THREATOPS Actor Dossier
LIVE ← Dashboard

BITTER

G10022 reports
aliases · BITTER · T-APT-17
Export dossier:
2
Reports
4
Techniques
3
Tactics
6
Countries
50%
Hunt coverage
2
Aliases

Analyst assessment — key judgments

  • Signature techniques: T1590.005 (IP Addresses), T1036 (Masquerading), T1589.001 (Credentials).
  • Primary targeting: US, CN, IR, PK.
  • Newly emerged: 2 report(s) in last 30d vs 0 prior (+100%).
  • Recent movement: 4 new technique(s), 80 new infrastructure indicator(s) in the last 30 days.
  • Hunt coverage 50% of 4 observed techniques (2 gap(s)).
  • Assessment confidence: medium (60).

Activity & trend

Newly emergedLast 30d: 2 vs 0 prior (+100%)· first reported 2026-07-09 · last 2026-07-13
2
7d
2
30d
2
90d
2
All
0.2
Rpts/wk
Reporting timeline · 12 months

Movement — last 30 days

New techniques
T1590.005T1036T1589.001AML.T0074
Targeting gained
CNINIRPKTWUS
New infrastructure
5753274efbf9c3839fafa78f14e19fdchttps://grist.org/politics/data-center-ahttps://www.nytimes.com/2026/05/01/us/pohttps://www.consumerreports.org/data-cenhttps://www.brookings.edu/articles/new-ehttps://www.bloodinthemachine.com/p/workhttps://www.businessinsider.com/data-cenhttps://www.technologyreview.com/2025/05https://about.bnef.com/insights/data-cenhttps://www.deloitte.com/us/en/insights/https://www.businessinsider.com/microsofhttps://www.washingtonpost.com/technolog

Overview

Analyst triage
Intelligence summary

BITTER is a suspected South Asian cyber espionage threat group that has been active since at least 2013. BITTER has targeted government, energy, and engineering organizations in Pakistan, China, Bangladesh, and Saudi Arabia.(Citation: Cisco Talos Bitter Bangladesh May 2022)(Citation: Forcepoint BITTER Pakistan Oct 2016)

Top co-occurring indicators
    Aliases & naming
      Targeting · countries
        Targeting · named victims

          ATT&CK technique matrix

          Coverage vs hunt library:
          Hunt-coverage gaps — prioritized

            Top techniques by observation

            Threat catalogue · engineering roadmap0

            Flagged detection-engineering queue

            Uncovered techniques you flagged for hunt / detection build-out, aggregated across every actor you visit. Stored locally in your browser.

              No techniques queued yet — flag a gap above to add it here.

              Infrastructure

              IOC type mix
              Tooling / malware families
                Tracked infrastructure

                Relationships

                Related actors (behavioral cluster)
                  Attributed malware
                  Campaigns
                  No behavioral cluster, attributed malware, or campaigns recorded for this actor yet.

                  Activity

                  30-day mention timeline
                  Recent reporting
                  TitleSourceSeverityCollected