DoNot APT targets European foreign affairs ministry in espionage campaign

Trellix researchers have uncovered a cyber espionage campaign conducted by the DoNot APT group, targeting a European foreign affairs ministry.

The attack used a malicious Google Drive link, which delivered a RAR archive containing malware previously linked to the DoNot APT.

Active since at least 2016, the DoNot APT (also tracked as APT-C-35, Mint Tempest, Origami Elephant, SECTOR02, and Viceroy Tiger) has long been linked by security researchers to interests aligned with India. The group’s campaigns typically center on South Asian geopolitical themes, with targets often including foreign ministries, defense agencies, and NGOs in South Asia and Europe.

The attack leveraged a Gmail account that appeared to be part of an official diplomatic exchange. Upon opening the Google Drive link, victims downloaded and executed a file named notflog.exe, which in turn launched a batch file in the temporary directory. To maintain access, the malware created a scheduled task called “PerformTaskMaintain” that executed every ten minutes, enabling consistent communication with a command-and-control (C2) server.
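Hunting for the persistence step described above, as an added example that is not from the Trellix report: the script scans constructed Windows Security event 4698 (scheduled task created) records for the task name reported in the campaign, or for any task that runs a file from a temp directory on a ten-minute or shorter interval. The event field names, sample paths and the threshold are assumptions.

```python
"""Flag scheduled-task creations matching the persistence described above.
Sample events are constructed; field names, paths and the threshold are assumptions."""
import re
import xml.etree.ElementTree as ET
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
KNOWN_TASK = "performtaskmaintain"   # task name reported in the campaign
TEMP_RE = re.compile(r"(\\temp\\|%temp%)", re.IGNORECASE)

def iso_minutes(duration):
    """PT10M / PT1H / PT30S -> minutes; None for other or missing durations."""
    m = re.fullmatch(r"PT(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?", duration or "")
    if not m or not any(m.groups()):
        return None
    h, mi, s = (int(x) if x else 0 for x in m.groups())
    return h * 60 + mi + s / 60

def assess_task(event):
    """Return the reasons a task creation looks like this persistence pattern."""
    reasons = []
    name = event["TaskName"].rsplit("\\", 1)[-1]
    if name.lower() == KNOWN_TASK:
        reasons.append("task name matches the reported persistence task")
    root = ET.fromstring(event["TaskContent"])
    cmd = root.findtext(".//t:Exec/t:Command", default="", namespaces=NS)
    minutes = iso_minutes(root.findtext(".//t:Repetition/t:Interval", namespaces=NS))
    if TEMP_RE.search(cmd) and minutes is not None and minutes <= 10:
        reasons.append(f"runs {cmd} from a temp directory every {minutes:g} min")
    return reasons

def hunt(events):
    """Map task name -> reasons for every 4698 event that triggers a rule."""
    hits = {}
    for e in events:
        if e.get("EventID") == 4698 and (reasons := assess_task(e)):
            hits[e["TaskName"]] = reasons
    return hits

def task_xml(cmd, interval):   # minimal task XML for the constructed samples
    return (f'<Task xmlns="{NS["t"]}"><Triggers><TimeTrigger><Repetition>'
            f"<Interval>{interval}</Interval></Repetition></TimeTrigger></Triggers>"
            f"<Actions><Exec><Command>{cmd}</Command></Exec></Actions></Task>")

SAMPLE_EVENTS = [  # constructed, not taken from the incident
    {"EventID": 4698, "TaskName": "\\PerformTaskMaintain",
     "TaskContent": task_xml(r"C:\Users\u\AppData\Local\Temp\run.bat", "PT10M")},
    {"EventID": 4698, "TaskName": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
     "TaskContent": task_xml(r"%windir%\system32\defrag.exe", "P1D")},
    {"EventID": 4698, "TaskName": "\\Updater",
     "TaskContent": task_xml(r"%TEMP%\upd.bat", "PT5M")},
]
HITS = hunt(SAMPLE_EVENTS)   # two of the three samples are flagged
```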

The campaign deployed the LoptikMod malware, a tool associated exclusively with DoNot APT since 2018. LoptikMod includes anti-virtualization techniques to avoid detection and gathers detailed system information, such as processor ID, operating system build, user credentials, and installed software. It then connects to a remote server and awaits further commands.

“While historically focused on South Asia, this incident targeting South Asian embassies in Europe indicates a clear expansion of their interests towards European diplomatic communications and intelligence. These operations underscore DoNot APT's persistent and broadening efforts to gather sensitive political, military, and economic information,” the researchers noted in the report.
