{
	"id": "2ae62c10-37f8-4d66-b7e4-39a61b641203",
	"created_at": "2026-04-06T00:19:16.694659Z",
	"updated_at": "2026-04-10T13:11:45.060996Z",
	"deleted_at": null,
	"sha1_hash": "4437e5e4dcfd0f7412108400967d0e3ac4ed238c",
	"title": "Donot Team - Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 68511,
	"plain_text": "Donot Team - Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 20:13:44 UTC\r\nAPT group: Donot Team\r\nNames\r\nDonot Team (ASERT)\r\nAPT-C-35 (Qihoo 360)\r\nSectorE02 (ThreatRecon)\r\nMint Tempest (Microsoft)\r\nOrigami Elephant (Kaspersky)\r\nCountry: India\r\nMotivation: Information theft and espionage\r\nFirst seen: 2016\r\nDescription\r\n(ASERT) In late January 2018, ASERT discovered a new modular malware framework we call “yty”. The framework shares a striking resemblance to the EHDevel framework. We believe with medium confidence that a team we call internally “Donot Team” is responsible for the new malware and will resume targeting of South Asia.\r\nIn a likely effort to disguise the malware and its operations, the authors coded several references into the malware for football—it is unclear whether they mean American football or soccer. The theme may allow the network traffic to fly under the radar.\r\nThe actors use false personas to register their domains instead of opting for privacy protection services. Depending on the registrar service chosen, this could be seen as another cost control measure. The actors often used typo-squatting to slightly alter a legitimate domain name. In contrast, the registration information used accurate spelling, possibly indicating the domain naming was intentional, typos included. Each unique registrant usually registered only a few domains, but mistakenly reused phone numbers or the registration data portrayed a similar pattern across domains.\r\nObserved\r\nSectors: Embassies, Defense, Government.\r\nCountries: Argentina, Bangladesh, India, Nepal, Pakistan, Philippines, Sri Lanka, Thailand, Togo, UAE, UK.\r\nTools used: BackConfig, EHDevel, yty.\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=15dd32b1-f4c1-4a96-bf89-02ff532b1540\r\nPage 1 of 3\n\nOperations performed\nMar 2019\nFrom March to July this year, the ThreatRecon team noticed a spear phishing campaign by the SectorE02 group going on against the Government of Pakistan and organizations there related to defense and intelligence.\nApr 2019\nStealJob: New Android Malware\nRecently, we have observed a large-scale upgrade of its malicious Android APK framework to make it more stable and practical. Since the new APK framework is quite different from the one used in the past, we named it StealJob since “job” is frequently used in the code.\nDec 2019\nTogo: Prominent activist targeted with Indian-made spyware linked to notorious hacker group\nMay 2020\nAn Indicator From Twitter Brings The Donot Android Espionage Group Back Into Focus\n2020\nESET researchers take a deep look into recent attacks carried out by Donot Team throughout 2020 and 2021, targeting government and military entities in several South Asian countries\nAug 2022\nAPT-C-35 Gets a New Upgrade\nJun 2023\nDoNot APT Elevates its Tactics by Deploying Malicious Android Apps on Google Play Store\nOct 2024\nAndroid Malware in DONOT APT Operations\n\nInformation\nLast change to this card: 16 August 2025\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=15dd32b1-f4c1-4a96-bf89-02ff532b1540",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=15dd32b1-f4c1-4a96-bf89-02ff532b1540"
	],
	"report_names": [
		"showcard.cgi?u=15dd32b1-f4c1-4a96-bf89-02ff532b1540"
	],
	"threat_actors": [
		{
			"id": "2ac63ef4-a7b8-4a30-96ad-b30ccb2073fc",
			"created_at": "2022-10-25T16:07:23.546262Z",
			"updated_at": "2026-04-10T02:00:04.651083Z",
			"deleted_at": null,
			"main_name": "Donot Team",
			"aliases": [
				"APT-C-35",
				"Mint Tempest",
				"Origami Elephant",
				"SectorE02"
			],
			"source_name": "ETDA:Donot Team",
			"tools": [
				"BackConfig",
				"EHDevel",
				"Jaca",
				"yty"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "bbf66d2d-3d20-4026-a2b5-56b31eb65de4",
			"created_at": "2025-08-07T02:03:25.123407Z",
			"updated_at": "2026-04-10T02:00:03.668131Z",
			"deleted_at": null,
			"main_name": "ZINC EMERSON",
			"aliases": [
				"Confucius",
				"Dropping Elephant",
				"EHDevel",
				"Manul",
				"Monsoon",
				"Operation Hangover",
				"Patchwork",
				"TG-4410",
				"Viceroy Tiger"
			],
			"source_name": "Secureworks:ZINC EMERSON",
			"tools": [
				"Enlighten Infostealer",
				"Hanove",
				"Mac OS X KitM Spyware",
				"Proyecto2",
				"YTY Backdoor"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "cfdd350b-de30-4d29-bbee-28159f26c8c2",
			"created_at": "2023-01-06T13:46:38.433736Z",
			"updated_at": "2026-04-10T02:00:02.972971Z",
			"deleted_at": null,
			"main_name": "VICEROY TIGER",
			"aliases": [
				"OPERATION HANGOVER",
				"Donot Team",
				"APT-C-35",
				"SectorE02",
				"Orange Kala"
			],
			"source_name": "MISPGALAXY:VICEROY TIGER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434756,
	"ts_updated_at": 1775826705,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4437e5e4dcfd0f7412108400967d0e3ac4ed238c.pdf",
		"text": "https://archive.orkl.eu/4437e5e4dcfd0f7412108400967d0e3ac4ed238c.txt",
		"img": "https://archive.orkl.eu/4437e5e4dcfd0f7412108400967d0e3ac4ed238c.jpg"
	}
}