DoNot Team is an APT group historically suspected of alignment with Indian state interests. The group is also known as APT-C-35, Viceroy Tiger, and Brainworm. Reporting in the provided content links DoNot Team to highly targeted campaigns against defense, diplomatic, government, and military entities across South Asia—specifically including India, Pakistan, Sri Lanka, and Bangladesh—active at least since 2016. In 2021, DoNot Team was attributed (by Proofpoint) to campaigns using a phishing attachment technique dubbed RTF template injection, abusing the RTF control word "\\template" to force Microsoft Word to retrieve remote content from a URL when the document is opened. DoNot Team’s implementation included obfuscating the remote template URL using Unicode-signed 16-bit character notation and embedding the malicious template control word within the "\\wgrffmtfilter" enclosing group. Observed lures included “defense proposal” themes and appeared to target entities in Pakistan and Sri Lanka; Word rendering artifacts included a download message that could reveal the URL and an invalid template error, with some samples showing blank documents. The content also links DoNot Team to malware development/usage across platforms: it notes the group has been linked to new Android malware in highly targeted attacks, and that a StreamSpy download site hosted Spyder variants with extensive data collection features. Additionally, the malware’s digital signature was reported to correlate with a Windows RAT called ShadowAgent attributed to DoNot Team. Separately, a DoNot Team-attributed payload was observed executing a known SideWinder loader in an attack targeting a victim in Pakistan, suggesting operational/tooling overlap in at least one incident.
Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.
23 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.
4 malware families attributed to this actor across reporting.
33 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.
5 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Targeted operations using Android malware (Tanzeem/Tanzeem Update) for intelligence collection.
Suspected to share resources and malware with Patchwork/Maha Grass, known for using RATs like ShadowAgent for data collection and espionage.
APT group using SideWinder loader for targeted attacks, possibly in South Asia.
Used RTF template injection in phishing attachments (Feb–Jul 2021), including Unicode 16-bit obfuscation of remote template URLs; lures included “defense proposal” themes targeting Pakistan and Sri Lanka.
Match sector + geo + tech-stack targeting against your real footprint.
Every observed MITRE ATT&CK technique, grouped by tactic.
Families this actor is known to deploy, with IOCs and behavior.
CVEs this actor has used in known campaigns.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Domains, IPs, and hashes tied to this actor, refreshed continuously.