An Indicator From Twitter Brings The Donot Android Espionage Group Back Into Focus

The Donot APT group (APT-C-35) is an espionage group that focuses its attacks on government agencies in Pakistan and other South Asian countries. One of its hallmarks has been the use of customized malicious Android APKs to spy on targets of interest and steal sensitive information. Not much has been published about the group recently, but a recent investigation by RiskIQ has uncovered large swaths of its existing and past mobile C2 infrastructure. These attackers are constantly redeveloping and redeploying tools even when their activity levels appear to taper off.

Donot has kept mostly quiet for the past year, with hardly any new open-source intelligence on the group published by the security community. However, on May 31 and then again on June 1, two new malware samples linked to the group surfaced on Twitter. These samples were all RiskIQ needed to leverage our Internet Intelligence Graph to build an update on this well-known APT's most recent activity and malware distribution framework.

Article Link: https://www.riskiq.com/blog/external-threat-management/donot-mobile-malware-espionage/