Security researchers have uncovered a sophisticated cyber espionage campaign targeting European diplomatic institutions, attributed to the DoNot APT group (also known as APT-C-35 and Mint Tempest).
The state-sponsored threat actors, believed to have links to India and to have been active since 2016, have expanded their operations beyond their traditional South Asian focus to target European foreign affairs ministries with custom-built Windows malware.
The attack began with a carefully crafted spear-phishing email sent from a Gmail address impersonating Italian defense officials.
The message, titled “Italian Defence Attaché Visit to Dhaka, Bangladesh,” contained a malicious Google Drive link leading to a password-protected RAR archive named “SyClrLtr.rar.”
This social engineering approach exploited diplomatic themes to appear legitimate and bypass initial security filters.
Once extracted, the malicious executable “notflog.exe” masqueraded as a PDF document using deceptive iconography.
Technical analysis revealed the presence of “LoptikMod” malware, a custom backdoor used exclusively by the DoNot APT group since 2018.
The malware employed sophisticated obfuscation techniques, including the use of binary-encoded ASCII strings as decryption keys and selective section packing to evade static analysis.
The malware established persistence through a scheduled task named “PerformTaskMaintain,” configured to execute every 10 minutes.
It also implemented anti-virtualization measures using x86 assembly instructions to detect sandbox environments and prevent analysis.
Following the initial infection, the malware collected comprehensive system information, including CPU model, operating system details, username, hostname, and installed software.
This data was encrypted with AES, Base64-encoded, and transmitted via HTTPS POST requests to the command and control server at “totalservices[.]info” (IP: 64.52.80.252).
The malware was designed to download additional payloads, including a secondary component called “socker.dll” stored in the victim’s local application data directory.
A second scheduled task named “MicorsoftVelocity” ensured the execution of this payload’s export functions, demonstrating the attackers’ commitment to maintaining long-term access.
The campaign showcased multiple MITRE ATT&CK techniques, including spear-phishing links (T1566.002), scheduled task persistence (T1053.005), virtualization evasion (T1497.001), and data exfiltration over C2 channels (T1041).
This campaign represents a significant evolution in DoNot APT’s targeting strategy, expanding from traditional South Asian victims to European diplomatic entities.
The group’s use of legitimate cloud services, such as Google Drive, for malware delivery highlights their adaptation to modern security environments.
Security experts recommend enhanced email filtering, network traffic monitoring, and endpoint detection solutions to defend against such sophisticated state-sponsored operations.
Organizations should particularly monitor for the creation of unusual scheduled tasks and outbound connections to suspicious domains.
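As an added example that is not part of the original report, the following Python script checks Task Scheduler XML (for instance `schtasks /query /xml` output, or the task definition logged in Windows Security event 4698) for the traits described above: the two reported task names, a repetition interval of ten minutes or less, and an action launched from the user's local application data directory. The sample task XML is constructed, and the executable path it runs is an assumption, not a detail from the report.

```python
"""Hunt Task Scheduler XML for the scheduled-task traits described in the
DoNot APT report: reported task names, a short repetition interval, and an
action that runs from the local application data directory."""
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Task names taken from the report (scheduled-task indicators)
KNOWN_TASK_NAMES = {"PerformTaskMaintain", "MicorsoftVelocity"}
LOCALAPPDATA = re.compile(r"\\AppData\\Local\\", re.IGNORECASE)


def interval_minutes(iso: str) -> float:
    """Convert an ISO-8601 duration such as PT10M or PT1H30M to minutes."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", iso)
    if not m:
        raise ValueError(f"unsupported duration: {iso}")
    d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return d * 1440 + h * 60 + mi + s / 60


def assess_task(task_xml: str) -> list[str]:
    """Return the list of suspicious traits found in one task definition."""
    root = ET.fromstring(task_xml)
    findings = []
    uri = root.findtext("t:RegistrationInfo/t:URI", default="", namespaces=NS)
    name = uri.rsplit("\\", 1)[-1]  # strip the folder part of the task URI
    if name in KNOWN_TASK_NAMES:
        findings.append(f"task name matches reported indicator: {name}")
    for node in root.findall(".//t:Repetition/t:Interval", NS):
        if interval_minutes(node.text) <= 10:
            findings.append(f"short repetition interval: {node.text}")
    for cmd in root.findall(".//t:Actions/t:Exec/t:Command", NS):
        if LOCALAPPDATA.search(cmd.text or ""):
            findings.append(f"action runs from LocalAppData: {cmd.text}")
    return findings


# Constructed sample task; the command path is an assumption for illustration
SAMPLE_TASK = r"""<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\PerformTaskMaintain</URI></RegistrationInfo>
  <Triggers><TimeTrigger><Repetition><Interval>PT10M</Interval></Repetition></TimeTrigger></Triggers>
  <Actions><Exec><Command>C:\Users\user\AppData\Local\notflog.exe</Command></Exec></Actions>
</Task>"""

if __name__ == "__main__":
    for finding in assess_task(SAMPLE_TASK):
        print(finding)
```

Feed the same function the XML of every task on a host and alert on any non-empty result; a short repetition interval alone is worth reviewing even when the name does not match.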