DoNot APT Expands Operations, Targets European Foreign Ministries with LoptikMod Malware
Briefly

A threat actor linked to the advanced persistent threat group DoNot Team has targeted a European foreign affairs ministry with custom-built malware to gather sensitive data. Active since at least 2016, DoNot Team, also known as APT-C-35, specializes in targeting government entities and NGOs, particularly in South Asia and Europe. The attack chain uses phishing emails that lead to a malicious download via a Google Drive link and deploys LoptikMod, a remote access trojan that gives the operators persistent control over infected hosts.
DoNot APT is known for using custom-built Windows malware, including backdoors like YTY and GEdit, often delivered through spear-phishing emails or malicious documents.
The attack chain begins with phishing emails that try to trick recipients into clicking a Google Drive link, which triggers the download of a RAR archive.
The email used HTML formatting with UTF-8 encoding so that special characters rendered correctly, a detail that makes the message look more legitimate.
The RAR archive contains a malicious executable disguised as a PDF document; running it executes the LoptikMod remote access trojan, which then establishes persistence on the host.
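The article does not say how the dropper's PDF disguise was built, only that an executable inside the archive mimicked a PDF. The following is an added example, not code from the article or from the DoNot toolset: a small triage check a responder could run over files extracted from such an archive. It tests three common masquerade techniques that are assumed here for illustration (PE content under a document name, a document extension hiding before an executable extension, and a right-to-left override character in the filename). The sample filenames and byte strings are constructed inline; the "PE" content is a 68-byte header stub, not a real binary.

```python
"""Flag files that present as PDFs but carry Windows executable content.
Added example for the LoptikMod delivery chain described above; the masquerade
techniques checked are assumptions, since the article does not name them."""
from dataclasses import dataclass, field

PDF_MAGIC = b"%PDF-"
RLO = "\u202e"  # Unicode RIGHT-TO-LEFT OVERRIDE: the rest of the name renders reversed
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".hta", ".lnk"}
DOC_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".rtf", ".txt"}


@dataclass
class Verdict:
    name: str
    suspicious: bool
    reasons: list = field(default_factory=list)


def is_pe(data: bytes) -> bool:
    """True if data has a DOS 'MZ' stub whose e_lfanew field points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def looks_like_pdf(data: bytes) -> bool:
    """The PDF spec allows the %PDF- header anywhere in the first 1024 bytes."""
    return PDF_MAGIC in data[:1024]


def extensions(name: str) -> list:
    """All dot-suffixes of a filename, lower-cased: 'a.pdf.exe' -> ['.pdf', '.exe']."""
    parts = name.lower().split(".")
    return ["." + p for p in parts[1:]]


def inspect_file(name: str, data: bytes) -> Verdict:
    """Return a Verdict listing every masquerade indicator found for one file."""
    reasons = []
    exts = extensions(name)
    final_ext = exts[-1] if exts else ""

    if RLO in name:
        # 'Agenda\u202efdp.exe' is displayed as 'Agendaexe.pdf' but runs as an .exe
        reasons.append("right-to-left override in filename")
    if final_ext in EXEC_EXTS and any(e in DOC_EXTS for e in exts[:-1]):
        reasons.append(f"document extension hidden before executable extension {final_ext}")
    if is_pe(data) and final_ext not in EXEC_EXTS:
        reasons.append(f"PE header under non-executable name ({final_ext or 'no extension'})")
    if final_ext == ".pdf" and not looks_like_pdf(data):
        reasons.append("named .pdf but no %PDF- header in first 1 KiB")
    return Verdict(name, bool(reasons), reasons)


def _fake_pe() -> bytes:
    """Constructed 68-byte MZ/PE header stub, enough to satisfy is_pe(); not a real binary."""
    stub = bytearray(b"MZ" + b"\0" * 0x3E)
    stub[0x3C:0x40] = (0x40).to_bytes(4, "little")  # e_lfanew -> offset 0x40
    return bytes(stub) + b"PE\0\0"


# Constructed samples standing in for files extracted from a downloaded RAR archive.
SAMPLES = [
    ("Meeting_Agenda.pdf", b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n1 0 obj\n"),  # genuine PDF
    ("Meeting_Agenda.pdf.exe", _fake_pe()),                             # double extension
    ("Meeting_Agenda\u202efdp.exe", _fake_pe()),                         # displays as ...exe.pdf
    ("Briefing.pdf", _fake_pe()),                                        # PE bytes, PDF name
    ("setup.exe", _fake_pe()),                                           # honest executable
]


def scan(samples=SAMPLES) -> dict:
    """Map filename -> Verdict for every (name, bytes) pair."""
    return {name: inspect_file(name, data) for name, data in samples}


if __name__ == "__main__":
    for v in scan().values():
        flag = "SUSPICIOUS" if v.suspicious else "ok"
        print(f"{flag:10} {v.name!r}: {'; '.join(v.reasons) or '-'}")
```

The check deliberately reasons from both the name and the bytes: a renamed executable passes a name-only filter, and a double-extension file passes a magic-bytes-only filter if the scanner trusts the final `.exe`. Running it over the files extracted from an archive (for example with `rarfile`, not shown) before anyone opens them is cheap and catches the specific disguise this campaign relied on.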
Read at The Hacker News