DoNot Team is an advanced persistent threat group active since at least 2016 and widely tracked under aliases including APT-C-35, Origami Elephant, Mint Tempest, SECTOR02, and Viceroy Tiger. The group is broadly assessed by multiple security vendors as India-aligned and is commonly characterized as a state-sponsored espionage actor focused primarily on South Asia, while more recent operations have also targeted European diplomatic entities. DoNot Team primarily conducts cyber-espionage against government, military, diplomatic, defense, and civil society targets. Reported victimology includes organizations and individuals in Pakistan, Bangladesh, Sri Lanka, Kashmir-related environments, and neighboring countries, as well as at least one European foreign affairs ministry. The group has also been associated with targeting Kashmiri non-profit organizations, Pakistani government officials, and other politically sensitive regional targets. The actor is known for sustained spear-phishing operations using decoy documents themed around defense, diplomatic, or government matters. Observed delivery methods include malicious RTF documents using remote template injection, macro-enabled lures, archives containing executables disguised as documents, and Microsoft Excel add-in payloads. DoNot has shown repeated use of staged malware chains, selective payload delivery, and victim filtering mechanisms such as geofencing and request fingerprinting to reduce exposure and improve targeting precision. Its Windows tradecraft includes shellcode-based loaders, multi-stage downloaders, scheduled-task persistence, host profiling, anti-virtualization checks, and encrypted command-and-control communications. Public reporting links the group to malware families and components including YTY, Jaca, GEdit, LoptikMod, and modular spyware frameworks capable of reconnaissance, data exfiltration, keylogging, screenshot capture, browser credential theft, file collection, removable-media collection, and reverse shell access. Some campaigns have used modular follow-on payload delivery and cloud-hosted or dynamically updated infrastructure to maintain operational flexibility. DoNot Team has also operated Android spyware and loaders. One documented Android loader, Firestarter, used Firebase Cloud Messaging as a covert control channel to deliver payload locations and redirect infected devices after installation. Reported Android capabilities associated with the group include collection of device, communications, location, and application data, reflecting a mature mobile surveillance capability alongside its Windows tooling. The group demonstrates ongoing malware development and adaptation. Reported innovations include abuse of legitimate cloud services for staging or control, use of XLL-based payloads as an alternative to traditional macro delivery, encrypted configuration and communications, and infrastructure patterns consistent across campaigns. Researchers have also noted overlaps in tradecraft and payload chaining with SideWinder in operations targeting Pakistan, suggesting at minimum operational alignment or shared ecosystem characteristics, though the precise relationship remains unclear. Overall, DoNot Team is a persistent espionage-focused threat actor with a long-running emphasis on regional geopolitical intelligence collection, especially involving South Asian military, diplomatic, and government interests, and with an expanding record of targeting beyond its traditional theater.
Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Sectors the actor has been observed targeting.
Geographies tied to known operations.
Attributed origin per open-source reporting.
29 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.
4 malware families attributed to this actor across reporting.
86 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.
14 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Conducting a targeted cyber-espionage intrusion against Bangladesh military and defence personnel using spear-phished RTF lures, remote template injection, staged shellcode delivery, and a DLL implant with scheduled-task persistence and HTTPS C2.
Conducting an active multi-stage cyber-espionage campaign against Bangladeshi military and defence targets using spear-phished RTF lures, remote template injection, staged shellcode loaders, persistent DLL implants, and encrypted HTTPS C2 communications.
Suspected India-linked APT targeting a European foreign ministry; uses LoptikMod malware for data harvesting.
APT-C-35 is a state-sponsored threat actor known for conducting espionage campaigns targeting government, defense, and diplomatic sectors in South Asia. The group maintains persistent infrastructure and employs technical measures to evade detection and secure communications.
Match sector + geo + tech-stack targeting against your real footprint.
Every observed MITRE ATT&CK technique, grouped by tactic.
Families this actor is known to deploy, with IOCs and behavior.
CVEs this actor has used in known campaigns.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Domains, IPs, and hashes tied to this actor, refreshed continuously.