SYMBOLCOMMON_NAMEaka. SYNONYMS

VICEROY TIGER  (Back to overview)

aka: OPERATION HANGOVER, Donot Team, APT-C-35, SectorE02, Orange Kala

VICEROY TIGER is an adversary with a nexus to India that has historically targeted entities throughout multiple sectors. Older activity targeted multiple sectors and countries; however, since 2015 this adversary appears to focus on entities in Pakistan with a particular focus on government and security organizations. This adversary consistently leverages spear phishing emails containing malicious Microsoft Office documents, malware designed to target the Android mobile platform, and phishing activity designed to harvest user credentials. In March 2017, the 360 Chasing Team found a sample of targeted attacks that confirmed the previously unknown sample of APT's attack actions, which the organization can now trace back at least in April 2016. The chasing team named the attack organization APT-C-35. In June 2017, the 360 Threat Intelligence Center discovered the organization’s new attack activity, confirmed and exposed the gang’s targeted attacks against Pakistan, and analyzed in detail. The unique EHDevel malicious code framework used by the organization.


Associated Families
win.unidentified_102 apk.knspy apk.unidentified_005 win.backconfig win.donot win.yty

References
2023-02-23K7 SecurityVigneshwaran P
@online{p:20230223:donot:3806844, author = {Vigneshwaran P}, title = {{The DoNot APT}}, date = {2023-02-23}, organization = {K7 Security}, url = {https://labs.k7computing.com/index.php/the-donot-apt/}, language = {English}, urldate = {2023-07-24} } The DoNot APT
DONOT
2022-08-11MorphisecHido Cohen, Arnold Osipov
@online{cohen:20220811:aptc35:bc731cd, author = {Hido Cohen and Arnold Osipov}, title = {{APT-C-35 GETS A NEW UPGRADE}}, date = {2022-08-11}, organization = {Morphisec}, url = {https://blog.morphisec.com/apt-c-35-new-windows-framework-revealed}, language = {English}, urldate = {2023-07-24} } APT-C-35 GETS A NEW UPGRADE
DONOT
2022-07-18Palo Alto Networks Unit 42Unit 42
@online{42:20220718:thirsty:52ce329, author = {Unit 42}, title = {{Thirsty Gemini}}, date = {2022-07-18}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/atoms/thirstygemini/}, language = {English}, urldate = {2022-07-29} } Thirsty Gemini
BackConfig QUILTED TIGER
2022-04-28PWCPWC UK
@techreport{uk:20220428:cyber:46707aa, author = {PWC UK}, title = {{Cyber Threats 2021: A Year in Retrospect}}, date = {2022-04-28}, institution = {PWC}, url = {https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf}, language = {English}, urldate = {2023-07-02} } Cyber Threats 2021: A Year in Retrospect
BPFDoor APT15 APT31 APT41 APT9 BlackTech BRONZE EDGEWOOD DAGGER PANDA Earth Lusca HAFNIUM HAZY TIGER Inception Framework LOTUS PANDA QUILTED TIGER RedAlpha Red Dev 17 Red Menshen Red Nue VICEROY TIGER
2022-01-18ESET ResearchFacundo Muñoz, Matías Porolli
@online{muoz:20220118:donot:724cf3f, author = {Facundo Muñoz and Matías Porolli}, title = {{DoNot Go! Do not respawn!}}, date = {2022-01-18}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2022/01/18/donot-go-do-not-respawn/}, language = {English}, urldate = {2022-01-18} } DoNot Go! Do not respawn!
yty
2021-10-07Amnesty InternationalAmnesty International
@techreport{international:20211007:hackersforhire:4147fd6, author = {Amnesty International}, title = {{Hackers-for-Hire in West Africa - Activist in Togo attacked with Indian-made Spyware}}, date = {2021-10-07}, institution = {Amnesty International}, url = {https://www.amnesty.org/en/wp-content/uploads/2021/10/AFR5747562021ENGLISH.pdf}, language = {English}, urldate = {2021-11-02} } Hackers-for-Hire in West Africa - Activist in Togo attacked with Indian-made Spyware
yty
2021-07-22cybleCyble
@online{cyble:20210722:donot:831e206, author = {Cyble}, title = {{DoNot APT Group Delivers A Spyware Variant Of Chat App}}, date = {2021-07-22}, organization = {cyble}, url = {https://blog.cyble.com/2021/07/22/donot-apt-group-delivers-a-spyware-variant-of-chat-app/}, language = {English}, urldate = {2022-03-16} } DoNot APT Group Delivers A Spyware Variant Of Chat App
VICEROY TIGER
2021-04-21Cybleinccybleinc
@online{cybleinc:20210421:donot:3c9e847, author = {cybleinc}, title = {{Donot Team APT Group Is Back To Using Old Malicious Patterns}}, date = {2021-04-21}, organization = {Cybleinc}, url = {https://cybleinc.com/2021/04/21/donot-team-apt-group-is-back-to-using-old-malicious-patterns/}, language = {English}, urldate = {2023-07-24} } Donot Team APT Group Is Back To Using Old Malicious Patterns
KnSpy
2020-10-30360 Core Security360
@online{360:20201030:aptc35:0c53f1a, author = {360}, title = {{肚脑虫组织( APT-C-35)疑似针对巴基斯坦军事人员的最新攻击活动}}, date = {2020-10-30}, organization = {360 Core Security}, url = {https://blogs.360.cn/post/APT-C-35_target_at_armed_forces_in_Pakistan.html}, language = {Chinese}, urldate = {2023-07-24} } 肚脑虫组织( APT-C-35)疑似针对巴基斯坦军事人员的最新攻击活动
KnSpy
2020-10-29Cisco TalosWarren Mercer, Paul Rascagnères, Vitor Ventura
@online{mercer:20201029:donots:850f31b, author = {Warren Mercer and Paul Rascagnères and Vitor Ventura}, title = {{DoNot’s Firestarter abuses Google Firebase Cloud Messaging to spread}}, date = {2020-10-29}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2020/10/donot-firestarter.html}, language = {English}, urldate = {2023-07-24} } DoNot’s Firestarter abuses Google Firebase Cloud Messaging to spread
KnSpy
2020-09-30RiskIQJon Gross
@online{gross:20200930:diving:8e26441, author = {Jon Gross}, title = {{Diving Into DONOT's Mobile Rabbit Hole}}, date = {2020-09-30}, organization = {RiskIQ}, url = {https://community.riskiq.com/article/6f60db72}, language = {English}, urldate = {2023-07-24} } Diving Into DONOT's Mobile Rabbit Hole
KnSpy
2020-06-03Palo Alto Networks Unit 42Doel Santos, Alex Hinchliffe
@online{santos:20200603:threat:37e881b, author = {Doel Santos and Alex Hinchliffe}, title = {{Threat Assessment: Hangover Threat Group}}, date = {2020-06-03}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/threat-assessment-hangover-threat-group/}, language = {English}, urldate = {2022-03-16} } Threat Assessment: Hangover Threat Group
BackConfig VICEROY TIGER
2020-06-01Twitter (@voodoodahl1)Matt Dahl
@online{dahl:20200601:malware:aa6f2ab, author = {Matt Dahl}, title = {{Tweet on malware called knspy used by Donot}}, date = {2020-06-01}, organization = {Twitter (@voodoodahl1)}, url = {https://twitter.com/voodoodahl1/status/1267571622732578816}, language = {English}, urldate = {2023-07-24} } Tweet on malware called knspy used by Donot
KnSpy
2020-05-11Palo Alto Networks Unit 42Alex Hinchliffe, Robert Falcone
@online{hinchliffe:20200511:updated:02c3515, author = {Alex Hinchliffe and Robert Falcone}, title = {{Updated BackConfig Malware Targeting Government and Military Organizations in South Asia}}, date = {2020-05-11}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/updated-backconfig-malware-targeting-government-and-military-organizations/}, language = {English}, urldate = {2022-03-16} } Updated BackConfig Malware Targeting Government and Military Organizations in South Asia
VICEROY TIGER
2020-04-08TencentTencent
@online{tencent:20200408:donot:58c3513, author = {Tencent}, title = {{Donot team organization (APT-C-35) mobile terminal attack activity analysis}}, date = {2020-04-08}, organization = {Tencent}, url = {https://s.tencent.com/research/report/951.html}, language = {Chinese}, urldate = {2023-07-24} } Donot team organization (APT-C-35) mobile terminal attack activity analysis
KnSpy
2020-03-04CrowdStrikeCrowdStrike
@techreport{crowdstrike:20200304:2020:818c85f, author = {CrowdStrike}, title = {{2020 CrowdStrike Global Threat Report}}, date = {2020-03-04}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf}, language = {English}, urldate = {2020-07-24} } 2020 CrowdStrike Global Threat Report
MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelDridex DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot Vidar Winnti ANTHROPOID SPIDER APT23 APT31 APT39 APT40 BlackTech BuhTrap Charming Kitten CLOCKWORK SPIDER DOPPEL SPIDER FIN7 Gamaredon Group GOBLIN PANDA MONTY SPIDER MUSTANG PANDA NARWHAL SPIDER NOCTURNAL SPIDER PINCHY SPIDER SALTY SPIDER SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER VICEROY TIGER
2020SecureworksSecureWorks
@online{secureworks:2020:zinc:13667ec, author = {SecureWorks}, title = {{ZINC EMERSON}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/zinc-emerson}, language = {English}, urldate = {2020-05-23} } ZINC EMERSON
yty QUILTED TIGER
2019-11-15Positive TechnologiesPositive Technologies
@online{technologies:20191115:studying:b64a9fd, author = {Positive Technologies}, title = {{Studying Donot Team}}, date = {2019-11-15}, organization = {Positive Technologies}, url = {http://blog.ptsecurity.com/2019/11/studying-donot-team.html}, language = {English}, urldate = {2020-01-05} } Studying Donot Team
yty
2019-08-02NSHCThreatRecon Team
@online{team:20190802:sectore02:c2237b1, author = {ThreatRecon Team}, title = {{SectorE02 Updates YTY Framework in New Targeted Campaign Against Pakistan Government}}, date = {2019-08-02}, organization = {NSHC}, url = {https://threatrecon.nshc.net/2019/08/02/sectore02-updates-yty-framework-in-new-targeted-campaign-against-pakistan-government/}, language = {English}, urldate = {2020-01-08} } SectorE02 Updates YTY Framework in New Targeted Campaign Against Pakistan Government
yty
2019CrowdStrikeCrowdStrike
@online{crowdstrike:2019:viceroy:c209ad4, author = {CrowdStrike}, title = {{Viceroy Tiger}}, date = {2019}, organization = {CrowdStrike}, url = {https://adversary.crowdstrike.com/en-US/adversary/viceroy-tiger}, language = {English}, urldate = {2022-03-16} } Viceroy Tiger
VICEROY TIGER
2018-12-12360 Threat IntelligenceQi Anxin Threat Intelligence Center
@online{center:20181212:donot:32e8fb0, author = {Qi Anxin Threat Intelligence Center}, title = {{Donot (APT-C-35) Group Is Targeting Pakistani Businessman Working In China}}, date = {2018-12-12}, organization = {360 Threat Intelligence}, url = {https://ti.360.net/blog/articles/donot-group-is-targeting-pakistani-businessman-working-in-china-en/}, language = {English}, urldate = {2020-01-13} } Donot (APT-C-35) Group Is Targeting Pakistani Businessman Working In China
VICEROY TIGER
2018-07-26奇安信威胁情报中心 | 事件追踪
@online{:20180726:analysis:66722b6, author = {奇安信威胁情报中心 | 事件追踪}, title = {{Analysis of the latest attack activities of APT-C-35}}, date = {2018-07-26}, url = {https://ti.360.net/blog/articles/latest-activity-of-apt-c-35/}, language = {Chinese}, urldate = {2020-01-08} } Analysis of the latest attack activities of APT-C-35
yty VICEROY TIGER
2018-03-08NetScoutDennis Schwarz, Jill Sopko, Richard Hummel, Hardik Modi
@online{schwarz:20180308:donot:39171ec, author = {Dennis Schwarz and Jill Sopko and Richard Hummel and Hardik Modi}, title = {{Donot Team Leverages New Modular Malware Framework in South Asia}}, date = {2018-03-08}, organization = {NetScout}, url = {https://www.netscout.com/blog/asert/donot-team-leverages-new-modular-malware-framework-south-asia}, language = {English}, urldate = {2019-10-16} } Donot Team Leverages New Modular Malware Framework in South Asia
VICEROY TIGER
2018-03-08NetScoutASERT Team
@online{team:20180308:donot:6f0c645, author = {ASERT Team}, title = {{Donot Team Leverages New Modular Malware Framework in South Asia}}, date = {2018-03-08}, organization = {NetScout}, url = {https://www.arbornetworks.com/blog/asert/donot-team-leverages-new-modular-malware-framework-south-asia/}, language = {English}, urldate = {2020-01-09} } Donot Team Leverages New Modular Malware Framework in South Asia
yty
2013-11-06CrowdStrikeAdam Meyers
@online{meyers:20131106:viceroy:9e41682, author = {Adam Meyers}, title = {{VICEROY TIGER Delivers New Zero-Day Exploit}}, date = {2013-11-06}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/viceroy-tiger-delivers-new-zero-day-exploit/index.html}, language = {English}, urldate = {2022-03-16} } VICEROY TIGER Delivers New Zero-Day Exploit
VICEROY TIGER
2013-11-05F-SecureSnorre Fagerland
@techreport{fagerland:20131105:operation:20a8699, author = {Snorre Fagerland}, title = {{Operation Hangover: Unveiling an Indian Cyberattack Infrastructure}}, date = {2013-11-05}, institution = {F-Secure}, url = {https://github.com/jack8daniels2/threat-INTel/blob/master/2013/Unveiling-an-Indian-Cyberattack-Infrastructure-appendixes.pdf}, language = {English}, urldate = {2023-10-05} } Operation Hangover: Unveiling an Indian Cyberattack Infrastructure
VICEROY TIGER

Credits: MISP Project