In a newly uncovered campaign, the threat group known as Bitter—also tracked as APT-Q-37—has leveraged both malicious Office macros and a previously undocumented WinRAR path traversal vulnerability to deliver a C# backdoor and siphon sensitive information.
Researchers at Qi’anxin Threat Intelligence Center warn that this dual-pronged attack illustrates the group’s evolving tactics and their focus on high-value targets in government, electric power, and military sectors across China, Pakistan, and other strategic regions.
Bitter, or 蔓灵花, is widely believed to operate from a South Asian base and has been active for several years.
Historically, the group has conducted highly targeted espionage operations against government agencies and critical infrastructure operators.
Their toolset has traditionally included spear-phishing emails laden with macro-enabled Office documents and custom backdoors.
Recent analysis of network infrastructure and script patterns has solidified attribution to Bitter, particularly the use of domains such as which aligns with earlier Vermillion Bitter campaigns.
Overview of the Incident
Qi’anxin’s analysts recovered multiple samples demonstrating two attack modes, each culminating in the deployment of a C# backdoor capable of fetching and executing arbitrary EXE files from remote servers.
In Mode 1, a malicious XLAM file named Nominated Officials for the Conference.xlam prompts victims to enable macros, then displays a bogus “File parsing failed” message to lull users into a false sense of security.
Behind the scenes, the embedded VBA macro decodes a Base64-encoded C# source file into C:\ProgramData\cayote.log.
It then compiles the code into C:\ProgramData\USOShared\vlcplayer.dll using csc.exe and installs it via InstallUtil.exe.
Persistence is achieved through a batch script placed in the Startup folder, which schedules recurring connections to hxxps://www.keeferbeautytrends.com/d6Z2.php?rz= to retrieve further instructions.
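Detection logic for the Mode 1 chain, added here as an example and not code from the report or from Qi’anxin: it walks constructed Sysmon-style process-create (EventID 1) and file-create (EventID 11) records and flags the behaviours named above, namely an Office process starting csc.exe or InstallUtil.exe, csc.exe being handed a file with a non-source extension such as .log, InstallUtil.exe pointed at an assembly under ProgramData, and a script dropped in the Startup folder. The event records, rule names and command-line arguments are constructed and assumed; the article does not give the exact command lines the macro used.

```python
"""Hunt for the macro -> csc.exe -> InstallUtil.exe -> Startup .bat chain.

Added example. The records below are constructed to resemble Sysmon EventID 1
(process create) and EventID 11 (file create) fields; they are not data from
the report, and the exact command lines are assumptions.
"""
import re
from pathlib import PureWindowsPath

OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Build/installer/scripting binaries a document has no legitimate reason to start.
LOLBINS = {"csc.exe", "vbc.exe", "installutil.exe", "msbuild.exe",
           "cmd.exe", "powershell.exe", "wscript.exe", "mshta.exe"}
STARTUP_RE = re.compile(r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\", re.I)
USER_WRITABLE_RE = re.compile(r"\\ProgramData\\|\\Users\\|\\Temp\\", re.I)
SCRIPT_EXTS = (".bat", ".cmd", ".vbs", ".js", ".lnk")
NON_SOURCE_EXTS = (".log", ".txt", ".tmp", ".dat")   # csc input that is not .cs


def image_name(path):
    return PureWindowsPath(path).name.lower()


def check_process(ev):
    """Rule names triggered by one process-create record (may be empty)."""
    hits = []
    parent, image = image_name(ev["ParentImage"]), image_name(ev["Image"])
    cmd = ev.get("CommandLine", "")
    if parent in OFFICE_IMAGES and image in LOLBINS:
        hits.append("office_spawns_lolbin")
    if image == "csc.exe" and any(a.lower().endswith(NON_SOURCE_EXTS) for a in cmd.split()):
        hits.append("csc_nonstandard_source")       # e.g. compiling cayote.log
    if image == "installutil.exe" and USER_WRITABLE_RE.search(cmd):
        hits.append("installutil_user_writable_assembly")
    return hits


def check_file(ev):
    """Rule names triggered by one file-create record (may be empty)."""
    target = ev["TargetFilename"]
    if STARTUP_RE.search(target) and target.lower().endswith(SCRIPT_EXTS):
        return ["startup_folder_script"]
    return []


def scan(events):
    """Return (event index, rule name) pairs for every hit, in record order."""
    findings = []
    for i, ev in enumerate(events):
        hits = check_process(ev) if ev["EventID"] == 1 else check_file(ev)
        findings.extend((i, h) for h in hits)
    return findings


# Constructed sample telemetry (not from the report).
SAMPLE_EVENTS = [
    {"EventID": 1,
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "CommandLine": r"csc.exe /nologo /target:library /out:C:\ProgramData\USOShared\vlcplayer.dll C:\ProgramData\cayote.log"},
    {"EventID": 1,
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe",
     "CommandLine": r"InstallUtil.exe C:\ProgramData\USOShared\vlcplayer.dll"},
    {"EventID": 1,   # benign developer build: explorer parent, real .cs input
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "CommandLine": r"csc.exe /out:C:\dev\tool.exe C:\dev\Program.cs"},
    {"EventID": 11,
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.bat"},
    {"EventID": 11,
     "TargetFilename": r"C:\Users\alice\Documents\report.docx"},
]

if __name__ == "__main__":
    for idx, rule in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

Map your EDR or Sysmon export onto the ParentImage/Image/CommandLine/TargetFilename fields and run scan() over it; the benign csc.exe record shows why the rules key on the parent process and the input extension rather than on csc.exe alone.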
In Mode 2, attackers exploit a WinRAR path traversal vulnerability to overwrite the user’s Word template (Normal.dotm).
By packaging both a benign-looking Document.docx and a concealed Normal.dotm inside a crafted RAR archive, the exploit ensures that when the victim extracts the archive—often directly to their Downloads folder—the malicious template supplants the legitimate one.
Upon opening any DOCX file, Word loads the tampered Normal.dotm, which mounts a remote share and executes winnsc.exe, the same C# backdoor previously observed.
Initial assumptions pointed to CVE-2025-8088, but testing confirmed the vulnerability affects WinRAR versions prior to 7.12, indicating an older, unpatched vulnerability.
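A pre-extraction audit of archive entry names, added here as an example and not part of the report: given the directory the user intends to extract into, it resolves each entry the way a traversal-susceptible extractor would and flags entries that would land outside that directory or on Word’s Normal.dotm (Word keeps it under %APPDATA%\Microsoft\Templates by default). It goes slightly beyond the case above by also catching absolute and drive-relative entry names. The entry list is constructed; in practice you would take it from an archive library such as rarfile’s RarFile.namelist() before letting the real extractor touch the files.

```python
"""Flag archive entries that escape the extraction directory or target Normal.dotm.

Added example, not code from the report. Entry names are constructed to mirror
the Document.docx + hidden Normal.dotm pairing described above. ntpath is used so
the check runs identically on any platform.
"""
import ntpath

TEMPLATE_DIR_MARKER = "\\microsoft\\templates\\"   # Word's default template location


def audit_entry(extract_dir, name):
    """Return (resolved target path, list of findings) for one archive entry."""
    findings = []
    win_name = name.replace("/", "\\")
    # Rooted or drive-qualified names are never legitimate inside an archive.
    if win_name.startswith("\\") or ntpath.splitdrive(win_name)[0]:
        findings.append("absolute_path")
    base = ntpath.normpath(extract_dir)
    target = ntpath.normpath(ntpath.join(base, win_name))
    if not target.lower().startswith(base.lower() + "\\"):
        findings.append("escapes_extraction_dir")
    low = target.lower()
    if ntpath.basename(low) == "normal.dotm" or TEMPLATE_DIR_MARKER in low:
        findings.append("overwrites_word_template")
    return target, findings


def audit_archive(extract_dir, names):
    """Map each suspicious entry name to its findings; clean entries are omitted."""
    report = {}
    for name in names:
        _, findings = audit_entry(extract_dir, name)
        if findings:
            report[name] = findings
    return report


# Constructed listing, assumed to come from something like rarfile.RarFile.namelist().
EXTRACT_DIR = r"C:\Users\alice\Downloads"
SAMPLE_ENTRIES = [
    "Document.docx",                                          # the decoy
    r"..\AppData\Roaming\Microsoft\Templates\Normal.dotm",    # the traversal entry
    "notes/../readme.txt",                                    # '..' that stays inside: fine
    r"C:\Windows\Temp\x.exe",                                 # absolute path
]

if __name__ == "__main__":
    for entry, findings in audit_archive(EXTRACT_DIR, SAMPLE_ENTRIES).items():
        print(f"{entry!r}: {', '.join(findings)}")
```

The comparison is done on the normalised, lower-cased target because Windows paths are case-insensitive and an extractor applies the same normalisation; an entry such as notes/../readme.txt is legitimately inside the extraction directory and must not be flagged, which is why the rule keys on the resolved destination rather than on the mere presence of "..".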
Detailed Analysis and Backdoor Functionality
The backdoor’s source code, stored in cayote.log, employs AES decryption routines to conceal configuration strings.
Its primary loop gathers device details—OS version, architecture, hostname, and temporary directory path—and transmits them via POST to hxxps://msoffice.365cloudz.esanojinjasvc.com/cloudzx/msweb/drxbds23.php. The server’s response encodes download instructions for additional EXE payloads.
Subsequent requests to drdxcsv34.php fetch raw EXE data, which the malware repairs by prefixing DOS headers before validating and executing the binary. Execution results are reported back to drxcvg45.php.
The same backdoor logic is present in winnsc.exe, confirming that both attack vectors ultimately converge on a common implant.
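Because the implant fetches raw EXE data and only prefixes the DOS header itself, a proxy or sandbox rule that keys on a leading "MZ" will never see a PE in the download. The check below, added here as an example rather than code from the report, scans a blob for the COFF signature "PE\0\0" and accepts it only when the Machine field (4 bytes in) and the optional-header Magic field (24 bytes in, after the 20-byte COFF header) hold plausible values, which keeps stray "PE" bytes in ordinary traffic from firing. The sample blob is constructed.

```python
"""Detect a PE image delivered without its DOS/MZ header.

Added example, not the report's code. Layout facts used: the COFF header is
20 bytes and starts right after 'PE\0\0'; the optional header (and its Magic
field) follows it, so Magic sits 24 bytes after the signature.
"""
import struct

COFF_MACHINES = {0x014C, 0x8664, 0x01C4, 0xAA64}   # i386, x64, ARM Thumb-2, ARM64
OPTIONAL_MAGICS = {0x10B, 0x20B}                  # PE32, PE32+


def find_pe_signature(blob):
    """Offset of a plausible 'PE\\0\\0' COFF header in blob, or -1 if none."""
    pos = blob.find(b"PE\0\0")
    while pos != -1:
        if pos + 26 <= len(blob):
            (machine,) = struct.unpack_from("<H", blob, pos + 4)
            (magic,) = struct.unpack_from("<H", blob, pos + 24)
            if machine in COFF_MACHINES and magic in OPTIONAL_MAGICS:
                return pos
        pos = blob.find(b"PE\0\0", pos + 1)
    return -1


def is_headless_pe(blob):
    """True when the blob lacks an MZ header but carries a credible PE header."""
    return not blob.startswith(b"MZ") and find_pe_signature(blob) != -1


def constructed_headless_pe():
    """Build a minimal PE fragment with the DOS header stripped (sample data)."""
    coff = struct.pack("<HHIIIHH", 0x8664, 2, 0, 0, 0, 240, 0x0022)   # x64, 2 sections
    optional_magic = struct.pack("<H", 0x20B)                         # PE32+
    return b"\x00" * 16 + b"PE\0\0" + coff + optional_magic + b"\x00" * 238


if __name__ == "__main__":
    sample = constructed_headless_pe()
    print("PE header at offset", find_pe_signature(sample))
    print("headless PE:", is_headless_pe(sample))
```

Run is_headless_pe() over response bodies that a content-type or magic-byte rule would otherwise classify as opaque data; the same two-field test is easy to express as a YARA condition if you prefer to keep it in the sensor.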
Multiple domains—such as teamlogin.esanojinjasvc.com—serve as C2 infrastructure, all registered in April 2025, reinforcing the conclusion that these samples derive from a single Bitter operation.
Protection Recommendations
Qi’anxin Threat Intelligence Center urges organizations to adopt a multi-layered defense strategy:
- Exercise caution with unsolicited email attachments or links from unknown sources.
- Disable or restrict macro execution in Office applications.
- Apply the latest patches for WinRAR and other archive utilities.
- Employ network segmentation and monitor outbound POST requests to detect anomalous traffic.
- Utilize sandbox analysis platforms—such as Qi’anxin’s File Depth Analysis Platform—to inspect untrusted files before execution.
By combining social engineering and zero-day exploitation, Bitter demonstrates its agility in expanding attack capabilities. Vigilance, timely patch management, and proactive threat hunting remain critical to thwarting such sophisticated intrusions.