TAG-179 is a suspected India-nexus cyberespionage threat actor associated with intrusions targeting Pakistani government and law-enforcement entities. The actor has been linked to activity against Pakistani police organizations, including Balochistan Police and other public-sector security institutions, with apparent intelligence-collection objectives focused on Pakistan’s internal security posture, particularly in Balochistan. TAG-179 has been observed using Remcos as a primary malware family in documented operations. Its tradecraft includes spearphishing and lure-based delivery using politically and operationally relevant decoy themes tailored to Pakistani government and police audiences, including subjects related to repatriation of illegal foreigners and coordination among police and intelligence bodies. The actor’s operations indicate familiarity with regional administrative and security issues and a focus on credentialed or malware-enabled access to sensitive law-enforcement environments. Infrastructure, tooling, and tactics attributed to TAG-179 overlap with activity tracked by other vendors as Mysterious Elephant and APT-C-08, also widely known as Bitter. Based on those overlaps, TAG-179 is best understood as closely aligned with, or potentially part of, the broader Bitter intrusion set. Bitter has long been associated with South Asian espionage activity, especially targeting government, diplomatic, defense, and strategic organizations in the region. Observed TAG-179 activity fits a cyberespionage profile rather than disruptive or financially motivated crime. Targeting has included systems associated with police operations and sensitive records, suggesting an interest in situational awareness, security-force activities, and regional intelligence collection. High-confidence reporting supports the assessment of India nexus and overlap with the Bitter/Mysterious Elephant cluster; more specific organizational relationships beyond that overlap remain not publicly established.
Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Sectors the actor has been observed targeting.
Geographies tied to known operations.
Attributed origin per open-source reporting.
2 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.
1 malware family attributed to this actor across reporting.
14 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.
2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
India-nexus cyberespionage activity targeting Pakistani law enforcement, especially Balochistan Police, using Remcos infrastructure and law-enforcement-themed lure documents.
Suspected India-nexus cyberespionage activity targeting Pakistani law enforcement, especially Balochistan Police, using Remcos infrastructure and law-enforcement-themed lure documents.
Match sector + geo + tech-stack targeting against your real footprint.
Every observed MITRE ATT&CK technique, grouped by tactic.
Families this actor is known to deploy, with IOCs and behavior.
CVEs this actor has used in known campaigns.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Domains, IPs, and hashes tied to this actor, refreshed continuously.