DONOT

Search IOCs, vulnerabilities, APT…

216.73.216.6

← Back to intrusion sets

· Published 20/12/2025 23:42 · Modified 21/12/2025 08:26 · Source: AlienVault

Essential information

Confidence: 100/100
Published: 20/12/2025 23:42
Modified: 21/12/2025 08:26
Updated at: 21/12/2025 08:26
Revoked: No
Author / Source: AlienVault
Resource level: —
Primary motivation: —
Related entities: 2 reports, 26 attack patterns (mitre), 2 malware, 4 sectors, 5 countries, 56 indicators, 5 vulnerabilities (cve)

Description

No description.

Marking (TLP)

TLP:CLEAR

Related entities

Attack patterns, malware, vulnerabilities, indicators and other entities linked to this intrusion set.

Reports (2)

ANDROID MALWARE IN DONOT APT OPERATIONS

1 Malware 6 Observables 1 APT
Attack On Maritime & Defense Manufacturing

10 MITREs 1 APT

Attack patterns (MITRE) (26)

Obfuscated Files or Information uses

T1406 MITRE
T1562 uses

Impair Defenses MITRE
T1574 uses

Hijack Execution Flow MITRE
T1055 uses

Process Injection MITRE
T1546 uses

Event Triggered Execution MITRE
T1204.002 uses

Malicious File MITRE
T1027 uses

Obfuscated Files or Information MITRE
T1059 uses

Command and Scripting Interpreter MITRE
T1059.001 uses

PowerShell MITRE
T1071.001 uses

Web Protocols MITRE
T1070 uses

Indicator Removal MITRE
T1137 uses

Office Application Startup MITRE

← Previous

Page / 3

1–12 of 26

Donot uses
Tanzeem uses

Family

Sectors (4)

Government targets
Defense ministries (including the military) targets
Manufacturing targets
Defense targets

Countries (5)

China targets
Pakistan targets
British Indian Ocean Territory targets
Sri Lanka targets
India targets

Indicators (56)

forum.winidowtech.info indicates
crezdlack.buzz indicates
83fe4fb0c944aa210ab2af579155ccee4612c6ca09117babbf1f50fadaed2467 indicates
b5d8736bec449e3463ad6f0460782453ed69bb81a1b4a78847815b4fb64bfe94 indicates
a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91 indicates

stix 100/100 Revoked

Trojan:Win32/CoinMiner.AQ

· Valid until 28/09/2025 · Source: AlienVault
c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0 indicates

stix 100/100 Revoked

sandboxdetect_misc

· Valid until 28/09/2025 · Source: AlienVault
repidyard.buzz indicates
one.localsurfer.buzz indicates
appnsure.com indicates
https://internalfileserver.online:443/ indicates
cffe7eb01000de809b79a711702eaf3773f2e6167ce440f33f30bcd6fabcace3 indicates
saturn789454.appspot.com indicates

← Previous

Page / 5

13–24 of 56

Vulnerabilities (CVE) (5)

CVE-2023-46805 KEV targets

8.2 High

Ivanti Connect Secure (ICS, formerly known as Pulse Connect Secure) and Ivanti Policy Secure gateways contain an authentication bypass vulnerability in the …

Attack vector: Network
Published: 10/01/2024
Modified: 27/05/2026

CVE-2017-11882 KEV targets

7.8 High

Microsoft Office contains a memory corruption vulnerability that allows remote code execution in the context of the current user.

Attack vector: Local
Complexity: Low
Published: 15/11/2017
Modified: 29/05/2026

CWE-119

CVE-2021-44228 KEV targets

10.0 Critical

Apache Log4j2 contains a vulnerability where JNDI features do not protect against attacker-controlled JNDI-related endpoints, allowing for remote code execution.

Attack vector: Network
Published: 10/12/2021
Modified: 27/05/2026

CVE-2024-21887 KEV targets

9.1 Critical

Ivanti Connect Secure (ICS, formerly known as Pulse Connect Secure) and Ivanti Policy Secure contain a command injection vulnerability in the web …

Attack vector: Network
Published: 10/01/2024
Modified: 27/05/2026

CVE-2024-21893 KEV targets