Trellix researchers have uncovered a cyber espionage campaign conducted by the DoNot APT group, targeting a European foreign affairs ministry.
The attack used a malicious Google Drive link, which delivered a RAR archive containing malware previously linked to the DoNot APT.
Active since at least 2016, the DoNot APT (also tracked as APT-C-35, Mint Tempest, Origami Elephant, SECTOR02, and Viceroy Tiger) has long been linked by security researchers to interests aligned with India. The group’s campaigns typically center on South Asian geopolitical themes, with targets often including foreign ministries, defense agencies, and NGOs in South Asia and Europe.
The attack leveraged a Gmail account that appeared to be part of an official diplomatic exchange. Upon opening the Google Drive link, victims downloaded and executed a file named notflog.exe, which in turn launched a batch file in the temporary directory. To maintain access, the malware created a scheduled task called “PerformTaskMaintain” that executed every ten minutes, enabling consistent communication with a command-and-control (C2) server.
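A defender-side triage of scheduled tasks against the persistence pattern just described (the reported task name, a ten-minute repetition, a batch file launched from a temporary directory), added here as an example and not taken from the Trellix report; the row fields mimic `schtasks /query /fo CSV /v` column names, and every sample row, including the batch file path, is constructed.

```python
import re

# Constructed sample rows shaped like `schtasks /query /fo CSV /v` output.
# Field names are assumed; only PerformTaskMaintain and the 10-minute cadence
# come from the report, the paths and other task names are made up.
SAMPLE_TASKS = [
    {"TaskName": r"\Microsoft\Windows\Defrag\ScheduledDefrag",
     "Task To Run": "%windir%\\system32\\defrag.exe -c -h -o -$",
     "Repeat: Every": "N/A"},
    {"TaskName": r"\PerformTaskMaintain",
     "Task To Run": "C:\\Users\\alice\\AppData\\Local\\Temp\\sysupd.bat",
     "Repeat: Every": "0 Hour(s), 10 Minute(s)"},
    {"TaskName": r"\Backup\Nightly",
     "Task To Run": "C:\\Tools\\backup.cmd",
     "Repeat: Every": "12 Hour(s), 0 Minute(s)"},
]

REPORTED_TASK_NAME = "performtaskmaintain"
TEMP_DIR_RE = re.compile(r"(\\|/)(temp|tmp)(\\|/)", re.IGNORECASE)
REPEAT_RE = re.compile(r"(\d+)\s*Hour\(s\),\s*(\d+)\s*Minute\(s\)")

def repeat_minutes(value):
    """Parse a 'Repeat: Every' string into minutes; None when the task does not repeat."""
    m = REPEAT_RE.search(value or "")
    if not m:
        return None
    return int(m.group(1)) * 60 + int(m.group(2))

def triage_task(task):
    """Return the reasons a task matches the persistence pattern; empty list if none."""
    reasons = []
    name = task.get("TaskName", "").strip("\\").lower()
    action = task.get("Task To Run", "")
    if name == REPORTED_TASK_NAME:
        reasons.append("task name matches the name reported in the campaign")
    mins = repeat_minutes(task.get("Repeat: Every"))
    if mins is not None and mins <= 10:
        reasons.append(f"repeats every {mins} min (beacon-like cadence)")
    if action.lower().endswith((".bat", ".cmd")) and TEMP_DIR_RE.search(action):
        reasons.append("runs a batch file from a temporary directory")
    return reasons

def find_suspicious(tasks):
    """Map task name -> reasons for every task with at least one match."""
    return {t["TaskName"]: r for t in tasks if (r := triage_task(t))}

if __name__ == "__main__":
    for name, reasons in find_suspicious(SAMPLE_TASKS).items():
        print(name, "->", "; ".join(reasons))
```

Any single match is a lead for review, not a verdict; the ten-minute cadence in particular also appears in legitimate monitoring tasks, so correlate with the task's author and the file it runs.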
The campaign deployed the LoptikMod malware, a tool associated exclusively with DoNot APT since 2018. LoptikMod includes anti-virtualization techniques to avoid detection and gathers detailed system information, such as processor ID, operating system build, user credentials, and installed software. It then connects to a remote server and awaits further commands.
“While historically focused on South Asia, this incident targeting South Asian embassies in Europe indicates a clear expansion of their interests towards European diplomatic communications and intelligence. These operations underscore DoNot APT’s persistent and broadening efforts to gather sensitive political, military, and economic information,” the researchers noted in the report.