BITTER
G10022 reportsaliases · BITTER · T-APT-17
2
Reports
4
Techniques
3
Tactics
6
Countries
50%
Hunt coverage
2
Aliases
Analyst assessment — key judgments
- Signature techniques: T1590.005 (IP Addresses), T1036 (Masquerading), T1589.001 (Credentials).
- Primary targeting: US, CN, IR, PK.
- Newly emerged: 2 report(s) in last 30d vs 0 prior (+100%).
- Recent movement: 4 new technique(s), 80 new infrastructure indicator(s) in the last 30 days.
- Hunt coverage 50% of 4 observed techniques (2 gap(s)).
- Assessment confidence: medium (60).
Activity & trend
Newly emergedLast 30d: 2 vs 0 prior (+100%)· first reported 2026-07-09 · last 2026-07-13
2
7d
2
30d
2
90d
2
All
0.2
Rpts/wk
Reporting timeline · 12 months
Movement — last 30 days
New techniques
T1590.005T1036T1589.001AML.T0074Targeting gained
CNINIRPKTWUSNew infrastructure
5753274efbf9c3839fafa78f14e19fdchttps://grist.org/politics/data-center-ahttps://www.nytimes.com/2026/05/01/us/pohttps://www.consumerreports.org/data-cenhttps://www.brookings.edu/articles/new-ehttps://www.bloodinthemachine.com/p/workhttps://www.businessinsider.com/data-cenhttps://www.technologyreview.com/2025/05https://about.bnef.com/insights/data-cenhttps://www.deloitte.com/us/en/insights/https://www.businessinsider.com/microsofhttps://www.washingtonpost.com/technologOverview
Analyst triage
Intelligence summary
BITTER is a suspected South Asian cyber espionage threat group that has been active since at least 2013. BITTER has targeted government, energy, and engineering organizations in Pakistan, China, Bangladesh, and Saudi Arabia.(Citation: Cisco Talos Bitter Bangladesh May 2022)(Citation: Forcepoint BITTER Pakistan Oct 2016)
Top co-occurring indicators
Aliases & naming
Targeting · countries
Targeting · named victims
ATT&CK technique matrix
Coverage vs hunt library:
—
Hunt-coverage gaps — prioritized
Top techniques by observation
- T1590.005 · IP Addressesconf 601
- T1036 · Masqueradingconf 601
- T1589.001 · Credentialsconf 601
- AML.T0074 · Masqueradingconf 601
Threat catalogue · engineering roadmap
Flagged detection-engineering queue
Uncovered techniques you flagged for hunt / detection build-out, aggregated across every actor you visit. Stored locally in your browser.
Infrastructure
IOC type mix
Tooling / malware families
Relationships
Activity
30-day mention timeline
Recent reporting
| Title | Source | Severity | Collected |
|---|