
Cyber Warfare Escalates: Bitter APT Targets Pakistan's Telecommunications Company

  • usareisende
  • May 12
  • 2 min read

Pakistan’s national telecommunications company, Pakistan Telecommunications Company Ltd., was recently the target of a suspected state-sponsored attack, likely conducted as cyber-espionage against the country. The attack specifically targeted Pakistan’s critical telecommunications infrastructure. It succeeded in infiltrating the state telecommunications company, gaining control and access through an IP address previously associated with earlier attacks.


According to EclecticIQ, the attack was carried out by Bitter APT. MITRE’s profile describes the group as “a suspected South Asian cyber espionage threat group that has been active since at least 2013. BITTER has targeted government, energy, and engineering organizations in Pakistan, China, Bangladesh, and Saudi Arabia.”


Detailing the Attack


Bitter APT penetrated the Pakistan Telecommunications Company through a compromised email account. The hijacked address (ctd@islamabadpolice.gov.pk) belongs to the Islamabad Police, and the compromise was made possible by an infostealer variant.


The compromised email address was then used to distribute malware. An email from the account carried an IQY attachment alongside a message framed as a security briefing, prompting the recipient to open it. An IQY file is in fact a plain-text file that, when opened, triggers an import of data from a web server. Because the email came from a trusted source, the recipient opened it.
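Because an IQY file is plain text, a mail gateway can read the fetch target out of the attachment before a user ever opens it. The following triage helper is an added example, not code from the original post or from EclecticIQ: it parses the file’s `WEB` header, version line and URL, then flags any query whose host is not on an allow-list. The allow-list, host names and both sample files are constructed for illustration.

```python
"""Triage helper for Excel Web Query (.iqy) attachments.

Added example, not from the original post or from EclecticIQ. An IQY file is a
small text file: a 'WEB' marker, a version number, the URL Excel should fetch,
then optional key=value options. A mail gateway can read the URL out of such an
attachment and decide whether it points anywhere the organisation trusts.
The allow-list and the sample contents below are constructed for illustration.
"""
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class IqyQuery:
    url: str
    options: dict = field(default_factory=dict)


def parse_iqy(text: str) -> IqyQuery:
    """Parse the text of an .iqy file; raise ValueError if it is not a web query."""
    lines = [ln.strip() for ln in text.splitlines()]
    lines = [ln for ln in lines if ln]  # drop blank separator lines
    if len(lines) < 3 or lines[0].upper() != "WEB":
        raise ValueError("not a WEB query file")
    # lines[1] is the format version; lines[2] is the fetch target
    url = lines[2]
    options = {}
    for ln in lines[3:]:
        if "=" in ln:
            key, value = ln.split("=", 1)
            options[key.strip()] = value.strip()
    return IqyQuery(url=url, options=options)


def assess_iqy(text: str, allowed_hosts: set) -> dict:
    """Return a triage verdict: which host the file would contact and why it is flagged."""
    try:
        query = parse_iqy(text)
    except ValueError as exc:
        return {"verdict": "reject", "host": None, "reasons": [str(exc)]}
    parts = urlsplit(query.url)
    host = (parts.hostname or "").lower()
    reasons = []
    if parts.scheme not in ("http", "https"):
        reasons.append(f"unexpected scheme {parts.scheme!r}")
    if host not in allowed_hosts:
        reasons.append(f"fetches from untrusted host {host!r}")
    if parts.scheme == "http":
        reasons.append("cleartext http fetch")
    return {"verdict": "block" if reasons else "allow", "host": host, "reasons": reasons}


# Constructed samples: one internal report query, one pointing at an unknown host
ALLOWED_HOSTS = {"reports.corp.example"}
SAMPLE_INTERNAL = (
    "WEB\r\n1\r\nhttps://reports.corp.example/quarterly.csv\r\n\r\n"
    "Selection=AllTables\r\nFormatting=None\r\n"
)
SAMPLE_EXTERNAL = "WEB\n1\nhttp://unknown-host.invalid/briefing.txt\n\nSelection=AllTables\n"

if __name__ == "__main__":
    for name, sample in (("internal", SAMPLE_INTERNAL), ("external", SAMPLE_EXTERNAL)):
        print(name, assess_iqy(sample, ALLOWED_HOSTS))
```

The verdict is deliberately coarse: anything that is not a well-formed `WEB` query is rejected outright, and a well-formed one is blocked unless its host is explicitly trusted, since an IQY attachment from outside the organisation has almost no legitimate use.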


The file downloads a payload containing a variant of WmRAT. WmRAT is a type of Trojan that can extract information from the infected system and establish a connection with its command-and-control (C2) server. Two IP addresses were used: 185.244.151.84 and 185.244.151.87. The former was previously used in December 2024 in an attack that used the same Trojan variant, which further strengthens the case that Bitter APT is responsible for the recent attack.
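The two C2 addresses are the most actionable detail in the report: any organisation that can export firewall or proxy logs can check whether an internal host ever connected to them. The script below is an added example, not part of the original post; the two IP addresses come from the post, while the key=value log format, the internal host addresses and every log line are constructed for illustration.

```python
"""Retro-hunt for the WmRAT C2 addresses named in the EclecticIQ report.

Added example, not part of the original post. The two indicator IPs come from
the post (185.244.151.84 was also seen in December 2024); the log format,
the internal hosts and every log line below are constructed for illustration.
The same matching can be run over real firewall or proxy exports to find which
internal hosts talked to the C2 infrastructure.
"""
import re
from collections import defaultdict

# Indicators from the post
C2_IOCS = {"185.244.151.84", "185.244.151.87"}

# Constructed key=value log format: one outbound connection per line
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)\s+dport=(?P<dport>\d+)"
)

# Constructed sample: benign destinations use documentation ranges (RFC 5737)
SAMPLE_LOG = """\
2025-05-07T09:58:41Z src=10.20.3.14 dst=203.0.113.5 dport=443
2025-05-07T10:12:03Z src=10.20.3.14 dst=185.244.151.84 dport=443
2025-05-07T10:12:09Z src=10.20.3.14 dst=185.244.151.84 dport=443
2025-05-07T10:40:55Z src=10.20.7.2 dst=185.244.151.87 dport=8080
2025-05-07T11:02:17Z src=10.20.9.31 dst=198.51.100.22 dport=443
malformed line that should be skipped
"""


def hunt_c2(log_text: str, iocs: set = C2_IOCS) -> dict:
    """Return {internal_src: [(timestamp, c2_ip, dport), ...]} for every hit.

    Matching is exact set membership on the parsed dst field, not a substring
    search, so an indicator never matches a longer address that merely contains it.
    """
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that do not fit the expected format
        if m["dst"] in iocs:
            hits[m["src"]].append((m["ts"], m["dst"], int(m["dport"])))
    return dict(hits)


def summarize(hits: dict) -> list:
    """One tuple per affected host: (src, connection count, sorted C2 IPs seen)."""
    return sorted(
        (src, len(conns), sorted({c2 for _, c2, _ in conns}))
        for src, conns in hits.items()
    )


if __name__ == "__main__":
    for src, count, c2s in summarize(hunt_c2(SAMPLE_LOG)):
        print(f"{src}: {count} connection(s) to {', '.join(c2s)}")
```

Hosts returned by `summarize` are the ones to pull for forensic review; the per-host connection list keeps the timestamps, which is what establishes how long the RAT had a working C2 channel.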


The email used to trick users into downloading the Trojan was sent to the telecommunications company’s engineers and other specialists. These staff may unknowingly have granted the attackers access that could be used for real-time monitoring of communications, possible disruption, and insight into other corporate and business transactions.


Curiously, the attack was detected on May 7, 2025. At that time, Pakistan and India were at odds with each other as “Operation Sindoor” commenced, after “a deadly militant attack in Pahalgam, Indian-administered Kashmir, has triggered a sharp escalation between India and Pakistan, with both sides exchanging gunfire across the Line of Control and downgrading diplomatic ties,” according to the Global Conflict Tracker.


Securing Lines of Communication in Times of Conflict


The EclecticIQ report of a coordinated attack on Pakistan’s telecommunications company is a clear warning for institutions to stay on constant lookout for potential attacks. Bad actors are always hunting for vulnerabilities that give them access and control; here, a remote IP address was used to monitor and control one of Pakistan’s most important institutions. Any country serious about its security against foreign attacks should not only equip itself militarily but also prepare for cyber attacks, because bad actors are already working to infiltrate even before a conflict escalates.
