
MEII6 Agents: More East Indies Intrusion

  • Javier Conejo del Cerro
  • 10 Jul
  • 3 min read

In a calculated expansion of its global cyberespionage footprint, the India-linked APT group DoNot (APT-C-35) has shifted its focus from South Asia to the heart of European diplomacy. Known by multiple aliases—Mint Tempest, Origami Elephant, Viceroy Tiger, and SECTOR02—the group has historically prioritized targets across Pakistan, Sri Lanka, and Bangladesh. But recent operations mark a notable shift: for the first time, DoNot has deployed its signature malware, LoptikMod, against European government institutions.

The current operation, detailed by researchers at Trellix Advanced Research Center, targeted a European foreign affairs ministry and embassies of South Asian nations operating within Europe. The victims are high-level diplomatic networks handling foreign policy coordination, strategic communication, and confidential intelligence. This pivot underscores a transition from opportunistic regional targeting to deliberate collection of Western diplomatic data, likely in response to the growing geopolitical weight of Europe’s engagement in South Asia.

This is not entirely uncharted territory for DoNot. The group has previously been linked to attacks on European entities, including a 2016 incident targeting a Norwegian telecom company and reported compromises involving U.K.-based organizations. However, Trellix notes that this campaign represents a tactical evolution: the first documented case in which LoptikMod was deployed directly against a European state-level ministry, indicating enhanced operational sophistication and escalated intelligence collection priorities.

Spearheading the Phish

The campaign began with spear-phishing emails crafted with a high degree of legitimacy. Sent from a Gmail address, the messages impersonated defense officials, with subject lines referencing authentic diplomatic events—such as the visit of an Italian Defense Attaché to Dhaka. The emails were formatted using HTML with UTF-8 encoding to display special characters correctly, mimicking official communications and increasing the chance of user interaction.

Within these phishing messages, the attackers embedded a Google Drive link leading to a RAR archive. Once downloaded, the archive contained a malicious executable that masqueraded as a harmless PDF document. Launching the file activated LoptikMod, a custom remote access trojan (RAT) in use by DoNot since at least 2018.

Once active on the system, LoptikMod performs a multi-phase intrusion process:

  • Persistence: It configures scheduled tasks to maintain a foothold on the infected system.

  • Command and Control (C2): The malware connects to an attacker-controlled server to send host information and receive further instructions.

  • Data Exfiltration: It silently exports sensitive files and system telemetry, likely including diplomatic documents and credential caches.

  • Modular Downloads: LoptikMod can fetch additional payloads or plugins for further spying, access escalation, or sabotage.

To evade forensic inspection and sandbox analysis, LoptikMod incorporates multiple stealth mechanisms:

  • Anti-VM techniques prevent the malware from executing in virtualized or analysis environments.

  • ASCII-level obfuscation conceals malware functionality within code strings.

  • Singleton enforcement ensures only one copy of the malware runs at a time, reducing its detection footprint.

While the C2 infrastructure observed in this case is now inactive, Trellix notes that the impact of the campaign remains severe. The malware’s modular nature and anti-analysis safeguards indicate that this was not a one-off incident, but rather part of a long-term espionage framework designed to monitor diplomatic communications and influence regional policy indirectly.

“DoNot” let them in

Foreign ministries, diplomatic missions, and government-affiliated institutions must strengthen their defenses not only against malware, but against the precise social engineering tactics employed in modern APT campaigns. Recommended countermeasures include:

  • Phishing resilience training: Staff should be trained to identify high-fidelity spoofed messages, even those using real-world event references and correct formatting.

  • Zero trust for cloud links: Block access to public file-sharing services like Google Drive and Dropbox, especially in environments dealing with sensitive content.

  • System auditing: Inspect scheduled tasks and user-created binaries regularly, particularly if downloaded from unknown archives.

  • Threat hunting for LoptikMod: Security teams should scan for indicators such as disguised executables, suspicious tasks, and anomalous outbound traffic patterns.

  • Deep Packet Inspection (DPI): Implement network-level monitoring capable of flagging encrypted C2 communication, including DNS over HTTPS (DoH) and covert TLS channels.

  • Behavioral detection: Augment endpoint protection with heuristics that flag obfuscation, VM-aware malware, and anti-debugging routines.
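The scheduled-task persistence and PDF-disguised executable described above, turned into the kind of audit check the "System auditing" and "Threat hunting" recommendations call for. This is an added example, not code from Trellix or from the author; it assumes an export in the shape of `schtasks /query /fo CSV /v` (reduced here to a few columns) and uses a constructed set of task rows.

```python
import csv
import io
import re

# Constructed sample in the shape of `schtasks /query /fo CSV /v` output,
# reduced to a handful of columns (assumption: real exports carry many more).
SAMPLE_TASKS_CSV = r"""
"TaskName","Task To Run","Run As User","Schedule Type"
"\Microsoft\Windows\Defrag\ScheduledDefrag","%windir%\system32\defrag.exe -c -h -o -$","SYSTEM","Weekly"
"\OneDrive Update","C:\Users\alice\AppData\Local\Temp\Rar$DIa0\Visit_Schedule.pdf.exe","alice","One Time"
"\Adobe Acrobat Update Task","C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe","SYSTEM","Daily"
"\Office Sync","C:\Users\alice\Downloads\briefing.scr","alice","At logon"
"""

# Directories an unprivileged user can write to; a task launching from one of
# these is a classic foothold for persistence (constructed list, extend as needed).
USER_WRITABLE = re.compile(
    r"(\\users\\[^\\]+\\(appdata|downloads|desktop|documents)\\|\\temp\\|\\programdata\\)",
    re.IGNORECASE,
)
# "schedule.pdf.exe", "briefing.scr": an executable hiding behind a document name.
DISGUISED_EXT = re.compile(
    r"\.(pdf|doc|docx|xls|xlsx|ppt|pptx|txt|jpg|png)\.(exe|scr|com|bat|cmd|js|vbs|hta)\b|\.scr\b",
    re.IGNORECASE,
)


def task_findings(task_to_run: str) -> list[str]:
    """Return the reasons a task command line deserves analyst attention."""
    reasons = []
    if USER_WRITABLE.search(task_to_run):
        reasons.append("runs from user-writable path")
    if DISGUISED_EXT.search(task_to_run):
        reasons.append("disguised executable")
    return reasons


def audit_tasks(csv_text: str) -> dict[str, list[str]]:
    """Map each suspicious TaskName to its findings; clean tasks are omitted."""
    flagged = {}
    for row in csv.DictReader(io.StringIO(csv_text.strip())):
        reasons = task_findings(row["Task To Run"])
        if reasons:
            flagged[row["TaskName"]] = reasons
    return flagged


if __name__ == "__main__":
    for name, reasons in audit_tasks(SAMPLE_TASKS_CSV).items():
        print(f"{name}: {', '.join(reasons)}")
```

On a live host, feed the script the output of `schtasks /query /fo CSV /v` and triage the flagged rows alongside the task's author, creation time and outbound connections from the launched binary.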


This campaign reinforces a familiar but increasingly urgent truth: espionage has gone digital, and foreign policy is now a prime target. The tools used in this operation are not just malware—they are instruments of statecraft, wielded in silence and aimed at reshaping the diplomatic equilibrium of entire regions.
