DONOT

Search IOCs, vulnerabilities, APT…

216.73.216.226

← Back to intrusion sets

· Published 20/12/2025 23:42 · Modified 21/12/2025 08:26 · Source: AlienVault

Essential information

Confidence: 100/100
Published: 20/12/2025 23:42
Modified: 21/12/2025 08:26
Updated at: 21/12/2025 08:26
Revoked: No
Author / Source: AlienVault
Resource level: —
Primary motivation: —
Related entities: 2 reports, 26 attack patterns (mitre), 2 malware, 4 sectors, 5 countries, 56 indicators, 5 vulnerabilities (cve)

Description

No description.

Marking (TLP)

TLP:CLEAR

Related entities

Attack patterns, malware, vulnerabilities, indicators and other entities linked to this intrusion set.

Reports (2)

ANDROID MALWARE IN DONOT APT OPERATIONS

1 Malware 6 Observables 1 APT
Attack On Maritime & Defense Manufacturing

10 MITREs 1 APT

Attack patterns (MITRE) (26)

Obfuscated Files or Information uses

T1406 MITRE
T1562 uses

Impair Defenses MITRE
T1574 uses

Hijack Execution Flow MITRE
T1055 uses

Process Injection MITRE
T1546 uses

Event Triggered Execution MITRE
T1204.002 uses

Malicious File MITRE
T1027 uses

Obfuscated Files or Information MITRE
T1059 uses

Command and Scripting Interpreter MITRE
T1059.001 uses

PowerShell MITRE
T1071.001 uses

Web Protocols MITRE
T1070 uses

Indicator Removal MITRE
T1137 uses

Office Application Startup MITRE

← Previous

Page / 3

1–12 of 26

Donot uses
Tanzeem uses

Family

Sectors (4)

Government targets
Defense ministries (including the military) targets
Manufacturing targets
Defense targets

Countries (5)

China targets
Pakistan targets
British Indian Ocean Territory targets
Sri Lanka targets
India targets

Indicators (56)

salcomp.buzz indicates
48d5dcbc16d7c1712328ad7c397e564e62b4ec0794a21073c64e1d07c5518bbe indicates
a7893c54edaecaa0e56010576a8249ad9149456f5d379868a0ecaa4c5c33fa70 indicates
d17f86c4d6fdfda38d50ecfac53cda41457488a34b5909b5e08aa76ca0901321 indicates
8689d59aac223219e0fdb7886be289a9536817eb6711089b5dd099a1e580f8e4 indicates
mayosasa.buzz indicates
records.libutires.info indicates
grapehister.buzz indicates
84ff3cc715c4e408ddd71f15319a3034d70b7dd7c317e516ab2561618a42f609 indicates
8d4bd6c0c79aaa392f80e58b2b5448abf3d890f23cdeea024ee30fd0d840fa1e indicates
bloggerboy.buzz indicates
goldliney.buzz indicates

← Previous

Page / 5

37–48 of 56

Vulnerabilities (CVE) (5)

CVE-2023-46805 KEV targets

8.2 High

Ivanti Connect Secure (ICS, formerly known as Pulse Connect Secure) and Ivanti Policy Secure gateways contain an authentication bypass vulnerability in the …

Attack vector: Network
Published: 10/01/2024
Modified: 27/05/2026

CVE-2017-11882 KEV targets

7.8 High

Microsoft Office contains a memory corruption vulnerability that allows remote code execution in the context of the current user.

Attack vector: Local
Complexity: Low
Published: 15/11/2017
Modified: 29/05/2026

CWE-119

CVE-2021-44228 KEV targets

10.0 Critical

Apache Log4j2 contains a vulnerability where JNDI features do not protect against attacker-controlled JNDI-related endpoints, allowing for remote code execution.

Attack vector: Network
Published: 10/12/2021
Modified: 27/05/2026

CVE-2024-21887 KEV targets

9.1 Critical

Ivanti Connect Secure (ICS, formerly known as Pulse Connect Secure) and Ivanti Policy Secure contain a command injection vulnerability in the web …

Attack vector: Network
Published: 10/01/2024
Modified: 27/05/2026

CVE-2024-21893 KEV targets