Sophisticated TA397 Malware Targets Turkish Defense Sector

A sophisticated phishing attack targeting a Turkish defense sector organization was recently uncovered by security researchers, shedding light on the evolving tactics of threat actor TA397, also known as “Bitter.” 

This campaign, observed by Proofpoint, deployed spear phishing emails containing RAR archives to deliver malware through advanced mechanisms involving NTFS Alternate Data Streams (ADS) and scheduled tasks.

The phishing email used the subject line “PUBLIC INVESTMENTS PROJECTS 2025 _ MADAGASCAR,” a hallmark of TA397's targeted campaigns, which often focus on public sector organizations and infrastructure projects. Inside the attached RAR file, victims found a shortcut (LNK) file disguised as a PDF, a hidden legitimate decoy PDF and two NTFS ADS files.

These components worked together to execute malicious PowerShell commands and establish persistence on the infected system.

When the victim opened the LNK file from the RAR archive, it ran hidden PowerShell commands stored in the ADS titled “Participation.” These commands displayed the legitimate PDF document to the victim while creating a scheduled task called “DsSvcCleanup.”

This task transmitted machine data to a staging domain controlled by TA397, jacknwoods[.]com, every 17 minutes. The attackers responded manually to these transmissions, deploying two types of payloads – WmRAT and MiyaRAT – via downloaded MSI installers.
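As an added example (not code from Proofpoint's report or from this article), the following Python triages the task definition that Windows records when a scheduled task is created (Security event 4698, TaskContent field) for the persistence pattern described above: a trigger repeating every few minutes, an action that launches PowerShell, and an argument that references an NTFS alternate data stream. The two task XML samples, the 30-minute threshold and the stream-path heuristic are constructed assumptions, not indicators from the campaign.

```python
"""Triage scheduled-task XML (event 4698 TaskContent) for a tightly repeating
trigger that launches PowerShell from an alternate data stream (file.ext:stream)."""
import re
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
MAX_BENIGN_INTERVAL_MIN = 30  # assumed threshold; legitimate tasks rarely repeat this often
ADS_RE = re.compile(r"[\w.-]{2,}:[\w.$-]+")  # heuristic for paths like 'decoy.pdf:Participation'
PS_RE = re.compile(r"(?:^|\\)(?:powershell|pwsh)(?:\.exe)?$", re.IGNORECASE)


def interval_minutes(iso_duration):
    """Convert an ISO 8601 duration (PT17M, PT1H30M, P1D) to minutes; None if unparsable."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", iso_duration or "")
    if not m:
        return None
    d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return d * 1440 + h * 60 + mi + s / 60


def triage_task(task_xml):
    """Return the reasons a task definition looks like the beaconing pattern (empty if none)."""
    root = ET.fromstring(task_xml)
    reasons = []
    for interval in root.iterfind(".//t:Repetition/t:Interval", TASK_NS):
        mins = interval_minutes(interval.text)
        if mins is not None and mins <= MAX_BENIGN_INTERVAL_MIN:
            reasons.append(f"repeats every {mins:g} min")
    for action in root.iterfind(".//t:Actions/t:Exec", TASK_NS):
        cmd = action.findtext("t:Command", "", TASK_NS).strip().strip('"')
        args = action.findtext("t:Arguments", "", TASK_NS)
        if PS_RE.search(cmd):
            reasons.append("action launches PowerShell")
        ads = ADS_RE.search(args)
        if ads:
            reasons.append(f"argument references an alternate data stream: {ads.group(0)}")
    return reasons


# Constructed sample modelled on the article's description: 17-minute repeat, PowerShell, ADS path.
SUSPICIOUS_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger><StartBoundary>2024-11-18T10:00:00</StartBoundary>
    <Repetition><Interval>PT17M</Interval></Repetition></TimeTrigger></Triggers>
  <Actions><Exec><Command>powershell.exe</Command>
    <Arguments>-WindowStyle Hidden -NoProfile -File C:\Users\Public\decoy.pdf:Participation</Arguments>
  </Exec></Actions></Task>"""

# Constructed benign comparison: a daily updater with no repetition and no PowerShell action.
BENIGN_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><StartBoundary>2024-11-18T03:00:00</StartBoundary>
    <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
  <Actions><Exec><Command>C:\Program Files\Updater\update.exe</Command></Exec></Actions></Task>"""
```

Calling `triage_task(SUSPICIOUS_TASK_XML)` returns all three findings, while the benign definition returns an empty list; on a real host the XML comes from the 4698 event's TaskContent field or from `Export-ScheduledTask`.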

Advanced Malware in Action

WmRAT, written in C++, supports functions such as exfiltrating files, running arbitrary commands and taking screenshots. MiyaRAT, another C++ malware, features similar capabilities but includes more refined functionality, such as reverse shell commands and advanced directory enumeration.

Both RATs communicate with separate attacker-controlled command-and-control (C2) domains, with MiyaRAT appearing to be reserved for high-value targets.

Network and Attribution

The infrastructure utilized in this campaign included staging and C2 domains, with registration patterns linked to previous TA397 activity. Researchers attribute the campaign to espionage efforts likely supporting a South Asian government, based on historical targeting of defense and public sector organizations in EMEA and APAC regions.

Proofpoint noted that TA397 continues to operate within UTC+5:30 working hours, reinforcing suspicions of its South Asian nexus.
