Ethical Hacking News
A new India-linked cyberespionage group, known as DoNot APT, has expanded its scope to target European foreign ministries using custom Windows malware via phishing attacks. The group's ability to evade detection and gather sensitive information highlights the need for heightened vigilance and robust cybersecurity measures among European governments and organizations.
DoNot APT, a group of Indian origin that has been linked to various cyber espionage operations in recent years, has recently expanded its scope to target European foreign ministries. According to reports, the group has been using custom Windows malware via phishing attacks to gain access to sensitive data from infected systems.
The DoNot APT group, also known as the Donot Team, Origami Elephant, and APT-C-35, has been active since 2016, focusing on government entities, foreign ministries, defense organizations, and NGOs in South Asia and Europe. The group's modus operandi involves using spear-phishing emails that appear to be from legitimate sources, such as defense officials, to trick users into opening malicious attachments or clicking on links.
In a recent campaign, analyzed by cybersecurity firm Trellix, the DoNot APT group used LoptikMod malware to steal sensitive data from infected systems. The malware was delivered via a password-protected RAR file that was linked to a Google Drive account. Once opened, the disguised executable established persistence using a scheduled task and connected to a C2 server to send system information and receive commands.
The DoNot APT group's tactics, techniques, and procedures (TTPs) are consistent with other Indian-linked cyber espionage groups. The group uses various obfuscation techniques, such as binary string obfuscation and selective obfuscation by packing only critical code sections, to hinder static analysis. It also minimizes listed imports and loads APIs like LoadLibrary and GetProcAddress at runtime to evade detection.
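The packing and import hints above lend themselves to simple static triage. As an added example (not code from the article or from Trellix), the following Python computes per-section entropy and flags a binary whose code section is packed next to plain sections while its small import table still carries LoadLibrary/GetProcAddress; the section bytes, import list and thresholds are constructed assumptions for illustration, not indicators from the campaign.

```python
import math
from collections import Counter

# Win32 / Ntdll entries that let a binary resolve further APIs at runtime instead of
# listing them in its import table (assumed list for this example).
DYNAMIC_RESOLUTION_APIS = {
    "LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW",
    "GetProcAddress", "LdrLoadDll", "LdrGetProcedureAddress",
}

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 means a uniform byte distribution (packed/encrypted)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def triage(sections, imports, few_imports=15, packed_entropy=7.0):
    """sections: list of (name, raw_bytes) from the PE section table.
    imports: list of function names from the static import table.
    Returns human-readable findings; thresholds are assumptions, tune per corpus."""
    findings = []
    packed = [name for name, data in sections if shannon_entropy(data) >= packed_entropy]
    if packed and len(packed) < len(sections):
        findings.append(f"selective packing: high-entropy section(s) {packed} next to plain ones")
    elif packed:
        findings.append("fully packed: every section is high-entropy")
    dynamic = sorted(set(imports) & DYNAMIC_RESOLUTION_APIS)
    if len(imports) <= few_imports and dynamic:
        findings.append(f"minimal import table ({len(imports)} entries) with runtime resolution via {dynamic}")
    return findings

# Constructed sample: one uniform-byte 'code' section beside a plain data section,
# and an import table that is almost only the resolver pair.
SAMPLE_SECTIONS = [
    (".text", bytes(range(256)) * 16),                   # looks packed
    (".rdata", b"version 1.0 config string\x00" * 100),  # plain strings
]
SAMPLE_IMPORTS = ["LoadLibraryA", "GetProcAddress", "ExitProcess", "VirtualAlloc"]

def triage_sample():
    return triage(SAMPLE_SECTIONS, SAMPLE_IMPORTS)

if __name__ == "__main__":
    for finding in triage_sample():
        print(finding)
```

Feeding real section bytes and import names from a PE parser in place of the constructed sample turns this into a quick first-pass filter, not a verdict.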
The DoNot APT group's ability to evade detection is attributed to its use of anti-VM checks and its communication with a C2 server over HTTPS. The C2 server was inactive during analysis, preventing full observation of the malware's behavior.
The recent targeting of a European foreign affairs ministry by the DoNot APT group highlights its expanding scope and persistent interest in gathering sensitive information.
Furthermore, the DoNot APT group's use of custom Windows malware via phishing attacks demonstrates its ability to adapt to new environments and evade detection. The group's sophistication and persistence pose a significant threat to the security of European foreign ministries and other government entities.
In light of this latest development, it is essential for governments, organizations, and individuals to be aware of the risks posed by DoNot APT and take proactive measures to prevent infection. This includes implementing robust cybersecurity measures, such as regular software updates, secure password management, and employee education on phishing attacks.
Related Information:
https://www.ethicalhackingnews.com/articles/DoNot-APT-The-India-Linked-Cyberespionage-Group-Expanding-its-Scope-to-Target-European-Foreign-Ministries-ehn.shtml
https://securityaffairs.com/179774/apt/donot-apt-is-expanding-scope-targeting-european-foreign-ministries.html
Published: Wed Jul 9 20:39:14 2025 by llama3.2 3B Q4_K_M