⚠

LoptikMod

backdoor1 mutex signatures

[BASIC_INFORMATION]

FAMILY_NAME:

LoptikMod

CATEGORY:

BACKDOOR

DESCRIPTION:

LoptikMod is malware used by the DoNot APT group that primarily targets South Asian countries including Pakistan, Bangladesh, and Sri Lanka to conduct cyber-espionage activities against government agencies, defense and military, diplomatic sector, and important business figures. The group has dual-platform attack capabilities for Windows and Android, often using PDF document decoys, malicious Office documents with macro code, and EXE files disguised as PDF documents. They employ sophisticated attack chains including phishing links, scheduled tasks for persistence, and AES encryption for data exfiltration.

ALIASES:

loptik

TAGS:

cyber_espionagesouth_asiapdf_decoymacro_malwarescheduled_taskspersistenceaes_encryptionmulti_stage

[MUTEX_SIGNATURES](1)

[MUTEX_01]

08808

ANALYST: @adhikara13 DATE: 2025-01-15

REFERENCES:

https://ti.qianxin.com/blog/articles/analysis-of-the-attack-activity-of-the-apt-q-38-using-pdf-document-decoys-en/?utm_source=chatgpt.com

https://www.trellix.com/blogs/research/from-click-to-compromise-unveiling-the-sophisticated-attack-of-donot-apt-group-on-southern-european-government-entities/

[QUICK_ACTIONS]

[THREAT_INTELLIGENCE]

ATTRIBUTION:

⚠DoNot APT group

⚠APT-Q-38

⚠APT-C-35

⚠Mint Tempest

⚠Origami Elephant

⚠SECTOR02

⚠Viceroy Tiger

FIRST_OBSERVED:

2018

[SIGMA_RULE]

[STATISTICS]

MUTEX_COUNT:1

THREAT_ACTORS:7

ALIASES:1

TAGS:8

CATEGORY:BACKDOOR

Malware profile loaded successfully