Meta Disrupted Two Cyberespionage Operations in South Asia

Facebook’s parent company Meta took action earlier this year against two cross-platform cyberespionage operations that relied on various online services for malware distribution.

The first group of hackers that Meta disrupted during the second quarter is Bitter APT. Also called T-APT-17, the group has been around since at least 2013, targeting entities in the energy, engineering, and government sectors.

Meta has observed the hacking group using link-shortening services, malicious and compromised domains, and third-party hosting providers to target victims in India, New Zealand, Pakistan and the United Kingdom with malware.

The group has created fictitious personas – posing as young women, journalists or activists – to connect with potential victims and gain their trust before tricking them into downloading malware.

Bitter APT has been seen deploying a chat application for iOS distributed via Apple’s TestFlight service. However, it’s unclear whether the application was malicious or was only used for social engineering.

The hackers have also used an Android malware family that abused the accessibility services to perform nefarious actions on the infected devices.

Dubbed Dracarys, the malware was injected into non-official versions of apps such as Signal, Telegram, YouTube, and WhatsApp, giving access to device information, call logs, messages, contacts, user files, and location, and providing the ability to take photos, enable the microphone, and install apps.
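As an added defender-side example (not from the article or from Meta's report), the following script triages two pieces of adb output for the pattern described above: a copy of a popular messaging app that was not installed from Google Play and that holds accessibility access. The official package names, the Play installer identifier, the adb output formats and the sample device output are all assumptions constructed for this example.

```python
import re
from typing import Dict, List, Set

# Official package names of the apps the article names as trojanised
# (assumed for this example, not taken from the article).
WATCHED_PACKAGES = {
    "org.thoughtcrime.securesms": "Signal",
    "org.telegram.messenger": "Telegram",
    "com.google.android.youtube": "YouTube",
    "com.whatsapp": "WhatsApp",
}
TRUSTED_INSTALLERS = {"com.android.vending"}  # Google Play (assumption)


def parse_accessibility_services(raw: str) -> Set[str]:
    """Parse `adb shell settings get secure enabled_accessibility_services`:
    a colon-separated list of package/ServiceClass entries, or 'null'."""
    raw = raw.strip()
    if not raw or raw == "null":
        return set()
    return {entry.split("/", 1)[0] for entry in raw.split(":") if entry}


def parse_installers(raw: str) -> Dict[str, str]:
    """Parse `adb shell pm list packages -i` lines of the form
    'package:<pkg>  installer=<installer|null>'."""
    installers: Dict[str, str] = {}
    for line in raw.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line.strip())
        if m:
            installers[m.group(1)] = m.group(2)
    return installers


def triage(accessibility_raw: str, installers_raw: str) -> List[dict]:
    """Flag watched apps that were sideloaded and/or hold accessibility access."""
    a11y = parse_accessibility_services(accessibility_raw)
    installers = parse_installers(installers_raw)
    findings = []
    for pkg, name in WATCHED_PACKAGES.items():
        if pkg not in installers:
            continue  # app not present on the device
        sideloaded = installers[pkg] not in TRUSTED_INSTALLERS
        if sideloaded or pkg in a11y:
            findings.append({"app": name, "package": pkg, "installer": installers[pkg],
                             "sideloaded": sideloaded, "accessibility": pkg in a11y})
    return findings


# Constructed sample output, not captured from a real device.
SAMPLE_A11Y = "com.whatsapp/com.whatsapp.AccService:com.android.talkback/.TalkBackService"
SAMPLE_PM = """package:com.whatsapp  installer=null
package:org.thoughtcrime.securesms  installer=com.android.vending
package:com.android.talkback  installer=com.android.vending
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_A11Y, SAMPLE_PM):
        print(finding)
```

On the sample data only the WhatsApp copy is reported, because it was sideloaded and has an accessibility service enabled; the Play-installed Signal is left alone.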

“This group has aggressively responded to our detection and blocking of its activity and domain infrastructure. For example, Bitter would attempt to post broken links or images of malicious links so that people would have to type them into their browser rather than click on them — all in an attempt to unsuccessfully evade enforcement,” Meta notes.

Operating out of Pakistan, the second group of hackers is APT36. Also tracked as Transparent Tribe, Earth Karkaddan, Operation C-Major, PROJECTM, and Mythic Leopard, the group is believed to be linked to the Pakistani government.

APT36 has been observed targeting government officials, human rights activists, military personnel, students, and non-profit organizations in Afghanistan, India, Pakistan, Saudi Arabia, and the UAE.

The APT has been creating fictitious personas – such as recruiters or attractive young women – to build trust with its potential victims. For malware deployment, it used custom infrastructure, including domains masquerading as app stores and photo-sharing websites, or spoofing legitimate domains.

Furthermore, the hackers have been observed using link-shortening services to hide their malicious URLs, and hosting malware on file-sharing services like WeTransfer.

In some attacks, the group used LazaSpy, a modified version of the XploitSPY Android malware, which is available on GitHub.

In other incidents, APT36 deployed non-official versions of YouTube, WhatsApp, and WeChat injected with Mobzsar or CapraSpy. These implants can access various types of information on the victim device, including call logs, contacts, files, location, messages, and photos, and can enable the microphone.

“Our investigations and malware analysis into advanced persistent threat (APT) groups show a notable trend in which APTs choose to rely on openly available malicious tools, including open-source malware, rather than invest in developing or buying sophisticated offensive capabilities,” Meta notes.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
