APT-C-08 Expands Its Arsenal with a Stealthy New Remote Access Trojan
The hacking collective APT-C-08, also known as TA397 and Bitter, continues to expand its cyber arsenal. Chinese researchers have uncovered a new malicious component belonging to the family of remote access trojans, previously unseen in public reporting. This tool has been provisionally named gmRAT, in reference to its predecessor wmRAT, which was actively deployed by the same group. Though still in development — as evidenced by its “beta_v1.0” designation — gmRAT already showcases a broad range of functionalities designed to maintain control over compromised systems.
The first identified sample, distributed under the name gsxviewm.exe, weighed approximately 395 KB and connected to a C2 server at pololiberty.com via port 56218. Upon establishing communication, it harvested extensive information from the victim’s machine — including username, hostname, running processes, OS version, administrative privileges, and hardware identifiers — before transmitting these details back to the attackers.
Its command-based framework enables the execution of file and process operations, access to the command line and PowerShell, document upload and download, screenshot capture, and enumeration of available drives. Commands observed include: pwd, dir, cd, cp, mv, rm, run_process, upload, cont_upload, CNL_UP, StartTransmit, download, shell, pshell, list_drives, screenshot, among others. Data transfers are handled through segmented 64 KB blocks with markers, allowing interrupted operations to resume seamlessly.
Certain commands, such as reg_query and reg_add, remain only partially implemented, reflecting its unfinished state. Nevertheless, gmRAT already provides attackers with comprehensive remote control over infected machines. Analysis shows that results and artifacts are stored in system directories to minimize suspicion — for instance, screenshots are saved under C:\Users\Public\Pictures\ss.jpg while uploaded files are deposited in C:\ProgramData. This stealth-oriented approach also simplifies long-term management of compromised hosts.
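As an added defender-side example (not code from the original report or from the researchers), the following Python triage checks constructed Sysmon-style events for the indicators quoted above: the two sample filenames, the C2 host and port, the screenshot path and writes into C:\ProgramData. The "key=value" line format, the field names and the rule of flagging ProgramData writes only when the writer is a known gmRAT filename are assumptions of this example.

```python
import re
from ntpath import basename

# Indicators quoted in the report above.
GMRAT_BINARIES = {"gsxviewm.exe", "gviewstc.exe"}
C2_HOST, C2_PORT = "pololiberty.com", "56218"
SCREENSHOT_PATH = r"c:\users\public\pictures\ss.jpg"
STAGING_DIR = "c:\\programdata\\"

# Constructed sample events (not real telemetry) in an assumed
# "key=value key=value" line format, one Sysmon-like event per line.
SAMPLE_EVENTS = r"""
type=process image=C:\Users\bob\AppData\Local\Temp\gsxviewm.exe
type=network image=C:\Users\bob\AppData\Local\Temp\gsxviewm.exe dst=pololiberty.com dport=56218
type=file image=C:\Users\bob\AppData\Local\Temp\gsxviewm.exe path=C:\Users\Public\Pictures\ss.jpg
type=file image=C:\Users\bob\AppData\Local\Temp\gsxviewm.exe path=C:\ProgramData\report.docx
type=file image=C:\Windows\explorer.exe path=C:\Users\bob\Documents\notes.txt
type=network image=C:\Program Files\Mozilla Firefox\firefox.exe dst=example.org dport=443
"""

def parse_event(line):
    """Split one 'key=value key=value' line into a dict (assumed format; values may contain spaces)."""
    return dict(re.findall(r"(\w+)=(.*?)(?=\s\w+=|$)", line))

def match_indicators(ev):
    """Return the report's indicators that this single event matches."""
    hits = []
    image = basename(ev.get("image", "")).lower()
    path = ev.get("path", "").lower()
    if ev.get("type") == "process" and image in GMRAT_BINARIES:
        hits.append("known gmRAT filename")
    if ev.get("type") == "network" and ev.get("dst") == C2_HOST and ev.get("dport") == C2_PORT:
        hits.append("C2 pololiberty.com:56218")
    if ev.get("type") == "file" and path == SCREENSHOT_PATH:
        hits.append("screenshot artifact ss.jpg")
    # Writes to C:\ProgramData are common; flag only when the writer is a gmRAT name.
    if ev.get("type") == "file" and path.startswith(STAGING_DIR) and image in GMRAT_BINARIES:
        hits.append("gmRAT staging in ProgramData")
    return hits

def triage(log_text):
    """Return [(line_number, [indicators...])] for every event that matched."""
    findings = []
    for n, line in enumerate(log_text.strip().splitlines(), 1):
        hits = match_indicators(parse_event(line))
        if hits:
            findings.append((n, hits))
    return findings

if __name__ == "__main__":
    for n, hits in triage(SAMPLE_EVENTS):
        print(f"line {n}: {', '.join(hits)}")
```

Filename and path matches are weak on their own (the binaries can be renamed); the network indicator and the screenshot path written by an unexpected process are the higher-confidence signals to alert on.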
In addition to gsxviewm.exe, analysts identified another variant, gviewstc.exe, with identical size and functionality. Its timestamp traces back to April 2025, and it first appeared on VirusTotal in May, still evading most detection engines — a testament to its high level of stealth. The fact that these binaries were distributed via infrastructure linked to APT-C-08, which previously propagated wmRAT and various .NET-based malware, combined with characteristic URL templates incorporating system variables, firmly ties gmRAT to the group’s ecosystem.
APT-C-08 has long focused its operations on South Asian nations, targeting government bodies, diplomatic missions, universities, and defense contractors. In recent years, the group has consistently expanded its technical capabilities, developing proprietary malware, adapting tools to new platforms, and refining evasion tactics. The emergence of gmRAT demonstrates its determination not only to preserve existing access channels but also to broaden its toolkit with more sophisticated components. Backed by financial resources and skilled personnel, APT-C-08 cements its position as one of the most formidable regional APT groups.