
Meta Cracks Down on Bitter APT and APT36 Cyber Espionage: What Organizations Must Know in 2026

Meta said it had taken action against two cyber espionage operations in South Asia. The company disclosed the takedowns in its Quarterly Adversarial Threat Report for the second quarter of 2022, published in August 2022. One of the groups, Bitter, used a variety of malicious tactics to target people online through social engineering and to infect their devices with malware.


Meta Cracks Down on Bitter APT and APT36 Cyber Espionage Operations in South Asia

In a significant move against cyber espionage, Meta took action against two advanced persistent threat (APT) groups, Bitter APT and APT36, that were targeting individuals and organizations across South Asia and the Middle East. The disclosure came through Meta's Quarterly Adversarial Threat Report for Q2 2022. Although the takedown dates to 2022, the tactics used by both groups remain directly relevant in 2026: social media based social engineering, mobile malware, and spear phishing continue to be among the most common initial access techniques used by state sponsored threat actors globally. Learn more: What Is Phishing and How To Protect Yourself From It.

Meta’s Security Response Against Bitter APT

Bitter APT is a cyber espionage group that, in the activity Meta disrupted, primarily targeted people in New Zealand, India, Pakistan, and the UK through elaborate social engineering and malware. Although its tooling is relatively low in sophistication, the group is notable for its persistence and for adapting its tactics to evade detection after each disruption. Here’s an in depth look at Bitter’s strategies and Meta’s counteractions.

How Bitter APT Executes Cyber Attacks

Bitter APT uses multiple tactics to distribute malware and deceive its targets, typically involving:

  • Social engineering techniques: Bitter APT often uses fake profiles and carefully crafted messages to trick users into sharing sensitive information or clicking on malicious links.
  • Malicious domains and compromised websites: They set up deceptive websites that appear trustworthy to lure victims into downloading malware.
  • Link shortening services and third party file hosting: These services hide the final destination of a link and make malicious URLs harder to track and block, allowing Bitter to reach more victims with disguised links.

Tactics, Techniques, and Procedures (TTPs)

Bitter’s TTPs, as documented by Meta, included an iOS chat application distributed through Apple’s TestFlight beta testing service (a legitimate channel that let the group deliver a custom app to targets without relying on exploits), Android malware known as Dracarys embedded in trojanized versions of popular chat apps, and social engineering that adapted whenever Meta’s enforcement disrupted it. While the group’s technical complexity is relatively low, its understanding of user behavior lets it get past initial security measures effectively.

Meta’s threat analysis identified and removed these malicious networks and enhanced monitoring to prevent future incidents. By neutralizing Bitter’s activities, Meta significantly disrupted the group’s cyber espionage operations, limiting its access to victims on Meta’s platforms.

The Tactics Behind APT36’s Campaigns

APT36 has been known to leverage phishing attacks, malicious attachments, and spear phishing to obtain classified or sensitive information. Though APT36’s technical sophistication is relatively low, it uses methods that are effective against specific target groups. Its approach commonly includes:

  • Phishing attacks via email and social media: These attempts to steal login credentials often use urgent or fear inducing messages to persuade users to respond.
  • Malicious attachments and links: These infect a target’s device upon download, potentially giving APT36 remote access to sensitive data.
  • Spear phishing campaigns: APT36 carefully researches and tailors messages to appeal directly to high value targets, such as government officials or military personnel.

Meta’s investigative team was able to identify APT36’s tactics and prevent their activities on its platforms. The efforts taken reflect Meta’s ongoing mission to protect user data and disrupt coordinated cyber threats.

Global Impact and Implications for Cybersecurity

The crackdown on Bitter APT and APT36 exemplifies how social media and technology companies can mitigate cyber espionage threats. As these groups increasingly rely on sophisticated social engineering tactics and malware, global platforms like Meta play a critical role in identifying and curtailing malicious operations.

Understanding the Global Threat Landscape

Both Bitter APT and APT36 showcase how state sponsored and independent cyber espionage groups can exploit platforms to distribute malware and infiltrate organizations. By targeting a range of industries and sectors, these groups illustrate the broad impact of cyber espionage in today’s digital landscape.

Meta’s Proactive Measures in Cybersecurity

Meta’s success in countering these operations also underscores the importance of proactive monitoring, data sharing, and collaboration among tech companies and governments. With its quarterly threat reports, Meta provides transparency into emerging threats and a model for other companies to emulate in their security measures.

Why Bitter APT and APT36 Tactics Still Matter in 2026

The methods used by Bitter APT and APT36 in 2022 remain highly relevant today. Social engineering through fake social media profiles, mobile malware delivered via messaging platforms, and spear phishing targeting government officials and military personnel are all techniques that continue to be widely used by state affiliated threat actors in 2026. The groups that succeed in cyber espionage rarely invent new techniques. They refine and persist with proven ones.

For organizations, the lesson is clear: protecting against APT style attacks requires a combination of technical controls and trained employees who recognize social engineering attempts. Attackers who cannot compromise technical defenses will target the human layer. They will pose as recruiters, journalists, researchers, or colleagues on LinkedIn, WhatsApp, Facebook, and email to establish trust before delivering malware or harvesting credentials.

How Keepnet Helps Organizations Defend Against Social Engineering and APT Tactics

Keepnet's platform directly addresses the human layer vulnerabilities that groups like Bitter APT and APT36 exploit most effectively.

  • Phishing Simulator: Trains employees to recognize and report spear phishing emails, fake credential harvesting pages, and social engineering lures that mirror real APT tactics.
  • Security Awareness Training: Delivers role based training on identifying suspicious social media contact, malicious attachments, and fake profiles used in social engineering campaigns.
  • Vishing Simulator: Tests employee resilience against voice based social engineering, a technique APT groups use to establish initial contact or verify targets before deploying malware.
  • Incident Responder: Enables rapid triage and removal of suspicious emails from all inboxes, reducing the window between delivery of a malicious message and containment.

Editor's Note: This article was updated on May 20, 2026.



Frequently Asked Questions

What is Bitter APT and who does it target?


Bitter APT (also tracked as T-APT-17) is a cyber espionage group believed to operate with ties to South Asia. It primarily targets government, defense, and energy sector organizations in New Zealand, India, Pakistan, Bangladesh, and the United Kingdom. The group is notable for its persistence rather than its technical sophistication, using fake social media profiles, social engineering, and mobile malware including the Android based Dracarys malware to compromise targets over extended periods.

What is APT36 and what are its primary targets?


APT36, also known as Transparent Tribe or ProjectM, is a Pakistan linked threat actor that has been active since at least 2013. It primarily targets Indian government and military personnel, defense contractors, and educational institutions. APT36 is known for using spear phishing emails with malicious attachments, fake job offers, and compromised websites to deliver custom malware including CrimsonRAT and ObliqueRAT. The group frequently creates fake personas on social media platforms to establish contact with targets before delivering malware.

What is the Dracarys malware used by Bitter APT?


Dracarys is Android based spyware used by Bitter APT. It is delivered through trojanized apps, typically versions of legitimate messaging applications repackaged with the spyware inside. Once installed, Dracarys can harvest call logs, contacts, SMS messages, device location, device information, and files, take photos, record audio through the microphone, and install further apps. It relies on masquerading as a legitimate application rather than on exploits, which makes it particularly effective against targets who are not trained to scrutinize the permissions an app requests.
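As an added illustration of that permission scrutiny point (example code written for this page, not Meta's or Keepnet's tooling), the script below triages an Android manifest the way an analyst or MDM rule might: it scores permissions that a chat app has no business requesting, picks up device admin and accessibility declarations that live on components rather than in uses-permission entries, and flags a mismatch between the displayed app name and the package the real vendor ships. The permission weights and the "expected for a messaging app" set are hypothetical heuristics, and both manifests are constructed samples, not real malware.

```python
"""Triage an Android manifest for spyware-style permission requests.

Added example for this page, not code from Meta or Keepnet. The permission
weights and the "expected for a chat app" set are hypothetical triage
heuristics; the official package names are the ones the vendors publish.
"""
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Permissions a messaging app plausibly needs (assumption, not a standard list).
EXPECTED_FOR_MESSAGING = {
    "android.permission.INTERNET",
    "android.permission.CAMERA",
    "android.permission.RECORD_AUDIO",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.ACCESS_FINE_LOCATION",
}

# Permissions that point at surveillance or persistence rather than chat,
# with hypothetical weights.
SUSPICIOUS = {
    "android.permission.READ_SMS": 3,
    "android.permission.RECEIVE_SMS": 3,
    "android.permission.READ_CALL_LOG": 3,
    "android.permission.PROCESS_OUTGOING_CALLS": 2,
    "android.permission.RECEIVE_BOOT_COMPLETED": 1,
    "android.permission.REQUEST_INSTALL_PACKAGES": 2,
    "android.permission.SYSTEM_ALERT_WINDOW": 1,
    "android.permission.BIND_DEVICE_ADMIN": 3,
    "android.permission.BIND_ACCESSIBILITY_SERVICE": 3,
}

# Displayed app name -> package name the real vendor ships.
OFFICIAL_PACKAGES = {
    "Telegram": "org.telegram.messenger",
    "Signal": "org.thoughtcrime.securesms",
    "WhatsApp": "com.whatsapp",
}


def triage_manifest(manifest_xml: str) -> dict:
    """Score a manifest; a trojanized chat app should score high."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    app = root.find("application")
    label = app.get(ANDROID + "label", "") if app is not None else ""

    requested = {p.get(ANDROID + "name") for p in root.iter("uses-permission")
                 if p.get(ANDROID + "name")}
    # Device-admin receivers and accessibility services declare their
    # permission on the component, not through <uses-permission>.
    for comp in list(root.iter("service")) + list(root.iter("receiver")):
        perm = comp.get(ANDROID + "permission")
        if perm:
            requested.add(perm)

    hits = {p: w for p, w in SUSPICIOUS.items() if p in requested}
    unexpected = sorted(requested - EXPECTED_FOR_MESSAGING - set(SUSPICIOUS))
    official = OFFICIAL_PACKAGES.get(label)
    mismatch = official is not None and package != official
    score = sum(hits.values()) + (5 if mismatch else 0)
    return {
        "package": package,
        "label": label,
        "suspicious": sorted(hits),
        "unexpected": unexpected,
        "label_package_mismatch": mismatch,
        "score": score,
        "verdict": "suspicious" if score >= 4 else "benign",
    }


# Constructed sample manifests (not real malware samples).
TROJANIZED_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.tg.update">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="Telegram">
    <service android:name=".Svc"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="org.telegram.messenger">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application android:label="Telegram"/>
</manifest>"""

if __name__ == "__main__":
    for m in (TROJANIZED_MANIFEST, BENIGN_MANIFEST):
        r = triage_manifest(m)
        print(r["package"], r["verdict"], r["score"], r["suspicious"])
```

The manifest is extracted from an APK with any standard tool (the binary AndroidManifest.xml must be decoded to text first). The score threshold and the name-to-package map are the parts a real deployment would tune; the structural point is that legitimate chat apps do request the microphone and contacts, so the signal is in SMS and call log access, accessibility and device admin bindings, and a package name that does not belong to the vendor whose name is on the icon.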

How do APT groups use social media platforms for cyber espionage?


APT groups use social media platforms in several ways: creating fake personas that mimic recruiters, journalists, researchers, or colleagues to establish trust with targets; sending malicious links or files through direct messages that bypass email security filters; using platform messaging to conduct initial reconnaissance before moving to other channels; and leveraging stolen profile information to craft highly personalized spear phishing messages. Meta's takedown of Bitter APT and APT36 networks in 2022 disrupted these operations, but the underlying tactics continue to be used by multiple threat actor groups.

Why did Meta take action against these groups in 2022?


Meta's threat intelligence team identified networks of fake accounts operated by Bitter APT and APT36 on Facebook and Instagram that were being used to distribute malware, harvest credentials, and conduct social engineering against targets in South Asia and the Middle East. Meta removed these accounts, blocked the associated malicious domains, and shared indicators of compromise with industry peers, security researchers, and law enforcement. The action was disclosed in Meta's Q2 2022 Quarterly Adversarial Threat Report as part of the company's ongoing transparency efforts.

Are Bitter APT and APT36 still active in 2026?


Yes. Despite the 2022 disruption of their social media operations by Meta, both Bitter APT and APT36 continue to operate. Security researchers have documented ongoing campaigns by both groups after the takedown, targeting the same industries and geographies using updated toolsets. APT groups are rarely permanently disrupted by single platform takedowns because they operate across multiple channels simultaneously and quickly adapt their infrastructure. The 2022 action reduced their reach on Meta's platforms but did not eliminate the threat.

What is spear phishing and how is it used in APT campaigns?


Spear phishing is a targeted form of phishing in which attackers research specific individuals and craft personalized messages designed to appear credible to that person. APT groups like APT36 invest significant time in researching targets before sending spear phishing emails, using details about the target's role, colleagues, or current projects to make the message convincing. Unlike broad phishing campaigns, spear phishing has a high success rate because recipients are less likely to be suspicious of messages that reference real context. Read more about how to recognize and prevent spear phishing.

How can organizations protect themselves against APT style social engineering?


Defense against APT social engineering requires a combination of technical controls and human layer training. Technically, organizations should enforce MFA on all accounts, block or quarantine executable, script, and macro enabled attachment types at the mail gateway, deploy endpoint detection, and monitor for anomalous login behavior. From the human layer perspective, employees need regular training on identifying fake personas, suspicious contact requests, and unsolicited attachments or links. Running phishing simulations that replicate the tactics APT groups use helps employees build the pattern recognition skills needed to respond correctly under real conditions.
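The attachment control above is usually described as "restrict file types", but an extension allow-list on its own misses the tricks spear phishers lean on. The following is an added example written for this page (not Keepnet's product logic) of a gateway admission rule that goes a step further: it catches double extensions such as invoice.pdf.exe, right-to-left override characters that make an .exe display as a document, and content whose magic bytes do not match the claimed extension. The extension lists and magic-byte table are a hypothetical policy, and the sample attachments are constructed.

```python
"""Attachment admission policy: allow, quarantine, or block.

Added example for this page, not code from Keepnet or Meta. The extension
lists and magic-byte table are a hypothetical policy a mail gateway might
carry; the checks go beyond a plain extension lookup by catching double
extensions, bidi override tricks in the filename, and content that does not
match the extension.
"""

# Unicode bidi controls: U+202E (RLO) makes "cv_\u202ecod.exe" render as "cv_exe.doc".
BIDI_OVERRIDES = ("\u202e", "\u202d", "\u202b", "\u202a", "\u202c")

BLOCK_TYPES = {
    "exe", "scr", "pif", "com", "bat", "cmd", "ps1", "vbs", "vbe", "js", "jse",
    "wsf", "wsh", "hta", "lnk", "msi", "cpl", "jar", "iso", "img", "vhd", "vhdx",
}
# Macro-enabled or container formats: detonate in a sandbox before release.
QUARANTINE_TYPES = {"docm", "xlsm", "pptm", "dotm", "xlam", "rtf", "zip", "rar", "7z", "one"}
# Benign-looking types an attacker puts in front of the real extension.
DOCUMENT_TYPES = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt", "jpg", "png"}

# Expected leading bytes for common benign types (hypothetical table).
MAGIC = {
    "pdf": (b"%PDF",),
    "docx": (b"PK\x03\x04",), "xlsx": (b"PK\x03\x04",), "pptx": (b"PK\x03\x04",),
    "zip": (b"PK\x03\x04",),
    "png": (b"\x89PNG",), "jpg": (b"\xff\xd8\xff",), "jpeg": (b"\xff\xd8\xff",),
    "doc": (b"\xd0\xcf\x11\xe0",), "xls": (b"\xd0\xcf\x11\xe0",),
}


def classify_attachment(filename: str, head: bytes = b"") -> tuple:
    """Return (verdict, reasons). `head` is the first few bytes of the file."""
    reasons = []
    clean = filename
    for ch in BIDI_OVERRIDES:
        if ch in clean:
            reasons.append("bidi override character in filename")
            clean = clean.replace(ch, "")  # strip it to recover the real extension

    parts = clean.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""

    if len(parts) >= 3 and parts[-2] in DOCUMENT_TYPES and ext not in DOCUMENT_TYPES:
        reasons.append(f"double extension .{parts[-2]}.{ext}")
    if ext in BLOCK_TYPES:
        reasons.append(f"blocked type .{ext}")
    # A PE image ("MZ") under a document extension is a disguised executable.
    if head.startswith(b"MZ") and ext not in BLOCK_TYPES:
        reasons.append("PE header under a non-executable extension")
    expected = MAGIC.get(ext)
    if expected and head and not head.startswith(expected):
        reasons.append(f"content does not match .{ext}")

    if reasons:
        return "block", reasons
    if ext in QUARANTINE_TYPES:
        return "quarantine", [f"sandbox before release: .{ext}"]
    return "allow", []


def review_batch(attachments):
    """Classify a list of (filename, leading_bytes) pairs."""
    return {name: classify_attachment(name, head) for name, head in attachments}


# Constructed sample attachments, not captured from real mail.
SAMPLE_MAIL_ATTACHMENTS = [
    ("quarterly_report.pdf", b"%PDF-1.7\n"),
    ("invoice.pdf.exe", b"MZ\x90\x00\x03"),
    ("cv_\u202ecod.exe", b"MZ\x90\x00\x03"),   # displays as cv_exe.doc
    ("brief.docx", b"MZ\x90\x00\x03"),          # PE renamed to .docx
    ("budget.xlsm", b"PK\x03\x04"),             # macro-enabled workbook
]

if __name__ == "__main__":
    for name, (verdict, why) in review_batch(SAMPLE_MAIL_ATTACHMENTS).items():
        print(f"{verdict:10s} {name!r} {why}")
```

Quarantine is deliberately a separate outcome from block: macro-enabled Office files and archives are common in legitimate business mail, so the policy holds them for sandbox detonation rather than silently dropping them, which keeps the rule usable without training users to expect that blocked mail is normal.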

What role do technology platforms play in disrupting cyber espionage?


Technology platforms like Meta play a critical role in cyber espionage disruption because they sit between attackers and their targets at scale. When a platform identifies and removes coordinated inauthentic behavior or malware distribution networks, it cuts off a major communication and delivery channel for APT groups. Meta's quarterly threat reports also serve an important public function by providing indicators of compromise, describing tactics, and alerting the broader security community to active operations. This transparency helps other organizations and platforms implement protective measures.

What should employees do if they receive a suspicious social media contact or message?


Employees should treat unsolicited contact from unknown individuals on professional or personal social media platforms with caution, particularly if the contact requests to share files, click links, or communicate via other messaging channels. They should verify the identity of any contact that claims to be a recruiter, journalist, or known colleague before engaging further. Any suspicious message containing links or attachments should be reported to the security team without clicking. Organizations should publish a clear reporting procedure and use tools like Keepnet's Incident Responder to streamline the triage and response process when suspicious contacts are reported.