ETDA สำนักงานพัฒนาธุรกรรมทางอิเล็กทรอนิกส์
Electronic Transactions Development Agency
Home > List all groups > Donot Team

Threat Group Cards: A Threat Actor Encyclopedia

Permanent link APT group: Donot Team

NamesDonot Team (ASERT)
APT-C-35 (Qihoo 360)
SectorE02 (ThreatRecon)
CountryIndia India
MotivationInformation theft and espionage
First seen2016
Description(ASERT) In late January 2018, ASERT discovered a new modular malware framework we call “yty”. The framework shares a striking resemblance to the EHDevel framework. We believe with medium confidence that a team we call internally as “Donot Team” is responsible for the new malware and will resume targeting of South Asia.

In a likely effort to disguise the malware and its operations, the authors coded several references into the malware for football—it is unclear whether they mean American football or soccer. The theme may allow the network traffic to fly under the radar.

The actors use false personas to register their domains instead of opting for privacy protection services. Depending on the registrar service chosen, this could be seen as another cost control measure. The actors often used typo-squatting to slightly alter a legitimate domain name. In contrast, the registration information used accurate spelling, possibly indicating the domain naming was intentional, typos included. Each unique registrant usually registered only a few domains, but mistakenly reused phone numbers or the registration data portrayed a similar pattern across domains.
ObservedSectors: Embassies, Defense, Government.
Countries: Argentina, Bangladesh, India, Nepal, Pakistan, Philippines, Sri Lanka, Thailand, Togo, UAE, UK.
Tools usedBackConfig, EHDevel, yty.
Operations performedMar 2019From March to July this year, the ThreatRecon team noticed a spear phishing campaign by the SectorE02 group going on against the Government of Pakistan and organizations there related to defense and intelligence.
Apr 2019StealJob: New Android Malware
Recently, we have observed a large-scale upgrade of its malicious Android APK framework to make it more stable and practical. Since the new APK framework is quite different from the one used in the past, we named it as StealJob since “job” is frequently used in the code.
Dec 2019Togo: Prominent activist targeted with Indian-made spyware linked to notorious hacker group
May 2020An Indicator From Twitter Brings The Donot Android Espionage Group Back Into Focus
2020ESET researchers take a deep look into recent attacks carried out by Donot Team throughout 2020 and 2021, targeting government and military entities in several South Asian countries
Aug 2022APT-C-35 Gets a New Upgrade
Jun 2023DoNot APT Elevates its Tactics by Deploying Malicious Android Apps on Google Play Store

Last change to this card: 29 November 2023

Download this actor card in PDF or JSON format

Previous: Domestic Kitten
Next: Doppel Spider

Digital Service Security Center
Electronic Transactions Development Agency

Follow us on

Facebook Twitter

Report incidents

Telephone +66 (0)2-123-1227
E-mail [email protected]