DoNot APT Group Launches Cyber Espionage Attack on European Foreign Affairs Ministry

A sophisticated cyber espionage campaign attributed to the notorious DoNot APT group has recently targeted a foreign affairs ministry in Europe. This incident, revealed by the Trellix Advanced Research Centre, marks a significant expansion of the group’s activities beyond their usual focus on South Asia.

Active since at least 2016, the DoNot APT group, also known by designations such as APT-C-35 and Mint Tempest, has consistently targeted government, military, and diplomatic entities. This latest breach suggests a strategic shift, with the group apparently broadening its geopolitical interests to include Europe, a region not previously associated with its operations.

Trellix’s researchers discovered the campaign by intercepting the initial email chain, allowing them to analyze the attack’s Tactics, Techniques, and Procedures (TTPs). The attackers relied on spear-phishing, impersonating European defense officials in an effort to lure targets into clicking a harmful link purportedly pointing to Google Drive.

The spear-phishing email, which claimed to discuss an “Italian Defence Attaché Visit to Dhaka, Bangladesh,” originated from a Gmail account and was crafted with attention to detail, including proper HTML encoding. Clicking the malicious link caused unsuspecting victims to download a disguised executable file, which installs the LoptikMod malware, a tool linked to the DoNot APT group since 2018. This malware collects system information and communicates with a command and control (C2) server.

This incident highlights the DoNot APT group’s increasing ambition in espionage operations against diplomatic entities, underscoring an urgent need for enhanced cybersecurity measures. Organizations in government and diplomacy are advised to bolster their defenses through improved email security protocols, network traffic analysis, and the implementation of robust endpoint detection and response (EDR) solutions to mitigate the risks of such evolving threats.