LoptikMod is a remote access trojan (RAT) associated with the India-linked DoNot Team, also tracked as APT-C-35, Mint Tempest, Origami Elephant, SECTOR02/SectorE02, and Viceroy Tiger. The malware has been described as used exclusively by DoNot Team since at least 2018 and was observed in a cyber espionage campaign targeting a European foreign affairs/foreign ministry. Reported targeting includes government entities, foreign ministries, defense organizations, and NGOs, with emphasis on South Asia and Europe.
In the described campaign, LoptikMod was delivered via spear-phishing emails sent from a Gmail address that impersonated defense officials and referenced an Italian Defense Attaché visit to Dhaka, Bangladesh. The phishing lure led victims to a Google Drive link that downloaded a RAR archive containing a malicious executable disguised as a PDF document. When executed, the file launched the LoptikMod RAT.
Capabilities directly described in the source material include establishing persistence via scheduled tasks, ensuring only one instance runs at a time, connecting to a command-and-control server, sending system information, receiving further commands, downloading additional modules or payloads, and exfiltrating data. The malware was also reported to use anti-VM techniques and ASCII obfuscation to hinder analysis and evade detection. One report noted that the command-and-control server identified in the campaign was inactive at the time of analysis. Overall, the activity was assessed as surveillance-oriented cyber espionage by DoNot Team against European diplomatic targets.
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
3 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
The RAR archive distributed via the emails contains a malicious executable that mimics a PDF document, opening which causes the execution of the LoptikMod remote access trojan that can establish persistence on the host via scheduled tasks and connect to a remote server to send system information, receive further commands, download additional modules, and exfiltrate data.
“The India-linked DoNot threat actor group… targeted a European foreign ministry using a new malware strain called LoptikMod… LoptikMod establishes persistence via scheduled tasks… connects to a C2 server to exfiltrate data and possibly download additional payloads.”
"DoNot, a hacking group suspected of having ties to India, has started targeting European foreign ministries using its LoptikMod malware. LoptikMod is delivered through phishing attacks and enables the hackers to surveil victims."
9 distinct techniques documented for this family, organized by ATT&CK tactic.
5 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Malware used by DoNot Team in espionage targeting a European foreign affairs ministry (per summary).
A malware used by the DoNot threat group, delivered via phishing, that enables surveillance of infected victims.
LoptikMod is a remote access trojan (RAT) used by the DoNot Team for cyber espionage. It is capable of establishing persistence, exfiltrating data, executing commands, and downloading additional payloads. It employs anti-VM checks, ASCII obfuscation, and ensures only one active instance runs at a time to evade detection.
Custom Windows malware used in spear-phishing campaigns; delivered as a disguised executable inside a password-protected RAR, establishes persistence via scheduled tasks, uses obfuscation/packing and anti-VM techniques, and communicates with C2 for data exfiltration and potential secondary payload delivery.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.