Full Report
The threat actor known as DoNot Team has been linked to a new Android malware as part of highly targeted cyber attacks. The artifacts in question, named Tanzeem (meaning "organization" in Urdu) and Tanzeem Update, were spotted in October and December 2024 by cybersecurity company Cyfirma. The apps in question have been found to incorporate identical functions, barring minor modifications to the
Analysis Summary
# Threat Actor: DoNot Team
## Attribution & Identity
* **Primary Name:** DoNot Team
* **Known Aliases:** APT-C-35, Origami Elephant, SECTOR02, Viceroy Tiger
* **Attribution:** Believed to be of Indian origin.
## Activity Summary
DoNot Team has been linked to cyber attacks utilizing a new Android malware nicknamed **Tanzeem** (and **Tanzeem Update**). These artifacts were observed in October and December 2024. The malware masquerades as a chat application but shuts down after initial permissions are granted, suggesting a single purpose: intelligence collection against specific individuals or groups. Historically, the group has used spear-phishing emails and Android malware for information gathering. They were also linked to the .NET-based backdoor **Firebird** in October 2023.
## Tactics, Techniques & Procedures
* Malware delivery via malicious Android applications disguised as legitimate chat tools.
* Use of legitimate third-party services (OneSignal) to potentially distribute phishing links leading to malware deployment.
* Tricking users into granting high-level permissions by displaying a fake chat screen ("Start Chat" button).
* Abusing the **accessibility services API** upon user interaction to gain elevated privileges on the Android device.
* Historical TTPs include using spear-phishing emails.
## Targeting
* **Sectors:** Not explicitly detailed for the latest campaign; the group generally selects its targets for intelligence collection rather than by industry.
* **Geography:** Implied targeting of specific individuals both inside and outside the actor's home country. Previous activity targeted victims in Pakistan and Afghanistan.
* **Victims:** Exact targets for the Tanzeem malware are unclear, but investigations suggest a focus on collecting intelligence against perceived internal threats.
## Tools & Infrastructure
* **Malware Families Used:** Tanzeem, Tanzeem Update (Android malware), Firebird (.NET-based backdoor).
* **Infrastructure:** Abuses the **OneSignal** library, potentially for C2 communication or phishing link distribution.
## Implications
DoNot Team remains an active, sophisticated threat actor focused on targeted espionage and intelligence collection, leveraging convincing social engineering tactics on the Android platform. Their use of legitimate services like OneSignal demonstrates an effort to blend into normal network traffic and complicate detection.
## Mitigations
* Strictly monitor and review requests for granting Accessibility Services API permissions on mobile devices.
* Implement strong vetting processes for third-party application sources, especially those disguised as communication tools.
* Investigate and block suspicious push notifications or in-app messages originating from seemingly legitimate platforms if they prompt immediate action or permission grants.
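The TTPs above (a chat-app lure that declares an accessibility service and bundles the OneSignal push SDK) and the first mitigation (reviewing which accessibility services are enabled on a device) can both be turned into a small triage check. The script below is an added example written for this summary, not code from Cyfirma or from the Tanzeem samples: it inspects an AndroidManifest.xml for a declared accessibility service and for components under the `com.onesignal.` package prefix, and it parses the value returned by `adb shell settings get secure enabled_accessibility_services` against an allowlist of expected accessibility providers. The manifest, the setting value, and the allowlist are constructed sample data; the component names in them are assumptions, not indicators from the report.

```python
"""Triage helpers for the two Tanzeem-style indicators discussed in the summary.

Added example; not the report's or Cyfirma's code. Sample inputs are constructed.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
# An accessibility service must hold this permission and answer this intent action.
ACCESSIBILITY_PERMISSION = "android.permission.BIND_ACCESSIBILITY_SERVICE"
ACCESSIBILITY_ACTION = "android.accessibilityservice.AccessibilityService"
# Package prefix the OneSignal SDK registers its components under.
PUSH_SDK_PREFIXES = ("com.onesignal.",)

# Constructed sample manifest: a "chat" launcher activity, an accessibility
# service and a OneSignal receiver. Component names are hypothetical.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.chatapp">
  <application android:label="Chat">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <service android:name=".HelperService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <receiver android:name="com.onesignal.NotificationDismissReceiver"/>
  </application>
</manifest>
"""

# Constructed value in the format of `settings get secure enabled_accessibility_services`:
# colon-separated "package/service" entries.
SAMPLE_SETTING = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"
    ":com.example.chatapp/com.example.chatapp.HelperService"
)
# Packages an organisation expects to provide accessibility services (assumed list).
DEVICE_ALLOWLIST = frozenset({"com.google.android.marvin.talkback"})


def _attr(element, name):
    """Read an android:-namespaced attribute."""
    return element.get(f"{{{ANDROID_NS}}}{name}")


def triage_manifest(manifest_xml: str) -> dict:
    """Collect the manifest facts relevant to the Tanzeem pattern."""
    root = ET.fromstring(manifest_xml)
    findings = {
        "package": root.get("package", ""),
        "accessibility_services": [],
        "push_sdk_components": [],
        "has_launcher": False,
    }
    for comp in root.iter():
        name = _attr(comp, "name") or ""
        if comp.tag == "service":
            actions = {_attr(a, "name") for a in comp.iter("action")}
            if _attr(comp, "permission") == ACCESSIBILITY_PERMISSION or ACCESSIBILITY_ACTION in actions:
                findings["accessibility_services"].append(name)
        if comp.tag in ("service", "receiver", "activity") and name.startswith(PUSH_SDK_PREFIXES):
            findings["push_sdk_components"].append(name)
        if comp.tag == "category" and name == "android.intent.category.LAUNCHER":
            findings["has_launcher"] = True
    return findings


def is_tanzeem_like(findings: dict) -> bool:
    """User-facing app + accessibility service + push SDK: the combination worth a manual look."""
    return bool(findings["has_launcher"] and findings["accessibility_services"] and findings["push_sdk_components"])


def suspicious_accessibility_services(setting_value: str, allowlist: frozenset) -> list:
    """Return enabled accessibility services whose package is not on the allowlist."""
    if not setting_value or setting_value.strip() == "null":  # "null" means none enabled
        return []
    flagged = []
    for entry in setting_value.strip().split(":"):
        if not entry:
            continue
        package = entry.split("/", 1)[0]
        if package not in allowlist:
            flagged.append(entry)
    return flagged


if __name__ == "__main__":
    result = triage_manifest(SAMPLE_MANIFEST)
    print(result, "tanzeem-like:", is_tanzeem_like(result))
    print("unexpected accessibility services:",
          suspicious_accessibility_services(SAMPLE_SETTING, DEVICE_ALLOWLIST))
```

In practice the manifest comes from a decoded APK (it is binary XML inside the package) and the setting value from a device management agent or `adb`; the match is a triage signal for human review, since legitimate assistive and automation apps also declare accessibility services.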