
Ethical Hacking News

APT Group Targets European Foreign Ministries with Custom-Built Malware



In a significant development, DoNot Team, an advanced persistent threat (APT) group believed to be linked to India, has targeted European foreign ministries with custom-built malware designed to harvest sensitive data. This expansion in their operations highlights the evolving sophistication of cyber espionage tactics and underscores the importance of proactive cybersecurity measures.



  • The DoNot Team, an advanced persistent threat (APT) group, has been identified by Trellix Advanced Research Center as a threat to European foreign ministries.
  • The group uses custom-built malware capable of harvesting sensitive data from compromised hosts and has been targeting European foreign ministries with phishing emails.
  • The attack chain involves phishing emails, LoptikMod remote access trojan, scheduled tasks, and connection to a remote server for data exfiltration.
  • The DoNot Team's operations indicate an expansion of their interests towards European diplomatic communications and intelligence.
  • The group uses sophisticated tactics, including anti-VM techniques and ASCII obfuscation, to hinder analysis efforts and avoid detection.



Trellix Advanced Research Center has identified a campaign by the advanced persistent threat (APT) group known as DoNot Team, also tracked as APT-C-35, Mint Tempest, Origami Elephant, SECTOR02, and Viceroy Tiger. The group has been observed targeting European foreign ministries with custom-built malware capable of harvesting sensitive data from compromised hosts.

This operation marks a significant expansion of the DoNot Team's activity, which previously focused on South Asian targets. According to Trellix researchers, the attack begins with phishing emails that lure recipients into clicking a Google Drive link, which downloads a RAR archive. The executable inside the archive is disguised as a PDF document; when the victim opens it, it runs the LoptikMod remote access trojan.

LoptikMod has been used exclusively by the DoNot Team since at least 2018. It employs anti-VM techniques and ASCII obfuscation to hinder execution in virtual environments and to make it harder for security researchers to determine the tool's purpose, thereby complicating analysis.

The malware also ensures that only one instance is running on the compromised system, avoiding potential interference with other running processes. The malicious emails, sent from a Gmail address, impersonate defense officials, with a subject line referencing an Italian Defense Attaché's visit to Dhaka, Bangladesh.

The phishing lure shows attention to detail: the message uses HTML formatting with UTF-8 encoding so that special characters such as the 'é' in 'Attaché' render correctly, increasing the email's apparent legitimacy. Once running, the malware establishes persistence through scheduled tasks and connects to a remote server to send system information, download additional modules, and exfiltrate data.
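The chain just described (a document-like executable out of an archive, followed by scheduled-task persistence in its process tree) is the kind of sequence a defender can correlate in endpoint telemetry. The Python below is an added example, not code from the article or from Trellix; the pipe-separated event format, the `%TEMP%\Rar$` extraction path, and the double-extension lure name are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample telemetry (not real data): ts|host|pid|ppid|image|cmdline
SAMPLE_EVENTS = """\
2025-07-01T09:02:11|WS-FM-17|4120|3900|C:\\Users\\u\\AppData\\Local\\Temp\\Rar$DIa.4120\\Attache_Visit.pdf.exe|Attache_Visit.pdf.exe
2025-07-01T09:02:15|WS-FM-17|4188|4120|C:\\Windows\\System32\\schtasks.exe|schtasks.exe /create /sc minute /mo 5 /tn Updater /tr C:\\Users\\u\\AppData\\Roaming\\upd.exe
2025-07-01T09:30:00|WS-FM-02|2210|1800|C:\\Program Files\\Adobe\\Acrobat.exe|Acrobat.exe report.pdf
2025-07-01T09:31:00|WS-FM-02|2290|2210|C:\\Windows\\System32\\schtasks.exe|schtasks.exe /query /tn Updater
"""
# An image named like a document but ending in .exe is the "PDF that is really an executable" lure.
DISGUISED_RE = re.compile(r"\.(?:pdf|docx?|xlsx?)\.exe$", re.IGNORECASE)
# WinRAR extracts to %TEMP%\Rar$...; treating that path as the extraction stage is an assumption.
ARCHIVE_TMP_RE = re.compile(r"\\Temp\\Rar\$", re.IGNORECASE)
TASK_CREATE_RE = re.compile(r"schtasks(?:\.exe)?\s+/create\b", re.IGNORECASE)

def parse_events(text):
    """Parse pipe-separated telemetry lines into dicts with a datetime timestamp."""
    events = []
    for line in text.strip().splitlines():
        ts, host, pid, ppid, image, cmdline = line.split("|", 5)
        events.append({"ts": datetime.fromisoformat(ts), "host": host, "pid": int(pid),
                       "ppid": int(ppid), "image": image, "cmdline": cmdline})
    return events

def is_descendant(by_pid, pid, ancestor, depth=8):
    """Walk the parent chain (bounded) to check whether `ancestor` spawned `pid`."""
    while depth and pid in by_pid:
        pid = by_pid[pid]["ppid"]
        if pid == ancestor:
            return True
        depth -= 1
    return False

def detect_lure_to_persistence(events, window=timedelta(minutes=10)):
    """Flag a disguised document executable followed by scheduled-task creation in its process tree."""
    alerts, by_host = [], {}
    for e in events:
        by_host.setdefault(e["host"], []).append(e)
    for host, evs in by_host.items():
        by_pid = {e["pid"]: e for e in evs}
        for lure in (e for e in evs if DISGUISED_RE.search(e["image"])):
            for e in evs:
                if (lure["ts"] <= e["ts"] <= lure["ts"] + window
                        and TASK_CREATE_RE.search(e["cmdline"])
                        and is_descendant(by_pid, e["pid"], lure["pid"])):
                    alerts.append({"host": host, "lure": lure["image"], "task_cmd": e["cmdline"],
                                   "from_archive_tmp": bool(ARCHIVE_TMP_RE.search(lure["image"]))})
    return alerts
```

The legitimate Acrobat launch followed by a `schtasks /query` on the second host produces no alert, which is the false-positive case the parent-chain and `/create` checks are there to exclude.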

Because the command-and-control (C2) server used in this campaign was inactive at the time of analysis, it is not possible to determine the exact commands sent to infected endpoints or the kinds of data returned. Trellix researchers assess that the operation is driven by a strong cyber espionage motive, marked by persistent surveillance and long-term access.

The operation indicates an expansion of the group's interest toward European diplomatic communications and intelligence. The DoNot Team is known for custom-built Windows malware, including backdoors such as YTY and GEdit, delivered through spear-phishing emails or malicious documents. This attack highlights the evolving sophistication of cyber espionage tactics and underscores the need for vigilance among government entities, foreign ministries, defense organizations, and NGOs.

Defending against this threat requires proactive measures to safeguard sensitive information and prevent data exfiltration: organizations should maintain robust defenses, including regular updates, patching, and monitoring, and employees must be educated about phishing and the importance of promptly reporting suspicious activity.

As the DoNot Team continues to refine its tactics, security researchers must keep analyzing its malware and documenting its patterns of behavior to enhance threat intelligence and inform mitigation strategies. The recent expansion of this group's operations underscores the need for collective vigilance against sophisticated cyber threats.



Related Information:
  • https://www.ethicalhackingnews.com/articles/APT-Group-Targets-European-Foreign-Ministries-with-Custom-Built-Malware-ehn.shtml
  • https://thehackernews.com/2025/07/donot-apt-expands-operations-targets.html

Published: Wed Jul 9 11:31:32 2025 by llama3.2 3B Q4_K_M
© Ethical Hacking News. All rights reserved.