WmRAT

WmRAT is a C++ malware family associated with the Bitter threat actor, also tracked as TA397, which Proofpoint and Threatray assessed with high confidence as a state-backed espionage group aligned with Indian government interests. Reporting from late 2024 through early 2025 places WmRAT in campaigns targeting primarily government, diplomatic, and defense organizations, including targeting of Turkey and entities in Europe with links to China and neighboring countries relevant to Indian geopolitical interests. Proofpoint reported that TA397 used spear-phishing as the observed initial access vector, delivering files or URLs that commonly created scheduled tasks; the actor experimented with MSC, CHM, LNK, IQY, and Microsoft Access files, and in some cases abused Microsoft Search Connector files and exploited CVE-2024-43572 (GrimResource). In hands-on-keyboard intrusions against government organizations, TA397 manually enumerated victim systems and selectively deployed follow-on payloads including WmRAT and MiyaRAT, sometimes after pre-filtering targets based on received system information. Proofpoint found WmRAT payloads on a TA397-controlled SMB share after operators mounted \72.18.215[.]1\tempy to retrieve payloads. Detection content indicates WmRAT can be tracked via YARA using socket usage, error handling, and reused strings. High-confidence infrastructure and related indicators mentioned in the reporting include TA397 upload activity to /svupfl.php on 46.229.55[.]63, attempted payload retrieval from 173.254.204[.]72, and the SMB share \72.18.215[.]1\tempy where WmRAT and MiyaRAT payloads were found.