DoNot APT is expanding scope targeting European foreign ministries

DoNot APT, likely an India-linked cyberespionage group, targets European foreign ministries with LoptikMod malware.

The DoNot APT group, likely linked to India, has expanded its operations and is targeting European foreign ministries with a new malware, called LoptikMod.

The Donot Team (also known as APT-C-35 and Origami Elephant) has been active since 2016, focusing on government entities, foreign ministries, defense organizations, and NGOs in South Asia and Europe.

DoNot APT delivers custom Windows malware through phishing to conduct espionage, gaining long-term access to victim systems and stealing data. In a recent campaign analyzed by cybersecurity firm Trellix, the cyber spies used the LoptikMod malware to steal sensitive data from infected systems.

Attackers used a spear-phishing email impersonating defense officials to target a European diplomatic entity, delivering the LoptikMod malware via a password-protected RAR file.

The phishing email was HTML-formatted and UTF-8 encoded so that special characters rendered correctly and the message looked legitimate. It linked to a password-protected RAR archive hosted on Google Drive. The archive contained an executable (notflog.exe) carrying a PDF icon to trick the recipient into running the malware.

Once opened, the disguised executable established persistence through a scheduled task and connected to a C2 server to send system information, receive commands and download additional payloads. The malware used binary string obfuscation and techniques previously linked to DoNot APT.

The campaign reflects the group’s ongoing espionage efforts using sophisticated infection chains and deception tactics.

“The email leveraged diplomatic themes related to defense attaché coordination between Italy and Bangladesh,” reads Trellix’s report. “While the exact body content was not gathered in the findings, the subject line ‘Italian Defence Attaché Visit to Dhaka, Bangladesh’ suggests a lure designed to appear as legitimate diplomatic correspondence that would reasonably contain document attachments or links.”

The malware uses selective obfuscation, packing only critical code sections to hinder static analysis. It keeps its import table minimal and resolves the APIs it needs at runtime through calls such as LoadLibrary and GetProcAddress, reducing what static import scanners can see. Once executed, it creates a mutex to prevent multiple instances and drops a batch file that establishes persistence through scheduled tasks. The researchers reported that the malicious code also performs anti-VM checks. It gathers system information, encrypts it with AES, and communicates with a C2 server over HTTPS, possibly downloading and executing a second-stage payload (“socker.dll”) via further scheduled tasks.
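The persistence chain described above (a dropped batch file run by a scheduled task, then a DLL loaded by a further task) leaves artifacts that defenders can hunt for in Task Scheduler definitions. The script below is an added example written for this page, not code from Trellix or from the malware: it parses scheduled-task XML (stored on a live host under %SystemRoot%\System32\Tasks) and flags tasks whose action runs a script directly, launches a payload from a user-writable directory through a built-in loader such as cmd.exe or rundll32.exe, or repeats on a beacon-like interval. The three task definitions it checks are constructed for illustration; the paths, file names, the “Main” export and the intervals are hypothetical, and only the name socker.dll comes from the report.

```python
"""Hunt scheduled-task XML for batch-file / DLL persistence (added example).

Real task files under %SystemRoot%\\System32\\Tasks are UTF-16 XML; read them
as bytes and pass them to assess_task(), expat detects the encoding from the BOM.
"""
import re
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Directories an unprivileged user can write to. A persistence payload living
# here rather than under Program Files is a strong hint of a dropped file.
USER_WRITABLE = re.compile(
    r"(?i)(\\users\\[^\\]+\\(appdata|downloads|desktop|documents|public)\\"
    r"|\\programdata\\|\\temp\\|%(temp|tmp|appdata|localappdata|public)%)"
)
# Built-in binaries commonly used by a task to start a script or load a DLL.
LOADERS = {"cmd.exe", "rundll32.exe", "regsvr32.exe", "wscript.exe",
           "cscript.exe", "mshta.exe", "powershell.exe"}
SCRIPT_EXT = (".bat", ".cmd", ".vbs", ".js", ".ps1", ".hta")
PAYLOAD_IN_ARGS = re.compile(r"(?i)\.(dll|bat|cmd|vbs|js|ps1|hta)\b")


def iso8601_seconds(value):
    """Convert a Task Scheduler interval such as 'PT5M' or 'P1DT2H' to seconds."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", value or "")
    if not m:
        return None
    d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return d * 86400 + h * 3600 + mi * 60 + s


def assess_task(xml_text, beacon_threshold=15 * 60):
    """Return the reasons a task looks like malware persistence (empty list if none)."""
    root = ET.fromstring(xml_text)
    reasons = []
    for exe in root.findall(".//t:Actions/t:Exec", NS):
        cmd = (exe.findtext("t:Command", "", NS) or "").strip().strip('"')
        args = (exe.findtext("t:Arguments", "", NS) or "").strip()
        base = PureWindowsPath(cmd).name.lower()
        if base.endswith(SCRIPT_EXT):
            reasons.append(f"task runs a script directly: {cmd}")
        if USER_WRITABLE.search(cmd):
            reasons.append(f"command lives in a user-writable path: {cmd}")
        if base in LOADERS and (PAYLOAD_IN_ARGS.search(args) or USER_WRITABLE.search(args)):
            reasons.append(f"{base} loads a payload from its arguments: {args}")
    # A short repeat interval alone is noisy (many updaters do it), so only
    # report it as beacon-like when the action is already suspicious.
    for interval in root.findall(".//t:Triggers//t:Repetition/t:Interval", NS):
        secs = iso8601_seconds(interval.text)
        if secs is not None and secs <= beacon_threshold and reasons:
            reasons.append(f"repeats every {secs}s (beacon-like)")
    return reasons


def hunt(tasks):
    """Map task name -> reasons for every task in {name: xml} that was flagged."""
    flagged = {name: assess_task(xml) for name, xml in tasks.items()}
    return {name: why for name, why in flagged.items() if why}


# Constructed samples (hypothetical paths and names, not indicators from the report).
BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><StartBoundary>2025-01-01T09:00:00</StartBoundary>
    <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>C:\Program Files\ExampleVendor\updater.exe</Command><Arguments>/check</Arguments>
  </Exec></Actions></Task>"""

# Stage one: a dropped batch file in %TEMP% re-run every five minutes by cmd.exe.
BATCH_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><StartBoundary>2025-01-01T09:00:00</StartBoundary>
    <Repetition><Interval>PT5M</Interval><Duration>P1D</Duration></Repetition>
    <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>C:\Windows\System32\cmd.exe</Command>
    <Arguments>/c "C:\Users\alice\AppData\Local\Temp\update.bat"</Arguments>
  </Exec></Actions></Task>"""

# Stage two: rundll32 loading a DLL from the user's roaming profile at logon.
DLL_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>C:\Windows\System32\rundll32.exe</Command>
    <Arguments>"C:\Users\alice\AppData\Roaming\socker.dll",Main</Arguments>
  </Exec></Actions></Task>"""

if __name__ == "__main__":
    for name, why in hunt({"Updater": BENIGN_TASK, "WinUpdate": BATCH_TASK,
                           "Socket": DLL_TASK}).items():
        print(name)
        for reason in why:
            print("   -", reason)
```

The heuristics are deliberately conservative: a built-in loader is only reported when its arguments point at a script, a DLL, or a user-writable path, and a short repeat interval is only reported when the action is already suspect. Tune USER_WRITABLE and LOADERS to the environment before running it across a fleet.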

The C2 server was inactive during analysis, preventing full observation of the malware’s behavior.

“The recent targeting of a European foreign affairs ministry highlights their expanding scope and persistent interest in gathering sensitive information, underscoring the need for heightened vigilance and robust cybersecurity measures,” concludes the report.


Pierluigi Paganini

(SecurityAffairs – hacking, malware)
