The DoNot APT group, also tracked by various security vendors as APT-C-35, Mint Tempest, Origami Elephant, SECTOR02, and Viceroy Tiger, has been active since at least 2016 and is widely believed to have links to India. Operating within the broader landscape of state-sponsored cyber-espionage, DoNot APT is primarily focused on South Asian geopolitical interests. Its typical targets include government agencies, foreign ministries, defense organizations, and NGOs, particularly in South Asia and Europe.
The group is known for deploying custom-built Windows malware, such as the YTY and GEdit backdoors, often delivered via spear-phishing emails or malicious documents. Their operations are characterized by persistent surveillance, data exfiltration, and long-term access, all indicative of a strong espionage-driven objective. This report analyzes a recent campaign attributed to the DoNot APT group, shedding light on their evolving tactics and strategic goals.
Infection Chain:

DoNot APT Campaign – Attack Summary and Analysis:
In a recent campaign attributed to the DoNot APT group, attackers initiated the intrusion through a spear-phishing email containing a Google Drive link. When clicked, the link led the victim to download a compressed RAR archive file. This archive, once extracted, revealed malicious executables disguised as legitimate files. Upon execution, the malware dropped a batch script into the system's %TEMP% directory. This script then created a Scheduled Task, allowing the malware to maintain persistence across system reboots.
Once embedded in the host system, the malware established command-and-control (C2) communication with remote servers operated by the threat actor. This connection enabled the attackers to issue commands, download additional payloads, and ultimately exfiltrate sensitive data from the compromised system. The overall operation demonstrates a classic espionage-focused attack chain, marked by stealthy delivery, persistent access, and strategic data theft, characteristics typical of DoNot APT’s previous activity targeting South Asian and European government and NGO entities.
Technical Analysis of the DoNot APT Campaign:
1. Initial Access – Spear Phishing via Google Drive
The campaign begins with a spear-phishing email containing a Google Drive link, exploiting the legitimacy of trusted cloud platforms to evade email security filters. These emails are typically crafted to appear credible and urgent, increasing the likelihood that the recipient will click the link.
2. Payload Delivery – RAR Archive Download
When the target accesses the Google Drive link, they are prompted to download a compressed RAR archive. This archive commonly contains decoy documents and malicious executables, designed to appear harmless or relevant, thereby encouraging the user to interact with them.
3. Execution – Launch of Malicious Executables
Upon extracting the archive, the user is deceived into executing one of the embedded malicious files, which may masquerade as a document viewer, PDF, or legitimate software utility. This initiates the malware deployment phase.
4. Staging – Batch Script Dropped in %TEMP%
Once executed, the malware drops a batch script into the system’s %TEMP% directory. This script is responsible for preparing the environment, deploying additional components, modifying registry keys, or configuring the system for long-term compromise.
5. Persistence – Scheduled Task Creation
To maintain access, the batch script sets up a Scheduled Task within the system. This ensures the malware is automatically executed on system startup or at defined intervals, allowing the attackers to retain a persistent foothold even after reboots or user logouts.
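The staging and persistence steps above (a batch script executed from %TEMP%, followed by a Scheduled Task registration) leave a recognisable process-creation trail. The following hunting script is an added example written for this post, not code from the original report or from any vendor tooling. It assumes process-creation records shaped like Sysmon Event ID 1 fields (Image, CommandLine, ParentImage, ParentCommandLine, User); the three sample events and every path and task name in them are constructed for the demonstration.

```python
"""Hunt process-creation events for the %TEMP% batch script -> Scheduled Task
pattern. Added example; sample data below is constructed, not real telemetry."""
import re
from typing import Dict, Iterable, List

# User and system temp directories (environment-variable lookups on Windows are
# case-insensitive, so the match is too).
TEMP_PATH_RE = re.compile(r"\\(?:AppData\\Local\\Temp|Windows\\Temp)\\", re.IGNORECASE)
SCRIPT_RE = re.compile(r"\.(?:bat|cmd)\b", re.IGNORECASE)
# The /tr argument of schtasks.exe is the program the task will run.
TASK_ACTION_RE = re.compile(r'/tr\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)

# Constructed sample events (Sysmon Event ID 1 field names, hypothetical values).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # stage 4: batch script launched from the user's temp directory
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r'cmd.exe /c "C:\Users\alice\AppData\Local\Temp\update.bat"',
        "ParentImage": r"C:\Users\alice\Downloads\report\Invoice_Viewer.exe",
        "User": r"CORP\alice",
    },
    {   # stage 5: that script registers a task whose action also lives in temp
        "Image": r"C:\Windows\System32\schtasks.exe",
        "CommandLine": r'schtasks /create /sc minute /mo 15 /tn "SysUpdate" /tr "C:\Users\alice\AppData\Local\Temp\svc.exe" /f',
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "ParentCommandLine": r'cmd.exe /c "C:\Users\alice\AppData\Local\Temp\update.bat"',
        "User": r"CORP\alice",
    },
    {   # benign: an installer registering a task under Program Files
        "Image": r"C:\Windows\System32\schtasks.exe",
        "CommandLine": r'schtasks /create /sc daily /tn "Backup" /tr "C:\Program Files\Backup\backup.exe"',
        "ParentImage": r"C:\Program Files\Backup\installer.exe",
        "User": r"NT AUTHORITY\SYSTEM",
    },
]


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def batch_from_temp(event: Dict[str, str]) -> bool:
    """Stage 4 indicator: cmd.exe running a .bat/.cmd that sits in a temp directory."""
    cmd = event.get("CommandLine", "")
    return (_basename(event.get("Image", "")) == "cmd.exe"
            and bool(TEMP_PATH_RE.search(cmd))
            and bool(SCRIPT_RE.search(cmd)))


def task_from_temp(event: Dict[str, str]) -> bool:
    """Stage 5 indicator: schtasks.exe /create whose task action runs from a temp
    directory, or which was itself spawned by a temp-resident batch script."""
    if _basename(event.get("Image", "")) != "schtasks.exe":
        return False
    cmd = event.get("CommandLine", "")
    if "/create" not in cmd.lower():
        return False
    match = TASK_ACTION_RE.search(cmd)
    action = (match.group(1) or match.group(2)) if match else ""
    parent_cmd = event.get("ParentCommandLine", "")
    spawned_by_temp_script = (_basename(event.get("ParentImage", "")) == "cmd.exe"
                              and bool(TEMP_PATH_RE.search(parent_cmd))
                              and bool(SCRIPT_RE.search(parent_cmd)))
    return bool(TEMP_PATH_RE.search(action)) or spawned_by_temp_script


def hunt(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one finding per matching event, labelled with the attack-chain stage."""
    findings = []
    for event in events:
        if batch_from_temp(event):
            stage = "staging"
        elif task_from_temp(event):
            stage = "persistence"
        else:
            continue
        findings.append({"stage": stage,
                         "user": event.get("User", ""),
                         "command": event.get("CommandLine", "")})
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(f"[{finding['stage']}] {finding['user']}: {finding['command']}")
```

Run against real telemetry, the same two predicates can be expressed as a SIEM query on process-creation events; the task-action check is the higher-fidelity of the two, because legitimate installers rarely register tasks that execute from a temp directory.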
6. Command and Control (C2) Communication
Following successful deployment and persistence, the malware initiates communication with a command-and-control (C2) server, typically over HTTP or HTTPS. Through this channel, attackers can issue remote commands, deliver further payloads, and manage the infected system.
7. Data Exfiltration
In the final phase, the malware performs data collection and exfiltration. This may include gathering sensitive documents, credentials, system information, or other high-value data. The information is then transmitted back to the attacker-controlled C2 infrastructure, often using encrypted channels to avoid detection by network defenses.
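Because the report gives no C2 domains or addresses, the network side of steps 6 and 7 is best hunted behaviourally: C2 implants tend to poll their server at a fixed interval, and exfiltration shows up as a host sending far more than it receives to one destination. The script below is an added example written for this post, not the report's or any vendor's code. It assumes a simple constructed proxy-log format (timestamp, source, destination, bytes out, bytes in); the log lines use RFC 5737 documentation addresses and are fabricated for the demonstration.

```python
"""Flag periodic (beacon-like) outbound connections and outbound-heavy byte
ratios per (source, destination) pair. Added example; the log is constructed."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from typing import Dict, List, Tuple

# Constructed proxy log: "<ISO8601 UTC> <src> <dst> <bytes_out> <bytes_in>".
# 10.0.0.5 polls 203.0.113.10 every ~5 minutes and pushes one large upload;
# 10.0.0.7 browses 198.51.100.20 irregularly and mostly downloads.
SAMPLE_PROXY_LOG = """\
2024-05-01T10:00:00Z 10.0.0.5 203.0.113.10 512 980
2024-05-01T10:05:01Z 10.0.0.5 203.0.113.10 520 975
2024-05-01T10:10:00Z 10.0.0.5 203.0.113.10 515 990
2024-05-01T10:14:59Z 10.0.0.5 203.0.113.10 4200000 400
2024-05-01T10:20:00Z 10.0.0.5 203.0.113.10 510 985
2024-05-01T10:25:01Z 10.0.0.5 203.0.113.10 518 978
2024-05-01T10:00:12Z 10.0.0.7 198.51.100.20 300 150000
2024-05-01T10:03:40Z 10.0.0.7 198.51.100.20 310 90000
2024-05-01T10:31:05Z 10.0.0.7 198.51.100.20 305 200000
"""

Record = Tuple[datetime, str, str, int, int]


def parse_log(text: str) -> List[Record]:
    """Parse the constructed log format into (time, src, dst, bytes_out, bytes_in)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, out_b, in_b = line.split()
        records.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                        src, dst, int(out_b), int(in_b)))
    return records


def analyse(records: List[Record], min_events: int = 5,
            max_cv: float = 0.15, exfil_ratio: float = 10.0) -> Dict[Tuple[str, str], Dict]:
    """Per (src, dst) pair: inter-connection timing regularity and byte balance.

    beacon: at least min_events connections whose inter-arrival times have a
            coefficient of variation (stdev / mean) below max_cv.
    exfil:  total bytes sent exceeds exfil_ratio times total bytes received.
    Thresholds are illustrative starting points, not tuned values."""
    by_pair: Dict[Tuple[str, str], List[Record]] = defaultdict(list)
    for rec in records:
        by_pair[(rec[1], rec[2])].append(rec)

    results = {}
    for pair, recs in by_pair.items():
        recs.sort(key=lambda r: r[0])
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(recs, recs[1:])]
        mean_gap = mean(gaps) if gaps else None
        cv = (pstdev(gaps) / mean_gap) if gaps and mean_gap else None
        bytes_out = sum(r[3] for r in recs)
        bytes_in = sum(r[4] for r in recs)
        results[pair] = {
            "connections": len(recs),
            "mean_interval_s": mean_gap,
            "cv": cv,
            "beacon": len(recs) >= min_events and cv is not None and cv < max_cv,
            "bytes_out": bytes_out,
            "bytes_in": bytes_in,
            # guard against division by zero on download-less destinations
            "exfil": bytes_out > exfil_ratio * max(bytes_in, 1),
        }
    return results


if __name__ == "__main__":
    for (src, dst), r in analyse(parse_log(SAMPLE_PROXY_LOG)).items():
        flags = [name for name in ("beacon", "exfil") if r[name]]
        print(f"{src} -> {dst}: {r['connections']} conns, "
              f"out={r['bytes_out']} in={r['bytes_in']} {flags or 'clean'}")
```

Timing regularity alone produces false positives from software updaters and monitoring agents, so in practice the beacon flag is combined with destination reputation, TLS certificate age, or the host-side findings from the persistence stage before it becomes an alert; the byte-ratio check is what separates a quiet implant from one actively exfiltrating.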
Conclusion:
In a campaign attributed to the DoNot APT group, a file associated with the SHA-256 hash (5317f22c60a4e08c4caa28bc84f653b1902fa082d2d1d7fcf2cd0ce1d29798d6) was reportedly distributed via phishing emails containing Google Drive links. While this specific sample was not directly analyzed for this report, the observed tactics, techniques, and procedures (TTPs) are consistent with known DoNot APT activity.
The likely infection chain included a RAR archive containing malicious executables, the deployment of a batch script to the %TEMP% directory, the creation of Scheduled Tasks for persistence, and the establishment of command-and-control (C2) communication for data exfiltration. This attack pattern reflects DoNot APT’s ongoing emphasis on stealth, long-term access, and intelligence collection. In the upcoming days, we will publish a follow-up blog with detailed file analysis.
Stay vigilant and ensure robust email filtering, behavioral detection, and user awareness to defend against such targeted campaigns.
Happy Hunting!!