DONOT

Search IOCs, vulnerabilities, APT…

216.73.217.22

← Back to intrusion sets

· Published 20/12/2025 23:42 · Modified 21/12/2025 08:26 · Source: AlienVault

Essential information

Confidence: 100/100
Published: 20/12/2025 23:42
Modified: 21/12/2025 08:26
Updated at: 21/12/2025 08:26
Revoked: No
Author / Source: AlienVault
Resource level: —
Primary motivation: —
Related entities: 2 reports, 26 attack patterns (mitre), 2 malware, 4 sectors, 5 countries, 56 indicators, 5 vulnerabilities (cve)

Description

No description.

Marking (TLP)

TLP:CLEAR

Related entities

Attack patterns, malware, vulnerabilities, indicators and other entities linked to this intrusion set.

Reports (2)

ANDROID MALWARE IN DONOT APT OPERATIONS

1 Malware 6 Observables 1 APT
Attack On Maritime & Defense Manufacturing

10 MITREs 1 APT

Attack patterns (MITRE) (26)

Obfuscated Files or Information uses

T1406 MITRE
T1562 uses

Impair Defenses MITRE
T1574 uses

Hijack Execution Flow MITRE
T1055 uses

Process Injection MITRE
T1546 uses

Event Triggered Execution MITRE
T1204.002 uses

Malicious File MITRE
T1027 uses

Obfuscated Files or Information MITRE
T1059 uses

Command and Scripting Interpreter MITRE
T1059.001 uses

PowerShell MITRE
T1071.001 uses

Web Protocols MITRE
T1070 uses

Indicator Removal MITRE
T1137 uses

Office Application Startup MITRE

← Previous

Page / 3

1–12 of 26

Donot uses
Tanzeem uses

Family

Sectors (4)

Government targets
Defense ministries (including the military) targets
Manufacturing targets
Defense targets

Countries (5)

China targets
Pakistan targets
British Indian Ocean Territory targets
Sri Lanka targets
India targets

Indicators (56)

toolgpt.buzz indicates
3113cf51bf37ef8ac7cc750bc06fd542e294ea31e8a333de9e728d8d4d997290 indicates
briefdeal.buzz indicates
crushter.info indicates
d512664df24b5f8a2b1211d240e3e767f5dd06809bb67afa367cdc06e2366aec indicates
6863edff3663f155dd208b967e18666d87b21708fd7d947fd142ffa969283157 indicates
e3cb6720510d0b4df4104fbe36ca7e01cab6915cc546f630d715c847f0fdfea2 indicates
7f9f76732cd786aa03558ef4a14eb033990b59a226653d578db30e4975541314 indicates
468df06adb851ed1e59363ca163d279089928b4d200bf7bd333eeb45b07a83b1 indicates
0e2263d4f239a5c39960ffa6b6b688faa7fc3075e130fe0d4599d5b95ef20647 indicates

stix 100/100 Revoked

Trojan.Agent-134041 SHA256 of bbcf7a68f4164a9f5f5cb2d9f30d9790

· Valid until 28/09/2025 · Source: AlienVault
monitoriing.buzz indicates
m.seasurfer.buzz indicates

← Previous

Page / 5

1–12 of 56

Vulnerabilities (CVE) (5)

CVE-2023-46805 KEV targets

8.2 High

Ivanti Connect Secure (ICS, formerly known as Pulse Connect Secure) and Ivanti Policy Secure gateways contain an authentication bypass vulnerability in the …

Attack vector: Network
Published: 10/01/2024
Modified: 27/05/2026

CVE-2017-11882 KEV targets

7.8 High

Microsoft Office contains a memory corruption vulnerability that allows remote code execution in the context of the current user.

Attack vector: Local
Complexity: Low
Published: 15/11/2017
Modified: 29/05/2026

CWE-119

CVE-2021-44228 KEV targets

10.0 Critical

Apache Log4j2 contains a vulnerability where JNDI features do not protect against attacker-controlled JNDI-related endpoints, allowing for remote code execution.

Attack vector: Network
Published: 10/12/2021
Modified: 27/05/2026

CVE-2024-21887 KEV targets

9.1 Critical

Ivanti Connect Secure (ICS, formerly known as Pulse Connect Secure) and Ivanti Policy Secure contain a command injection vulnerability in the web …

Attack vector: Network
Published: 10/01/2024
Modified: 27/05/2026

CVE-2024-21893 KEV targets