Full Report
A threat actor with suspected ties to India has been observed targeting a European foreign affairs ministry with malware capable of harvesting sensitive data from compromised hosts. The activity has been attributed by Trellix Advanced Research Center to an advanced persistent threat (APT) group called DoNot Team, which is also known as APT-C-35, Mint Tempest, Origami Elephant, SECTOR02, and
Analysis Summary
# Threat Actor: DoNot APT
## Attribution & Identity
* **Primary Identification:** DoNot Team (APT Group)
* **Suspected Ties:** Suspected ties to India.
* **Known Aliases:** APT-C-35, Mint Tempest, Origami Elephant, SECTOR02, Viceroy Tiger.
## Activity Summary
* **Historical Activity:** Assessed to be active since 2016.
* **Recent Campaign:** Targeted a European foreign affairs ministry.
* **Campaign Method:** Spear-phishing emails sent from a Gmail address, impersonating defense officials (e.g., referencing an Italian Defense Attaché's visit to Dhaka, Bangladesh). The emails used HTML formatting with UTF-8 encoding so they would appear legitimate.
* **Infection Chain:** The emails contained links to a Google Drive download that delivered a RAR archive, which in turn deployed the LoptikMod malware.
* **Objective Implied:** Persistent surveillance, data exfiltration, and long-term access, characteristic of cyber espionage.
## Tactics, Techniques & Procedures
* **Delivery/Initial Access:** Spear-phishing emails delivered via Gmail accounts.
* **Execution:** A malicious RAR archive containing an executable disguised as a PDF document; opening the file deploys the malware.
* **Persistence:** Establishing persistence via scheduled tasks post-compromise.
* **Command and Control (C2):** Establishing contact with a remote server to receive commands, send system information, download additional modules, and exfiltrate data.
* **Evasion/Defense Evasion:**
  * Employing anti-VM techniques to hinder analysis in virtual environments.
  * Using ASCII obfuscation to evade analysis.
  * Employing logic to ensure only one instance of the malware runs concurrently on the host.
* **Known Malware Families (Historical/Associated):** YTY, GEdit (backdoors).
## Targeting
* **Sectors:** Government entities, foreign ministries, defense organizations, and NGOs.
* **Geography:** South Asia and Europe (specifically mentioned targeting a Southern European government entity).
* **Victims:** A European foreign affairs ministry.
## Tools & Infrastructure
* **Malware Families Used:** LoptikMod (a remote access trojan used since at least 2018, exclusively by this group).
* **Infrastructure (C2, domains, IPs):** The C2 server observed in the recent campaign was reported as inactive at the time of the report. (No specific active IPs or URLs were provided.)
## Implications
DoNot APT continues to conduct targeted, sophisticated espionage operations, leveraging custom-built malware and high-quality social engineering (deceptive email formatting) to gain deep persistence within sensitive government networks, particularly those in Europe and South Asia. The use of custom malware (LoptikMod) and defense evasion techniques suggests a well-resourced and capable threat actor.
## Mitigations
* Scrutinize incoming emails, especially those referencing diplomatic or defense topics, even when they appear professionally formatted; polished HTML formatting is not evidence of authenticity.
* Implement robust email filtering to block or sandbox links originating from file-sharing services like Google Drive in unsolicited content.
* Implement strict controls and monitoring around the creation of scheduled tasks.
* Deploy endpoint detection and response (EDR) solutions capable of detecting anti-VM and obfuscation techniques.
* Monitor for single-instance execution logic (checks that ensure only one copy of a program runs at a time), a behaviour common among custom malware.
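The scheduled-task monitoring recommended above, shown as detection logic over constructed Windows Security event 4698 ("a scheduled task was created") records. This is an added example, not code from the report or from Trellix; the event dictionaries, the task names and the file names are constructed, and the two heuristics (an action launched from a user-writable path, and a document-looking name ending in an executable extension, matching the PDF-disguised executable described in the Execution entry) are assumptions about what a first-pass rule should flag.

```python
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

# Namespace of the TaskContent XML carried by Windows Security event 4698
TS_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Locations an unprivileged user can write to; persistence launched from here deserves a look
USER_WRITABLE = re.compile(
    r"\\(users\\[^\\]+\\(appdata|downloads|desktop|documents)|users\\public|programdata|windows\\temp)\\",
    re.I)
# Document-looking name with a trailing executable extension, e.g. invitation.pdf.exe
DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?|pptx?|rtf|txt)\.(exe|scr|com|bat|cmd|vbs|js|ps1)$", re.I)

def task_actions(task_content: str) -> List[Tuple[str, str]]:
    """Return (command, arguments) for every Exec action declared in a task's XML."""
    root = ET.fromstring(task_content)
    actions = []
    for exe in root.findall(".//t:Actions/t:Exec", TS_NS):
        cmd = exe.findtext("t:Command", default="", namespaces=TS_NS).strip().strip('"')
        args = exe.findtext("t:Arguments", default="", namespaces=TS_NS).strip()
        actions.append((cmd, args))
    return actions

def assess_event(event: Dict[str, object]) -> List[str]:
    """Reasons a 4698 event looks like malware persistence; an empty list means nothing was flagged."""
    reasons: List[str] = []
    if event.get("EventID") != 4698:
        return reasons
    for cmd, _args in task_actions(str(event["TaskContent"])):
        if USER_WRITABLE.search(cmd):
            reasons.append(f"task action runs from a user-writable path: {cmd}")
        if DOUBLE_EXT.search(cmd):
            reasons.append(f"executable masquerading as a document: {cmd}")
    return reasons

def scan(events: List[Dict[str, object]]) -> Dict[str, List[str]]:
    """Map task name -> findings for every event that raised at least one finding."""
    return {str(e["TaskName"]): r for e in events if (r := assess_event(e))}

def _task_xml(command: str, arguments: str = "") -> str:
    """Minimal TaskContent document in the shape logged by event 4698 (constructed for this example)."""
    return ('<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
            f"<Actions><Exec><Command>{command}</Command><Arguments>{arguments}</Arguments></Exec>"
            "</Actions></Task>")

# Constructed sample events, not data from the report; the second one mimics the disguised-PDF lure
SAMPLE_EVENTS = [
    {"EventID": 4698, "TaskName": r"\Microsoft\Windows\Defrag\ScheduledDefrag",
     "TaskContent": _task_xml(r"C:\Windows\System32\defrag.exe", "-c -h")},
    {"EventID": 4698, "TaskName": r"\OfficeUpdate",
     "TaskContent": _task_xml(r"C:\Users\jdoe\AppData\Local\Temp\Defense_Attache_Visit.pdf.exe")},
    {"EventID": 4698, "TaskName": r"\NightlyBackup",
     "TaskContent": _task_xml(r"C:\Program Files\Backup Tool\backup.exe", "--nightly")},
]
```

Running `scan(SAMPLE_EVENTS)` flags only the `\OfficeUpdate` task, on both heuristics; in production the same checks would be fed from the 4698 events exported by the SIEM rather than from the inline samples.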