DONOT

Search IOCs, vulnerabilities, APT…

216.73.216.36

← Back to intrusion sets

· Published 20/12/2025 23:42 · Modified 21/12/2025 08:26 · Source: AlienVault

Essential information

Confidence: 100/100
Published: 20/12/2025 23:42
Modified: 21/12/2025 08:26
Updated at: 21/12/2025 08:26
Revoked: No
Author / Source: AlienVault
Resource level: —
Primary motivation: —
Related entities: 2 reports, 26 attack patterns (mitre), 2 malware, 4 sectors, 5 countries, 56 indicators, 5 vulnerabilities (cve)

Description

No description.

Marking (TLP)

TLP:CLEAR

Related entities

Attack patterns, malware, vulnerabilities, indicators and other entities linked to this intrusion set.

Reports (2)

ANDROID MALWARE IN DONOT APT OPERATIONS

1 Malware 6 Observables 1 APT
Attack On Maritime & Defense Manufacturing

10 MITREs 1 APT

Attack patterns (MITRE) (26)

Obfuscated Files or Information uses

T1406 MITRE
T1562 uses

Impair Defenses MITRE
T1574 uses

Hijack Execution Flow MITRE
T1055 uses

Process Injection MITRE
T1546 uses

Event Triggered Execution MITRE
T1204.002 uses

Malicious File MITRE
T1027 uses

Obfuscated Files or Information MITRE
T1059 uses

Command and Scripting Interpreter MITRE
T1059.001 uses

PowerShell MITRE
T1071.001 uses

Web Protocols MITRE
T1070 uses

Indicator Removal MITRE
T1137 uses

Office Application Startup MITRE

← Previous

Page / 3

1–12 of 26

Donot uses
Tanzeem uses

Family

Sectors (4)

Government targets
Defense ministries (including the military) targets
Manufacturing targets
Defense targets

Countries (5)

China targets
Pakistan targets
British Indian Ocean Territory targets
Sri Lanka targets
India targets

Indicators (56)

eaed560a605374fe23317c1c37bbd05383ceec09ff83975b989e4c5d612fc039 indicates
856264ab9b4ebdbebd4198a8a142a336d808a4d8d913f7d0991a0510e7cbcb80 indicates
updash.info indicates
orangevisitorss.buzz indicates
https://floridacloudcyberhydratedfloridatech.online/ indicates
ikhfaavpn.com indicates
56e60b355d08abe961ea28977472ae50aca3628e96b5f9f558737b884484f070 indicates
morphylogz.buzz indicates
https://safehydratedcloudcosmoswebglobe.cc/ indicates
sky.ydnmovers.buzz indicates
9f7324518de5725a6b162954d355291fc3775c17c8d96d8f570b7ebdffabf5d3 indicates
balancelogs.buzz indicates

← Previous

Page / 5

25–36 of 56

Vulnerabilities (CVE) (5)

CVE-2023-46805 KEV targets

8.2 High

Ivanti Connect Secure (ICS, formerly known as Pulse Connect Secure) and Ivanti Policy Secure gateways contain an authentication bypass vulnerability in the …

Attack vector: Network
Published: 10/01/2024
Modified: 27/05/2026

CVE-2017-11882 KEV targets

7.8 High

Microsoft Office contains a memory corruption vulnerability that allows remote code execution in the context of the current user.

Attack vector: Local
Complexity: Low
Published: 15/11/2017
Modified: 29/05/2026

CWE-119

CVE-2021-44228 KEV targets

10.0 Critical

Apache Log4j2 contains a vulnerability where JNDI features do not protect against attacker-controlled JNDI-related endpoints, allowing for remote code execution.

Attack vector: Network
Published: 10/12/2021
Modified: 27/05/2026

CVE-2024-21887 KEV targets

9.1 Critical

Ivanti Connect Secure (ICS, formerly known as Pulse Connect Secure) and Ivanti Policy Secure contain a command injection vulnerability in the web …

Attack vector: Network
Published: 10/01/2024
Modified: 27/05/2026

CVE-2024-21893 KEV targets