ctipilot.ch

Bitter

actor · actor:bitter

India-nexus espionage actor (Recorded Future TAG-179; Kaspersky 'Mysterious Elephant'; Qihoo 360 APT-C-08) observed by SentinelLabs deploying Remcos against Pakistani law-enforcement targets 2024-2026; diversifying TTPs since early 2025.

Aliases: TAG-179, Mysterious Elephant, APT-C-08

Coverage timeline
1
first 2026-07-10 → last 2026-07-10
Peak priority
notable
1 notable
Sources cited
2
2 hosts
Sections touched
1
research
Co-occurring entities
0
no co-occurrence
ATT&CK techniques
4
pinned v19.1 · see below

ATT&CK techniques

4 techniques observed across 1 entry — derived from entry metadata and body evidence, never asserted without a published entry behind it · pinned to MITRE ATT&CK v19.1 · compare on the matrix · Navigator layer (JSON)

Initial Access TA0001

T1189Drive-by Compromise×1

Adversaries may gain access to a system through a user visiting a website over the normal course of browsing. Multiple ways of delivering exploit code to a browser exist (i.e., Drive-by Target), including:

Evidence: 2026-07-10/e-government-portal-watering-hole-cms-implant-espionage · ATT&CK page ↗

Stealth TA0005

T1036Masquerading×1

Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.

Evidence: 2026-07-10/e-government-portal-watering-hole-cms-implant-espionage · ATT&CK page ↗

T1620Reflective Code Loading×1

Adversaries may reflectively load code into a process in order to conceal the execution of malicious payloads. Reflective loading involves allocating then executing payloads directly within the memory of the process, vice creating a thread or process backed by a file path on disk (e.g., Shared Modules).

Evidence: 2026-07-10/e-government-portal-watering-hole-cms-implant-espionage · ATT&CK page ↗

Command and Control TA0011

T1071.001Application Layer Protocol: Web Protocols×1

Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.

Evidence: 2026-07-10/e-government-portal-watering-hole-cms-implant-espionage · ATT&CK page ↗

Story timeline

  1. 2026-07-10Espionage actors weaponise a citizen-facing e-government complaint portal as a watering hole, serving a fake 'portal update' that reflectively loads a RAT
    researchSentinelLabs: a nation-state actor turned a citizen-and-staff e-government portal into a watering hole with a disguised 'portal update' RAT loader

Where this entity is cited

  • research1

Source distribution

  • sentinelone.com1 (50%)
  • tribune.com.pk1 (50%)

Entries about Bitter (1)

2026-07-10 · view entry permalink →

NOTABLE

Espionage actors weaponise a citizen-facing e-government complaint portal as a watering hole, serving a fake 'portal update' that reflectively loads a RAT

SentinelLabs documented sustained, independent cyberespionage between February 2024 and April 2026 against several Pakistani law-enforcement bodies, and while the victim class carries no direct European nexus, one technique is squarely relevant to any government running citizen-facing digital services: a suspected China-nexus actor planted custom implants directly in a public-facing Complaint Management System (CMS) — a portal used by both police staff and ordinary citizens — turning it into a watering hole (T1189, SentinelLabs, 2026-07-09). The compromised web applications were part of an EU-supported "Smart Police Station" digitalization programme, so the case is a concrete illustration of trusted e-government infrastructure being weaponised against its own users. Two implant variants were deployed: a Rust stager and a .NET executable masquerading as security/portal-update software (T1036) that displays "Update Complete! Please refresh the page" to the victim; the .NET variant reflectively loads AsyncRAT (T1620) configured against separate command-and-control infrastructure (T1071.001). SentinelLabs ties the CMS-implant samples to a Chinese-speaking developer through a shared build-path artefact across related samples, and separately attributes a converging India-nexus intrusion set at the same targets to the actor tracked as Bitter (registry: actor:bitter; aka TAG-179 / Mysterious Elephant / APT-C-08) using Remcos, alongside commodity PlugX, ShadowPad and Cobalt Strike activity (SentinelLabs, 2026-07-09; corroborated by The Express Tribune, 2026-07-09). Per this pipeline's no-IOC policy, the report's C2 addresses are not reproduced here; the transferable content is the technique class, not the indicators.

A suspected China-nexus actor planted implants in one of the web applications, which serves both police staff and citizens, weaponizing a tool of Pakistan's police digitalization against its users.

Many of the web applications hosted on the affected servers are part of the Smart Police Station initiative, an EU-supported effort to modernize Balochistan policing and improve how it serves the public through digitalization.

SentinelLabs (SentinelOne) 2026-07-09
research10 Jul 04:36Zmulti-sourceOpen finding ↗