "princecleanit.com" or siteurl like "princecleanit.com"
or domainname like "blucollinsoutien.com" or url like "blucollinsoutien.com" or siteurl like "blucollinsoutien.com"
or domainname like "http://46.229.55.63/svch.php?li=%computername%..%username%" or url like "http://46.229.55.63/svch.php?li=%computername%..%username%" or siteurl like "http://46.229.55.63/svch.php?li=%computername%..%username%"
or domainname like "trkswqsservice.com" or url like "trkswqsservice.com" or siteurl like "trkswqsservice.com"
or domainname like "warsanservices.com" or url like "warsanservices.com" or siteurl like "warsanservices.com"
or domainname like "inizdesignstudio.com" or url like "inizdesignstudio.com" or siteurl like "inizdesignstudio.com"
or domainname like "woodstocktutors.com" or url like "woodstocktutors.com" or siteurl like "woodstocktutors.com"
Note: the two URL terms carry the literal placeholders %computername% and %username%. In a like clause the % characters act as wildcards, but the words computername and username are still required as literal substrings, so these terms will not match the expanded URLs seen in real telemetry. To catch live beacons, match on the host (46.229.55.63, 95.169.180.122) and the script path (/svch.php, /vbgf.php) instead. The domain terms are exact-string comparisons and will not match subdomains unless a wildcard is added.
Hash:
sha256hash IN ("7c5dde52845ecae6c80c70af2200d34ef0e1bc6cbf3ead1197695b91acd22a67","1b67fc55fd050d011d6712ac17315112767cac8bbe059967b70147610933b6c1","b56385dc93cc8f317ce499539b0d52aa0b3d8b6a8f9493e1ee7ba01765edd020","80b3a71138c34474725bbb177d8dec078effb7d8f4b19bf2e7a881b01ec7d323","55f75724386dbe740c0b868da913af2c8b280335da4fde64e2300c776b79d4e8","cdddbd65dbb24d3b9205e417cc267007bfd0369c316f70d2749887b9f02e949b","1fbf95ccf1193e84d0e4f8c315816dd2aec56edb11ef1e7b28667360ca7e5ccd","5a39f10d2e4c1cae1b52baff0cf8b3e397da2e69cb90e1bac138e8d437cbea41","cc65fac9151fa527bc4b296f699475554ee2510572b8c16d5ef4b472a4cb9ffc","680c99915d478ed8d9f1427b3deb2ebd255a6ec614ad643909ab4c01f52905ae","c9612051b3956ac8722d8be7994634b7c940be07ca26e2fc8d0d5c94db2e4682")
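The following is an added example, not Gurucul's or Proofpoint's code, showing how the IOC list above can be applied to raw telemetry without the two pitfalls of the literal queries: the %computername% / %username% placeholders are converted to a pattern that matches the expanded URL, and domain indicators match any subdomain of the listed domain. The log events are constructed for illustration; the indicators are the ones on this page.

```python
"""Match the TA397 (Bitter) indicators from this advisory against sample telemetry.

Added example, not Gurucul's or Proofpoint's code. The event lines below are
constructed for illustration; the indicators are the ones listed in the IOC section.
"""
import re
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Domain indicators from the IOC list.
IOC_DOMAINS = {
    "mnemautoregsvc.com", "jacknwoods.com", "inizdesignstudio.com",
    "trkswqsservice.com", "utizviewstation.com", "blucollinsoutien.com",
    "princecleanit.com", "woodstocktutors.com", "warsanservices.com",
    "headntale.com",
}

# Templated C2 URLs. %computername% and %username% are expanded by the implant at
# runtime, so a literal comparison against these strings never fires on real logs.
IOC_URL_TEMPLATES = [
    "http://46.229.55.63/svch.php?li=%computername%..%username%",
    "http://95.169.180.122/vbgf.php?mo=%computername%--%username%",
]

# SHA-256 indicators; the set drops the duplicate entry present in the published list.
IOC_SHA256 = {h.lower() for h in (
    "1b67fc55fd050d011d6712ac17315112767cac8bbe059967b70147610933b6c1",
    "7c5dde52845ecae6c80c70af2200d34ef0e1bc6cbf3ead1197695b91acd22a67",
    "b56385dc93cc8f317ce499539b0d52aa0b3d8b6a8f9493e1ee7ba01765edd020",
    "80b3a71138c34474725bbb177d8dec078effb7d8f4b19bf2e7a881b01ec7d323",
    "55f75724386dbe740c0b868da913af2c8b280335da4fde64e2300c776b79d4e8",
    "cdddbd65dbb24d3b9205e417cc267007bfd0369c316f70d2749887b9f02e949b",
    "1fbf95ccf1193e84d0e4f8c315816dd2aec56edb11ef1e7b28667360ca7e5ccd",
    "55f75724386dbe740c0b868da913af2c8b280335da4fde64e2300c776b79d4e8",
    "5a39f10d2e4c1cae1b52baff0cf8b3e397da2e69cb90e1bac138e8d437cbea41",
    "cc65fac9151fa527bc4b296f699475554ee2510572b8c16d5ef4b472a4cb9ffc",
    "680c99915d478ed8d9f1427b3deb2ebd255a6ec614ad643909ab4c01f52905ae",
    "c9612051b3956ac8722d8be7994634b7c940be07ca26e2fc8d0d5c94db2e4682",
)}


def template_to_regex(template: str) -> "re.Pattern[str]":
    """Turn a %placeholder%-templated URL into a regex matching its expanded form.

    Each %name% becomes a run of non-space, non-'&' characters; the fixed parts
    (host, script path, parameter name, separators) are matched literally.
    """
    fixed_parts = re.split(r"%[A-Za-z0-9_]+%", template)
    pattern = r"[^&\s]+".join(re.escape(part) for part in fixed_parts)
    return re.compile("^" + pattern + "$", re.IGNORECASE)


URL_PATTERNS = [template_to_regex(t) for t in IOC_URL_TEMPLATES]


def domain_matches(host: str) -> Optional[str]:
    """Return the listed domain that `host` equals or is a subdomain of, else None."""
    host = host.lower().rstrip(".")
    for domain in IOC_DOMAINS:
        if host == domain or host.endswith("." + domain):
            return domain
    return None


def match_event(event_type: str, value: str) -> Optional[str]:
    """Return the indicator an event hits, or None."""
    if event_type == "sha256":
        digest = value.lower()
        return digest if digest in IOC_SHA256 else None
    if event_type == "url":
        for pattern, template in zip(URL_PATTERNS, IOC_URL_TEMPLATES):
            if pattern.match(value):
                return template
        return domain_matches(urlsplit(value).hostname or "")
    return None


def scan(events: str) -> List[Tuple[str, str, str]]:
    """Scan newline-delimited '<timestamp> <type> <value>' events; return hits."""
    hits = []
    for line in events.splitlines():
        if not line.strip():
            continue
        timestamp, event_type, value = line.split(" ", 2)
        indicator = match_event(event_type, value)
        if indicator:
            hits.append((timestamp, value, indicator))
    return hits


# Constructed sample telemetry (hostnames, users and the unknown hash are invented).
SAMPLE_EVENTS = """\
2025-06-09T10:01:02Z url http://46.229.55.63/svch.php?li=WS-FIN-07..jdoe
2025-06-09T10:01:05Z url https://update.jacknwoods.com/check
2025-06-09T10:02:11Z url http://95.169.180.122/vbgf.php?mo=LAPTOP12--asmith
2025-06-09T10:03:40Z url https://www.example.org/index.html
2025-06-09T10:04:00Z sha256 7C5DDE52845ECAE6C80C70AF2200D34EF0E1BC6CBF3EAD1197695B91ACD22A67
2025-06-09T10:04:01Z sha256 0000000000000000000000000000000000000000000000000000000000000000
"""

if __name__ == "__main__":
    for ts, value, indicator in scan(SAMPLE_EVENTS):
        print(f"{ts}  {value}  <- {indicator}")
```

Run as-is it reports four hits: the two expanded C2 beacons, the subdomain of jacknwoods.com, and the upper-cased copy of a listed hash. The query language in the advisory can express the same intent by matching on host and path with wildcards instead of on the literal placeholder strings.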
Reference:
https://www.proofpoint.com/us/blog/threat-insight/bitter-end-unraveling-eight-years-espionage-antics-part-one