ETDA ThaiCERT

Threat Group Cards: A Threat Actor Encyclopedia

APT group: Donot Team

Names: Donot Team (ASERT), APT-C-35 (Qihoo 360), SectorE02 (ThreatRecon)
Country: [Unknown]
Motivation: Information theft and espionage
First seen: 2018
Description: (ASERT) In late January 2018, ASERT discovered a new modular malware framework we call “yty”. The framework shares a striking resemblance to the EHDevel framework. We believe with medium confidence that a team we call internally “Donot Team” is responsible for the new malware and will resume targeting of South Asia.

In a likely effort to disguise the malware and its operations, the authors coded several references into the malware for football—it is unclear whether they mean American football or soccer. The theme may allow the network traffic to fly under the radar.

The actors use false personas to register their domains instead of opting for privacy protection services. Depending on the registrar service chosen, this could be seen as another cost control measure. The actors often used typo-squatting to slightly alter a legitimate domain name. In contrast, the registration information used accurate spelling, possibly indicating the domain naming was intentional, typos included. Each unique registrant usually registered only a few domains, but mistakenly reused phone numbers or the registration data portrayed a similar pattern across domains.
Observed: Sectors: Government.
Countries: Argentina, Bangladesh, India, Pakistan, Philippines, Sri Lanka, Thailand, UAE, UK.
Tools used: BackConfig, EHDevel, yty.
Operations performed:
Mar 2019: From March to July this year, the ThreatRecon team noticed a spear phishing campaign by the SectorE02 group going on against the Government of Pakistan and organizations there related to defense and intelligence.
<https://threatrecon.nshc.net/2019/08/02/sectore02-updates-yty-framework-in-new-targeted-campaign-against-pakistan-government/>
Apr 2019: StealJob: New Android Malware
Recently, we have observed a large-scale upgrade of its malicious Android APK framework to make it more stable and practical. Since the new APK framework is quite different from the one used in the past, we named it StealJob, since “job” is frequently used in the code.
<https://ti.360.net/blog/articles/stealjob-new-android-malware-used-by-donot-apt-group-en/>
May 2020: An Indicator From Twitter Brings The Donot Android Espionage Group Back Into Focus
<https://www.riskiq.com/blog/external-threat-management/donot-mobile-malware-espionage/>
Information:
<https://ti.360.net/blog/articles/donot-group-is-targeting-pakistani-businessman-working-in-china-en/>
<https://www.netscout.com/blog/asert/donot-team-leverages-new-modular-malware-framework-south-asia>
<http://blog.ptsecurity.com/2019/11/studying-donot-team.html>

Last change to this card: 19 October 2020
