{
	"id": "1ce9dcb7-cd76-42f6-a57a-9de5bf8acf0a",
	"created_at": "2026-04-06T00:13:53.188272Z",
	"updated_at": "2026-04-10T03:33:03.137921Z",
	"deleted_at": null,
	"sha1_hash": "16cf2b9cd2857fe08e3cf519cd4adfae820884a9",
	"title": "The DoNot APT",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 63989,
	"plain_text": "The DoNot APT\r\nPublished: 2023-02-23 · Archived: 2026-04-05 17:29:29 UTC\r\nThe DoNot APT (aka APT-C-35) has been active since 2016. They have attacked many individuals and organisations in South Asia. DoNot APT is reported to be the main developer and user of frameworks for building Windows and Android malware[1].\r\nThis group mainly targets organisations in India, Pakistan, Sri Lanka, Bangladesh and other South Asian countries[2][3]. They focus on government and military organisations, foreign ministries, and embassies.\r\nFor initial access, DoNot APT uses phishing emails containing malicious attachments. To reach the next stage, they execute a macro embedded in an MS Office document which drops a PE file and executes it. In past campaigns we have seen this PE file being a DLL. There is now a change in the initial access of this APT group. The RedDrip Team tagged a ZIP file (filename: “Day .zip”) as part of the DoNot APT campaigns. The lure was themed to leverage geopolitical tensions between India and Pakistan, as shown in Figure 1. The ZIP file is bundled with a WinRAR SFX executable, which contains a DLL file and PDF files under a folder named “Kashmir”.\r\nFigure 1: Components within the WinRAR SFX file\r\nThe SFX executable executes that DLL as shown in Figure 2. The DLL file is responsible for connecting to the C2. The C2 server was down at the time of writing this blog.\r\nFigure 2: Process execution\r\nThe domain registrar for the C2 domain (briefdeal.buzz) is NameSilo Inc, which seems to be a pattern since September 2022. The DLL contains two export functions. The first function creates a mutex (“olgui1pigg”) as an infection marker and then establishes a connection to the C2; the second function copies the DLL itself to the %TEMP% folder and creates a scheduled task for persistence that runs every four minutes. The action assigned to the task is to run the first export function. The C2 server was down during our analysis.\r\nIt tries to send basic information about the victim’s PC to the C2, such as the username, computer name and processor ID.\r\nBelow is the timeline of samples used by DoNot APT from September 2022 to January 2023.\r\nTime | Sample file names\r\nJan 2023 | Kashmir Solidarity Day Material .exe; Requirement of pattenization data for seamanship items.xls\r\nDec 2022 | spreadsheet.xls; dttcodexgigas.xls; Sam.ppt; Accounts.xls; attachment.xls; ff.xls; trix.xls\r\nNov 2022 | Requirement list of spares.xls\r\nSept 2022 | bodli.doc\r\nThe C2 URL TLD has been .buzz since the September 2022 campaign. The domain registrar for the C2 URL is NameSilo Inc. and the IPs resolved to ASN 399629. Based on the ASN number we were able to deduce the ISP as BL Networks, and from there we were able to track it to a Virtual Private Server (VPS) provider called BitLaunch, which accepts crypto payments. We found evidence of this particular VPS service being used for malicious campaigns in the past. We found this pattern to be consistent since September 2022.\r\nWe at K7 Labs provide detection against such threats. Users are advised to use a reliable security product such as “K7 Total Security” and keep it up-to-date so as to safeguard their devices.\r\nIOCs\r\n[IOC tables: file hashes with file names, C2 domains, C2 IPs]\r\nReferences:\r\n1. https://ti.qianxin.com/blog/articles/stealjob-new-android-malware-used-by-donot-apt-group-en/\r\n2. https://unit42.paloaltonetworks.com/updated-backconfig-malware-targeting-government-and-military-organizations/\r\n3. https://www.eset.com/int/about/newsroom/press-releases/research/eset-research-investigates-donot-team-cyberespionage-targeting-military-governments-in-south-asia/\r\nSource: https://labs.k7computing.com/index.php/the-donot-apt/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://labs.k7computing.com/index.php/the-donot-apt/"
	],
	"report_names": [
		"the-donot-apt"
	],
	"threat_actors": [
		{
			"id": "2ac63ef4-a7b8-4a30-96ad-b30ccb2073fc",
			"created_at": "2022-10-25T16:07:23.546262Z",
			"updated_at": "2026-04-10T02:00:04.651083Z",
			"deleted_at": null,
			"main_name": "Donot Team",
			"aliases": [
				"APT-C-35",
				"Mint Tempest",
				"Origami Elephant",
				"SectorE02"
			],
			"source_name": "ETDA:Donot Team",
			"tools": [
				"BackConfig",
				"EHDevel",
				"Jaca",
				"yty"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "cfdd350b-de30-4d29-bbee-28159f26c8c2",
			"created_at": "2023-01-06T13:46:38.433736Z",
			"updated_at": "2026-04-10T02:00:02.972971Z",
			"deleted_at": null,
			"main_name": "VICEROY TIGER",
			"aliases": [
				"OPERATION HANGOVER",
				"Donot Team",
				"APT-C-35",
				"SectorE02",
				"Orange Kala"
			],
			"source_name": "MISPGALAXY:VICEROY TIGER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434433,
	"ts_updated_at": 1775791983,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/16cf2b9cd2857fe08e3cf519cd4adfae820884a9.pdf",
		"text": "https://archive.orkl.eu/16cf2b9cd2857fe08e3cf519cd4adfae820884a9.txt",
		"img": "https://archive.orkl.eu/16cf2b9cd2857fe08e3cf519cd4adfae820884a9.jpg"
	}
}