Pakistan Telecommunication Company (PTCL) Targeted by Bitter APT During Heightened Regional Conflict
ID: 56ef75fa-6852-56b9-812f-6054894581ce
STIX ID: report--56ef75fa-6852-56b9-812f-6054894581ce
Feed Name: EclecticIQ
Date Published: 2025-05-28
Date Updated: 2026-04-27
Author: Arda Büyükkaya & Alon Gal (Hudson Rock)
On May 7, 2025, EclecticIQ and Hudson Rock observed Bitter APT (TA397) conducting a targeted spear-phishing campaign against PTCL personnel using compromised Pakistan CTD email credentials. An IQY attachment carrying a malicious Excel macro used a BAT loader to download a WmRAT variant (vcswin.exe) from fogomyart.com, established persistence, and communicated with the C2 domain tradesmarkets.greenadelhouse.com (resolving to 185.244.151.84 and .87). The report links the activity to prior TA397 infrastructure, documents StealC infostealer activity as the source of the initial access credentials, provides detailed IOCs and TTPs, and assesses the operation as strategic cyber espionage against critical telecom infrastructure during the regional conflict.
