Executive Summary
A targeted phishing campaign is exploiting a security flaw, CVE-2025-8088, to attack government, military, and electric power sectors in China and Pakistan. The operation is attributed to the cyber-espionage group Bitter APT. Attackers use phishing emails containing malicious Microsoft Excel or RAR files to install a C# implant called “cayote.log”. This malware steals system information and allows attackers to run commands remotely. To defend against this threat, organizations should immediately strengthen email security, train users to spot phishing, and maintain up-to-date software patches.
Background on the Campaign
This campaign is part of ongoing cyber-espionage activities in the South Asia region and is confidently attributed to Bitter APT (also known as T-APT-17). Active since at least 2013, Bitter is a suspected South Asian espionage group with a long history of targeting government, energy, and military organizations, particularly in China and Pakistan. Their primary objective is long-term intelligence gathering and establishing a persistent foothold in strategic networks.
Bitter APT is known for its persistent, targeted attacks. Spear-phishing is their preferred method for gaining initial access, often using lures related to their targets’ geopolitical interests. The group frequently exploits Microsoft Office vulnerabilities to deliver custom malware. In this campaign, the use of the “cayote.log” implant shows their continued effort to evolve their tools to bypass modern security defenses. Currently, Bitter APT is the only threat actor publicly known to be exploiting CVE-2025-8088.
Vulnerability Details
- CVE-ID: CVE-2025-8088
- CVSS Score: 8.8
- EPSS Score: 4.42%
- Vulnerability Type: Path Traversal
- Affected Software: WinRAR versions prior to 7.13
- Patched in: WinRAR versions above 7.13
- Root Cause: A flaw in the processing of specially crafted Excel or RAR files that allows malicious code to run.
Infection Method
The attack follows a clear sequence of events:
- Initial Access: The attacker sends a targeted phishing email with a weaponized Microsoft Excel or RAR file attached.
- Exploitation: The user is tricked into opening the attachment, which activates the exploit for CVE-2025-8088.
- Payload Delivery: Once exploited, a C# implant named “cayote.log” is downloaded and run on the victim’s computer.
- Command and Control: The implant connects to a remote server controlled by the attacker, ready to receive commands and send back stolen data.
Malware Behavior and Capabilities
The campaign’s main tool is the “cayote.log” implant, which can:
- Gather System Information: Collect details about the infected computer, such as its operating system, user accounts, and network settings.
- Execute Remote Commands: Receive and run commands or other malicious programs sent from the attacker’s server, giving them full control.
Techniques Used
| Tactic | Technique ID | Technique Name |
| --- | --- | --- |
| Initial Access | T1566.001 | Phishing: Spearphishing Attachment |
| Execution | T1204.002 | User Execution: Malicious File |
| Execution | T1059 | Command and Scripting Interpreter |
| Discovery | T1082 | System Information Discovery |
| Command and Control | T1105 | Ingress Tool Transfer |
Visual: Attack Flow
[Phishing Email with Malicious Attachment] -> [User Opens Attachment & Triggers CVE-2025-8088] -> [“cayote.log” C# Implant is Installed] -> [Malware Gathers System Data] -> [Connects to Attacker’s C2 Server] -> [Executes Commands & Steals Data]
IOCs (Indicators of Compromise)
- File Name: cayote.log (C# implant)
- Associated Malware: ZxxZ, WmRAT, MiyaRAT, BDarkRAT (other tools used by this actor in past campaigns)
Threat Actor Attribution
The Gamaredon threat group exploits a critical WinRAR vulnerability, CVE-2025-8088, in its phishing campaigns to secretly install malware. Attackers entice victims into opening a RAR archive that appears to contain a harmless PDF. However, the vulnerability allows a malicious HTML Application (HTA) file to be automatically extracted to the Windows Startup folder without the user’s consent. This technique establishes persistence for the malware, ensuring it executes automatically each time the system reboots.
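As an added example (not code from the original advisory or from any vendor tooling), the Python check below triages an archive's entry names for the path-traversal pattern described above, so a mail gateway or sandbox can reject an archive before anything is extracted. It assumes the entry names have already been listed from the archive with a RAR listing tool; the sample listing and the file names in it are constructed.

```python
from pathlib import PureWindowsPath

# Directory chain that ends in the per-user or all-users Startup folder
STARTUP_CHAIN = ("microsoft", "windows", "start menu", "programs", "startup")
# Extensions that execute code when launched from the Startup folder
EXEC_EXT = {".hta", ".exe", ".lnk", ".vbs", ".js", ".bat", ".cmd", ".ps1", ".scr"}


def classify_entry(name: str) -> list[str]:
    """Return the reasons a single archive entry name looks like a traversal attempt."""
    p = PureWindowsPath(name.replace("/", "\\"))
    parts = tuple(part.lower() for part in p.parts)
    findings = []
    if p.drive or p.root:                      # C:\... or \... escapes the extraction dir
        findings.append("absolute path")
    if ".." in parts:                          # climbs out of the extraction dir
        findings.append("parent-directory traversal")
    n = len(STARTUP_CHAIN)
    if any(parts[i:i + n] == STARTUP_CHAIN for i in range(len(parts) - n + 1)):
        findings.append("targets Startup folder")
    if p.suffix.lower() in EXEC_EXT:
        findings.append(f"executable content ({p.suffix.lower()})")
    return findings


def triage_listing(entries: list[str]) -> dict[str, list[str]]:
    """Map each entry that escapes the extraction directory to its findings."""
    # An executable extension alone is only context, never a reason to report
    escapes = {"absolute path", "parent-directory traversal", "targets Startup folder"}
    report = {}
    for name in entries:
        findings = classify_entry(name)
        if escapes & set(findings):
            report[name] = findings
    return report


# Constructed sample listing: one decoy document plus two traversal entries
SAMPLE_LISTING = [
    "Report_Q3.pdf",
    r"..\..\..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.hta",
    r"C:\Users\Public\tools.exe",
]

if __name__ == "__main__":
    for name, why in triage_listing(SAMPLE_LISTING).items():
        print(name, "->", ", ".join(why))
```

Entry names are checked exactly as the archive declares them, so the check is independent of how a particular extractor normalizes paths.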
Mitigation Steps
- Email Security: Use advanced email filters to automatically block phishing attempts and malicious attachments.
- User Training: Conduct regular security awareness training to help employees recognize and report suspicious emails.
- Patch Management: Apply security patches for all software, especially Microsoft Office and file compression tools, as soon as they become available.
- Endpoint Security: Deploy Endpoint Detection and Response (EDR) tools to monitor for suspicious activity, such as Office programs launching unexpected processes.
- Network Monitoring: Watch for unusual outbound network traffic that could indicate a malware infection communicating with an attacker.
- Application Hardening: Use security features like Attack Surface Reduction (ASR) to block common attack behaviors associated with Office applications.
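The following Python script is an added example (not from the original advisory or any vendor product) of the endpoint and persistence monitoring recommended above: it runs two rules over process-creation events, one for Office applications or WinRAR spawning a script host, and one for anything executed from the Startup folder. The CSV export format, the user name, and every event in it are constructed for the example.

```python
import csv
from io import StringIO

# Parents the advisory singles out: Office applications and the archiver itself
DOCUMENT_HANDLERS = {"excel.exe", "winword.exe", "powerpnt.exe", "winrar.exe"}
# Children that an Office app or archiver has no normal reason to launch
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe",
                "wscript.exe", "cscript.exe", "rundll32.exe", "regsvr32.exe"}
STARTUP_DIR = r"\microsoft\windows\start menu\programs\startup"

# Constructed process-creation events in a simple CSV export (not real telemetry)
SAMPLE_EVENTS = r"""time,parent_image,image,command_line
2025-09-01T09:12:03Z,C:\Windows\explorer.exe,C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE,EXCEL.EXE C:\Users\alice\Downloads\budget.xlsx
2025-09-01T09:12:09Z,C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE,C:\Windows\System32\cmd.exe,cmd.exe /c powershell.exe -WindowStyle Hidden
2025-09-01T09:12:40Z,C:\Windows\explorer.exe,C:\Program Files\WinRAR\WinRAR.exe,WinRAR.exe C:\Users\alice\Downloads\report.rar
2025-09-01T09:12:44Z,C:\Program Files\WinRAR\WinRAR.exe,C:\Windows\System32\mshta.exe,mshta.exe C:\Users\alice\AppData\Local\Temp\stage.hta
2025-09-02T08:00:12Z,C:\Windows\explorer.exe,C:\Windows\System32\mshta.exe,mshta.exe C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.hta
2025-09-02T08:03:00Z,C:\Windows\explorer.exe,C:\Windows\System32\notepad.exe,notepad.exe
"""


def image_name(path: str) -> str:
    """Lower-cased file name of an image path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events_csv: str) -> list[dict]:
    """Return one alert per event matching either detection rule."""
    alerts = []
    for row in csv.DictReader(StringIO(events_csv)):
        parent, child = image_name(row["parent_image"]), image_name(row["image"])
        cmdline = row["command_line"].lower()
        if parent in DOCUMENT_HANDLERS and child in SCRIPT_HOSTS:
            alerts.append({"time": row["time"], "rule": "document_handler_spawns_script_host",
                           "detail": f"{parent} -> {child}"})
        if STARTUP_DIR in cmdline:
            alerts.append({"time": row["time"], "rule": "execution_from_startup_folder",
                           "detail": row["command_line"]})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(a["time"], a["rule"], a["detail"])
```

The Startup-folder rule fires on the command line rather than the image path because a dropped .hta runs under mshta.exe, so the persistence artifact only appears in the arguments.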
Instantly Fix Risks with Saner Patch Management
Saner Patch Management is continuous, automated, and integrated patching software that instantly fixes risks exploited in the wild. It supports major operating systems such as Windows, Linux, and macOS, as well as 550+ third-party applications.
It also allows you to set up a safe testing area to test patches before deploying them in a primary production environment. Saner patch management additionally supports a patch rollback feature in case of patch failure or a system malfunction.
Experience the fastest and most accurate patching software here.
