BDarkRAT
BDarkRAT is a .NET trojan/remote access tool first documented in 2019. Reporting cited in the source material associates it with the Bitter threat actor, also tracked as TA397, a state-backed espionage group assessed as aligned with Indian government interests. Researchers describe Bitter’s tooling as having evolved from basic downloaders to more advanced remote access tools including MuuyDownloader, BDarkRAT, and MiyaRAT, with active development observed as of 2025.
High-confidence capabilities explicitly attributed to BDarkRAT include system information gathering, shell command execution, file downloading, and file management on compromised hosts. In observed Bitter operations, BDarkRAT was used as a final payload or follow-on payload after initial spear-phishing compromise and staging activity. Bitter commonly used spear-phishing emails, often impersonating government or diplomatic entities and leveraging compromised or spoofed diplomatic email accounts, to target a very small subset of victims.
The campaigns described targeted primarily government, diplomatic, and defense organizations, including entities linked to China, Pakistan, Bangladesh, Turkey, and other countries relevant to Indian geopolitical interests, with activity observed across Asia and Europe and some reporting noting South America. In one specifically described CHM-based campaign, Bitter used a scheduled task named MSTaskUI to beacon to utizviewstation[.]com and later manually delivered BDarkRAT. More broadly, researchers observed hands-on-keyboard activity in some Bitter intrusions, including host enumeration and selective deployment of additional payloads such as KugelBlitz and BDarkRAT.
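As an added defensive illustration (not code from the cited reporting or from Mallory), the following Python matches the two delivery-context indicators described above, the MSTaskUI task name and the utizviewstation[.]com beacon domain, against constructed Windows event records and flags hosts that show both; the event shapes, field names and hostnames are assumptions.

```python
import re

# Constructed sample telemetry, not from the original report: Windows Security
# event 4698 (scheduled task created) and Sysmon event 22 (DNS query) records.
SAMPLE_EVENTS = [
    {"host": "WS-17", "event_id": 4698, "task_name": "\\MSTaskUI"},
    {"host": "WS-17", "event_id": 22, "query": "utizviewstation.com"},
    {"host": "WS-03", "event_id": 22, "query": "cdn.example.net"},
    {"host": "WS-09", "event_id": 4698,
     "task_name": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag"},
]

TASK_NAME = "MSTaskUI"                 # scheduled task name from the reporting
C2_DOMAIN = "utizviewstation[.]com"    # defanged as published; refanged before matching

def refang(domain):
    """Turn a defanged domain such as 'utizviewstation[.]com' into a matchable hostname."""
    return re.sub(r"\[\.\]|\(\.\)|\{\.\}", ".", domain).lower()

def match_event(event):
    """Return 'task' or 'dns' when an event matches an indicator, otherwise None."""
    if event.get("event_id") == 4698:
        # 4698 records the full task path; compare only the leaf name.
        leaf = event.get("task_name", "").rsplit("\\", 1)[-1]
        if leaf.lower() == TASK_NAME.lower():
            return "task"
    elif event.get("event_id") == 22:
        query = event.get("query", "").lower().rstrip(".")
        c2 = refang(C2_DOMAIN)
        if query == c2 or query.endswith("." + c2):
            return "dns"
    return None

def hunt(events):
    """Collect indicator hits per host; a host with both 'dns' and 'task' shows the full delivery pattern."""
    hits = {}
    for event in events:
        kind = match_event(event)
        if kind:
            hits.setdefault(event["host"], set()).add(kind)
    return {host: sorted(kinds) for host, kinds in hits.items()}

if __name__ == "__main__":
    for host, kinds in hunt(SAMPLE_EVENTS).items():
        print(host, kinds)
```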
The content does not provide standalone BDarkRAT-specific hashes, mutexes, registry keys, or additional unique indicators beyond its association with Bitter campaigns and the observed delivery context above.
Recent activity
3 sources tracked across advisories, community write-ups, and news.
.NET remote access trojan with capabilities including system information gathering, shell command execution, file download, and file management.
Custom remote access trojan used by Bitter/TA397 for remote control and post-compromise activity in targeted espionage operations.
BDarkRAT is a remote access trojan used by TA397 for espionage, providing persistent access and control over compromised systems.