Cyber Web Spider Blog – News
DoNot APT Expands Operations, Targets European Foreign Ministries with LoptikMod Malware

Posted on July 9, 2025 by CWS

Jul 09, 2025Ravie LakshmananMalware / Cyber Espionage
A risk actor with suspected ties to India has been noticed focusing on a European international affairs ministry with malware able to harvesting delicate knowledge from compromised hosts.
The exercise has been attributed by Trellix Superior Analysis Heart to a sophisticated persistent risk (APT) group referred to as DoNot Crew, which is often known as APT-C-35, Mint Tempest, Origami Elephant, SECTOR02, and Viceroy Tiger. It has been assessed to be lively since 2016.
“DoNot APT is thought for utilizing custom-built Home windows malware, together with backdoors like YTY and GEdit, typically delivered by way of spear-phishing emails or malicious paperwork,” Trellix researchers Aniket Choukde, Aparna Aripirala, Alisha Kadam, Akhil Reddy, Pham Duy Phuc, and Alex Lanstein stated.

"This threat group typically targets government entities, foreign ministries, defense organizations, and NGOs, especially those in South Asia and Europe."
The attack chain begins with phishing emails that aim to trick recipients into clicking a Google Drive link, which triggers the download of a RAR archive. That archive in turn delivers a malware family dubbed LoptikMod, which has been used exclusively by the group since at least 2018.
The messages, per Trellix, originate from a Gmail address and impersonate defense officials, with a subject line that references an Italian Defence Attaché's visit to Dhaka, Bangladesh.
"The email used HTML formatting with UTF-8 encoding to properly display special characters like 'é' in 'Attaché,' demonstrating attention to detail to increase legitimacy," Trellix noted in its deconstruction of the infection sequence.

The RAR archive distributed via the emails contains a malicious executable that mimics a PDF document. Opening it executes the LoptikMod remote access trojan, which can establish persistence on the host via scheduled tasks and connect to a remote server to send system information, receive further instructions, download additional modules, and exfiltrate data.
It also employs anti-VM techniques and ASCII obfuscation to hinder execution in virtual environments and evade analysis, making it considerably harder to determine the tool's purpose. Furthermore, the malware ensures that only one instance of itself is running on the compromised system, to avoid interfering with an existing infection.
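The lure in this campaign is an executable dressed up as a PDF inside a RAR archive. The following is an added example of the kind of archive-member check a mail gateway or sandbox could run to catch that disguise; it is not Trellix's tooling or anything from the original article. It assumes the archive has already been unpacked into a list of (member name, first bytes) pairs, and the sample members at the bottom are constructed for illustration.

```python
"""Flag archive members that present as documents but carry a Windows executable.

Added example (not from the article or Trellix). Assumes an extractor has
already produced (name, first_bytes) pairs for each archive member.
"""
from typing import Dict, Iterable, List, NamedTuple, Tuple

DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".rtf", ".txt"}
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".cpl", ".dll"}
PE_MAGIC = b"MZ"     # DOS stub header every Windows PE file starts with
PDF_MAGIC = b"%PDF"  # a real PDF must begin with this signature


class Finding(NamedTuple):
    name: str
    reason: str


def _exts(name: str) -> List[str]:
    """All lowercase extensions of the base name: 'a/b.pdf.exe' -> ['.pdf', '.exe']."""
    base = name.lower().rsplit("/", 1)[-1]
    parts = base.split(".")
    return ["." + p for p in parts[1:]] if len(parts) > 1 else []


def inspect_member(name: str, head: bytes) -> List[Finding]:
    """Return the reasons (if any) a single archive member looks like a document masquerade."""
    findings: List[Finding] = []
    exts = _exts(name)
    last = exts[-1] if exts else ""
    is_pe = head.startswith(PE_MAGIC)

    # 1. Content is a PE but the name claims to be a document (e.g. 'notes.pdf' starting with MZ).
    if is_pe and last in DOCUMENT_EXTS:
        findings.append(Finding(name, "PE header (MZ) behind a document extension"))

    # 2. Double extension: a document extension placed before a real executable one.
    if last in EXECUTABLE_EXTS and any(e in DOCUMENT_EXTS for e in exts[:-1]):
        findings.append(Finding(name, f"document extension chained with {last}"))

    # 3. Claims to be a PDF but lacks the PDF signature (and is not a PE caught above).
    if last == ".pdf" and not is_pe and not head.startswith(PDF_MAGIC):
        findings.append(Finding(name, "named .pdf but content is not a PDF"))

    # 4. Any plain executable in an archive that arrived as a "document" lure is worth blocking.
    if is_pe and not findings:
        findings.append(Finding(name, "bare executable inside the archive"))

    return findings


def scan_archive(members: Iterable[Tuple[str, bytes]]) -> Dict[str, List[str]]:
    """Map each suspicious member name to its list of reasons; clean members are omitted."""
    report: Dict[str, List[str]] = {}
    for name, head in members:
        reasons = [f.reason for f in inspect_member(name, head)]
        if reasons:
            report[name] = reasons
    return report


# Constructed sample archive listing (names and bytes invented for this example).
SAMPLE_MEMBERS = [
    ("Attache_Visit.pdf.exe", b"MZ\x90\x00\x03\x00\x00\x00"),  # double extension, PE content
    ("notes.pdf", b"MZ\x90\x00"),                              # PE content behind .pdf name
    ("agenda.pdf", b"%PDF-1.7\n"),                             # genuine PDF
    ("tool.exe", b"MZ\x90\x00"),                               # undisguised executable
]

if __name__ == "__main__":
    for member, reasons in scan_archive(SAMPLE_MEMBERS).items():
        print(f"{member}: {'; '.join(reasons)}")
```

The check deliberately trusts the file header over the file name: an attacker controls the name and icon, but a PE loader still needs the `MZ` stub, so a content-based rule survives renaming tricks that a pure extension blocklist misses.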

Trellix said the command-and-control (C2) server used in the campaign is currently inactive, meaning the infrastructure has either been temporarily disabled or is no longer functional, or that the threat actors have moved to a completely different server.
The inactive state of the C2 server also means that it is currently not possible to determine the exact set of commands transmitted to infected endpoints or the kinds of data sent back as responses.
"Their operations are marked by persistent surveillance, data exfiltration, and long-term access, suggesting a strong cyber espionage motive," the researchers said. "While historically focused on South Asia, this incident targeting South Asian embassies in Europe indicates a clear expansion of their interests towards European diplomatic communications and intelligence."

