YTY is a custom-built Windows spyware/backdoor framework used by the DoNot Team (also known as APT-C-35), a South Asia-focused threat actor active since at least 2016. Morphisec Labs refers to the framework as YTY/Jaca. Reported targeting includes government and military entities across South Asia, including Pakistan’s defense sector, and DoNot operations more broadly have targeted individuals and organizations in India, Pakistan, Sri Lanka, and Bangladesh.
Observed delivery is via spear-phishing emails with malicious attachments, including RTF documents that fetch remote templates over HTTP and deliver macro-enabled payloads. The infection chain described includes a macro that injects shellcode, downloads encrypted second-stage content disguised as .ico or .png files, and writes artifacts including %tmp%\syswow64.dll and %tmp%\document.doc. The malware checks for security-product drivers under C:\Windows\System32\drivers and includes date-based logic tied to products such as Bitdefender, Kaspersky, Avast, ESET, QuickHeal, and Qihoo360.
After execution, the main DLL establishes persistence via Windows Scheduled Tasks, including creation through COM objects and use of schtasks.exe; one described command creates a task named "wakeup," and another persistence mechanism runs every three minutes and triggers an exported function from the main DLL. The malware creates a mutex to prevent multiple instances and performs VM detection via WMI queries for VMware and VirtualBox.
YTY profiles infected hosts by collecting the victim username, screenshots, keystrokes through a keylogger plugin, running process information via tasklist, local network configuration via ipconfig /all including the domain name, and remote system information using net view. It also enumerates folder names under C:\Program Files and C:\Program Files (x86), and collects system information via WMI including OS caption, build number, CPU name, and processor ID. A victim ID is defined as Username-ComputerName-ProcessorId.
For collection, YTY can steal files with extensions including .ppt, .pptx, .pdf, .doc, .docx, .xls, .xlsx, .docm, .rtf, .inp, .xlsm, .csv, .odt, .pps, and .vcf and send them to command-and-control infrastructure. Its modular framework can download and execute components including ieflagKlo.dll (keylogger), ieflagUl.dll (uploader), ieflagSp.dll (screenshot), ieflagTr.dll (file collection), ieflagUsd.dll (removable disk collection), ieflagBr.dll (browser stealer), and ieflagRvso.dll (reverse shell). The upgraded browser stealer uses helper executables WinBroGogle.exe, WinBroGoMoH.exe, WinBroMozla32.exe, and WinBroMozla64.exe to steal Chrome and Firefox credentials and history, storing encrypted output as .rnm files. The reverse shell module was changed from an EXE to a DLL and connects to 162.33.177[.]41, spawns a hidden cmd.exe, and binds standard I/O to the socket until receiving "exit\n".
YTY communicates with C2 using AES-256-encrypted and Base64-encoded traffic. A module-downloader stage identified as WavemsMp.dll retrieves an encrypted C2 address from a Google Drive document; other references describe YTY communicating to C2 by retrieving a Google Doc. Plugins have been packed with UPX. Example infrastructure in the reporting includes hxxp://mak.logupdates.xyz/DWqYVVzQLc0xrqvt/HG5HlDPqsnr3HBwOKY0vKGRBE7V0sDPdZb09n7xhp0klyT5X.mp3 and a corresponding .doc URL.
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
2 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
DoNot APT is known for using custom-built Windows malware, including backdoors like YTY and GEdit, often delivered through spear-phishing emails or malicious documents.
Morphisec Labs has tracked the group’s activity and now exclusively details the latest updates to the group’s Windows framework, a.k.a. YTY, Jaca.
29 distinct techniques documented for this family, organized by ATT&CK tactic.
“Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.” / “APT29 used scheduler and schtasks to create new tasks on remote host as part of their lateral movement… updating an existing legitimate task to execute their tools and then returned the scheduled task to its original configuration.”
During the 2022 Ukraine Electric Power Attack, Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.
“Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.” / “APT29 used scheduler and schtasks to create new tasks on remote host as part of their lateral movement… updating an existing legitimate task to execute their tools and then returned the scheduled task to its original configuration.”
“Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.” / “APT29 used scheduler and schtasks to create new tasks on remote host as part of their lateral movement… updating an existing legitimate task to execute their tools and then returned the scheduled task to its original configuration.”
“...downloads from [1] to [3], modifies 3 first bytes back to their original form. This technique is used to evade security solutions and keep them from scanning the executable.”
"Sandworm Team used UPX to pack a copy of Mimikatz"; "APT38 has used several code packing methods such as Themida, Enigma, VMProtect, and Obsidium"; "Lazarus Group packed malicious .db files with Themida to evade detection."
“The function injects a shellcode (32-bit/64-bit) into the process memory and invokes it.”
“Before the execution of the payload, the shellcode decrypts itself... followed by xor with a two-byte key, which changes between stages.”
“...remote template injection... When the RTF document is opened, it tries to fetch a malicious remote template from its C2...”
The content repeatedly describes malware and threat actors using commands and APIs such as ipconfig /all, ifconfig, arp -a, route print, nbtstat, netsh, GetAdaptersInfo, and GetIpNetTable to gather IP addresses, MAC addresses, DNS, DHCP, gateways, routing tables, ARP cache, proxy settings, domains, and network adapter/interface details.
During the 2015 Ukraine Electric Power Attack, Sandworm Team remotely discovered systems over LAN connections. OT systems were visible from the IT network as well, giving adversaries the ability to discover operational assets.
The content repeatedly describes malware and threat actors collecting usernames, identifying logged-in users, running whoami/query user/quser, checking whether the current user is an administrator, enumerating user sessions, and gathering account details from compromised hosts.
The content repeatedly describes malware and threat actors obtaining lists of running processes, using utilities such as tasklist, ps, WMI, Get-Process, CreateToolhelp32Snapshot, EnumProcesses, and similar APIs/commands to enumerate active processes on victim systems.
The content is a long ATT&CK-style listing of malware and threat actors that collect host details such as OS version, hostname, architecture, CPU, memory, BIOS, language, and other basic system characteristics; examples include use of commands like systeminfo, ver, uname, sw_vers, and WMI queries.
The content repeatedly describes malware and threat actors listing files and directories, enumerating drives, searching for files by extension/name/path, retrieving file metadata, and browsing file systems (for example: "APT28 has used Forfiles to locate PDF, Excel, and Word documents during collection" and "cmd can be used to find files and directories with native functionality such as dir commands").
“...performs VM detection using WMI queries: Looking for VMware... and VirtualBox in csproduct name”
The content repeatedly describes threat actors and malware collecting, stealing, identifying, copying, or staging files, documents, credentials, logs, databases, and other information from compromised hosts or local systems.
"Agent Tesla can capture screenshots of the victim’s desktop"; "AppleSeed can take screenshots on a compromised host"; "APT28 has used tools to take screenshots from victims"; "Cobalt Strike's Beacon payload is capable of capturing screenshots"; "PowerSploit's Get-TimedScreenshot Exfiltration module can take screenshots at regular intervals"; "Hydraq includes a component based on the code of VNC that can stream a live feed of the desktop"
“...fetch a malicious remote template from its C2 by sending an HTTP GET request... The first message to the server is sent as a POST request...”
The adversaries had communicated to both Dropbox and Pastebin. APT28 has used Google Drive for C2. APT37 leverages social networking sites and cloud platforms (AOL, Twitter, Yandex, Mediafire, pCloud, Dropbox, and Box) for C2.
"APT39 has communicated with C2 through files uploaded to and downloaded from DropBox."; "RIFLESPINE can retrieve C2 commands from an encrypted file on Google Drive then upload the results ... back to Google Drive."; "CloudDuke uses a Microsoft OneDrive account to exchange commands and stolen data"
22 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
21 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A custom-built Windows backdoor used by DoNot Team.
A modular Windows spyware/backdoor framework attributed to the DoNot Team, delivered via spearphishing and macro/RTF-based execution, using staged shellcode loaders and multiple DLL modules for data theft and remote access (keylogging, screenshots, file collection, browser credential/history theft, file upload, and reverse shell). Uses scheduled tasks for persistence and AES-256/Base64 for C2 communications; can fetch updated C2 addresses via Google Drive.
Backdoor that establishes persistence via a daily scheduled task.
Backdoor that retrieves a Google Doc to communicate with command-and-control.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.