Operation Bitter Biscuit Analysis Report
2017-10-12 • Ahnlab • Operation Bitter Biscuit Analysis Report
http://image.ahnlab.com/file_upload/asecissue_files/ASEC_REPORT_vol.88.pdf
Attachments
ASEC_REPORT_vol.88.pdf (2 MB)
AhnLab analyzes Operation Bitter Biscuit as a long-running APT campaign observed from 2011 through 2017 against major South Korean organizations, with additional earlier activity affecting Japan, India, and possibly Russian-language users. The campaign used Bisonal, Bioazih, Dexbia, and related backdoors against military bodies, defense contractors, IT companies, and other sensitive institutions. Infection attempts relied mainly on spear-phishing attachments, including executables disguised as documents and malicious Office macro documents that displayed decoy content after execution. The Bisonal family appears in multiple DLL and EXE forms, often stores C2 and identifier strings with XOR encoding, and has used dynamic DNS domains resembling legitimate Korean institutional sites to redirect victims only when remote control is needed. The report matters because it ties several years of related malware activity and targeting patterns into a sustained campaign against defense and government-adjacent sectors.
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| DOMAIN | dynamic-dns.net | 2017-10-12 | 2022-01-13 |