DoNot APT Expands Scope: Targeting European Foreign Ministries with LoptikMod Malware
The DoNot APT group, likely linked to India, has expanded its operations to target European foreign ministries using LoptikMod malware. Discover the sophisticated tactics and implications of this cyberespionage campaign.
TL;DR
The DoNot APT group, believed to be connected to India, has broadened its cyberespionage activities to target European foreign ministries using LoptikMod malware. This campaign highlights the group’s evolving tactics and the need for robust cybersecurity measures.
DoNot APT Expands Scope: Targeting European Foreign Ministries
The DoNot APT group, likely linked to India, has expanded its operations to target European foreign ministries with a new malware called LoptikMod. This group, also known as APT-C-35 and Origami Elephant, has been active since 2016, focusing on government entities, defense organizations, and NGOs in South Asia and Europe.
Sophisticated Cyberespionage Campaign
DoNot APT employs custom Windows malware via phishing for espionage, enabling long-term access and data theft. In a recent campaign analyzed by cybersecurity firm Trellix, the group used LoptikMod malware to steal sensitive data from infected systems.
Spear-Phishing Tactics
Attackers utilized a spear-phishing email impersonating defense officials to target a European diplomatic entity. The email delivered the LoptikMod malware through a password-protected RAR file hosted on Google Drive. The archive contained a disguised executable (notflog.exe) with a PDF icon to deceive users into running the malware.
Malware Deployment and Persistence
Once opened, the disguised executable established persistence using a scheduled task and connected to a command and control (C2) server. The malware sent system information, received commands, and downloaded additional payloads, employing binary string obfuscation and techniques linked to DoNot APT.
Evasion Techniques
The malware uses selective obfuscation by packing only critical code sections, hindering static analysis. It minimizes listed imports and loads APIs like LoadLibrary and GetProcAddress at runtime to evade detection. The malicious code also includes anti-VM checks and encrypts gathered system information with AES before communicating with the C2 server over HTTPS.
Implications and Recommendations
The campaign reflects the group’s ongoing espionage efforts using sophisticated infection chains and deception tactics. The targeting of a European foreign affairs ministry underscores their expanding scope and persistent interest in gathering sensitive information, highlighting the need for heightened vigilance and robust cybersecurity measures.
“The email leveraged diplomatic themes related to defense attaché coordination between Italy and Bangladesh.” 1
Additional Resources
For further insights, check:
References
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
For more details, visit the full article: source
-
Trellix (2025). “From Click to Compromise: Unveiling the Sophisticated Attack of DoNot APT Group on Southern European Government Entities”. Trellix Blogs. Retrieved 2025-07-10. ↩︎