Headline
Bitter APT adds Bangladesh to their targets
Cisco Talos has observed an ongoing malicious campaign since August 2021 from the Bitter APT group that appears to target users in Bangladesh, a change from the attackers’ usual victims.As part of this, there’s a new trojan based on Apost Talos is calling “ZxxZ,” that, among other…
[[ This is only the beginning! Please visit the blog for the complete entry ]]
- Cisco Talos has observed an ongoing malicious campaign since August 2021 from the Bitter APT group that appears to target users in Bangladesh, a change from the attackers’ usual victims.
- As part of this, there’s a new trojan based on Apost Talos is calling “ZxxZ,” that, among other features, includes remote file execution capability.
- Based on the similarities between the C2 server in this campaign with that of Bitter’s previous campaign, we assess with moderate confidence that this campaign is operated by the Bitter APT group.
Executive Summary
Cisco Talos discovered an ongoing campaign operated by what we believe is the Bitter APT group since August 2021. This campaign is a typical example of the actor targeting South Asian government entities.
This campaign targets an elite unit of the Bangladesh’s government with a themed lure document alleging to relate to the regular operational tasks in the victim’s organization. The lure document is a spear-phishing email sent to high-ranking officers of the Rapid Action Battalion Unit of the Bangladesh police (RAB). The emails contain either a malicious RTF document or a Microsoft Excel spreadsheet weaponized to exploit known vulnerabilities. Once the victim opens the maldoc, the Equation Editor application is automatically launched to run the embedded objects containing the shellcode to exploit known vulnerabilities described by CVE-2017-11882, CVE-2018-0798 and CVE-2018-0802 — all in Microsoft Office — then downloads the trojan from the hosting server and runs it on the victim’s machine. The trojan masquerades as a Windows Security update service and allows the malicious actor to perform remote code execution, opening the door to other activities by installing other tools. In this campaign, the trojan runs itself but the actor has other RATs and downloaders in their arsenal.
Such surveillance campaigns could allow the threat actors to access the organization’s confidential information and give their handlers an advantage over their competitors, regardless of whether they’re state-sponsored.
Bitter threat actor
Bitter, also known as T-APT-17, is a suspected South Asian threat actor. They have been active since 2013, targeting energy, engineering and government sectors in China, Pakistan and Saudi Arabia. In their latest campaign, they have extended their targeting to Bangladeshi government entities.
Bitter is mainly motivated by espionage. The adversary typically downloads malware onto compromised endpoints from their hosting server via HTTP and uses DNS to establish contact with the command and control. Bitter is known for exploiting known vulnerabilities in victims’ environments. For example, in 2021, security researchers discovered that the adversary was exploiting the zero-day vulnerability CVE-2021-28310, a security flaw in Microsoft’s Desktop Manager. Bitter is known to target both mobile and desktop platforms. Their arsenal mainly contains Bitter RAT, Artra downloader, SlideRAT and AndroRAT.
Infrastructure
The actor’s infrastructure consists of the C2 server (helpdesk[.]autodefragapp[.]com) and several domains that host the adversary’s malware, which is outlined below.
Domains hosting Bitter APT malware.
The SSL thumbprints are unique for each domain’s certificate. We compiled a list of these SSL thumbprints in the IOCs section of the report. The timeline below shows the various domains based on their certificate creation date.
The C2 host is helpdesk[.]autodefragapp[.]com. Its WhoIs record indicates that the domain autodefragapp[.]com registered it in November 2020, and later updated it on Nov. 3, 2021. We have seen the actor use this C2 in previous campaigns.
The C2 domain resolved to 99[.]83[.]154[.]118 during the period of the campaign. This is a legitimate IP address for the AWS Global Accelerator networking service. Usually, the AWS Global Accelerator provides static IPs to the registrant, which allows the user to redirect traffic to their application or host for improved performance. In this case, we believe that the actor is using the AWS Global Accelerator to redirect traffic to their actual C2 host, which is parked behind the legitimate AWS service. We believe that the actor has employed this technique to conceal their identity.
Attribution
We assess with moderate confidence that this campaign is operated by Bitter based on the use of the same C2 IP address from previous campaigns and similarities in the decrypted strings of the payload, such as module names, payload executable name, paths and the constants.
The 99[.]83[.]154[.]118 IP also hosts mswsceventlog[.]net, according to Cisco Umbrella, a domain that was previously reported as Bitter’s C2 server in a campaign against Pakistani government organizations.
The campaign
Cisco Talos observed an ongoing campaign operated by the Bitter APT group since August 2021 targeting Bangladeshi government personnel with spear-phishing emails. The email contains a maldoc attachment and masquerades as a legitimate email. The sender asks the target to review or verify the attached maldoc, which is either a call data record (CDR), a list of phone numbers, or a list of registered cases. We have seen the actor use these themes in phishing emails in the past.
The maldocs are an RTF document and Microsoft Excel spreadsheets. Examples of the specific subjects of the phishing emails are below.
- Subject: CDR
- Subject: Application for CDR
- Subject: List of Numbers to be verified
- Subject: List of registered cases
The maldocs’ file names are consistent with the phishing emails’ themes, as seen in the list of file names below:
- Passport Fee Dues.xlsx
- List of Numbers to be verified.xlsx
- ASP AVIJIT DAS.doc
- Addl SP Hafizur Rahman.doc
- Addl SP Hafizur Rahman.xlsx
- Registered Cases List.xlsx
Below are two spear-phishing email samples of this campaign.
Phishing email sample 1
Phishing email sample 2
The actor is using JavaMail with the Zimbra web client version 8.8.15_GA_4101 to send the emails. Zimbra is a collaborative software suite that includes an email server and a web client for messaging.
Phishing email header information.
The originating IP address and header information indicates the emails were sent from mail servers based in Pakistan and the actor spoofed the sender details to make the email appear as though it was sent from Pakistani government organizations. The actor exploited a possible vulnerability in the Zimbra mail server. By modifying the Zimbra mail server configuration file, a user can send emails from a non-existing email account/domain. We have compiled a list of fake sender email addresses from this campaign:
- cdrrab13bd@gmail[.]com
- arc@desto[.]gov[.]pk
- so.dc@pc[.]gov[.]pk
- mem_psd@pc[.]gov[.]pk
- chief_pia@pc[.]gov[.]pk
- rab3tikatuly@gmail[.]com
- ddscm2@pof[.]gov[.]pk
The infection chain
The infection chain begins with the spear-phishing email and either a malicious RTF document or an Excel spreadsheet attachment. When the victim opens the attachment, it launches the Microsoft Equation Editor application to execute the equations in the form of OLE objects and connects to the hosting server to download and run the payload.
Malicious RTF infection chain summary.
In the case of a malicious Excel spreadsheet, when the victim opens the file, it launches the Microsoft Equation Editor application to execute the embedded equation object and launches the task scheduler to configure two scheduled tasks. One of the scheduled tasks downloads the trojan “ZxxZ” into the public user’s account space, while the other task runs the "ZxxZ".
Malicious Excel infection chain summary.
The payload runs as a Windows security update service on the victim’s machine and establishes communication with the C2 to remotely download and execute files in the victim’s environment.
RTF document
The Malicious RTF document is weaponized to exploit the stack overflow vulnerability CVE-2017-11882, which enables arbitrary code execution on victims’ machines running vulnerable versions of Microsoft Office. Our previous blog outlines how this particular exploit works in the victim’s environment.
Malicious RTF document sample.
The RTF document is embedded with an OLE object with the class name “Equation 3.0.” It contains the shellcode as an equation formula created using Microsoft Equation Editor.
Embedded Microsoft Equation object.
When the victim opens the RTF file with Microsoft Word, it invokes the Equation Editor application and executes the equation formula containing the Return-Oriented Programming (ROP) gadgets. The ROP loads and executes the shell code located at the end of the maldocs in an encrypted format that connects to the malicious host olmajhnservice[.]com and downloads the payload from the URL hxxp[:]//olmajhnservice[.]/nxl/nx. The payload is downloaded in the folder “C:\$Utf” created by the shellcode and runs as a process on the victim’s machine.
Download URL captured during runtime of the maldoc.
Excel spreadsheet
The malicious Excel spreadsheet is weaponized to exploit the Microsoft Office memory corruption vulnerabilities CVE-2018-0798 and CVE-2018-0802.
When the victim opens the Excel spreadsheet, it launches the Microsoft Equation Editor application to execute the embedded Microsoft Equation 3.0 objects.
Malicious Excel spreadsheet.
Once the Microsoft Equation Editor service executes the embedded objects, it invokes the scheduled task service to configure the task scheduler with the commands shown below:
Task 1: Rdx
Task 2: RdxFac
The actor creates the folder "RdxFact ‘’ in the Windows tasks folder and schedules two tasks with the task names "Rdx ‘’ and "RdxFac ‘’ to run every five minutes. When the first task runs, the victim’s machine attempts to connect to the hosting server through the URL and, using the cURL utility, downloads the “RdxFactory.exe” into the public user profile’s music folder. RdxFactory.exe is the trojan downloader.
After five minutes of execution of the first task, "Rdx,", the second task, "RdxFac,"runs to start the payload.
Based on other related samples we discovered, the actor also uses different folder names, tasks names and dropper file names in their campaigns.
We noticed that the actor is using the cURL command-line utility to download the payload in the Windows environment. Systems running Windows 10 and later have the cURL utility, which the actor abuses in this campaign.
The payload
The payload is a 32-bit Windows executable compiled in Visual C++ with a timestamp of Sept. 10, 2021. We named the trojan “ZxxZ” based on the name of a separator that the payload uses while sending information to the C2. This trojan is a downloader that downloads and executes the remote file. The executables were seen with the filenames "Update.exe", “ntfsc.exe” or “nx” in this campaign. They are either downloaded or dropped into the victim’s “local application data” folder and run as a Windows Security update with medium integrity to elevate the privileges of a standard user.
The actor uses common encoding techniques to obfuscate strings in the WinMain function to hide its behavior from static analysis tools.
WinMain function snippet.
The decryption function receives the encrypted strings and decrypts each character with the XOR operation and stores the result in an array that will be returned to the caller function.
Decryption function.
The malware searches for the Windows Defender and Kaspersky antivirus processes in the victim’s machine by creating the snapshot of running processes using CreateToolhelp32Snapshot and iterates through each process using API Process32First and Process32Next.
WinMain() snippet showing antivirus process detection.
The information-gathering function gathers the victim’s hostname, operating system product name, and the victim’s username and writes them into a memory buffer.
Information-gathering function.
The C2 communicating function at offset 401C50 is called from the two other requests making functions to send the victim’s information with the decrypted strings “xnb/dxagt5avbb2.php?txt=” and “data1.php?id=” to C2 and receive the response.
The received response is a remote file saved into the “debug” folder and executed with the API "ShellExecuteA". In our research debugging environment, the remote file is similar to the trojan.
Requests making function 1 at offset 00401E00.
Requests making function 2 at offset 00402130.
C2 communication
For C2 communication, first, the trojan sends the victim’s computer name, user name, a separator “ZxxZ” and the Windows version pulled from the registry. The server responds back with data in the format <id><user>:"<Program name">.
Next, the malware requests the program data. The server sends back the data of the Portable Executable effectively matching the pattern:<zero or more bytes>ZxxZ<PE data minus the MZ>. It then saves the file to %LOCALAPPDATA%\Debug\<program name>.exe and tries to execute it.
Request sent to C2.
If the download is successful, the server sends back the request with the opcode DN-S and, in case of a failure, the opcode RN_E in their response. Based on our analysis, the opdoce DN-S means “download successful” and RN_E stands for run error. If failed, the malware attempts to download the program data 225 times, and after that, it will launch itself and exit.
Conclusion
Organizations should be vigilant about the highly motivated threat actors who are known to conduct targeted attacks in their region. Threat actors usually emerge with smart techniques to accomplish their adversarial objectives and we have seen such an attempt in this campaign with the addition of a new variant to their arsenal.
In this current campaign, upon compromising the victim’s machine and implanting the trojan ZxxZ - which has remote file execution capability - the adversary can deploy and run other tools from their arsenal to achieve their malicious objective.
Organizations should have a layered defense strategy with the implementation of the latest detection rules and behavioral protections in their endpoint defense solutions - not only with technical controls, but the organizations should have matured incident response plans and have the organization’s security posture streamlined to protect their environment against the latest threats.
Coverage
Ways our customers can detect and block this threat are listed below.
Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.
Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.
Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.
Cisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically and alerts users of potentially unwanted activity on every connected device.
Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.
Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.
Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.
Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.
The following ClamAV signatures have been released to detect this threat:
Ole2.Exploit.ZxxZDownloader-9944376-0
Win.Downloader.ZxxZ-9944378-0
Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.
Snort SIDs for this threat are 59736 and 300132.
IOC****Domains
olmajhnservice[.]com
levarisnetqlsvc[.]net
urocakpmpanel[.]com
tomcruefrshsvc[.]com
autodefragapp[.]com
helpdesk[.]autodefragapp[.]com
URLs
http[://]autodefragapp[.]com/
hxxp[://]olmajhnservice[.]com/updateReqServ10893x[.]php?x=035347
hxxp[://]olmajhnservice[.]com/
hxxps[://]olmajhnservice[.]com/nt[.]php/?dt=%25computername%25-BKP&ct=BKP
hxxp[://]olmajhnservice[.]com/nxl/nx
hxxp[://]olmajhnservice[.]com/nxl/nx/
hxxp[://]olmajhnservice[.]com/nt[.]php/?dt=
hxxps[://]olmajhnservice[.]com/nt[.]php/?dt=%25computername%25-EX-2&ct=2
hxxps[://]olmajhnservice[.]com/
hxxps[://]olmajhnservice[.]com/nt[.]php/?dt=%25computername%25-EX-1
hxxps[://]olmajhnservice[.]com/nt[.]php/?dt=%25computername%25-EX-1&
hxxp[://]olmajhnservice[.]com/nt[.]php?dt=%25computername%25-ex-1&
hxxp[://]olmajhnservice[.]com/nt[.]php
hxxp[://]olmajhnservice[.]com/nt[.]php/
hxxp[://]olmajhnservice[.]com/nt[.]php/?dt=%25username%25-EX-3ct=1
hxxps[://]olmajhnservice[.]com/nt[.]php/?dt=%25computername%25-EX-1&ct=1
hxxps[://]olmajhnservice[.]com/nt[.]php/?dt=%25computername%25-EX-1&ct=1
hxxps[://]olmajhnservice[.]com/nt[.]php/
hxxps[://]olmajhnservice[.]com/nt[.]php/?dt=%25computername%25-EX-3&ct=3
hxxps[://]olmajhnservice[.]com/nt[.]php/?dt=%25username%25-EX-3&ct=1
hxxps[://]olmajhnservice[.]com/nt[.]php/?dt=%25username%25-EX-3&ct=1
hxxp[://]levarisnetqlsvc[.]net/drw/drw
hxxp[://]levarisnetqlsvc[.]net/lt[.]php
hxxp[://]levarisnetqlsvc[.]net/
hxxps[://]levarisnetqlsvc[.]net/lt[.]php
hxxp[://]levarisnetqlsvc[.]net/jig/gij
hxxps[://]levarisnetqlsvc[.]net/lt[.]php/?dt=%25computername%25-LT-2&ct=LT
hxxp[://]urocakpmpanel[.]com/axl/ax
hxxp[://]urocakpmpanel[.]com/nt[.]php?dt=%25computername%25-****
hxxps[://]urocakpmpanel[.]com/
hxxp[://]urocakpmpanel[.]com/nt[.]php/?dt=%25computername%25-****
hxxps[://]urocakpmpanel[.]com/nt[.]php/?dt=%25computername
hxxp[://]urocakpmpanel[.]com/
hxxp[://]urocakpmpanel[.]com:33324/
hxxps[://]urocakpmpanel[.]com/nt[.]php
SSL Certificates Thumbprints
0cbf8c7ff9faf01a9b5c3874e9a9d49cbbf5037b
25092b60d972e574ed593a468564de2394fa008b
4fbde39a0735d1ad757038072cf541dfdc65faa3
5a972665b590cc77dcdfb4500c04acda5dc1cc4e
530f597666afc147886f5ad651b5071d0cc894ba
04a75df9b60290efb1a2d934570ad203a23f4e9c
aeb02ac0c0f0793651f32a3c0f594ce79ba99e82
Documents
b0b687977eee41ee7c3ed0d9d179e8c00181f0c0db64eebc0005a5c6325e8a82
f7ed5eec6d1869498f2fca8f989125326b2d8cee8dcacf3bc9315ae7566963db
490e9582b00e2622e56447f76de4c038ae0b658a022e6bc44f9eb0ddf0720de6
b7765ff16309baacff3b19d1a1a5dd7850a1640392f64f19353e8a608b5a28c5
ce922a20a73182c18101dae7e5acfc240deb43c1007709c20ea74c1dd35d2b12
e4545764e0c54ed1e1321a038fa2c1921b5b70a591c95b24127f1b9de7212af8
Payload
fa0ed2faa3da831976fee90860ac39d50484b20bee692ce7f0ec35a15670fa92
3fdf291e39e93305ebc9df19ba480ebd60845053b0b606a620bf482d0f09f4d3
69b397400043ec7036e23c225d8d562fdcd3be887f0d076b93f6fcaae8f3dd61
90fd32f8f7b494331ab1429712b1735c3d864c8c8a2461a5ab67b05023821787
Related news
SmokeLoader malware has resurfaced with enhanced capabilities and functionalities, targeting your personal data.
The long-active, India-sponsored cyber-threat group targeted multiple entities across Asia, Africa, the Middle East, and even Europe in a recent attack wave that demonstrated the use of a previously unknown post-exploit tool called StealerBot.
Users of Chinese instant messaging apps like DingTalk and WeChat are the target of an Apple macOS version of a backdoor named HZ RAT. The artifacts "almost exactly replicate the functionality of the Windows version of the backdoor and differ only in the payload, which is received in the form of shell scripts from the attackers' server," Kaspersky researcher Sergey Puzan said. HZ RAT was first
The nation-state threat actor known as SideWinder has been attributed to a new cyber espionage campaign targeting ports and maritime facilities in the Indian Ocean and Mediterranean Sea. The BlackBerry Research and Intelligence Team, which discovered the activity, said targets of the spear-phishing campaign include countries like Pakistan, Egypt, Sri Lanka, Bangladesh, Myanmar, Nepal, and the
The North Korea-linked threat actor known as Kimsuky has been linked to the use of a new malicious Google Chrome extension that's designed to steal sensitive information as part of an ongoing intelligence collection effort. Zscaler ThreatLabz, which observed the activity in early March 2024, has codenamed the extension TRANSLATEXT, highlighting its ability to gather email addresses, usernames,
The U.S. Justice Department (DoJ) on Friday announced the seizure of online infrastructure that was used to sell a remote access trojan (RAT) called Warzone RAT. The domains – www.warzone[.]ws and three others – were "used to sell computer malware used by cybercriminals to secretly access and steal data from victims' computers," the DoJ said. Alongside the takedown, the
The threat actor referred to as Cloud Atlas has been linked to a set of spear-phishing attacks on Russian enterprises. Targets included a Russian agro-industrial enterprise and a state-owned research company, according to a report from F.A.C.C.T., a standalone cybersecurity company formed after Group-IB's formal exit from Russia earlier this year. Cloud Atlas, active since at
Attackers are weaponizing an old Microsoft Office vulnerability as part of phishing campaigns to distribute a strain of malware called Agent Tesla. The infection chains leverage decoy Excel documents attached in invoice-themed messages to trick potential targets into opening them and activate the exploitation of CVE-2017-11882 (CVSS score: 7.8), a memory corruption vulnerability in Office's
Hello everyone! On the last day of September, I decided to record another retrospective episode on how my Vulnerability Management month went. Alternative video link (for Russia): https://vk.com/video-149273431_456239136 September was quite a busy month for me. Vulnerability Management courses I participated in two educational activities. The first one is an on-line cyber security course for […]
Targets located in Azerbaijan have been singled out as part of a new campaign that's designed to deploy Rust-based malware on compromised systems. Cybersecurity firm Deep Instinct is tracking the operation under the name Operation Rusty Flag. It has not been associated with any known threat actor or group. "The operation has at least two different initial access vectors," security researchers
By Deeba Ahmed FortiGuard Discovers Phishing Campaign Distributing New Agent Tesla Variant to Windows Devices. This is a post from HackRead.com Read the original post: New Agent Tesla Variant Uses Excel Exploit to Infect Windows PCs
The Iranian threat actor tracked as APT34 has been linked to a new phishing attack that leads to the deployment of a variant of a backdoor called SideTwist. “APT34 has a high level of attack technology, can design different intrusion methods for different types of targets, and has supply chain attack capability,” NSFOCUS Security Labs said in a report published last week. APT34, also known by
Hello everyone! This month I decided NOT to make an episode completely dedicated to Microsoft Patch Tuesday. Instead, this episode will be an answer to the question of how my Vulnerability Management month went. A retrospection of some kind. Alternative video link (for Russia): https://vk.com/video-149273431_456239134 GitHub exploits and Vulristics This month I made some improvements […]
A lack of website protections, Sender Policy Framework (SPF) records, and DNSSEC configurations leave companies open to phishing and data exfiltration attacks.
By Deeba Ahmed An APT group known as Tonto Team has tried targeting the Singapore-based Group-IB cybersecurity firm for the second time. This is a post from HackRead.com Read the original post: Chinese Hackers Keep Targeting Group-IB Cybersecurity Firm
CISA’s Known Exploited Vulnerabilities Catalog has become a valuable repository of vulnerabilities to be patched. A pair of reports analyze the vulnerabilities under attack to understand the kind of threats organizations should be prioritizing.
Fake travel reservations are exacting more pain from the travel weary, already dealing with the misery of canceled flights and overbooked hotels.
A financially motivated cybercrime group has been linked to an ongoing wave of attacks aimed at hospitality, hotel, and travel organizations in Latin America with the goal of installing malware on compromised systems. Enterprise security firm Proofpoint, which is tracking the group under the name TA558 dating all the way back to April 2018, called it a "small crime threat actor." "Since 2018,
The most heavily targeted flaw last quarter was a remote code execution vulnerability in Microsoft Office that was disclosed and patched four years ago.
Over a dozen military-industrial complex enterprises and public institutions in Afghanistan and Europe have come under a wave of targeted attacks since January 2022 to steal confidential data by simultaneously making use of six different backdoors. Russian cybersecurity firm Kaspersky attributed the attacks "with a high degree of confidence" to a China-linked threat actor tracked by Proofpoint
By Deeba Ahmed Research reveals that around 80% of all malware attacks used MS Office flaws. Atlas VPN has shared its… This is a post from HackRead.com Read the original post: Microsoft Office Most Exploited Software in Malware Attacks – Report
Military entities located in Bangladesh continue to be at the receiving end of sustained cyberattacks by an advanced persistent threat tracked as Bitter. "Through malicious document files and intermediate malware stages the threat actors conduct espionage by deploying Remote Access Trojans," cybersecurity firm SECUINFRA said in a new write-up published on July 5. The findings from the
The dangerous malware appears to be well and truly back in action, sporting new variants and security-dodging behaviors in a wave of recent phishing campaigns.
The malware is using spreadsheets, documents, and other types of Microsoft Office attachments in a new and improved version that is often able to bypass email gateway-security scanners.
An "aggressive" advanced persistent threat (APT) group known as SideWinder has been linked to over 1,000 new attacks since April 2020. "Some of the main characteristics of this threat actor that make it stand out among the others, are the sheer number, high frequency and persistence of their attacks and the large collection of encrypted and obfuscated malicious components used in their
Notable new infection chain uses PDF to embed malicious files, load remote exploits, shellcode encryption, and more, new research shows.
Microsoft Word also leveraged in the email campaign, which uses a 22-year-old Office RCE bug.
An espionage-focused threat actor known for targeting China, Pakistan, and Saudi Arabia has expanded to set its sights on Bangladeshi government organizations as part of an ongoing campaign that commenced in August 2021. Cybersecurity firm Cisco Talos attributed the activity with moderate confidence to a hacking group dubbed the Bitter APT based on overlaps in the command-and-control (C2)