CybersecurityNewswire

Indian Hackers Target Italian Government in Cyber Espionage

Summary

– The DoNot APT group targeted the Italian Ministry of Foreign Affairs in a cyber espionage campaign, impersonating European defense officials to lure victims via a malicious Google Drive link.
– Researchers noted this attack marks an expansion of DoNot APT’s focus from South Asia to European diplomatic communications and intelligence.
– DoNot APT, active since 2016, is known for cyber espionage in South Asia, using custom malware like YTY and GEdit delivered through spear-phishing.
– The attack involved a spear-phishing email with a Google Drive link leading to a malicious RAR archive, deploying malware to establish persistence and exfiltrate data.
– The payload was linked to LoptikMod malware, exclusively used by DoNot APT, showcasing a sophisticated multi-stage attack to evade detection and maintain long-term access.

A sophisticated cyber espionage operation has targeted Italian diplomatic networks, with evidence pointing to an advanced hacking group linked to India. Security researchers uncovered a multi-phase attack campaign against the Italian Ministry of Foreign Affairs, marking a notable shift in the threat actors’ geographic focus beyond their usual South Asian targets.

The attackers posed as European defense officials, crafting deceptive emails referencing a diplomatic visit to Bangladesh. These messages contained a malicious Google Drive link disguised as legitimate correspondence. When opened, the link delivered a harmful RAR archive designed to infiltrate systems and steal sensitive data. Experts note this represents a strategic expansion of the group’s operations into European government networks.

Known by various aliases including APT-C-35 and Origami Elephant, this hacking collective has operated since at least 2016, specializing in cyber espionage with strong ties to South Asian geopolitical interests. Their toolkit includes custom-built malware like YTY and GEdit, often deployed through carefully crafted phishing emails.

In this latest attack, the hackers used a Gmail account to impersonate official diplomatic communications. The email’s subject line, “Italian Defence Attaché Visit to Dhaka, Bangladesh”, suggested authentic defense-related discussions, increasing the likelihood of targets engaging with the malicious content. The attached Google Drive link led to a file named SyClrLtr.rar, which executed a stealthy infection sequence.

Once activated, the malware created a scheduled task called “PerformTaskMaintain”, ensuring persistent access by connecting to the attackers’ command servers every 10 minutes. Forensic analysis identified the payload as LoptikMod, a malware variant exclusively linked to this group since 2018. The attack aimed to establish long-term surveillance within the victim’s network, enabling continuous data theft.
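The persistence step described above, a scheduled task that calls home every 10 minutes, leaves a trace that defenders can hunt for: Windows logs Security event 4698 (“A scheduled task was created”) with the full task XML in its TaskContent field. The following is an added example, not code from the article or from the researchers who analysed the campaign. It parses constructed 4698 events and flags tasks that repeat at a short interval or run a binary from a user-writable directory. The task name PerformTaskMaintain and the 10-minute interval are taken from the reporting; the action path, the benign comparison task, the host and user names, and the 15-minute threshold are assumptions made for the example.

```python
"""Flag newly created Windows scheduled tasks that look like short-interval C2 beaconing."""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import List, Optional
from xml.sax.saxutils import escape

# Tuning values are assumptions for this example, not figures from the reporting.
MAX_BEACON_INTERVAL_SECONDS = 15 * 60  # anything repeating this often deserves a look
USER_WRITABLE_PATTERNS = (r"\\appdata\\", r"\\temp\\", r"\\users\\public\\", r"\\programdata\\")

# Task Scheduler expresses repetition as an ISO 8601 duration, e.g. PT10M.
_DURATION_RE = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")


def iso_duration_seconds(text: str) -> Optional[int]:
    """Convert a duration such as PT10M or P1D into seconds; None if it does not parse."""
    m = _DURATION_RE.match(text.strip())
    if not m:
        return None
    days, hours, minutes, seconds = (int(x) if x else 0 for x in m.groups())
    return days * 86400 + hours * 3600 + minutes * 60 + seconds


@dataclass
class Finding:
    computer: str
    user: str
    task_name: str
    command: str
    interval_seconds: Optional[int]
    reasons: List[str] = field(default_factory=list)


def analyse_4698(event_xml: str) -> Optional[Finding]:
    """Return a Finding when a 4698 event's task matches at least one beaconing heuristic."""
    root = ET.fromstring(event_xml)
    if root.findtext("{*}System/{*}EventID") != "4698":
        return None

    def data(name: str) -> str:
        el = root.find(f".//{{*}}Data[@Name='{name}']")
        return el.text if el is not None and el.text else ""

    task = ET.fromstring(data("TaskContent"))  # the embedded task definition, XML-escaped in the event
    interval_el = task.find(".//{*}Repetition/{*}Interval")
    interval = iso_duration_seconds(interval_el.text) if interval_el is not None and interval_el.text else None
    command = task.findtext(".//{*}Exec/{*}Command", default="")

    reasons = []
    if interval is not None and interval <= MAX_BEACON_INTERVAL_SECONDS:
        reasons.append(f"repeats every {interval // 60} min")
    if any(re.search(p, command.lower()) for p in USER_WRITABLE_PATTERNS):
        reasons.append("action runs from a user-writable path")
    if not reasons:
        return None
    return Finding(root.findtext("{*}System/{*}Computer", default=""), data("SubjectUserName"),
                   data("TaskName"), command, interval, reasons)


def scan(events: List[str]) -> List[Finding]:
    """Run the check over a batch of exported events and keep only the hits."""
    return [f for f in (analyse_4698(e) for e in events) if f is not None]


def make_4698(computer: str, user: str, task_name: str, task_xml: str) -> str:
    """Build a minimal 4698 event for the example; a constructed sample, not a real log export."""
    return ('<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
            f"<System><EventID>4698</EventID><Computer>{computer}</Computer></System>"
            f'<EventData><Data Name="SubjectUserName">{user}</Data>'
            f'<Data Name="TaskName">{escape(task_name)}</Data>'
            f'<Data Name="TaskContent">{escape(task_xml)}</Data></EventData></Event>')


_TASK_NS = 'xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"'
# Constructed: task name and 10-minute interval per the reporting, the path is an assumption.
BEACON_TASK = (f'<Task version="1.2" {_TASK_NS}><Triggers><TimeTrigger>'
               '<Repetition><Interval>PT10M</Interval></Repetition>'
               '<StartBoundary>2025-06-01T09:00:00</StartBoundary></TimeTrigger></Triggers>'
               '<Actions><Exec><Command>C:\\Users\\mrossi\\AppData\\Local\\Temp\\updater.exe</Command>'
               '</Exec></Actions></Task>')
# Constructed benign comparison: a nightly job installed under Program Files with no repetition.
BENIGN_TASK = (f'<Task version="1.2" {_TASK_NS}><Triggers><CalendarTrigger>'
               '<StartBoundary>2025-06-01T02:00:00</StartBoundary><ScheduleByDay><DaysInterval>1'
               '</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers><Actions><Exec>'
               '<Command>C:\\Program Files\\Vendor\\backup.exe</Command></Exec></Actions></Task>')

SAMPLE_EVENTS = [
    make_4698("WS-DIPLO-07", "mrossi", "\\PerformTaskMaintain", BEACON_TASK),
    make_4698("WS-DIPLO-07", "SYSTEM", "\\Vendor\\BackupNightly", BENIGN_TASK),
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f"{hit.computer} {hit.user} {hit.task_name}: {'; '.join(hit.reasons)} -> {hit.command}")
```

In production the events would come from a SIEM or from `Get-WinEvent` exports rather than the constructed list, and the allow-listing of known vendor tasks would need to be tuned per estate; the point is that a short repetition interval combined with an action under a profile directory is a cheap, high-signal pairing for this kind of persistence.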

This incident highlights the growing sophistication of state-aligned cyber espionage groups, particularly their ability to tailor attacks to diplomatic and defense sectors. The shift toward European targets suggests evolving priorities, with attackers refining their tactics to bypass security measures while maintaining covert access to high-value networks.

(Source: InfoSecurity Magazine)
