Bitter APT Targets Turkish Defense Sector with WmRAT and MiyaRAT Malware
ID: 0900865c-d331-5c27-815f-e1045533d78f
STIX ID: report--0900865c-d331-5c27-815f-e1045533d78f
Feed Name: Proofpoint Blog
Proofpoint researchers observed the Bitter (TA397) APT conduct a November 2024 espionage operation against a Turkish defense organization using a booby-trapped RAR attachment that leveraged NTFS alternate data streams and a malicious LNK to create scheduled tasks and retrieve two RAT families (WmRAT and MiyaRAT). The report details the delivery and persistence techniques, RAT capabilities (data exfiltration, file transfer, command execution, screenshots, geolocation), and links the activity to Bitter's prior nation-state-focused campaigns across South and East Asia.
