MiyaRAT

MiyaRAT is a custom remote access tool associated with the Bitter espionage group (also tracked as TA397). Reporting from Proofpoint and Threatray describes it as part of TA397’s evolution from basic downloaders to more advanced remote access tooling, alongside families such as MuuyDownloader, BDarkRAT, and WmRAT, and indicates it remained under active development as of 2025. MiyaRAT has been observed in campaigns between October 2024 and April 2025 targeting primarily government, diplomatic, and defense organizations, including entities linked to China, Pakistan, other Indian neighboring countries, and, in December 2024, targets in Turkey. TA397 commonly delivers malware through spear-phishing using spoofed or compromised diplomatic and government email accounts, with lures themed around diplomatic, military, trade, and government matters. In documented intrusions, TA397 used files or URLs that created scheduled tasks, then conducted hands-on-keyboard activity to enumerate victim systems and selectively deploy follow-on payloads. Proofpoint specifically reported finding MiyaRAT payloads on a TA397-controlled SMB share after operators mounted \72.18.215[.]1\tempy to retrieve payloads during a government-targeting intrusion. MiyaRAT was also referenced in prior TA397 activity involving manual deployment of wmRAT and MiyaRAT. High-confidence contextual indicators tied to the broader TA397 activity include scheduled-task-based staging, beaconing to PHP endpoints, transmission of victim computer name and username, frequent use of Let’s Encrypt certificates on staging infrastructure, and infrastructure and operator activity aligned with Indian Standard Time business hours.