{
	"id": "0b896b92-9319-48f8-a26a-297cc2ce8380",
	"created_at": "2026-04-06T00:17:37.038104Z",
	"updated_at": "2026-04-10T03:33:03.192303Z",
	"deleted_at": null,
	"sha1_hash": "a3aaf5ecd3ada502cd3a8fa5da4e1e76dd0ed47d",
	"title": "Cyble - DoNot APT Group Delivers A Spyware Variant Of Chat App",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1433337,
	"plain_text": "Cyble - DoNot APT Group Delivers A Spyware Variant Of Chat\r\nApp\r\nPublished: 2021-07-22 · Archived: 2026-04-05 17:11:04 UTC\r\nDoNot APT Group, also known as APT-C-35, is an Advanced Persistent Threat (APT) group targeting\r\ngovernment-related organizations. DoNot has a reputation for carrying out APT attacks against India, Pakistan,\r\nArgentina, and countries in South Asia. This group mainly spreads malware using malicious programs developed\r\nin C++, Python, .NET, and other languages.\r\nDoNot APT mainly spreads malware via spear-phishing emails containing malicious documents and files. In\r\naddition to spreading malware via spear-phishing emails with attachments that contain either a vulnerability\r\nor a malicious macro, this APT group leverages malicious Android APKs in their target attacks. \r\nWorld's Best AI-Native Threat Intelligence\r\nAndroid-based Spyware applications are often disguised as system tools and in some cases as\r\nfake apps, counterfeit mobile games, and fake news apps. Post installation, these apps perform Trojan functions in\r\nthe background and can remotely control the victim’s system, besides stealing confidential information from the\r\ntargeted device. \r\nDuring our Open-Source Intelligence (OSINT) research, Cyble researchers found a malware sample of the DoNot\r\nAPT group posted on Twitter. Upon analyzing the malware sample, the Cyble Research Lab discovered that it is a\r\nfake app disguised as a legitimate messaging app that collects sensitive information from the victim’s device.\r\nThe APT group uses the deobfuscation code along with some packers within the application to conceal malicious\r\nfunctionalities. 
This prevents the spyware from being detected during the static analysis of the app.\r\nTechnical Analysis:\r\nWe performed the technical analysis of an APK with the following hash value: fdb67688d92900226bf834ce67f4112f03e981611ee50e9c3102636574b05280.\r\nhttps://blog.cyble.com/2021/07/22/donot-apt-group-delivers-a-spyware-variant-of-chat-app/\r\nPage 1 of 12\n\nApp name: Mecaller.apk\r\nPackage name: com.chat.nsgnest\r\nSome of the application’s permissions, activities, and services that may be used to perform malicious activities are listed below:\r\nPermissions:\r\nandroid.permission.READ_CALENDAR\r\nandroid.permission.PROCESS_OUTGOING_CALLS\r\nandroid.permission.ACCESS_COARSE_LOCATION\r\nandroid.permission.INTERNET\r\nandroid.permission.ACCESS_FINE_LOCATION\r\nandroid.permission.READ_CALL_LOG\r\nandroid.permission.WRITE_EXTERNAL_STORAGE\r\nandroid.permission.RECEIVE_SMS\r\nandroid.permission.AUTHENTICATE_ACCOUNTS\r\nandroid.permission.CALL_PHONE\r\nandroid.permission.READ_PHONE_STATE\r\nandroid.permission.READ_SMS\r\nandroid.permission.RECORD_AUDIO\r\nandroid.permission.READ_CONTACTS\r\nActivities:\r\nime.serviceinfo.app.MainActivity\r\nime.serviceinfo.app.qsharehong.qsharelackhong\r\nServices:\r\nime.serviceinfo.app.qsynchong.qSyncServicehong\r\nime.serviceinfo.app.qsynchong.qAuthenticatorServicehong\r\nime.serviceinfo.app.qaleolehong.qdcerthong\r\nime.serviceinfo.app.qaleolehong.qnqwerhong\r\nime.serviceinfo.app.qstunthong.qSensorServicehong\r\nime.serviceinfo.app.qsharehong.qsttrServicehong\r\nime.serviceinfo.app.qsharehong.qServicehong\r\nime.serviceinfo.app.qaleolehong.qhepjshong\r\nime.serviceinfo.app.qhelphong.qgarohong\r\nime.serviceinfo.app.qaihihihong.tknnotify.sfsSr\r\n
We also performed a dynamic analysis and discovered that the app has an emulator check that prevents it from running in an emulator or VirtualBox, so that it only runs on physical devices. After bypassing these checks with Frida scripts and loading the application, it displays the message shown in the figure below.\r\nFigure 1 – Error Message from the App on Loading It Through Frida Scripts\r\nUsing the same Frida scripts and loading the various activities, the app requests that the user enable the accessibility service; once it is activated, the app displays the message shown in Figure 2.\r\nFigure 2 – Message Displayed on Turning on the Accessibility Service\r\nThe malware then initiates its malicious behavior from the application’s main class, “ime.serviceinfo.app.MainActivity”. This class is the entry point of the app and is executed first when the user starts the application.\r\nUsing the above permissions granted by the user, the following data is fetched from the device:\r\nTracking the user’s location along with network operator details, device location, latitude, and longitude from the compromised device.\r\nFigure 3 – Code to Track the Location of the Device with Latitude and Longitude\r\nChecking for the availability of an internet connection on the device to collect network and connectivity information.\r\nFigure 4 – Checks for Internet Connection Availability\r\nThe application also has the capability to record audio and collect media files from the infected device without the user’s knowledge.\r\nFigure 5 – Code to Record Audio/Media Files from the Infected Device\r\nSending text messages using the granted permissions and the SMS manager.\r\nFigure 6 – Sends Text Messages Using SMS Manager and Android Permissions\r\nTracking the services/receivers that are registered after device reboot.\r\nFigure 7 – Registers the Service/Receiver on Phone Reboot\r\nAfter the accessibility service is enabled, the application launcher icon is removed from the main screen, allowing the app to stay hidden.\r\nFigure 8 – Hides the Application Launcher Icon from View\r\nCollecting information on the running application processes or tasks.\r\nFigure 9 – Collects List of Running Processes\r\nVerifying the infected device’s fingerprint, hardware, and model to find out whether the application is being executed in an emulator or in VirtualBox. If it is executed in an emulator, the application does not perform any malicious activity, in order to avoid detection.\r\nFigure 10 – Code to Detect the Analysis Device (Emulator Check)\r\nMonitoring the phone numbers of both outgoing and incoming calls using a BroadcastReceiver and storing the collected data in “CallLogs.txt”.\r\nFigure 11 – Code That Queries Phone Numbers from Incoming and Outgoing Calls\r\nFigure 12 – Code That Monitors and Collects Call Logs\r\nMonitoring incoming messages, creating Protocol Data Units (PDUs), intercepting SMSes to collect information from them, and storing the information in “sms.txt”.\r\nFigure 13 – Code That Monitors and Collects SMS Data\r\nFigure 14 – Stores the Collected SMS Data\r\nCollecting phone contacts from the infected device and storing them in the “contacts.txt” file.\r\nFigure 15 – Collects and Stores Phone Contacts\r\nAlong with the above sensitive information, this malicious app has code to fetch stored mail accounts and application accounts, such as Gmail and WhatsApp, and stores the information in “accounts.txt”.\r\nFigure 16 – Code That Collects and Stores Mail and Application Accounts\r\nA Base64 encryption technique is used in multiple classes and methods.\r\nFigure 17 – Encrypted Strings Using Base64 Encryption Technique\r\nUpon decrypting the encrypted strings, we were able to determine that the data collected by this app is sent to the C2 link through which the application communicates and uploads the information to the server.\r\nC2 Server: hxxp[:]//tinyshort[.]icu/\r\n
CONCLUSION:\r\nSpyware apps have been around for a long time, yet they still pose a significant threat to sensitive data on victim devices. The APT groups responsible for creating the spyware are constantly adapting and using various encryption techniques to avoid detection. This makes removal of the spyware nearly impossible, so users should exercise caution while installing applications.\r\nSAFETY RECOMMENDATIONS:\r\nKeep your anti-virus software updated to detect and remove malicious software.\r\nUninstall the application if you find this malware on your device.\r\nKeep your system and applications updated to the latest versions.\r\nUse strong passwords and enable two-factor authentication.\r\nDownload and install software only from trusted sites and official app stores.\r\nVerify the privileges and permissions requested by apps before granting them access.\r\nPeople concerned about the exposure of their stolen credentials on the dark web can register at AmIBreached.com to ascertain their exposure.\r\n
MITRE ATT\u0026CK® Techniques for Mobile\r\nTactic | Technique ID | Technique Name\r\nDefense Evasion | T1406 | Obfuscated Files or Information\r\nDefense Evasion | T1418 | Application Discovery\r\nCredential Access | T1409 | Access Stored Application Data\r\nCredential Access | T1412 | Capture SMS Messages\r\nCollection | T1507 | Network Information Discovery\r\nCollection | T1430 | Location Tracking\r\nCollection | T1412 | Capture SMS Messages\r\nCollection | T1429 | Capture Audio\r\nCollection | T1432 | Access Contact List\r\nCollection | T1433 | Access Call Log\r\nDiscovery | T1421 | System Network Connections Discovery\r\nDiscovery | T1430 | Location Tracking\r\nDiscovery | T1426 | System Information Discovery\r\nDiscovery | T1418 | Application Discovery\r\nDiscovery | T1424 | Process Discovery\r\nCommand and Control | T1573 | Encrypted Channel\r\nCommand and Control | T1571 | Non-Standard Port\r\nExfiltration | T1532 | Data Encrypted\r\nIndicators of Compromise (IoCs):\r\nIOC | IOC Type\r\nfdb67688d92900226bf834ce67f4112f03e981611ee50e9c3102636574b05280 | SHA256\r\nhxxp[:]//tinyshort[.]icu/ | Interesting URL\r\n45.61.137[.]7 | IP address\r\nAbout Cyble\r\nCyble is a global threat intelligence SaaS provider that helps enterprises protect themselves from cybercrimes and exposure on the dark web. Cyble’s prime focus is to provide organizations with real-time visibility into their digital risk footprint. Backed by Y Combinator as part of the 2021 winter cohort, Cyble has also been recognized by Forbes as one of the top 20 Best Cybersecurity Startups to Watch in 2020. Headquartered in Alpharetta, Georgia, and with offices in Australia, Singapore, and India, Cyble has a global presence. To learn more about Cyble, visit www.cyble.com.\r\n
Source: https://blog.cyble.com/2021/07/22/donot-apt-group-delivers-a-spyware-variant-of-chat-app/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://blog.cyble.com/2021/07/22/donot-apt-group-delivers-a-spyware-variant-of-chat-app/"
	],
	"report_names": [
		"donot-apt-group-delivers-a-spyware-variant-of-chat-app"
	],
	"threat_actors": [
		{
			"id": "2ac63ef4-a7b8-4a30-96ad-b30ccb2073fc",
			"created_at": "2022-10-25T16:07:23.546262Z",
			"updated_at": "2026-04-10T02:00:04.651083Z",
			"deleted_at": null,
			"main_name": "Donot Team",
			"aliases": [
				"APT-C-35",
				"Mint Tempest",
				"Origami Elephant",
				"SectorE02"
			],
			"source_name": "ETDA:Donot Team",
			"tools": [
				"BackConfig",
				"EHDevel",
				"Jaca",
				"yty"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "cfdd350b-de30-4d29-bbee-28159f26c8c2",
			"created_at": "2023-01-06T13:46:38.433736Z",
			"updated_at": "2026-04-10T02:00:02.972971Z",
			"deleted_at": null,
			"main_name": "VICEROY TIGER",
			"aliases": [
				"OPERATION HANGOVER",
				"Donot Team",
				"APT-C-35",
				"SectorE02",
				"Orange Kala"
			],
			"source_name": "MISPGALAXY:VICEROY TIGER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434657,
	"ts_updated_at": 1775791983,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a3aaf5ecd3ada502cd3a8fa5da4e1e76dd0ed47d.pdf",
		"text": "https://archive.orkl.eu/a3aaf5ecd3ada502cd3a8fa5da4e1e76dd0ed47d.txt",
		"img": "https://archive.orkl.eu/a3aaf5ecd3ada502cd3a8fa5da4e1e76dd0ed47d.jpg"
	}
}