
Experts found new DoNot Team APT group’s Android malware


Researchers linked the threat actor DoNot Team to a new Android malware that was employed in highly targeted cyber attacks.

CYFIRMA researchers linked a recently discovered Android malware to the Indian APT group known as DoNot Team.

The Donot Team (aka APT-C-35 and Origami Elephant) has been active since 2016; it focuses on government and military organizations, ministries of foreign affairs, and embassies in India, Pakistan, Sri Lanka, Bangladesh, and other South Asian countries.

The malware was named “Tanzeem” and “Tanzeem Update” (“Tanzeem” means “organization” in Urdu); CYFIRMA spotted the two samples in October and December 2024 respectively. The two artifacts share the same code, with minor differences in the user interface.

The Tanzeem App mimics chat functionality and prompts users to enable accessibility access. Variants show minor differences, like color changes.

The DoNot APT group has been observed misusing the OneSignal platform, which typically provides tools for sending push notifications, in-app messages, emails, and SMS widely used in mobile and web applications. In this case, the group is leveraging OneSignal to deliver phishing links through notifications. This tactic represents a new development in the group’s methods, as it’s the first time they’ve been seen utilizing OneSignal for such purposes.

The app shuts down after gaining permissions; its name suggests it targets specific individuals or groups domestically and abroad.

“Upon clicking ‘START CHAT’, a pop-up message asks the user to turn on accessibility access for the Tanzeem App,” reads the report published by CYFIRMA. “The user is then directed to the accessibility settings page.”

The app can gather call logs, contacts, SMS messages, precise locations, account information, and files stored in external storage. The malicious code can also record the screen.
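The combination described above, an app that asks for accessibility access and also holds permissions for call logs, contacts, SMS, precise location, accounts and external storage, is visible in a decoded AndroidManifest.xml before the app ever runs. The following added example (written for this article, not CYFIRMA's tooling or anything from the report) parses a manifest and flags that combination for triage. The sample manifest, including the package name `com.example.chatapp` and service name `.AccService`, is constructed for the demonstration; the permission and action strings are the standard Android ones.

```python
"""Static triage of a decoded AndroidManifest.xml for the
accessibility-service + data-harvesting permission pattern.
Added example; not part of the original article or CYFIRMA's report."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
PERMISSION_ATTR = f"{{{ANDROID_NS}}}permission"

# Standard Android permissions that map to the data types the report says
# the malware collects.
SENSITIVE_PERMISSIONS = {
    "android.permission.READ_CALL_LOG": "call logs",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_SMS": "SMS messages",
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
    "android.permission.GET_ACCOUNTS": "account information",
    "android.permission.READ_EXTERNAL_STORAGE": "external storage files",
}

def parse_manifest(xml_text: str) -> dict:
    """Return requested permissions and whether an accessibility service is declared."""
    root = ET.fromstring(xml_text)
    permissions = {e.get(NAME_ATTR) for e in root.iter("uses-permission")}
    declares_accessibility = False
    for svc in root.iter("service"):
        # A real accessibility service must be protected by BIND_ACCESSIBILITY_SERVICE
        # and register the AccessibilityService intent action.
        if svc.get(PERMISSION_ATTR) != "android.permission.BIND_ACCESSIBILITY_SERVICE":
            continue
        for action in svc.iter("action"):
            if action.get(NAME_ATTR) == "android.accessibilityservice.AccessibilityService":
                declares_accessibility = True
    return {"permissions": permissions, "accessibility_service": declares_accessibility}

def triage(xml_text: str) -> dict:
    """Score a manifest: accessibility service plus several sensitive permissions is 'high'."""
    info = parse_manifest(xml_text)
    collected = sorted(SENSITIVE_PERMISSIONS[p] for p in info["permissions"]
                       if p in SENSITIVE_PERMISSIONS)
    if info["accessibility_service"] and len(collected) >= 3:
        verdict = "high"
    elif info["accessibility_service"] or collected:
        verdict = "medium"
    else:
        verdict = "low"
    return {"verdict": verdict, "collects": collected,
            "accessibility_service": info["accessibility_service"]}

# Constructed sample manifest (package and class names are placeholders).
SUSPICIOUS_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.chatapp">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <application>
    <service android:name=".AccService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""

# Constructed benign manifest for comparison: network access only.
BENIGN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.weather">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application/>
</manifest>
"""

if __name__ == "__main__":
    for label, manifest in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label, triage(manifest))
```

The check is a triage heuristic, not a verdict on its own: legitimate accessibility apps also declare this service, so a "high" result should send the sample for dynamic analysis (for example, watching whether the app hides itself after the accessibility prompt, as the report describes) rather than being treated as a conviction.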

The DONOT APT targets South Asian organizations in support of India’s strategic intelligence interests, using push notifications to deliver persistent Android malware; the campaign shows the group’s tactics evolving while its operations continue.

“The cybersecurity community is well aware that the DONOT group is actively targeting organizations and individuals across the South Asia region. The group persistently employs similar techniques in their Android malware.” concludes the report, which includes Indicators of Compromise (IoCs). “Recently, we observed the implementation of OneSignal in their latest attack, further demonstrating their efforts to maintain persistence. As the group continues to evolve, we can expect further modifications in their tactics, aiming to strengthen their ability to maintain persistence in future cyberattacks using Android malware.”


Pierluigi Paganini

(SecurityAffairs – hacking, malware)