Cisco Talos has observed an ongoing malicious campaign since August 2021 from the Bitter APT group that appears to target users in Bangladesh, a change from the attackers' usual victims. As part of this, there is a new trojan, based on Apost, that Talos is calling "ZxxZ," which, among other features, includes remote file execution capability. Based on the similarities between the C2 server in this campaign and that of Bitter's previous campaign, we assess with moderate confidence that this campaign is operated by the Bitter APT group.

Executive Summary
Cisco Talos discovered an ongoing campaign, active since August 2021, operated by what we believe is the Bitter APT group. This campaign is a typical example of the actor targeting South Asian government entities.
This campaign targets an elite unit of Bangladesh's government with a themed lure document that purports to relate to the regular operational tasks of the victim's organization. The lure document is delivered by spear-phishing email sent to high-ranking officers of the Rapid Action Battalion Unit of the Bangladesh police (RAB). The emails contain either a malicious RTF document or a Microsoft Excel spreadsheet weaponized to exploit known vulnerabilities. Once