{
	"id": "f59cc8f3-ddfe-4389-bdef-40569a0934ed",
	"created_at": "2026-04-06T00:15:19.422144Z",
	"updated_at": "2026-04-10T13:12:24.303159Z",
	"deleted_at": null,
	"sha1_hash": "b6f156e50c618d6373a754cb11f62863fa3d40ef",
	"title": "DoNot Go! Do not respawn!",
	"llm_title": "",
	"authors": "Facundo Muñoz, Matías Porolli",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 898493,
	"plain_text": "DoNot Go! Do not respawn!\r\nBy Facundo Muñoz and Matías Porolli\r\nArchived: 2026-04-05 19:22:38 UTC\r\nDonot Team (also known as APT-C-35 and SectorE02) is a threat actor operating since at least 2016 and known for targeting organizations and individuals in South Asia with Windows and Android malware. A recent report by Amnesty International links the group’s malware to an Indian cybersecurity company that may be selling the spyware or offering a hackers-for-hire service to governments of the region.\r\nWe have been closely following the activities of Donot Team, and have traced several campaigns that leverage Windows malware derived from the group’s signature yty malware framework. According to our findings, the group is very persistent and has consistently targeted the same organizations for at least the last two years.\r\nIn this blogpost, we document two variants of the malware used in recent campaigns – DarkMusical and Gedit. For each of the variants, we analyze the whole attack chain and provide insight into how the group updates its tools, tactics, and techniques.\r\nTargets\r\nThe campaigns of Donot Team are motivated by espionage, using their signature malware: the “yty” malware framework, whose main purpose is to collect and exfiltrate data. According to our telemetry, Donot Team focuses on a small number of targets in South Asia – Bangladesh, Sri Lanka, Pakistan and Nepal – as seen in Figure 1.\r\nFigure 1. Countries targeted in recent Donot Team campaigns\r\nhttps://www.welivesecurity.com/2022/01/18/donot-go-do-not-respawn/\r\nPage 1 of 20\r\nThese attacks are focused on:\r\nGovernment and military organizations\r\nMinistries of Foreign Affairs\r\nEmbassies\r\nGoing as far as targeting embassies of these countries in other regions, such as the Middle East, Europe, North America, and Latin America, is also not outside Donot Team’s realm.\r\nTry, try, try again\r\nIt’s not a rarity for APT operators to attempt to regain access to a compromised network after they have been ejected from it. In some cases this is achieved through the deployment of a stealthier backdoor that remains quiet until the attackers need it; in other cases they simply restart their operation with new malware or a variant of the malware they used previously. The latter is the case with Donot Team operators, only that they are remarkably persistent in their attempts.\r\nAccording to ESET telemetry, Donot Team has been consistently targeting the same entities with waves of spearphishing emails with malicious attachments every two to four months. Interestingly, emails we were able to retrieve and analyze did not show signs of spoofing. Some emails were sent from the same organizations that were being attacked. It’s possible that the attackers may have compromised the email accounts of some of their victims in earlier campaigns, or the email server used by those organizations.\r\nWith spearphishing emails, the attackers use malicious Microsoft Office documents to deploy their malware. We have seen Donot Team using at least three techniques. One is macros in Word, Excel and PowerPoint documents, such as the example seen in Figure 2.\r\nFigure 2. Malicious macro in a PowerPoint document that drops a downloader executable and creates a scheduled task to run it\r\nThe second technique is RTF files with .doc extensions that exploit the memory corruption vulnerability CVE-2017-11882 in Microsoft Equation Editor, shown in Figure 3. These RTF documents also contain two embedded DLLs as OLE objects (see Figure 4) that are used to install and download further components (both DLLs are described in the Gedit section). This allows the attackers to execute shellcode with no user interaction beyond opening the document. The shellcode deploys the main components of the malware.\r\nFigure 3. CLSID of the COM object used by the RTF document to load the Equation Editor; the ensuing OLE object contains the CVE-2017-11882 exploit\r\nFigure 4. The OLE object headers of the DLLs also embedded in the RTF document\r\nThe third technique is remote RTF template injection, which allows the attackers to have a payload downloaded from a remote server when the RTF document is opened. This is achieved by inserting a URL in the optional \\*\\template control word of the RTF file format, instead of the location of a local file resource. The payload that Donot Team uses is another document that exploits CVE-2017-11882 and is loaded automatically once it is downloaded. This is shown in Figure 5.\r\nFigure 5. When Word opens an RTF file with a remote template, it automatically attempts to download the resource\r\nThe yty malware framework\r\nDiscovered by NetScout in 2018, the yty malware framework is a less sophisticated and poorly developed successor to an older framework called EHDevel. 
The yty framework consists of a chain of downloaders that ultimately download a backdoor with minimal functionality, used to download and execute further components of Donot Team’s toolset. These include file collectors based on file extension and year of creation, screen capturers, keyloggers, reverse shells, and more. As seen in Figure 6, components for exfiltration gather the collected intelligence from staging folders and upload every file to a designated server used only for this purpose.\r\nFigure 6. Component that resolves the folder name for staging JPEG screenshots (left) and exfiltration component that finds all files in the staging folder (right)\r\nStaging folder names and locations are changed with almost every new campaign, as well as some of the components’ filenames. However, there are cases in which the names of components have remained unchanged, for example: gedit.exe, wuaupdt.exe, lmpss.exe, disc.exe, among others. As seen in Figure 7, it seems that for every new campaign, in order to set new paths and filenames, these values must be changed in the source code and the component recompiled, as none of these components use a configuration block or file.\r\nFigure 7. Encrypted strings containing locations and filenames that are regularly changed (top) and unencrypted values used in constructing the C\u0026C URL (bottom)\r\nThe malware uses scheduled tasks for persistence, and alternates between DLL and EXE files between campaigns. In the case of DLLs, the scheduled tasks execute rundll32.exe to load them and call one of the exported functions.\r\nThe developers of the yty framework primarily rely on the C++ programming language. Likely in an attempt to evade detection, they have also ported their components to other languages such as VBScript, Python (packaged with PyInstaller), Visual C#, and AutoIt, among others. However, since 2019 we have only seen them leveraging components programmed in C++ (Figure 8) and Go (Figure 9).\r\nFigure 8. Decompiled code of the component that captures screenshots, originally written in C++\r\nFigure 9. Decompiled code of the component that captures screenshots, for the version written in Go\r\nThe malware sometimes uses two or three servers during its deployment. It might use one server during its chain of downloaders and a different server that the backdoor contacts in order to receive its commands and download further components, or use the same server for both purposes. A different server is always used for the upload of collected information. In some attacks Donot Team has reused C\u0026C domains from previous attacks – both for downloads and exfiltration. As seen in Figure 10, Figure 11 and Figure 12, these components – later described as a variant we track as DarkMusical – used in the same attack, employed three different C\u0026C domains.\r\nFigure 10. The first downloader decrypts the URL of the server from which it downloads the next stage of the chain\r\nFigure 11. In later stages, the backdoor uses a different server for C\u0026C communications\r\nFigure 12. The exfiltration components use yet a third server to upload the collected files\r\nTimeline of attacks\r\nHere we describe the malware variants used in recent Donot Team campaigns, with a focus on their Windows malware, starting from September 2020 until October 2021. For clarity, we have separated them into two variants of the yty malware framework: Gedit and DarkMusical, with one specific campaign using Gedit that we named Henos.\r\nIn Figure 13, we present a timeline, according to our telemetry, of the attacks. Also on our timeline we have included attacks from another variant, known as the “Jaca framework”. However, we will not describe it here as it has been described extensively in this report by CN-SEC.\r\nFigure 13. Timeline of Donot Team attacks from September 2020 to October 2021 according to ESET telemetry\r\nDarkMusical\r\nAccording to ESET telemetry, the first wave of attacks where this variant was used occurred in June 2021, targeting military organizations in Bangladesh. We were only able to recover its chain of downloaders and its main backdoor. Given the small number of victims, we believe this might have been a highly targeted attack.\r\nIn September, a second wave of attacks that targeted military organizations in Nepal used new C\u0026C servers and file and staging folder names. We were able to recover a number of components downloaded by the backdoor, so we have decided to describe these attacks instead.\r\nSpearphishing emails were sent with PowerPoint documents containing a macro that deploys the first component of a chain of downloaders and persists using a scheduled task. When potential victims open these documents, they are presented with a fake error message, as seen in Figure 14, and the documents remain devoid of any visible content.\r\nFigure 14. 
Screenshot of a blank, malicious PowerPoint document\r\nAs seen in Figure 15, the chain of downloaders aims to download a final component that works as a backdoor with minimal functionality: it downloads standalone components, executes them using the ShellExecute Windows API, and gets and saves new C\u0026C URLs.\r\nThe backdoor downloads the components that handle the collection and exfiltration of information to a dedicated server. These components do not communicate with the backdoor or the C\u0026C to report on their activities – rather, they use a designated folder for the staging of the data, and a separate exfiltration component collects everything and uploads it.\r\nFigure 15. Observed chain of compromise for DarkMusical\r\nWe decided to call this campaign DarkMusical because of the names the attackers chose for their files and folders: many are western celebrities or characters in the movie High School Musical. Table 1 briefly describes the purpose of each of the components in the chain of compromise.\r\nTable 1. Components in the DarkMusical campaign chain of compromise\r\nrihana.exe: Dropped by the malicious document to %public%\\Music\\rihana.exe, with persistence established via a scheduled task called musudt. Downloads a file to %public%\\Music\\acrobat.dll and drops a BAT file to %public%\\Music\\sidilieicaliei.bat. The BAT file calls schtasks.exe to create the hmomci scheduled task, which executes rundll32.exe %public%\\Music\\acrobat.dll, nikioioeioolla.\r\nacrobat.dll: Downloads a file and saves it as %public%\\Music\\swift. Additionally, it can issue a systeminfo.exe command whose output is redirected to %public%\\Music\\justin; the contents of that file are sent to its C\u0026C server. Drops and executes the file %public%\\Music\\janifer.bat, which performs several tasks:\r\n • Creates the folders Troy, Gabriella, and Taylor in %public%\\Music with the archive, hidden, and system attributes\r\n • Creates two scheduled tasks: sccmos to execute %public%\\Music\\Troy\\forbidden.exe, and msoudatee to execute %public%\\Music\\Gabriella\\remember.exe\r\n • Moves the swift file into the Gabriella folder and renames it to remember.exe\r\n • Attempts to delete acrobat.dll and rihana.exe\r\n • Deletes the scheduled tasks named hmomci and musudt\r\n • Deletes itself\r\nremember.exe: Downloads a file to %public%\\Music\\Troy\\forbidden.exe\r\nforbidden.exe: Uses the URL stored in the file %public%\\Music\\Taylor\\flag; if there is no URL, it uses its default URL. Accepts three commands:\r\n • Set the URL in the flag file\r\n • Execute a file with the ShellExecute Windows API\r\n • Download a file to %public%\\Music\\Taylor\r\nIn Table 2 we describe the purpose of each component of the attacker’s toolset.\r\nTable 2. Description of components in the attacker’s toolset for DarkMusical\r\nserviceup.exe, sdudate.exe: Reverse shells\r\nsrcot.exe: Takes screenshots and saves them to %public%\\Music\\Symphony\r\nnDExiD.exe (three variants):\r\n • Collects files created in 2021 and after, and copies them to the staging folder %public%\\Music\\Symphony. Collects files by extension: doc, docx, eml, inp, jpeg, jpg, msg, odt, pdf, pps, ppsx, ppt, pptx, rtf, txt, xls, xlsx\r\n • Same as above, but files must have been created in 2020 or after\r\n • File collector that monitors insertion of USB drives and changes within the file system. Collects the same documents by extension as above, but also includes files with the extensions docm, mbox and pst\r\nupsvcsu.exe: Exfiltrates collected files. Enumerates all files in %public%\\Music\\Symphony and uploads those that match the extensions: doc, docx, eml, inp, jpeg, jpg, msg, odt, pdf, pps, ppsx, ppt, pptx, rtf, txt, xls, xlsx\r\nGedit\r\nWe detected the first attacks of the campaign using Gedit in September 2020, against organizations in Pakistan that had already been targeted with spearphishing and malicious RTF documents that installed the Jaca framework. Since then, Donot Team has moved on to focus on targets in Bangladesh, Nepal and Sri Lanka. The malware is clearly derived from the yty malware framework, but it is distinct enough to be separated from DarkMusical.\r\nWe were able to retrieve a spearphishing email corresponding to a Gedit campaign that occurred in February 2021, which is shown in Figure 16. The first attachment contained a list of personnel from a military entity in Bangladesh (and no malicious content). The second attachment showed nothing but a blank page while executing malicious code.\r\nFigure 16. Screenshot of a spearphishing email sent by the attackers\r\nWe can see that the size of the second file is greater than 2 MB. It is an RTF file that exploits CVE-2017-11882 to drop two DLL files contained in the document and execute one of them. Other components are downloaded to the compromised computer in various stages. An overview of this attack chain and its malware components is shown in Figure 17.\r\nFigure 17. Chain of compromise in Gedit campaigns\r\nThe components were coded in Go and in C++ (with the MinGW and Visual Studio compilers). 
We have chosen to describe the components used in that campaign in February 2021, which are shown in Table 3.\r\nTable 3. Description of components for the Gedit variant\r\nvbtr.dll: Moves the file %TEMP%\\bcs01276.tmp to %USERPROFILE%\\Documents\\msdn022.dll. Creates a scheduled task MobUpdate to execute rundll32.exe %USERPROFILE%\\Documents\\msdn022.dll,iorpiyhduj\r\nmsdn022.dll: Downloads a file to %APPDATA%\\mscx01102 (later renamed to Winhlp.exe). Writes and executes %APPDATA%\\test.bat, which:\r\n • Writes \u003cCOMPUTERNAME\u003e-\u003cRANDOM_NUMBER\u003e to %USERPROFILE%\\Policy\\en-us\\Files\\wizard\r\n • Creates the scheduled task TaskUpdate to execute %USERPROFILE%\\inf\\boost\\OOO\\nprint.exe\r\n • Creates the scheduled task MachineCore to execute %USERPROFILE%\\Cursor\\Size\\Dates\\Winhlp.exe\r\nWinhlp.exe: Downloads a file to %USERPROFILE%\\inf\\boost\\OOO\\nprint.exe (if it doesn’t exist or its size is less than 50 kB).\r\nnprint.exe: Sends a request to a server and, depending on the reply, performs one of three actions:\r\n • If qwertyuiop is in the reply headers, a file is downloaded to %USERPROFILE%\\Policy\\en-us\\Active\\\u003cFILENAME\u003e, where \u003cFILENAME\u003e is also read from the headers\r\n • If asdfghjklzx is in the reply headers, it tries to execute %USERPROFILE%\\Policy\\en-us\\Active\\wuaupdt.exe\r\n • If zxcvbnmlkjhgfd is in the reply headers, it tries to execute %USERPROFILE%\\Policy\\en-us\\Active\\test.bat\r\nIf the file %USERPROFILE%\\Policy\\en-us\\Files\\wizard exists, the URL of the server is retrieved from there and used instead of the one included in the executable.\r\nwuaupdt.exe: Reverse shell.\r\nlmpss.exe: Takes screenshots and saves them, in an infinite loop, to %USERPROFILE%\\Remote\\Desk\\Apps\r\ninnod.exe: File collector. Iterates recursively through drives, logging interesting files to %USERPROFILE%\\Policy\\en-us\\Files\\nohiucf. Files are copied to %USERPROFILE%\\Remote\\Desk\\Apps. Seeks files with the extensions: doc, docx, xls, xlsx, ppt, pps, pptx, ppsx, pdf, inp, msg, jpg, jpeg, png, txt. Excludes the following files/folders: ., .., nohiucf, Windows, Recent Places, Temfile, Program Files, Program Files (x86), ProgramData, Microsoft, Package Cache. This component runs in an infinite loop, iterating drives from C: to H:\r\ngedit.exe: Sends collected files to a server. All files that are in %USERPROFILE%\\Remote\\Desk\\Apps are sent one by one, unencrypted. There is no check for extension, other than excluding . and .. The victim identifier that was written to %USERPROFILE%\\Policy\\en-us\\Files\\wizard is appended to the URL; if the file doesn’t exist, the default string HeloBSiamabcferss is used instead. The User-Agent string is: If people are doubting how far you can go, go so far that you can not hear them anymore. Michele Ruiz. It creates a system event named aaaaaaaaa to make sure that only one instance of the component is running at a time.\r\nHenos campaign\r\nFinally, it is worth mentioning a wave of attacks that occurred between February and March 2021, targeting military organizations in Bangladesh and Sri Lanka. These attacks used the Gedit variant of the malware, but with some minor modifications. Therefore, we decided to name this campaign Henos in our timeline, after its backdoor DLL – henos.dll. Samples belonging to components of this wave of attacks were also reported online in February, which probably explains why the group didn’t use the components again (see this tweet by Shadow Chaser Group researchers, for example).\r\nAlthough we didn’t find the corresponding spearphishing emails or malicious documents, the attack chain is presumably the same as we described above, with some minor differences in how the components are executed. An overview of this is shown in Figure 18.\r\nFigure 18. Chain of compromise of the Henos campaign\r\nWhile some of the components of this campaign are named javatemp.exe and pytemp.exe, these filenames were probably only chosen in an attempt to mimic legitimate software such as Java or Python. While pytemp.exe and plaapas.exe were coded in the Go language, javatemp.exe was coded in C++ (compiled with MinGW).\r\nOne final note is that the component that performs exfiltration of files, pytemp.exe, performs a check to see if gedit.exe is running. If two or more instances are found, it exits. We believe this is a mistake by the programmers, as it should check for pytemp.exe instead. However, this simple mistake helps us tie the Henos campaign to the Gedit variant of the malware (in addition to code similarity).\r\nConclusion\r\nDonot Team makes up for its low sophistication with tenacity. We expect that it will continue to push on regardless of its many setbacks. 
Only time will tell if the group evolves its current TTPs and malware.\r\nFor any inquiries, or to make sample submissions related to the subject, contact us at threatintel@eset.com.\r\nIndicators of Compromise (IoCs)\r\nA comprehensive list of Indicators of Compromise (IoCs) and samples can be found in our GitHub repository.\r\nGedit – October 2021\r\nSamples\r\nSHA-1 | Filename | ESET detection name\r\n78E82F632856F293BDA86D77D02DF97EDBCDE918 | cdc.dll | Win32/TrojanDownloader.Donot.C\r\nD9F439E7D9EE9450CD504D5791FC73DA7C3F7E2E | wbiosr.exe | Win32/TrojanDownloader.Donot.D\r\nCF7A56FD0613F63418B9DF3E2D7852FBB687BE3F | vdsc.exe | Win32/TrojanDownloader.Donot.E\r\nB2263A6688E512D90629A3A621B2EE003B1B959E | wuaupdt.exe | Win32/ReverseShell.J\r\n13B785493145C85B005E96D5029C20ACCFFE50F2 | gedit.exe | Win32/Spy.Donot.A\r\nE2A11F28F9511753698BA5CDBAA70E8141C9DFC3 | wscs.exe | Win32/Spy.Donot.B\r\nF67ABC483EE2114D96A90FA0A39496C42EF050B5 | gedit.exe | Win32/Spy.Donot.B\r\nNetwork\r\nDownload servers\r\nhttps://request.soundedge[.]live/access/nasrzolofuju\r\nhttps://request.soundedge[.]live/access/birkalirajliruajirjiairuai\r\nhttps://share.printerjobs[.]xyz/id45sdjscj/\u003cVICTIM_ID\u003e\r\nExfiltration server\r\nhttps://submin.seasonsbackup[.]xyz/backup/\u003cVICTIM_ID\u003e\r\nReverse shell server\r\n80.255.3[.]67\r\nGedit – July 2021\r\nSamples\r\nSHA-1 | Filename | ESET detection name\r\nA71E70BA6F3CD083D20EDBC83C72AA823F31D7BF | hxedit.exe | Win32/TrojanDownloader.Donot.N\r\nE101FB116F05B7B69BD2CAAFD744149E540EC6E9 | lmpss.exe | Win64/HackTool.Ligolo.A\r\n89D242E75172C79E2F6FC9B10B83377D940AE649 | gedit.exe | WinGo/Spy.Donot.A\r\nB42FEFE2AB961055EA10D445D9BB0906144647CE | gedit.exe | WinGo/Spy.Donot.A\r\nB0704492382186D40069264C0488B65BA8222F1E | disc.exe | Win32/Spy.Donot.L\r\n1A6FBD2735D3E27ECF7B5DD5FB6A21B153FACFDB | disc.exe | Win32/Spy.Donot.A\r\nCEC2A3B121A669435847ADACD214BD0BE833E3AD | disc.exe | Win32/Spy.Donot.M\r\nCBC4EC0D89FA7A2AD1B1708C5A36D1E304429203 | disc.exe | Win32/Spy.Donot.A\r\n9371F76527CA924163557C00329BF01F8AD9E8B7 | gedit.exe | Win32/Spy.Donot.J\r\nB427744B2781BC344B96907BF7D68719E65E9DCB | wuaupdt.exe | Win32/TrojanDownloader.Donot.W\r\nNetwork\r\nDownload server\r\nrequest.submitonline[.]club/orderme/\r\nExfiltration servers\r\noceansurvey[.]club/upload/\u003cVICTIM_ID\u003e\r\nrequest.soundedge[.]live/\u003cCOMPUTERNAME\u003e/uload\r\nReverse shell servers\r\n80.255.3[.]67\r\n37.48.122[.]145\r\nGedit – February/March 2021\r\nSamples\r\nSHA-1 | Filename | ESET detection name\r\nA15D011BED98BCE65DB597FFD2D5FDE49D46CFA2 | BN_Webmail_List 2020.doc | Win32/Exploit.Agent.UN\r\n6AE606659F8E0E19B69F0CB61EB9A94E66693F35 | vbtr.dll | Win32/Spy.Donot.G\r\n0290ABF0530A2FD2DFB0DE29248BA3CABB58D2AD | bcs01276.tmp (msdn022.dll) | Win32/TrojanDownloader.Donot.P\r\n66BA21B18B127DAA47CB16AB1F2E9FB7DE3F73E0 | Winhlp.exe | Win32/TrojanDownloader.Donot.J\r\n79A5B10C5214B1A3D7CA62A58574346C03D54C58 | nprint.exe | Win32/TrojanDownloader.Donot.K\r\nB427744B2781BC344B96907BF7D68719E65E9DCB | wuaupdt.exe | Win32/TrojanDownloader.Donot.W\r\nE423A87B9F2A6DB29B3BA03AE7C4C21E5489E069 | lmpss.exe | WinGo/Spy.Donot.B\r\nF43845843D6E9FB4790BF70F1760843F08D43790 | innod.exe | Win32/Spy.Donot.G\r\n4FA31531108CC68FF1865E2EB5654F7B3DA8D820 | gedit.exe | Win32/Spy.Donot.G\r\nNetwork\r\nDownload servers\r\nfirm.tplinkupdates[.]space/8ujdfuyer8d8f7d98jreerje\r\nfirm.tplinkupdates[.]space/yu37hfgde64jskeruqbrgx\r\nspace.lovingallupdates[.]life/orderme\r\nExfiltration server\r\noceansurvey[.]club/upload/\u003cVICTIM_ID\u003e\r\nReverse shell server\r\n80.255.3[.]67\r\nGedit – September 2020\r\nSamples\r\nSHA-1 | Filename | ESET detection name\r\n49E58C6DE5245796AEF992D16A0962541F1DAE0C | lmpss.exe | Win32/Spy.Donot.H\r\n6F38532CCFB33F921A45E67D84D2796461B5A7D4 | prodot.exe | Win32/TrojanDownloader.Donot.K\r\nFCFEE44DA272E6EB3FC2C071947DF1180F1A8AE1 | prodot.exe | Win32/TrojanDownloader.Donot.S\r\n7DDF48AB1CF99990CB61EEAEB3ED06ED8E70A81B | gedit.exe | Win32/TrojanDownloader.Donot.AA\r\nDBC8FA70DFED7632EA21B9AACA07CC793712BFF3 | disc.exe | Win32/Spy.Donot.I\r\nCEF05A2DAB41287A495B9413D33F14D94A568C83 | wuaupdt.exe | Win32/Spy.Donot.A\r\nE7375B4F37ECEA77FDA2CEA1498CFB30A76BACC7 | prodot.exe | Win32/TrojanDownloader.Donot.AA\r\n771B4BEA921F509FC37016F5FA22890CA3338A65 | apic.dll | Win32/TrojanDownloader.Donot.A\r\nF74E6C2C0E26997FDB4DD89AA3D8BD5B270637CC | njhy65tg.dll | Win32/TrojanDownloader.Donot.O\r\nNetwork\r\nDownload servers\r\nsoundvista[.]club/sessionrequest\r\nsoundvista[.]club/orderme/\u003cVICTIM_ID\u003e\r\nsoundvista[.]club/winuser\r\nExfiltration server\r\nrequest.resolverequest[.]live/upload/\u003cCOMPUTERNAME\u003e-\u003cRandom_Number\u003e\r\nReverse shell server\r\n80.255.3[.]67\r\nDarkMusical – September 2021\r\nSamples\r\nSHA-1 | Filename | ESET detection name\r\n1917316C854AF9DA9EBDBD4ED4CBADF4FDCFA4CE | rihana.exe | Win32/TrojanDownloader.Donot.G\r\n6643ACD5B07444D1B2C049BDE61DD66BEB0BD247 | acrobat.dll | Win32/TrojanDownloader.Donot.F\r\n9185DEFC6F024285092B563EFA69EA410BD6F85B | remember.exe | Win32/TrojanDownloader.Donot.H\r\n954CFEC261FEF2225ACEA6D47949D87EFF9BAB14 | forbidden.exe | Win32/TrojanDownloader.Donot.I\r\n7E9A4A13A76CCDEC880618BFF80C397790F3CFF3 | serviceup.exe | Win32/ReverseShell.J\r\nBF183A1EC4D88034D2AC825278FB084B4CB21EAD | srcot.exe | Win32/Spy.Donot.F\r\n1FAA4A52AA84EDB6082DEA66F89C05E0F8374C4C | upsvcsu.exe | WinGo/Spy.Donot.A\r\n2F2EA73B5EAF9F47DCFB7BF454A27A3FBF253A1E | sdudate.exe | Win32/ReverseShell.J\r\n39F92CBEC05785BF9FF28B7F33906C702F142B90 | ndexid.exe | Win32/Spy.Donot.C\r\n1352A8394CCCE7491072AAAC9D19ED584E607757 | ndexid.exe | Win32/Spy.Donot.E\r\n623767BC142814AB28F8EC6590DC031E7965B9CD | ndexid.exe | Win32/Spy.Donot.A\r\nNetwork\r\nDownload servers\r\ndigitalresolve[.]live/\u003cCOMPUTERNAME\u003e~\u003cUSERNAME\u003e~\u003cHW_PROFILE_GUID\u003e/ekcvilsrkjiasfjkikiakik\r\ndigitalresolve[.]live/\u003cCOMPUTERNAME\u003e~\u003cUSERNAME\u003e~\u003cHW_PROFILE_GUID\u003e/ziuriucjiekuiemoaeukjudjkgfkkj\r\ndigitalresolve[.]live/\u003cCOMPUTERNAME\u003e~\u003cUSERNAME\u003e~\u003cHW_PROFILE_GUID\u003e/Sqieilcioelikalik\r\nprintersolutions[.]live/\u003cCOMPUTERNAME\u003e~\u003cUSERNAME\u003e~\u003cHW_PROFILE_GUID\u003e/orderme\r\nExfiltration server\r\npacketbite[.]live/\u003cCOMPUTERNAME\u003e~\u003cUSERNAME\u003e~\u003cHW_PROFILE_GUID\u003e/uload\r\nReverse shell servers\r\n37.120.198[.]208\r\n51.38.85[.]227\r\nDarkMusical – June 2021\r\nSamples\r\nSHA-1 | Filename | ESET detection name\r\nBB0C857908AFC878CAEEC3A0DA2CBB0A4FD4EF04 | ertficial.dll | Win32/TrojanDownloader.Donot.X\r\n6194E0ECA5D494980DF5B9AB5CEA8379665ED46A | ertficial.dll | Win32/TrojanDownloader.Donot.X\r\nACB4DF8708D21A6E269D5E7EE5AFB5168D7E4C70 | msofficedll.dll | Win32/TrojanDownloader.Donot.L\r\nB38F3515E9B5C8F4FB78AD17C42012E379B9E99A | sccmo.exe | Win32/TrojanDownloader.Donot.M\r\n60B2ADE3B339DE4ECA9EC3AC1A04BDEFC127B358 | pscmo.exe | Win32/TrojanDownloader.Donot.I\r\nNetwork\r\nDownload servers\r\nbiteupdates[.]live/\u003cCOMPUTERNAME\u003e~\u003cUSERNAME\u003e~\u003cVICTIM_ID\u003e/orderme\r\nbiteupdates[.]live/\u003cCOMPUTERNAME\u003e~\u003cUSERNAME\u003e~\u003cVICTIM_ID\u003e/KdkdUe7KmmGFD\r\nbiteupdates[.]live/\u003cCOMPUTERNAME\u003e~\u003cUSERNAME\u003e~\u003cVICTIM_ID\u003e/acdfsgbvdghd\r\ndataupdates[.]live/\u003cCOMPUTERNAME\u003e~\u003cUSERNAME\u003e~\u003cVICTIM_ID\u003e/DKixeXs44skdqqD\r\ndataupdates[.]live/\u003cCOMPUTERNAME\u003e~\u003cUSERNAME\u003e~\u003cVICTIM_ID\u003e/BcX21DKixeXs44skdqqD\r\nHenos – February/March 2021\r\nSamples\r\nSHA-1 | Filename | ESET detection name\r\n468A04B358B780C9CC3174E107A8D898DDE4B6DE | Procurement Letter Feb 21.doc | Win32/Exploit.CVE-2017-11882.CP\r\n9DD042FC83119A02AAB881EDB62C5EA3947BE63E | ctlm.dll | Win32/Spy.Donot.N\r\n25825268868366A31FA73095B0C5D0B696CD45A2 | stpnaqs.pmt (jptvbh.exe) | Win32/TrojanDownloader.Donot.Z\r\n540E7338725CBAA2F33966D5C1AE2C34552D4988 | henos.dll | Win32/Spy.Donot.G\r\n526E5C25140F7A70BA9F643ADA55AE24939D10AE | plaapas.exe | WinGo/Spy.Donot.B\r\n89ED760D544CEFC6082A3649E8079EC87425FE66 | javatemp.exe | Win32/Spy.Donot.G\r\n9CA5512906D43EB9E5D6319E3C3617182BBF5907 | pytemp.exe | WinGo/Spy.Donot.A\r\nNetwork\r\nDownload servers\r\ninfo.printerupdates[.]online/\u003cUSERNAME\u003e/Xddv21SDsxDl\r\ninfo.printerupdates[.]online/\u003cCOMPUTERNAME\u003e~\u003cUSERNAME\u003e/XddvInXdl\r\ninfo.printerupdates[.]online/\u003cCOMPUTERNAME\u003e~\u003cUSERNAME\u003e/ZuDDey1eDXUl\r\ninfo.printerupdates[.]online/\u003cCOMPUTERNAME\u003e~\u003cUSERNAME\u003e/Vyuib45xzlqn\r\nExfiltration server\r\nhttps://manage.biteupdates[.]site/\u003cPC_NAME\u003e/uload\r\nMITRE ATT\u0026CK techniques\r\nThis table was built using version 10 of the ATT\u0026CK framework.\r\nTactic | ID | Name | Description\r\nResource Development | T1588.005 | Obtain Capabilities: Exploits | Donot Team has used CVE-2017-11882 exploits to run its first-stage malware.\r\nInitial Access | T1566.001 | Phishing: Spearphishing Attachment | Donot Team has sent spearphishing emails to its victims with malicious Word or PowerPoint attachments.\r\nExecution | T1204.002 | User Execution: Malicious File | Donot Team has lured its victims into opening malicious email attachments.\r\nExecution | T1059.005 | Command and Scripting Interpreter: Visual Basic | Donot Team has used macros contained in PowerPoint documents.\r\nExecution | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | Donot Team has used reverse shells on the system to execute commands.\r\nExecution | T1203 | Exploitation for Client Execution | Donot Team has used CVE-2017-11882 exploits to execute code on the victim’s machine.\r\nPersistence | T1053.005 | Scheduled Task/Job: Scheduled Task | Donot Team has created scheduled tasks for persistence of its malicious components.\r\nDefense Evasion | T1036.005 | Masquerading: Match Legitimate Name or Location | Donot Team has used filenames such as pytemp or javatemp to approximate the name of legitimate software.\r\nDiscovery | T1057 | Process Discovery | Donot Team has implemented checks for older versions of the malware running on the victim’s system.\r\nLateral Movement | T1534 | Internal Spearphishing | Donot Team has sent spearphishing emails to its victims that came from within the same targeted organization.\r\nCollection | T1005 | Data from Local System | Donot Team has used malicious modules that traverse the victim’s filesystem looking for files with various extensions.\r\nCollection | T1025 | Data from Removable Media | Donot Team has used a malicious module to copy files from removable drives.\r\nCollection | T1074.001 | Data Staged: Local Data Staging | Donot Team has staged files for exfiltration in a single location, a folder on the victim’s computer.\r\nCollection | T1113 | Screen Capture | Donot Team has used malicious modules to take screenshots from victims.\r\nCommand and Control | T1071.001 | Application Layer Protocol: Web Protocols | Donot Team has used HTTP/S for C\u0026C communications and data exfiltration.\r\nExfiltration | T1048.003 | Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | Donot Team has used dedicated servers for exfiltration, sending the collected files over HTTP or HTTPS without encrypting them.\r\nSource: https://www.welivesecurity.com/2022/01/18/donot-go-do-not-respawn/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.welivesecurity.com/2022/01/18/donot-go-do-not-respawn/"
	],
	"report_names": [
		"donot-go-do-not-respawn"
	],
	"threat_actors": [
		{
			"id": "2ac63ef4-a7b8-4a30-96ad-b30ccb2073fc",
			"created_at": "2022-10-25T16:07:23.546262Z",
			"updated_at": "2026-04-10T02:00:04.651083Z",
			"deleted_at": null,
			"main_name": "Donot Team",
			"aliases": [
				"APT-C-35",
				"Mint Tempest",
				"Origami Elephant",
				"SectorE02"
			],
			"source_name": "ETDA:Donot Team",
			"tools": [
				"BackConfig",
				"EHDevel",
				"Jaca",
				"yty"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "bbf66d2d-3d20-4026-a2b5-56b31eb65de4",
			"created_at": "2025-08-07T02:03:25.123407Z",
			"updated_at": "2026-04-10T02:00:03.668131Z",
			"deleted_at": null,
			"main_name": "ZINC EMERSON",
			"aliases": [
				"Confucius",
				"Dropping Elephant",
				"EHDevel",
				"Manul",
				"Monsoon",
				"Operation Hangover",
				"Patchwork",
				"TG-4410",
				"Viceroy Tiger"
			],
			"source_name": "Secureworks:ZINC EMERSON",
			"tools": [
				"Enlighten Infostealer",
				"Hanove",
				"Mac OS X KitM Spyware",
				"Proyecto2",
				"YTY Backdoor"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "cfdd350b-de30-4d29-bbee-28159f26c8c2",
			"created_at": "2023-01-06T13:46:38.433736Z",
			"updated_at": "2026-04-10T02:00:02.972971Z",
			"deleted_at": null,
			"main_name": "VICEROY TIGER",
			"aliases": [
				"OPERATION HANGOVER",
				"Donot Team",
				"APT-C-35",
				"SectorE02",
				"Orange Kala"
			],
			"source_name": "MISPGALAXY:VICEROY TIGER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434519,
	"ts_updated_at": 1775826744,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b6f156e50c618d6373a754cb11f62863fa3d40ef.pdf",
		"text": "https://archive.orkl.eu/b6f156e50c618d6373a754cb11f62863fa3d40ef.txt",
		"img": "https://archive.orkl.eu/b6f156e50c618d6373a754cb11f62863fa3d40ef.jpg"
	}
}