DoNot Team’s New Firebird Backdoor Hits Pakistan and Afghanistan

Oct 23, 2023NewsroomCyber ​​Espionage / Malware

Don't Team

The threat actor known as the DoNot Team has been linked to the use of a novel .NET-based backdoor called Firebird targeted some victims in Pakistan and Afghanistan.

Cybersecurity company Kaspersky, which revealed the findings in its APT trends report Q3 2023, said that the attack chains were also configured to deliver a downloader named CSVtyrei, named for in its likeness to Vtyrei.

“Some codes within the examples appear to be unavailable, indicating ongoing development efforts,” the Russian company SAYS.

Vtyrei (aka BREEZESUGAR) refers to an early stage payload and downloader strain previously used by the adversary to deliver a malware framework known as RTY.

The DoNot Team, also known by the names APT-C-35, Origami Elephant, and SECTOR02, is suspected to be of Indian origin, with its attacks using spear-phishing emails and rogue applications in Android to spread malware.


The latest assessment from Kaspersky established a analysis in two consecutive threat actor attacks in April 2023 to deploy Agent K11 and RTY frameworks.

The disclosure also follows Zscaler ThreatLabz’s disclosure of new malicious activity by Pakistan-based Transparent Tribe (aka APT36) actors targeting the Indian government sector using an updated malware arsenal that includes a previously undocumented Windows trojan called ElizaRAT.

“ElizaRAT is delivered as a .NET binary and establishes a C2 communication channel via Telegram, allowing threat actors to fully control the targeted endpoint,” security researcher Sudeep Singh said. THE audience Last month.

Active since 2013, Transparent Tribe has used credential harvesting and malware distribution attacks, often distributing trojanized installers of Indian government applications such as Kavach multi-factor authentication and weaponizing open-source command-and-control (C2) frameworks such as Mythic.

In a sign that hacking crews are also targeting Linux systems, Zscaler says it has identified a small set of desktop entry files that pave the way for killing binaries. Python-based ELF, including GLOBSHELL for file exfiltration and PYSHELLFOX for theft. session data from the Mozilla Firefox browser.

“Linux-based operating systems are widely used in the Indian government sector,” Singh said, adding that the targeting of the Linux environment was also likely inspired by India’s decision to replace Microsoft’s Windows OS with Maya OSan operating system based on Debian Linux, in the government and defense sectors.


Joining the DoNot Team and Transparent Tribe is another nation-state actor from the Asia-Pacific region focusing on Pakistan.

Codenamed Mysterious Elephant (aka APT-K-47), the hacking group is accused of a spear-phishing campaign that drops a novel backdoor called ORPCBackdoor that is able to execute files and commands on the victim’s computer, and receive files or commands from a malicious server.

According to Knownsec 404 TeamAPT-K-47 shares tooling and target overlap with other actors such as SideWinder, Patchwork, Confucius, and Bitter, most of which have been assessed as compatible with India.

Did you find this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

Leave a comment