New evidence links long-running hacking group to Indian government

Researchers say they have uncovered new evidence linking a long-running threat actor known as Bitter to the Indian government. The group has been involved in cyber-espionage operations targeting government and defense organizations across Asia, Europe, and South America.

Although Bitter has been active for years, earlier assessments stopped short of definitively attributing it to the Indian state. The new research highlights stronger technical overlaps and consistent targeting patterns, suggesting it is highly likely that the group spies on behalf of India’s government.

In a two-part report released this week, researchers from U.S.-based Proofpoint and Switzerland-based Threatray said their new findings are based on a series of campaigns conducted between October 2024 and April 2025. During this period, Bitter — also tracked as TA397 — carried out targeted attacks against diplomatic and government entities linked to China, Pakistan and other Indian neighbors.

“The targets, subjects, and lures of TA397’s campaigns … are consistent with activity that is in the intelligence interests of the Indian state,” Proofpoint said, adding that the group “has no qualms” with masquerading as other countries’ governments — including Indian allies — to trick their victims.

The researchers also noted tool-sharing overlaps with other suspected Indian threat actors, including Mysterious Elephant (also known as APT-K-47) and Confucius. All three groups have used a custom malware strain known as ORPCBackdoor, suggesting a shared arsenal or possible coordination under a common development entity.

Despite using relatively unsophisticated malware, Bitter is described as highly active and persistent. Its primary method of attack remains phishing, often leveraging spoofed or compromised diplomatic email accounts. In recent campaigns, the group has impersonated Chinese government agencies, the embassies of Madagascar and Mauritius in China, and South Korea’s foreign ministry, among others.

Researchers observed that TA397’s malware has evolved significantly over the past decade — progressing from basic downloaders to more advanced remote access tools such as MuuyDownloader, BDarkRAT, and MiyaRAT. These tools are largely custom-built and appear to remain under active development as of 2025.

Proofpoint also reported instances of so-called “hands-on-keyboard” activity in recent campaigns — a term referring to real-time interaction by a human operator. The timing of these operations coincided with Indian business hours, further reinforcing the assessment that TA397 is a state-aligned group based in India.