DONOT

Malware description

⚠️ Overview

DONOT (also tracked as Donot Team, APT-C-35 and SectorE01) is a cyber-espionage group that deploys custom malware against government, military, diplomatic and, in some campaigns, civil-society targets in South Asia, chiefly Pakistan, Bangladesh, Sri Lanka and Nepal, together with Kashmir-related organisations. Public reporting assesses the group as India-aligned rather than Chinese: Amnesty International's 2021 investigation tied Donot infrastructure to an Indian company, and no public reporting links it to China's Ministry of State Security. Its activity was first publicly documented in 2018 by NETSCOUT's ASERT team, which coined the name Donot Team and described its modular "yty" framework; it has since been tracked by 360 Threat Intelligence Center (as APT-C-35), Amnesty International, ESET and Morphisec, among others. DONOT is an espionage toolset rather than ransomware or a botnet: it comprises downloaders, modular backdoors, keyloggers, file collectors and screen-capture modules, plus a companion family of Android spyware. The group is believed to have been active since at least 2016, and its Windows frameworks (yty and its descendants Gedit, DarkMusical and Jaca) have continued to evolve through the early 2020s.

🔧 Technical Capabilities

Delivery. Spear-phishing is the dominant reported vector: macro-enabled Office documents, RTF and Word files that exploit the Equation Editor flaws CVE-2017-11882 and CVE-2018-0802 or the MSHTML flaw CVE-2021-40444 (the page's earlier wording ran these together; the first two are Equation Editor bugs, the third is MSHTML), and, more recently, weaponised LNK shortcuts and ISO images.

Staging. The infection chain is multi-stage. A small dropper or downloader (reported as .NET or Delphi in some campaigns) fetches the next stage from the operators' servers or from legitimate cloud storage (pCloud, Dropbox and OneDrive have all been reported), so that the first outbound connections blend into ordinary SaaS traffic.

Command and control. Reported C2 runs over HTTP/S on TCP 443 and 8080 using a custom RC4-based scheme with hardcoded keys; some variants are said to use DNS-over-HTTPS for resilience. These details differ between variants and campaigns, so confirm them against the originating report before turning them into network signatures; a hardcoded key also means that, once a sample is analysed, captured traffic can be decrypted offline.

Persistence and evasion. Persistence uses Windows scheduled tasks, HKCU Run keys and WMI event subscriptions. Evasion includes encrypted strings, sleep-based execution delays, and checks for analysis tools (for example Process Explorer) and hypervisor artefacts such as VMware or VirtualBox services.

Collection. The modules enumerate and steal files, harvest stored browser credentials (Chrome, Firefox, Edge), log keystrokes and capture screenshots, typically from DLLs injected into or loaded by legitimate processes.

📜 History & Notable Incidents

The first public report came from NETSCOUT's ASERT team in March 2018, describing the modular yty framework and its use against targets in Pakistan. In 2020 Cisco Talos documented "Firestarter", an Android loader attributed to the group that used Firebase Cloud Messaging to retrieve its payload. In October 2021 Amnesty International reported that Donot spyware for Windows and Android had been used against a human-rights defender in Togo, and linked the attack infrastructure to an Indian cyber-security company, which denied involvement. In January 2022 ESET published an analysis of campaigns running from September 2020 to October 2021 against government and military entities in Bangladesh, Sri Lanka, Pakistan and Nepal, delivered in spear-phishing waves every two to four months using the Gedit and DarkMusical variants of yty. Later in 2022 Morphisec described the Jaca framework, delivered through RTF documents exploiting CVE-2017-11882. No public indictment has named the group.

🔍 Detection Indicators

File hashes. The hash values previously listed here cannot be used: the string offered as a SHA-256 is 62 hexadecimal characters long (a SHA-256 digest is 64), and both it and the accompanying MD5 are sequential placeholder-style values that do not trace back to any cited report. Take sample hashes from the primary analyses (ASERT, ESET, Morphisec) rather than from this page.

Host indicators. Scheduled tasks whose names impersonate vendor updaters (for example "GoogleUpdateTask" or "AdobeUpdateTask") but whose action runs an unsigned binary from a user-writable location; Run values under HKCU\Software\Microsoft\Windows\CurrentVersion\Run pointing to randomly named executables in %APPDATA%; and, per some reporting, a mutex named "DONOT_MUTEX_001" (case-sensitive). The mutex name has not been confirmed against a primary sample and should be treated as unverified.

Network indicators. Domains such as bestofphotos[.]com and imagesforpc[.]org have been reported as C2; validate them against current reporting before blocking, since they may have been reassigned. Traffic to api[.]dropbox[.]com and similar cloud-storage APIs is only an indicator in context, because the same endpoints carry legitimate traffic; the useful signal is a non-browser, non-sync-client process under %APPDATA% talking to them. The observed User-Agent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36" is a stock Chrome 91 string and is not distinctive on its own; pair it with the originating process.
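The host indicators above are only useful if they are combined: an updater-named task is normal, a binary under %APPDATA% is normal, but an updater-named task whose action is an unsigned binary under %APPDATA% is not. The following hunting script is an added example written for this page (not code from any DONOT report or vendor product); it runs the three combined checks over constructed Sysmon-style events. The event schema, hostnames, paths and the cloud-storage API hostnames are assumptions for the example.

```python
"""Combined host-telemetry hunt for the persistence and staging pattern described above.

Added example for this page; the JSON events below are constructed, not real telemetry.
Event ids mirror Sysmon 3 (network connect), Sysmon 13 (registry value set) and
Windows Security 4698 (scheduled task created), reduced to the fields the rules need.
"""
import json
import re
from pathlib import PureWindowsPath

# Locations an unprivileged user can write to; legitimate updaters do not run from here.
USER_WRITABLE = re.compile(r"\\(AppData\\(Roaming|Local)|Users\\Public|Temp)\\", re.IGNORECASE)
# Task names that borrow a vendor updater's branding.
VENDOR_LOOKALIKE = re.compile(r"(google|adobe|microsoft|onedrive|windows)\s*update", re.IGNORECASE)
# Assumed cloud-storage API endpoints used for payload staging (assumption for the example).
CLOUD_STORAGE_APIS = {"api.dropbox.com", "content.dropboxapi.com", "api.pcloud.com",
                      "eapi.pcloud.com", "api.onedrive.com"}
# Processes expected to talk to those endpoints.
KNOWN_CLOUD_CLIENTS = {"chrome.exe", "firefox.exe", "msedge.exe", "dropbox.exe", "onedrive.exe"}

SAMPLE_EVENTS = r'''
{"id": 4698, "host": "ws01", "task": "\\GoogleUpdateTask", "command": "C:\\Users\\ali\\AppData\\Roaming\\svhost32\\gdt.exe", "signed": false}
{"id": 4698, "host": "ws01", "task": "\\GoogleUpdateTaskMachineUA", "command": "C:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe", "signed": true}
{"id": 13, "host": "ws02", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\kzqtwvbn", "value": "C:\\Users\\sara\\AppData\\Roaming\\kzqtwvbn.exe"}
{"id": 13, "host": "ws02", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive", "value": "C:\\Users\\sara\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"}
{"id": 3, "host": "ws01", "image": "C:\\Users\\ali\\AppData\\Roaming\\svhost32\\gdt.exe", "dest": "api.pcloud.com", "port": 443}
{"id": 3, "host": "ws03", "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "dest": "api.dropbox.com", "port": 443}
'''


def looks_random(name: str) -> bool:
    """Crude check for machine-generated names: all lower case, 6+ letters, almost no vowels."""
    letters = [c for c in name if c.isalpha()]
    if len(letters) < 6 or not name.islower():
        return False
    vowels = sum(c in "aeiou" for c in letters)
    return vowels / len(letters) < 0.2


def exe_from_command(command: str) -> str:
    """Return the executable path from a command line, dropping quotes and arguments."""
    match = re.match(r'^"?(.*?\.exe)', command, re.IGNORECASE)
    return match.group(1) if match else command


def hunt(events_text: str) -> list:
    """Apply the three combined rules and return one finding per matching event."""
    findings = []
    for line in events_text.strip().splitlines():
        ev = json.loads(line)
        if ev["id"] == 4698:
            exe = exe_from_command(ev["command"])
            if VENDOR_LOOKALIKE.search(ev["task"]) and (USER_WRITABLE.search(exe) or not ev.get("signed", False)):
                findings.append({"host": ev["host"], "rule": "updater_lookalike_task",
                                 "evidence": f'{ev["task"]} -> {exe}'})
        elif ev["id"] == 13 and "\\CurrentVersion\\Run\\" in ev["key"]:
            exe = exe_from_command(ev["value"])
            value_name = ev["key"].rsplit("\\", 1)[1]
            if USER_WRITABLE.search(exe) and looks_random(value_name):
                findings.append({"host": ev["host"], "rule": "run_key_random_name_appdata",
                                 "evidence": f"{value_name} -> {exe}"})
        elif ev["id"] == 3 and ev["dest"].lower() in CLOUD_STORAGE_APIS:
            image_name = PureWindowsPath(ev["image"]).name.lower()
            if image_name not in KNOWN_CLOUD_CLIENTS and USER_WRITABLE.search(ev["image"]):
                findings.append({"host": ev["host"], "rule": "cloud_storage_from_user_writable_binary",
                                 "evidence": f'{ev["image"]} -> {ev["dest"]}:{ev["port"]}'})
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

Run against the constructed events this yields three findings (the fake GoogleUpdateTask, the random-named Run value, and the %APPDATA% binary reaching pCloud) and stays silent on the real Google updater, the real OneDrive Run value and Chrome's Dropbox traffic. Each rule is a conjunction on purpose: any one of its clauses alone would flood a SOC with benign hits.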

☠️ Risk & Impact

DONOT's impact is sustained espionage rather than disruption: long-term access to the workstations of government, military and diplomatic staff, with exfiltration of documents, internal communications and credentials that can expose negotiating positions and operational details. Amnesty International's 2021 reporting shows the same tooling turned on civil society, so human-rights and advocacy organisations in the region are at risk as well as ministries. Direct financial loss is incidental; the cost lies in incident response, rebuilding compromised estates and the strategic consequences of the information taken. The most affected sectors are government (especially defence, intelligence and foreign affairs), the military, diplomatic missions and civil-society groups in South Asia.

🛡️ Mitigation

Patch and harden the entry point: apply the Office fixes for CVE-2017-11882, CVE-2018-0802 and CVE-2021-40444, block macros in documents that carry Mark-of-the-Web, and treat LNK and ISO attachments as executable content at the mail gateway. Apply application control (Windows Defender Application Control or AppLocker) so that executables cannot launch from %APPDATA%, %LOCALAPPDATA% and %TEMP%, which removes the staging location the reported droppers rely on. Log and alert on scheduled-task creation (Security event 4698), HKCU Run-key writes (Sysmon event 13) and WMI event-subscription creation, and hunt for the combination of updater-style task names with unsigned binaries in user-writable paths. On the network, restrict egress to cloud-storage APIs to approved client processes, and use Suricata or Snort rules for the reported C2 protocol only where the traffic is visible in clear; entropy-based detection of RC4 payloads works on decrypted or plaintext HTTP, is blind inside TLS, and must exclude declared compression and known binary formats to stay usable. Run endpoint detection and response with tamper protection enabled so the implant cannot disable it.
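The "entropy pattern" detection mentioned above is easy to state and easy to get wrong: RC4 ciphertext is close to 8 bits per byte, but so are gzip bodies, images and PDFs, so a bare entropy threshold is useless. The example below is added for this page (not a published DONOT signature or any vendor's code) and shows the heuristic done with the two exclusions that make it workable, run over constructed HTTP flows; the textbook RC4 routine exists only to manufacture realistic ciphertext, and the key, hostnames and bodies are assumptions for the example. It applies to HTTP that is visible in clear (or after proxy decryption), not to TLS as seen on the wire.

```python
"""Entropy plus declared-type heuristic for encrypted C2 bodies hidden behind innocuous
Content-Type values. Added example for this page; the flows below are constructed."""
import gzip
import math


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA then PRGA). Used here only to build ciphertext samples."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 for empty input, 8.0 for perfectly uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


# Magic prefixes that legitimately explain a high-entropy body.
KNOWN_MAGIC = (b"\x1f\x8b", b"\x89PNG", b"\xff\xd8\xff", b"%PDF", b"PK\x03\x04", b"RIFF")
# Declared types whose bodies are either low-entropy text or start with a well-known magic.
INNOCUOUS_TYPES = {"text/html", "text/plain", "text/css", "application/json",
                   "application/javascript", "image/png", "image/jpeg", "image/gif"}


def inspect_body(headers: dict, body: bytes, threshold: float = 7.0, min_len: int = 512):
    """Return a reason string when the body looks like an opaque encrypted blob
    served under an innocuous Content-Type, otherwise None."""
    ctype = headers.get("Content-Type", "").split(";")[0].strip().lower()
    encoding = headers.get("Content-Encoding", "").strip().lower()
    if ctype not in INNOCUOUS_TYPES or len(body) < min_len:
        return None                      # short bodies have unreliable entropy estimates
    if encoding in {"gzip", "deflate", "br", "zstd"}:
        return None                      # declared compression legitimately raises entropy
    if body.startswith(KNOWN_MAGIC):     # bytes.startswith accepts a tuple of prefixes
        return None
    h = shannon_entropy(body)
    if h >= threshold:
        return f"{h:.2f} bits/byte in body declared as {ctype}"
    return None


def scan(flows: list) -> list:
    """Run inspect_body over captured flows and return one alert per suspicious body."""
    alerts = []
    for flow in flows:
        reason = inspect_body(flow["headers"], flow["body"])
        if reason:
            alerts.append({"dst": flow["dst"], "reason": reason})
    return alerts


# Constructed samples: a benign page and a fake file-listing beacon encrypted with a fixed key.
HTML = (b"<html><head><title>Photo gallery</title></head><body>\n"
        + b"<p>Lorem ipsum dolor sit amet, consectetur adipiscing elit.</p>\n" * 40
        + b"</body></html>\n")
BEACON_PLAINTEXT = b"host=WS01;user=ali;files=" + b";".join(
    b"C:\\Users\\ali\\Documents\\report_%d.docx" % i for i in range(60))
ENCRYPTED_BEACON = rc4(b"hardcoded-demo-key", BEACON_PLAINTEXT)   # assumed key, example only

SAMPLE_FLOWS = [
    {"dst": "www.example.org", "headers": {"Content-Type": "text/html; charset=utf-8"}, "body": HTML},
    {"dst": "www.example.org", "headers": {"Content-Type": "text/html", "Content-Encoding": "gzip"},
     "body": gzip.compress(HTML)},
    {"dst": "cdn-images.example.net", "headers": {"Content-Type": "text/html"}, "body": ENCRYPTED_BEACON},
    {"dst": "cdn-images.example.net", "headers": {"Content-Type": "image/jpeg"}, "body": ENCRYPTED_BEACON},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_FLOWS):
        print(alert)
```

On the constructed flows only the two encrypted bodies are flagged; the plain page scores well under 6 bits per byte and the gzip response is excused by its Content-Encoding header. The remaining blind spot is deliberate mimicry: an implant that prepends a genuine JPEG or PNG header to its ciphertext slips past the magic check, so this heuristic should feed a score alongside the host-side indicators rather than block on its own.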


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.