Cyber Espionage Unveiled: Indian-Linked APT Group Targets European Diplomats


Rising Threat in Cyber Diplomacy: A Deep Dive into the DoNot APT Campaign

A recent cybersecurity investigation has revealed a highly targeted cyberattack against a European foreign affairs ministry. The attack has been attributed to an advanced persistent threat (APT) group known as the DoNot Team—also tracked under names like APT-C-35, Mint Tempest, Origami Elephant, SECTOR02, and Viceroy Tiger. Believed to be linked to India and active since 2016, this group has a long-standing history of targeting strategic institutions, including government bodies, defense agencies, foreign ministries, and NGOs—particularly across South Asia and Europe.

According to the Trellix Advanced Research Center, the DoNot Team’s latest campaign began with phishing emails impersonating military officials, particularly referencing an Italian Defense Attaché’s visit to Dhaka, Bangladesh. These emails, crafted using UTF-8 HTML encoding to enhance authenticity, directed recipients to a Google Drive link containing a malicious RAR file. The executable inside the archive was disguised as a PDF; when opened it deployed LoptikMod, a sophisticated Remote Access Trojan (RAT) used exclusively by the DoNot Team since 2018.
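The "executable disguised as a PDF inside an archive" lure above is cheap to catch at a mail gateway or sandbox by comparing each member's claimed extension with its magic bytes. The following is an added defender-side example, not code from Trellix or the article; it uses a zip archive built in memory as a stand-in for RAR (the Python standard library cannot read RAR), and the member names and bytes are constructed samples.

```python
import io
import zipfile

PE_MAGIC = b"MZ"            # DOS header that opens every Windows PE file
DOC_EXTS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".rtf")
EXE_EXTS = (".exe", ".scr", ".com", ".pif", ".dll")


def classify_member(name: str, head: bytes) -> str:
    """Verdict for one archive member from its name and its first bytes."""
    lower = name.lower()
    is_pe = head.startswith(PE_MAGIC)
    stem, _, ext = lower.rpartition(".")
    ext = "." + ext if ext else ""
    if is_pe and ext in DOC_EXTS:
        return "disguised-pe"       # .pdf name, MZ bytes: the lure described above
    if is_pe and ext in EXE_EXTS and stem.endswith(DOC_EXTS):
        return "double-extension"   # report.pdf.exe displays as report.pdf on Windows
    if is_pe:
        return "executable"
    return "ok"


def scan_archive(blob: bytes):
    """Return [(member name, verdict)] for every file in an in-memory zip."""
    out = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(8)   # magic bytes only; no need to extract the file
            out.append((info.filename, classify_member(info.filename, head)))
    return out


def build_sample() -> bytes:
    """Constructed archive: a real PDF, a PE named .pdf, and a double extension."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("itinerary.pdf", b"%PDF-1.7\n%constructed sample\n")
        zf.writestr("visit_schedule.pdf", b"MZ\x90\x00" + b"\x00" * 60)
        zf.writestr("agenda.pdf.exe", b"MZ\x90\x00" + b"\x00" * 60)
    return buf.getvalue()


if __name__ == "__main__":
    for name, verdict in scan_archive(build_sample()):
        print(f"{verdict:17} {name}")
```

A production gateway would also unpack nested archives and apply the same check to RAR and 7z members via a library such as libarchive.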

Once activated, LoptikMod gains persistent access to the infected host via scheduled tasks and connects to a remote command-and-control (C2) server. It collects sensitive system information and supports command execution, module downloads, and large-scale data exfiltration. Features such as anti-VM detection, ASCII obfuscation, and single-instance execution control help the malware evade analysis and prevent multiple copies from running on the same host.

Interestingly, Trellix reported the campaign’s C2 server is now inactive, which limits visibility into the full scope of stolen data or commands issued. However, the infrastructure shutdown may suggest the attackers are either transitioning to new operations or shifting to fresh infrastructure.

This attack marks a notable geopolitical shift, with DoNot Team expanding its cyber espionage efforts from traditional South Asian targets to European diplomatic missions, signaling growing interest in global intelligence and foreign policy affairs.

šŸ” What Undercode Say:

Profiling the Adversary

The DoNot Team has become synonymous with nation-state cyber espionage. Their tactics, techniques, and procedures (TTPs) consistently reflect precision targeting, high operational security, and deep strategic intent. They prioritize stealth and long-term surveillance over loud, ransomware-style attacks, showcasing a sophisticated intelligence-gathering agenda.

Malware Analysis

LoptikMod is not your average RAT. Beyond standard backdoor functions, it integrates evasion techniques to bypass security mechanisms and sandbox analysis. Its ability to detect virtual environments suggests it’s designed for real-world deployment, not just experimentation. The malware’s modular nature enables attackers to dynamically inject or execute additional payloads, keeping their tactics adaptive.

Infrastructure Strategy

The sudden inactivity of the C2 server hints at intentional burn-and-replace tactics, often used by state-sponsored actors. This might indicate the end of a testing phase or a pivot in focus. DoNot’s operational agility is a hallmark of experienced threat actors, capable of pulling back infrastructure without leaving major digital traces.

Psychological and Tactical Engineering

The phishing campaign’s use of linguistic precision, particularly in replicating military communication styles, underscores a high level of social engineering awareness. By invoking diplomatic events and targeting embassies, the group ensures their emails are not just believable but compelling to the recipient, maximizing click-through rates.

Strategic Implications

DoNot’s shift toward European entities could have far-reaching diplomatic consequences. Targeting embassies isn’t just about data theft—it’s about intelligence dominance and strategic foresight. If adversaries can monitor diplomatic traffic, it offers insight into global alliances, policy discussions, and internal government communications—giving attackers a strategic advantage in international relations.

Fact Checker Results:

DoNot Team has been active since 2016 with strong indicators of Indian origin
LoptikMod malware has been used exclusively by this group since 2018
The C2 infrastructure used in this specific campaign is confirmed inactive at present

Prediction:

Given DoNot Team’s evolving tactics and growing international footprint, it’s highly likely they will intensify campaigns targeting Western governments and international organizations. As geopolitical tensions rise, cyber espionage will continue to play a critical role in foreign policy intelligence collection, and groups like DoNot are poised to become key players in future digital conflicts. Expect more tailored phishing campaigns, custom malware variants, and deeper penetration into high-value diplomatic networks across Europe and beyond.

References:

Reported By: thehackernews.com