In a newly uncovered campaign, the DoNot APT group—also tracked as APT-C-35, Mint Tempest, Origami Elephant, and Viceroy Tiger—has escalated its espionage efforts, this time targeting a European foreign affairs ministry using a refined blend of spear-phishing, stealthy malware, and cloud-based delivery. The operation, detailed in a report by Trellix, illustrates the group’s evolving tradecraft and a growing interest in European diplomatic affairs.
“The DoNot APT group is a persistent cyber-espionage threat, active since at least 2016,” notes Trellix, adding that its tactics have typically targeted South Asian entities, but are now “expanding scope towards European diplomatic communications and intelligence.”
The campaign begins with a spear-phishing email impersonating defense officials, referencing a legitimate-sounding event: “Italian Defence Attaché Visit to Dhaka, Bangladesh.” It included a Google Drive link pointing to a malicious RAR archive named SyClrLtr.rar, a tactic Trellix says underscores the group’s “adaptability in using common cloud services for initial infection.”
Once opened, the archive contains a disguised executable (notflog.exe) made to look like a PDF file. Upon execution, the file initiates a multi-stage infection chain, deploying a batch script (djkggosj.bat) and establishing persistence via a scheduled task named PerformTaskMaintain.
Telemetry linked the malware to LoptikMod, a backdoor known to be used exclusively by DoNot APT since 2018. The executable’s strings revealed markers like “Loptik” and selectively obfuscated code, making static analysis difficult. In one example, Trellix noted:
“Binary strings embedded in the malware are used to decode or restore other meaningful strings at runtime… This technique is a form of obfuscation to hinder static analysis.”
The use of dynamic API loading, minimal import tables, and anti-VM evasion further underscores the group’s effort to evade detection and frustrate analysts.
The malware creates a mutex 08808 to ensure a single running instance and establishes persistence using scheduled tasks. Upon infection, it silently drops a DLL payload named socker.dll and another batch file (sfs.bat) that configures a second task named MicorsoftVelocity. This chain guarantees long-term access and command execution on the victim’s system.
The malware collects sensitive system metadata, including:
- CPU model
- OS version and build
- Username and hostname
- Installed applications
This data is AES-encrypted, Base64-encoded, and sent via HTTPS POST requests to a command-and-control (C2) domain: https://totalservices[.]info/WxporesjaTexopManor/ptomekasresdkolerts
Though the C2 was inactive at the time of analysis, Trellix emphasizes the infrastructure mimics legitimate service domains, likely to avoid DNS-based detection.
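The host and network indicators quoted above (the two scheduled-task names, the dropped files, and the C2 host) lend themselves to a simple retrospective hunt. The following is an added example, not code from Trellix or the report; it assumes a hypothetical key=value export of Windows Security 4698 (task created) and Sysmon 11/3 (file create, network connect) events, and the sample lines are constructed.

```python
import ntpath
import re
from typing import Dict, List, Optional, Tuple

# Indicators as quoted in the Trellix report. "MicorsoftVelocity" is kept
# misspelled because that is the task name the malware registers.
TASK_NAMES = {"performtaskmaintain", "micorsoftvelocity"}
DROPPED_FILES = {"notflog.exe", "djkggosj.bat", "socker.dll", "sfs.bat", "syclrltr.rar"}
C2_HOST = "totalservices.info"

# Constructed sample telemetry (hypothetical key=value event export), not from the report.
SAMPLE_LOG = r"""
evt=4698 host=WS01 user=alice TaskName=\PerformTaskMaintain Command=C:\Users\alice\AppData\Local\djkggosj.bat
evt=4698 host=WS01 user=alice TaskName=\Microsoft\Windows\Defrag\ScheduledDefrag Command=defrag.exe
evt=11 host=WS01 Image=C:\Users\alice\Downloads\notflog.exe TargetFilename=C:\Users\alice\AppData\Local\socker.dll
evt=4698 host=WS01 user=alice TaskName=\MicorsoftVelocity Command=rundll32.exe
evt=3 host=WS01 Image=C:\Windows\System32\rundll32.exe DestinationHostname=totalservices.info DestinationPort=443
evt=3 host=WS01 Image=C:\Users\alice\AppData\Local\Google\Chrome\chrome.exe DestinationHostname=example.org DestinationPort=443
"""

def parse(line: str) -> Dict[str, str]:
    """Split one key=value telemetry line into a dict (values contain no spaces)."""
    return dict(re.findall(r"(\w+)=(\S+)", line))

def match(fields: Dict[str, str]) -> Optional[Tuple[str, str]]:
    """Return (rule, indicator) when the event touches a campaign indicator, else None."""
    task = ntpath.basename(fields.get("TaskName", "")).lower()   # strip the \Folder\ prefix
    if fields.get("evt") == "4698" and task in TASK_NAMES:
        return ("scheduled_task_persistence", task)
    dropped = ntpath.basename(fields.get("TargetFilename", "")).lower()
    if dropped in DROPPED_FILES:
        return ("dropped_loptikmod_component", dropped)
    if fields.get("DestinationHostname", "").lower() == C2_HOST:
        return ("c2_contact", C2_HOST)
    return None

def hunt(log: str) -> List[Tuple[str, str, str]]:
    """Run every line through the rules; returns (host, rule, indicator) hits in log order."""
    hits = []
    for line in log.splitlines():
        fields = parse(line)
        if not fields:
            continue
        found = match(fields)
        if found:
            hits.append((fields.get("host", "?"), found[0], found[1]))
    return hits

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(hit)
```

Benign task creations and ordinary TLS connections fall through every rule, so only the four lines that carry a campaign indicator are reported.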
Trellix links the campaign to DoNot APT, based on infrastructure, toolset, and TTPs. While previously centered on South Asia, the group now appears to be expanding into European spheres, aligning with broader geopolitical intelligence objectives.
“These operations underscore DoNot APT’s persistent and broadening efforts to gather sensitive political, military, and economic information,” the report concludes.