Friday 26 September 14:00 - 14:30, Green room
Abdallah Elshinbary (Threatray), Nick Attfield (Proofpoint), Konstantin Klinger (Proofpoint) & Jonas Wagner (Threatray)
The Bitter APT group (TA397) remains one of the most persistent and active threat actors operating today. While often attributed to India, the evidence behind this claim remains vague. This talk provides a comprehensive analysis of Bitter's operational patterns, toolset evolution, and tentative attribution. By leveraging Proofpoint's extensive email telemetry and Threatray's in-depth malware reversing and code reuse expertise, we present new insights into the group's TTPs. Our research clusters the vast toolset associated with Bitter, tracking its development and strategic deployment.
We uncovered previously undocumented usage of an esoteric delivery mechanism and will share first-hand insight into their hands-on-keyboard activity. We will reveal their malware development and shed light on changes in technique. Additionally, we encourage the audience to contribute their own findings and pivot on the intelligence and detection opportunities we present – with the goal of collaborating to disrupt this actor's operations.
This talk is divided into three sections. First, we provide an overview of the group, exploring campaigns by focusing on the infection chain, payload delivery, and high-fidelity fingerprints. Second, we deep-dive into their toolset and its development over time. Finally, we end with a discussion on attribution. By presenting these findings, we aim to encourage community collaboration, inspire participants to analyse their data, and share intelligence to disrupt this actor's operations.
Abdallah Elshinbary is a senior malware researcher at Threatray, specializing in tracking crimeware and APT activities by leveraging code-similarity technology. He contributes to product development, builds internal tools, and assists clients with threat attribution. With a strong background in malware analysis and reverse engineering, Abdallah previously worked at Recorded Future's INSIKT team, where he tracked various APT activities and developed malware C2 emulators. He also led the malware analysis team at Triage sandbox, writing static and dynamic signatures and config extractors while collaborating on the sandbox development.

Nick Attfield is a threat researcher at Proofpoint, currently responsible for tracking a raft of APT actors. He has extensive experience in helping build threat intelligence functions, building custom tooling, designing FINTEL and tracking actors. With previous roles in financial services, SentinelOne and F-Secure, he has a breadth of expertise across multiple domains and operating environments.

Konstantin Klinger is a staff security research engineer at Proofpoint on the Threat Detection & Research team, providing technical leadership and guidance within a team hunting and punching malware miscreants while slapping phishing attacks at scale. With a background in government intelligence, he dedicated years to network security monitoring. Before returning to Proofpoint, he acquired valuable incident response experience at Apple. He has previously spoken at VB, Botconf, Suricon and PIVOTcon.

Jonas Wagner is the Co-founder and CTO of Threatray, a deep malware intelligence and detection cyber security startup, where he is building next-gen technology for malware defence. He holds a Master's degree in cybersecurity from the Bern University of Applied Sciences. He has previously spoken at Botconf, FIRST CTI, hack.lu and DFRWS.
Back to VB2025 conference page