DoNot APT, also known as APT-C-35, Mint Tempest, Origami Elephant, SECTOR02, and Viceroy Tiger, has shown a notable uptick in activity in recent months. Multiple cybersecurity reports published in June and July 2025 confirm a series of sophisticated campaigns targeting European foreign ministries and diplomatic entities, marking a significant escalation in both scope and frequency.
DoNot APT—also known as APT-C-35, Mint Tempest, Origami Elephant, SECTOR02, and Viceroy Tiger—is a sophisticated advanced persistent threat (APT) group believed to have links to India. Active since at least 2016, the group is known for targeting:
- Government entities
- Foreign ministries
- Defense organizations
- NGOs
Their operations have traditionally focused on South Asia, but recent campaigns show a clear expansion into Europe, especially targeting diplomatic and governmental sectors.
Recent Campaigns Against European Foreign Ministries
Attack Vector
- Spear-phishing emails: The group uses highly targeted phishing campaigns, often impersonating defense officials and referencing diplomatic activities to appear legitimate.
- Malicious links: Rather than attaching the payload, the emails contain links to Google Drive hosting password-protected RAR archives.
- Payload delivery: The archive includes a disguised executable (e.g., notflog.exe with a PDF icon) designed to trick recipients into launching the malware.
Infection Chain
- Spear-phishing email: The victim receives a message crafted with attention to detail, including correct formatting and special characters, to increase credibility.
- Link click: Clicking the link downloads a malicious RAR archive from Google Drive.
- Execution of the disguised executable: The executable runs a batch file and establishes persistence via a scheduled task (e.g., “PerformTaskMaintain”).
- Malware deployment: The chain installs the LoptikMod malware, which connects to a command-and-control (C2) server for further instructions.
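The persistence step above leaves a scheduled-task creation record that defenders can hunt for. The following is an added example, not code from the original reporting: it scans constructed, simplified Windows Security Event ID 4698 log lines for the task name and binary name mentioned above, plus a heuristic (my assumption) that flags tasks launching .exe or .bat files from user-writable directories.

```python
import re

# Indicators from the reporting above: the scheduled task name and the disguised
# executable name. Extend these sets as new reports add indicators.
KNOWN_TASK_NAMES = {"performtaskmaintain"}
KNOWN_BINARIES = {"notflog.exe"}
# Heuristic (my assumption, not from the reporting): a task whose action runs an
# .exe or .bat from a user-writable directory is worth a look even with an unknown name.
USER_WRITABLE = re.compile(r"\\(?:users\\[^\\]+\\(?:appdata|downloads|desktop)|temp)\\", re.I)
FIELD = re.compile(r"(\w+)=(\S+)")

# Constructed sample log lines in a simplified key=value form, roughly what a SIEM
# might emit for Windows Security Event ID 4698 (scheduled task created).
SAMPLE_LOG = """\
ts=2025-07-01T09:14:02Z event=4698 user=ALICE task=\\Microsoft\\Windows\\Defrag\\ScheduledDefrag action=C:\\Windows\\System32\\defrag.exe
ts=2025-07-01T09:15:41Z event=4698 user=ALICE task=\\PerformTaskMaintain action=C:\\Users\\alice\\AppData\\Roaming\\notflog.exe
ts=2025-07-01T09:16:10Z event=4698 user=BOB task=\\Updater action=C:\\Users\\bob\\Downloads\\report.bat
ts=2025-07-01T09:17:55Z event=4698 user=BOB task=\\Backup action=C:\\ProgramData\\Backup\\backup.exe
"""

def score_event(ev):
    """Return the reasons a parsed 4698 event resembles the tradecraft described above."""
    reasons = []
    task = ev.get("task", "").rsplit("\\", 1)[-1].lower()
    action = ev.get("action", "")
    binary = action.rsplit("\\", 1)[-1].lower()
    if task in KNOWN_TASK_NAMES:
        reasons.append("known task name")
    if binary in KNOWN_BINARIES:
        reasons.append("known binary name")
    if USER_WRITABLE.search(action) and binary.endswith((".exe", ".bat")):
        reasons.append("executable launched from user-writable path")
    return reasons

def scan(log_text):
    """Return (ts, user, task, action, reasons) for every flagged task-creation event."""
    findings = []
    for line in log_text.splitlines():
        ev = dict(FIELD.findall(line))  # values contain no spaces in this format
        if ev.get("event") == "4698":
            reasons = score_event(ev)
            if reasons:
                findings.append((ev["ts"], ev["user"], ev["task"], ev["action"], reasons))
    return findings

if __name__ == "__main__":
    for ts, user, task, action, reasons in scan(SAMPLE_LOG):
        print(ts, user, task, "->", action, "|", ", ".join(reasons))
```

Against the sample, the PerformTaskMaintain task is flagged on all three signals and the unknown "Updater" task only on the path heuristic; the two system tasks are not reported.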
LoptikMod Malware
LoptikMod is a custom remote access trojan (RAT) used exclusively by DoNot APT since at least 2018. Key features include:
- Persistence mechanisms: Scheduled tasks ensure the malware remains active on infected systems.
- Data exfiltration: Capable of harvesting system information, user credentials, installed software details, and more.
- Command execution: Receives commands from C2 servers to download additional payloads or perform further malicious actions.
- Obfuscation techniques: Uses binary string encoding and anti-virtualization checks to evade detection and hinder analysis.
- Single-instance enforcement: Ensures only one copy runs at a time to avoid interference and detection.
Attribution and Motive
- Attribution: Multiple cybersecurity firms have linked DoNot APT to Indian interests based on malware code, targeting patterns, and infrastructure.
- Motivation: The group’s campaigns are believed to be driven by geopolitical intelligence gathering, focusing on sensitive political, military, and economic information relevant to South Asian and increasingly European affairs.