Donot Team (also known as APT-C-35 and SectorE02) is a long-running South Asia-focused threat actor linked to Windows and Android malware, with Amnesty International alleging links to an Indian cybersecurity company that may sell spyware or hackers-for-hire services to regional governments. This post analyzes two malware variants, DarkMusical and Gedit, and details their attack chains, updates, and persistent targeting of specific South Asian entities including government and foreign affairs bodies.
Key points
- Donot Team has operated since at least 2016, focusing on Bangladesh, Sri Lanka, Pakistan, and Nepal, with targets including government, military, and embassies.
- The group uses the signature yty malware framework, a chain of downloaders leading to backdoors and data exfiltration.
- Two Windows malware variants, DarkMusical and Gedit, dominate recent campaigns, with a Henos campaign described for Gedit.
- Spearphishing with malicious Office documents (Word/PowerPoint macros, RTF CVE-2017-11882, and remote template injection) drives initial access.
- Persistence is achieved via scheduled tasks; the malware often alternates between DLL and EXE components across campaigns.
- The yty framework employs multiple languages (C++, Go, VBScript, Python, etc.) and frequently changes staging paths, URLs, and component filenames to evade detection.
- Indicators of compromise include specific sample hashes and a variety of download/exfiltration domains and servers used across campaigns.
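The initial-access vectors listed above (remote template injection in Word documents and RTF files carrying CVE-2017-11882 Equation Editor objects) can be triaged statically before a user ever opens the attachment. The following is an added example, not code from ESET or from the report; it constructs its own minimal sample documents inline and assumes only the standard Office Open XML relationship types. The RTF check is a string heuristic for an embedded Equation Editor 3.0 object, not a full RTF parser.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Standard OOXML relationship namespace and the "attachedTemplate" relationship type
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)
SETTINGS_RELS = "word/_rels/settings.xml.rels"


def external_templates(docx_bytes):
    """Return every external attachedTemplate target in a .docx.

    A template fetched from a URL at open time is the hallmark of remote
    template injection; a local template (no TargetMode="External") is normal.
    """
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if SETTINGS_RELS not in z.namelist():
            return []
        root = ET.fromstring(z.read(SETTINGS_RELS))
    return [
        rel.get("Target")
        for rel in root.iter(f"{{{REL_NS}}}Relationship")
        if rel.get("Type") == ATTACHED_TEMPLATE and rel.get("TargetMode") == "External"
    ]


def references_equation_editor(rtf_bytes):
    """Heuristic: does an RTF embed an Equation Editor 3.0 object?

    Equation Editor (EQNEDT32) is the component abused by CVE-2017-11882, so
    any modern document embedding it deserves sandboxing. Ancient but legitimate
    documents can trigger this too, so treat it as a triage signal, not proof.
    """
    text = rtf_bytes.decode("latin-1", errors="replace").lower()
    return bool(re.search(r"\\objclass\s+equation", text)) or "equation.3" in text


def build_sample_docx(template_target=None):
    """Constructed sample: a minimal docx-like zip, optionally with an external template."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<document/>")
        z.writestr("word/settings.xml", "<settings/>")
        if template_target:
            z.writestr(
                SETTINGS_RELS,
                f'<Relationships xmlns="{REL_NS}">'
                f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
                f'Target="{template_target}" TargetMode="External"/>'
                "</Relationships>",
            )
    return buf.getvalue()


# Constructed RTF samples: one embedding an Equation Editor object, one plain text
SAMPLE_RTF_EQ = rb"{\rtf1{\object\objemb{\*\objclass Equation.3}{\*\objdata 00}}}"
SAMPLE_RTF_BENIGN = rb"{\rtf1 Quarterly report, nothing embedded.}"

if __name__ == "__main__":
    # Placeholder URL; a real sample would carry the attacker's staging host
    suspicious = build_sample_docx("https://example.invalid/template.dotm")
    print("external templates:", external_templates(suspicious))
    print("clean docx:", external_templates(build_sample_docx()))
    print("rtf equation editor:", references_equation_editor(SAMPLE_RTF_EQ))
    print("rtf benign:", references_equation_editor(SAMPLE_RTF_BENIGN))
```

Run at the mail gateway or in a detonation pipeline, `external_templates` gives you the URL to block and hunt for in proxy logs, which is usually more durable than the document hash since Donot rotates staging paths and URLs between campaigns.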
MITRE Techniques
- [T1588.005] Obtain Capabilities: Exploits – Donot Team has used CVE‑2017‑11882 exploits to run its first-stage malware.
- [T1566.001] Phishing: Spearphishing Attachment – Donot Team has sent spearphishing emails to its victims with malicious Word or PowerPoint attachments.
- [T1204.002] User Execution: Malicious File – Victims open the malicious attachments, which triggers execution.
- [T1059.005] Command and Scripting Interpreter: Visual Basic – Macros in PowerPoint/Word documents.
- [T1059.003] Command and Scripting Interpreter: Windows Command Shell – Backdoors execute shell commands, including reverse shells.
- [T1203] Exploitation for Client Execution – CVE‑2017‑11882 is used to exploit Office components and execute code on the victim’s machine.
- [T1053.005] Scheduled Task/Job: Scheduled Task – Persistence through scheduled tasks that execute the dropped components.
- [T1036.005] Masquerading: Match Legitimate Name or Location – Filenames such as pytemp, javatemp mimic legitimate software.
- [T1057] Process Discovery – Checks for older versions of the malware on victims’ systems.
- [T1534] Internal Spearphishing – Lateral movement via spearphishing from within the targeted organization.
- [T1005] Data from Local System – Data collection by traversing the filesystem for targeted files.
- [T1025] Data from Removable Media – Copying files from USB drives.
- [T1074.001] Data Staged: Local Data Staging – Data staged in a local folder before exfiltration.
- [T1113] Screen Capture – Screenshots captured by components of the toolkit.
- [T1071.001] Application Layer Protocol: Web Protocols – C2 and exfiltration over HTTP/S.
- [T1048.003] Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol – Exfiltration to dedicated servers via HTTP/HTTPS, often unencrypted.
Indicators of Compromise
- [SHA-1] 78E82F632856F293BDA86D77D02DF97EDBCDE918, D9F439E7D9EE9450CD504D5791FC73DA7C3F7E2E, CF7A56FD0613F63418B9DF3E2D7852FBB687BE3F
- [Filename] cdc.dll, wuaupdt.exe, gedit.exe
- [Domain] request.soundedge.live, submin.seasonsbackup.xyz, oceansurvey.club
- [IP] 80.255.3.67, 37.48.122.145, 37.120.198.208
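To turn the indicators above into a retrospective sweep, the added example below (not part of the ESET report) matches the page's hashes, filenames, domains and IPs against endpoint and DNS log lines. The log lines are constructed for the example in a Sysmon-like key=value style; hashes are compared case-insensitively, filenames are compared on the basename only, and domains match on exact name or any subdomain, since the report's hosts may appear under changing prefixes.

```python
import re

# Indicators of compromise as listed on this page
IOC_SHA1 = {
    "78E82F632856F293BDA86D77D02DF97EDBCDE918",
    "D9F439E7D9EE9450CD504D5791FC73DA7C3F7E2E",
    "CF7A56FD0613F63418B9DF3E2D7852FBB687BE3F",
}
IOC_FILENAMES = {"cdc.dll", "wuaupdt.exe", "gedit.exe"}
IOC_DOMAINS = {"request.soundedge.live", "submin.seasonsbackup.xyz", "oceansurvey.club"}
IOC_IPS = {"80.255.3.67", "37.48.122.145", "37.120.198.208"}

SHA1_RE = re.compile(r"\b[0-9a-fA-F]{40}\b")
FILE_RE = re.compile(r"[\w.-]+\.(?:exe|dll)\b", re.IGNORECASE)   # basename of a path
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)
IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


def match_domain(observed):
    """Return the IoC domain that `observed` equals or is a subdomain of, else None."""
    observed = observed.lower().rstrip(".")
    for ioc in IOC_DOMAINS:
        if observed == ioc or observed.endswith("." + ioc):
            return ioc
    return None


def scan_line(line):
    """Return sorted (ioc_type, matched_ioc) pairs found in one log line."""
    hits = set()
    for h in SHA1_RE.findall(line):
        if h.upper() in IOC_SHA1:
            hits.add(("sha1", h.upper()))
    for f in FILE_RE.findall(line):
        if f.lower() in IOC_FILENAMES:
            hits.add(("filename", f.lower()))
    for d in DOMAIN_RE.findall(line):
        ioc = match_domain(d)
        if ioc:
            hits.add(("domain", ioc))
    for ip in IP_RE.findall(line):
        if ip in IOC_IPS:
            hits.add(("ip", ip))
    return sorted(hits)


def scan(lines):
    """Sweep many lines; returns (1-based line number, ioc_type, matched_ioc) triples."""
    return [
        (n, kind, value)
        for n, line in enumerate(lines, 1)
        for kind, value in scan_line(line)
    ]


# Constructed sample log lines (paths and timestamps are illustrative, not from the report)
SAMPLE_LOGS = [
    r"2022-01-10 09:12:01 Sysmon EventID=1 Image=C:\Users\victim\AppData\Roaming\pytemp\wuaupdt.exe "
    r"Hashes=SHA1=d9f439e7d9ee9450cd504d5791fc73da7c3f7e2e",
    r"2022-01-10 09:12:05 Sysmon EventID=22 Image=C:\Users\victim\AppData\Roaming\pytemp\wuaupdt.exe "
    r"QueryName=request.soundedge.live QueryResults=80.255.3.67",
    r"2022-01-10 09:13:00 Sysmon EventID=1 Image=C:\Windows\System32\svchost.exe "
    r"Hashes=SHA1=0000000000000000000000000000000000000000",
    r"2022-01-10 09:14:10 Sysmon EventID=7 Image=C:\Windows\System32\rundll32.exe "
    r"ImageLoaded=C:\Users\victim\AppData\Local\javatemp\cdc.dll",
    r"2022-01-10 09:15:30 DNS client=10.0.0.5 query=www.oceansurvey.club",
]

if __name__ == "__main__":
    for n, kind, value in scan(SAMPLE_LOGS):
        print(f"line {n}: {kind} matched {value}")
```

Filename matches alone are weak evidence (gedit.exe is a plausible name for a legitimate editor), so in practice they are best combined with the staging-directory names the report mentions (pytemp, javatemp) and the scheduled-task persistence rather than alerted on by themselves; hash, domain and IP matches are high-confidence.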
Read more: https://www.welivesecurity.com/2022/01/18/donot-go-do-not-respawn/