A sophisticated cyberattack campaign by the South Asian threat actor Bitter, also known as APT-Q-37, has been revealed, leveraging a WinRAR zero-day vulnerability to deploy custom C# backdoors for data theft and persistent access. The campaign employs two primary infection methods: the use of malicious Excel Add-In files with VBA macros and the exploitation of a previously unknown WinRAR path traversal vulnerability.
In the first method, a file named “Nominated Officials for the Conference.xlam” is used to distribute the malware. When macros are enabled, it drops a file containing Base64-encoded C# source code, which is then decoded, compiled and installed on the system as the payload. Persistence is achieved through a scheduled task that connects to a domain associated with prior Bitter activity.
The second method involves a weaponized archive that overwrites Word’s default template, ensuring malware execution every time Word is launched. This method also embeds macros that connect to a server to retrieve a backdoor, indicating a shared origin with the first method.
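To show the archive-side check a defender can run against the path traversal technique described above, here is an added Python example; it is not code from the article or from the Bitter toolkit. It assumes that Word's default template is Normal.dotm under the user's Microsoft\Templates folder, and the archive entries it scans are constructed samples, not real indicators.

```python
import io
import re
import zipfile

# Assumption: Word's default template (Normal.dotm) lives under the user's
# Microsoft\Templates folder, so any entry that would land there is suspect.
TEMPLATE_MARKERS = ("microsoft/templates/", "normal.dotm")


def is_unsafe_entry(name: str) -> bool:
    """True if extracting the entry could write outside the target folder:
    absolute paths, drive letters, UNC paths or '..' climbing past the root."""
    n = name.replace("\\", "/").lower()
    if n.startswith("/") or re.match(r"^[a-z]:", n):
        return True
    depth = 0
    for part in (p for p in n.split("/") if p not in ("", ".")):
        depth += -1 if part == ".." else 1
        if depth < 0:
            return True
    return False


def targets_word_template(name: str) -> bool:
    """True if the entry path points at Word's default template location."""
    n = name.replace("\\", "/").lower()
    return any(marker in n for marker in TEMPLATE_MARKERS)


def scan_names(names):
    """Return [(entry, reasons)] for every entry worth blocking or alerting on."""
    checks = (("path traversal", is_unsafe_entry), ("word template", targets_word_template))
    findings = []
    for name in names:
        reasons = [label for label, check in checks if check(name)]
        if reasons:
            findings.append((name, reasons))
    return findings


def scan_zip_bytes(data: bytes):
    """Scan an in-memory ZIP; a RAR listing needs the identical name check."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return scan_names(zf.namelist())


def build_sample_zip() -> bytes:
    """Constructed sample: one benign document plus one traversal entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Conference/Agenda.docx", b"benign")
        zf.writestr("..\\..\\AppData\\Roaming\\Microsoft\\Templates\\Normal.dotm", b"macro")
    return buf.getvalue()
```

Running `scan_zip_bytes(build_sample_zip())` flags only the second entry, with both reasons; a mail gateway or endpoint agent can apply the same name check to any archive before it reaches the user.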
The backdoor used by the Bitter group is highly advanced, utilizing encrypted HTTP communications to collect system information and transmit it to a command and control server. This infrastructure is linked to a domain cluster registered in April 2025, suggesting ongoing refinement of their techniques targeting high-value sectors such as government, defense, and energy.
Users are advised to update WinRAR, disable macro execution, and avoid opening unsolicited attachments to mitigate the risk.