TA397 Hackers Exploit Scheduled Tasks to Deploy Malware on Targeted Systems
A recent in-depth analysis by Proofpoint Threat Research has shed light on the sophisticated operations of TA397, also known as Bitter, a suspected state-backed threat actor highly likely aligned with Indian intelligence interests.
Identified as an espionage-focused group, TA397 has been actively targeting entities across Europe and Asia, particularly those with connections to China, Pakistan, and neighboring regions of the Indian subcontinent.
Their campaigns, observed between October 2024 and April 2025, reveal a persistent use of scheduled tasks as a core mechanism for malware deployment, coupled with spearphishing tactics that exploit geopolitical themes to lure victims.
Tactics of an India-Aligned Espionage Group
Operating within standard Indian Standard Time (IST) working hours, as evidenced by infrastructure timestamps and hands-on-keyboard activity, TA397’s methods showcase both consistency and adaptability in bypassing detection and achieving intelligence-gathering objectives.
TA397’s primary attack vector remains spearphishing emails, often masquerading as legitimate governmental entities from countries like Madagascar, Mauritius, and China to add credibility to their lures.

Their emails typically contain malicious attachments or URLs hosted on legitimate file-sharing platforms, initiating infection chains that create scheduled tasks on targeted systems.
These tasks, executed via tools like PowerShell and cmd.exe, beacon to staging domains every 16 to 19 minutes, transmitting victim identifiers such as computer names and usernames to actor-controlled servers.
Manual Payload Delivery
According to the report, TA397 frequently experiments with esoteric file types, including Microsoft Search Connector (MSC) files, and exploits such as CVE-2024-43572 (GrimResource) for remote code execution, demonstrating a willingness to innovate within their established framework.

A notable aspect of their operations is the manual deployment of second-stage payloads, such as wmRAT, MiyaRAT, and BDarkRAT, only after assessing the target’s relevance based on system enumeration data, a hallmark of espionage-driven precision.
One observed campaign saw operators manually issue commands at specific IST-aligned timestamps, revealing errors like failed payload retrievals and subsequent corrections via SMB shares, underscoring their hands-on approach.
Infrastructure analysis further ties TA397 to India, with domain registration, passive DNS, and Let’s Encrypt certificate timestamps consistently mapping to IST business hours, while their use of PHP URL patterns and victim data in beaconing provides a high-confidence fingerprint for detection.
These indicators provide critical data points for cybersecurity teams to monitor and mitigate TA397’s activities, reinforcing the need for robust email security and endpoint detection to counter their evolving tactics.
Indicators of Compromise (IoC)
| Indicator | Type | Description | First Seen |
|---|---|---|---|
| mnemautoregsvc[.]com | Domain | Staging domain | October 2024 |
| jacknwoods[.]com | Domain | Staging domain | November 2024 |
| 1b67fc55fd050d011d6712ac17315112767cac8bbe059967b70147610933b6c1 | SHA256 | LNK scheduled task loader | December 2024 |
| hxxp://46[.]229[.]55[.]63/svch.php?li=%computername%[.][.]%username% | URL | Payload delivery | December 2024 |
| utizviewstation[.]com | Domain | Staging domain | February 2025 |
| blucollinsoutien[.]com | Domain | Staging domain | March 2025 |
| princecleanit[.]com | Domain | Staging domain | March 2025 |
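The beaconing fingerprint described above (a PHP URL carrying `computername..username`, repeated every 16 to 19 minutes) can be hunted for in proxy logs. The following is an added detection example, not code from Proofpoint or from the article; the log format, the IP addresses, the hostnames and the one-minute slack on the interval window are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample proxy log lines: "<ISO timestamp> <source IP> <URL>".
SAMPLE_LOGS = """\
2024-12-10T09:02:11 10.0.0.15 http://203.0.113.7/svch.php?li=WS-FIN01..alice
2024-12-10T09:05:40 10.0.0.15 http://intranet.example/news.php?id=42
2024-12-10T09:19:13 10.0.0.15 http://203.0.113.7/svch.php?li=WS-FIN01..alice
2024-12-10T09:36:58 10.0.0.15 http://203.0.113.7/svch.php?li=WS-FIN01..alice
2024-12-10T09:54:02 10.0.0.15 http://203.0.113.7/svch.php?li=WS-FIN01..alice
2024-12-10T10:00:00 10.0.0.22 http://cdn.example/lib.php?v=WS-HR02..bob
"""

# A .php request whose first query value has the shape <computername>..<username>.
BEACON_RE = re.compile(r"\.php\?\w+=([A-Za-z0-9_-]+)\.\.([A-Za-z0-9_.-]+)(?:&|$)")

# Reported cadence is 16-19 minutes; one minute of slack each side is an assumption.
MIN_GAP, MAX_GAP = 15 * 60, 20 * 60


def looks_like_beacon(url):
    """Return (computername, username) if the URL matches the fingerprint, else None."""
    m = BEACON_RE.search(url)
    return (m.group(1), m.group(2)) if m else None


def find_beacon_candidates(log_text):
    """Group fingerprint-matching requests by (source, URL) and test the cadence."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        ts, src, url = line.split(" ", 2)
        if looks_like_beacon(url):
            hits[(src, url)].append(datetime.fromisoformat(ts))
    results = {}
    for (src, url), times in hits.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        # Two or more consecutive gaps inside the window is treated as periodic.
        periodic = len(gaps) >= 2 and all(MIN_GAP <= g <= MAX_GAP for g in gaps)
        results[(src, url)] = {"hits": len(times), "periodic": periodic,
                               "victim": looks_like_beacon(url)}
    return results


if __name__ == "__main__":
    for (src, url), r in find_beacon_candidates(SAMPLE_LOGS).items():
        print(f"{src} -> {url}: hits={r['hits']} periodic={r['periodic']} victim={r['victim']}")
```

A single match on the URL shape is a lead worth triage; the same source hitting the same PHP endpoint on the reported cadence is the high-confidence signal.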