Connect with us

Hi, what are you looking for?



China’s Nuclear Energy Sector Targeted in Cyberespionage Campaign 

A South Asian espionage group named Bitter has been targeting the Chinese nuclear energy sector.

A South Asian advanced persistent threat (APT) actor has been targeting the nuclear energy sector in China in a recent cyberespionage campaign, Intezer reports.

Dubbed ‘Bitter’ and active since at least 2021, the group is known for the targeting of energy and government organizations in Bangladesh, China, Pakistan, and Saudi Arabia, and is characterized by the use of Excel exploits, and Microsoft Compiled HTML Help (CHM) and Windows Installer (MSI) files.

Continuing to target Chinese organizations, the group used updated first-stage payloads in the recently observed espionage campaign, added an extra layer of obfuscation, and employed additional decoys for social engineering.

The Bitter APT targeted recipients in China’s nuclear energy industry with at least seven phishing emails impersonating the embassy of Kyrgyzstan in China, inviting them to join conferences on relevant subjects.

The recipients were lured into downloading and opening an attached RAR archive containing CHM or Excel payloads designed to achieve persistence and fetch additional malware from the command-and-control (C&C) server.

Observed Excel payloads contained an Equation Editor exploit designed to set a scheduled task to download a next-stage EXE file, and another task to execute the payload.

CHM files, on the other hand, can be used to simply execute arbitrary code with low user interaction, even if a vulnerable iteration of Microsoft Office is not installed, and the Bitter APT used multiple such files in this campaign.

Advertisement. Scroll to continue reading.

One of the identified variants creates a scheduled task to execute a remote MSI payload using msiexec. While investigating the attack chain, Intezer was only served empty MSI files, which the attackers could use for reconnaissance and which could be swapped with an actual payload if the target is deemed promising.

A second version of the CHM file was observed performing similar activity using an encoded PowerShell command stage.

“Bitter APT do not appear to change their tactics too much, therefore we can assume that the payloads will be similar to those observed in 2021, executing a downloader module that can be served with plugins such as a keylogger, remote access tool, file stealer, or browser credential stealer,” Intezer notes.

Related: New Espionage Group ‘YoroTrooper’ Targeting Entities in European, CIS Countries

Related: Microsoft: 17 European Nations Targeted by Russia in 2023 as Espionage Ramping Up

Related: Military Organizations in Pakistan Targeted With Sophisticated Espionage Tool

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet


The war in Ukraine is the first major conflagration between two technologically advanced powers in the age of cyber. It prompts us to question...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...


Iranian APT Moses Staff is leaking data stolen from Saudi Arabia government ministries under the recently created Abraham's Ax persona

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...


Russia-linked cyberespionage group APT29 has been observed using embassy-themed lures and the GraphicalNeutrino malware in recent attacks.


ENISA and CERT-EU warn of Chinese threat actors targeting businesses and government organizations in the European Union.