Pulse Detail — Threat Intelligence

PULSE NAME

Bitter (APT-Q-37) uses diverse means to deliver new backdoor components

WHITE Bitter PetrP.73 2025-10-24 Modified: 2025-10-24

IOCs

MEDIUM VOLUME

Bitter, also known as APT-Q-37, is a threat actor group believed to have South Asian origins, primarily targeting government, military, and electric power sectors in China, Pakistan, and other nations. Their objective revolves around the acquisition of sensitive data. Recently, the Qi'anxin Threat Intelligence Center uncovered attack samples linked to Bitter that utilize varied methods to deploy a C# backdoor capable of receiving arbitrary executable files from a remote server.

MITRE ATT&CK & Malware Families

ATT&CK TECHNIQUES

T1027 T1036 T1059.005 T1105 T1127 T1140 T1204.002 T1566.001 T1574.002 T1583.001

Indicators of Compromise (35)

All CVE FileHash-MD5 FileHash-SHA1 FileHash-SHA256 URL domain hostname

TYPE	INDICATOR	DESCRIPTION	CREATED
CVE	CVE-2025-8088	—	2025-10-24
FileHash-MD5	18164f7b3d320a79b6db634f718a1095	—	2025-10-24
FileHash-MD5	4bedd8e2b66cc7d64b293493ef5b8942	—	2025-10-24
FileHash-MD5	7452fb632fd824f882fa12f9bebd7aa7	—	2025-10-24
FileHash-MD5	b165b489c5f8c4e136364664502d68f1	—	2025-10-24
FileHash-MD5	f16f2e4317c37085cad630d41001f7c3	—	2025-10-24
FileHash-MD5	f6f2fdc38cd61d8d9e8cd35244585967	—	2025-10-24
FileHash-SHA1	1d56efe9744f72cb02cee26dad937796d53fb752	SHA1 of f16f2e4317c37085cad630d41001f7c3	2025-10-24
FileHash-SHA1	59243520bdb500097aea8178b0c6cbe1c4ee5b4f	SHA1 of 7452fb632fd824f882fa12f9bebd7aa7	2025-10-24
FileHash-SHA1	d5fc860bf59dddaac2b81e73017319a6c0dc5049	SHA1 of 4bedd8e2b66cc7d64b293493ef5b8942	2025-10-24
FileHash-SHA1	eb3032c062c9dc36100a4af9a501bc8fc118567d	SHA1 of b165b489c5f8c4e136364664502d68f1	2025-10-24
FileHash-SHA1	fc4e129e63736f10edf9427e7c89e8e454697871	SHA1 of 18164f7b3d320a79b6db634f718a1095	2025-10-24
FileHash-SHA256	1e7ce7c530a1cf4d74a356592f99bde2ca359ed4b4144f32cc69ab705f52e4e2	SHA256 of 7452fb632fd824f882fa12f9bebd7aa7	2025-10-24
FileHash-SHA256	259d6c10c93fa4f734b6ae7cf94a478ebee61d1268bf28befc009e71d609b207	SHA256 of b165b489c5f8c4e136364664502d68f1	2025-10-24
FileHash-SHA256	a39a26838e6bc26502ff0b562a3a098d55c5ad5b6daf4405469ce5e11f2192a4	SHA256 of 4bedd8e2b66cc7d64b293493ef5b8942	2025-10-24
FileHash-SHA256	bb67a4de756336d45ebaa7657a7586b4ebff26c74aba458d62de85c2070f3d90	SHA256 of f16f2e4317c37085cad630d41001f7c3	2025-10-24
FileHash-SHA256	f7e25e5601fdf038aa0840be508cf1d5915cd5317a5513cd7e7c3ae76055839f	SHA256 of 18164f7b3d320a79b6db634f718a1095	2025-10-24
URL	https://msoffice.365cloudz.esanojinjasvc.com/cloudzx/msweb/	—	2025-10-24
URL	https://msoffice.365cloudz.esanojinjasvc.com/cloudzx/msweb/drdxcsv34.php	—	2025-10-24
URL	https://msoffice.365cloudz.esanojinjasvc.com/cloudzx/msweb/drdxcsv34.php.	—	2025-10-24
URL	https://msoffice.365cloudz.esanojinjasvc.com/cloudzx/msweb/drxbds23.php	—	2025-10-24
URL	https://msoffice.365cloudz.esanojinjasvc.com/cloudzx/msweb/drxcvg45.php	—	2025-10-24
URL	https://msoffice.365cloudz.esanojinjasvc.com/cloudzx/msweb/drxcvg45.php.	—	2025-10-24
URL	https://teamlogin.esanojinjasvc.com/teamesano/drivers/t	—	2025-10-24
URL	https://teamlogin.esanojinjasvc.com/teamesano/drivers/teamidcrz/	—	2025-10-24
URL	https://teamlogin.esanojinjasvc.com/teamesano/drivers/teamsid.php	—	2025-10-24
URL	https://teamlogin.esanojinjasvc.com/teamesano/drivers/teamzid.php	—	2025-10-24
URL	https://www.keeferbeautytrends.com/d6Z2.php?rz=	—	2025-10-24
domain	ents.com	—	2025-10-24
domain	esanojinjasvc.com	—	2025-10-24
domain	keeferbeautytrends.com	—	2025-10-24
domain	koliwooclients.com	—	2025-10-24
hostname	msoffice.365cloudz.esanojinjasvc.com	—	2025-10-24
hostname	teamlogin.esanojinjasvc.com	—	2025-10-24
hostname	www.keeferbeautytrends.com	—	2025-10-24

References (1)

↗ https://ti.qianxin.com/blog/articles/bitter-uses-diverse-means-to-deliver-new-backdoor-components-en/