December 5, 2023

Meta has acted against two cyber espionage operations in South Asia namely Bitter APT and APT36, respectively.

In an announcement in its Quarterly Adversarial Threat Report, Second Quarter 2022, published last week it has provided insight into the risks evolved worldwide and across multiple policy violations, particularly those perpetrated by those two hacking groups.


We took action against a group of hackers known as Bitter APT  that operated out of South Asia, and targeted people in New Zealand, India, Pakistan and the United Kingdom

Meta report

Meta said that Bitter APT was relatively low in sophistication and operational security, it was persistent and well-resourced. The group would have used various link-shortening services, malicious domains, compromised websites, and third-party hosting providers to distribute their malware.

Bitter would have used a mix of social engineering, an iOS application, an Android malware Meta called Dracarys, and adversarial adaptation.

As for as APT36 concerned, the investigation connected this activity to state-linked actors in Pakistan. It targets people in Afghanistan, India, Pakistan, UAE, and Saudi Arabia, including military personnel, government officials, employees of human rights and other non-profit organizations and students.

Meta said APT36’s TTP were relatively low in sophistication. The group was persistent and targeted several services across the internet, including email providers, file-hosting services, and social media.

APT36 is an example of a global trend, where low-sophistication groups choose to rely on openly available malicious tools, rather than invest in developing or buying sophisticated offensive capabilities.


APT36 is known for using a range of different malware  families and found in this recent operation it had also trojanized (non-official) versions of WhatsApp, WeChat and YouTube with another commodity malware family known as Mobzsar or CapraSpy.

Meta report

According to Meta, these low-cost tools require less technical expertise to deploy, yet yield results for the attackers, nonetheless.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.