DoNot APT targets European foreign affairs ministry in espionage campaign

Trellix researchers have uncovered a cyber espionage campaign conducted by the DoNot APT group, targeting a European foreign affairs ministry.

The attack used a malicious Google Drive link, which delivered a RAR archive containing malware previously linked to the DoNot APT.

Active since at least 2016, the DoNot APT (also tracked as APT-C-35, Mint Tempest, Origami Elephant, SECTOR02, and Viceroy Tiger) has long been linked by security researchers to interests aligned with India. The group’s campaigns typically center on South Asian geopolitical themes, with targets often including foreign ministries, defense agencies, and NGOs in South Asia and Europe.

The attack leveraged a Gmail account that appeared to be part of an official diplomatic exchange. Upon opening the Google Drive link, victims downloaded and executed a file named notflog.exe, which in turn launched a batch file in the temporary directory. To maintain access, the malware created a scheduled task called “PerformTaskMaintain” that executed every ten minutes, enabling consistent communication with a command-and-control (C2) server.
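As an added defender-side example (not from the Trellix report), the following Python flags a scheduled-task definition that shows the traits described above: a repetition interval of ten minutes or less and an action that launches a batch file from a temporary directory. The task XML format is the one Export-ScheduledTask emits and that Windows Security event 4698 ("A scheduled task was created") embeds; the sample task below is constructed, and its user path and script name are placeholders, with only the task name taken from the report.

```python
import re
import xml.etree.ElementTree as ET

# Task Scheduler XML namespace, shared by Export-ScheduledTask output and event 4698.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
TEMP_DIR = re.compile(r"\\(AppData\\Local\\Temp|Windows\\Temp)\\", re.IGNORECASE)

def interval_minutes(iso_duration):
    """Convert an ISO 8601 duration such as PT10M or PT1H30M to minutes (None if unparsable)."""
    m = re.fullmatch(r"P(?:(\d+)D)?T?(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?", iso_duration or "")
    if not m:
        return None
    d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return d * 1440 + h * 60 + mi + s / 60

def triage_task(task_xml, max_minutes=10):
    """Return the suspicious traits found in one task definition (empty list = nothing flagged)."""
    root = ET.fromstring(task_xml)
    findings = []
    # Short repetition intervals keep a C2 channel alive, as with the ten-minute task above.
    for iv in root.findall(".//t:Repetition/t:Interval", NS):
        mins = interval_minutes(iv.text)
        if mins is not None and mins <= max_minutes:
            findings.append(f"repeats every {mins:g} min")
    # Actions that run a batch script out of a temp directory are rare for legitimate tasks.
    for ex in root.findall(".//t:Actions/t:Exec", NS):
        cmd = (ex.findtext("t:Command", "", NS) + " " + ex.findtext("t:Arguments", "", NS)).strip()
        if TEMP_DIR.search(cmd):
            findings.append("runs from a temp directory")
        if re.search(r"\.(bat|cmd)\b", cmd, re.IGNORECASE):
            findings.append("launches a batch script")
    return findings

# Constructed sample mirroring the reported traits; the user name and script name are placeholders.
SAMPLE_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger><Repetition><Interval>PT10M</Interval></Repetition>
  <StartBoundary>2025-07-01T09:00:00</StartBoundary><Enabled>true</Enabled></TimeTrigger></Triggers>
  <Actions Context="Author"><Exec><Command>cmd.exe</Command>
  <Arguments>/c C:\Users\PLACEHOLDER_USER\AppData\Local\Temp\PLACEHOLDER.bat</Arguments></Exec></Actions>
</Task>"""

if __name__ == "__main__":
    print("PerformTaskMaintain:", triage_task(SAMPLE_TASK))
```

The same function can be run over every task exported from a host, or over the TaskContent field of collected 4698 events, to surface new persistence that matches this pattern.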

The campaign deployed the LoptikMod malware, a tool associated exclusively with DoNot APT since 2018. LoptikMod includes anti-virtualization techniques to avoid detection and gathers detailed system information, such as processor ID, operating system build, user credentials, and installed software. It then connects to a remote server and awaits further commands.

“While historically focused on South Asia, this incident targeting South Asian embassies in Europe indicates a clear expansion of their interests towards European diplomatic communications and intelligence. These operations underscore DoNot APT's persistent and broadening efforts to gather sensitive political, military, and economic information,” the researchers noted in the report.
