Is the DoNot Team Using Android Malware for Intelligence Collection?

In the ever-evolving landscape of cybersecurity, the DoNot Team, an Indian-origin hacking group also referred to as APT-C-35, Origami Elephant, SECTOR02, and Viceroy Tiger, has emerged as a significant threat with their sophisticated methods of cyber attacks. This group, known for its persistent and targeted attacks, has recently been linked to a newly discovered Android malware called Tanzeem and Tanzeem Update. Identified by the cybersecurity firm Cyfirma in late 2024, these malware variants disguise themselves as chat applications but shut down shortly after installation, after obtaining the required permissions, signifying their role in intelligence collection. This deceptive tactic is emblematic of the DoNot Team’s commitment to continuous adaptation and persistence in their cyber threats.

The Evolution of DoNot Team’s Tactics

The DoNot Team has a documented history of employing spear-phishing emails and Android malware to exfiltrate sensitive data from specific targets. The group’s tactics have evolved over the years, becoming increasingly sophisticated. In 2023, they were noted for deploying a .NET-based backdoor, dubbed Firebird, that specifically targeted individuals in regions such as Pakistan and Afghanistan. Firebird’s ability to infiltrate systems and gather intelligence underscored the group’s evolving capabilities and strategic focus. The latest malware, Tanzeem and its update, continue this trend of targeted attacks aimed at harvesting crucial information. Though the specific victims of these new malware variants have not been disclosed, it is presumed that the DoNot Team’s targets are individuals of particular interest for internal intelligence purposes.

The Mechanics Behind Tanzeem Malware

At the core of this new threat is the functionality of the malicious Tanzeem app, which exploits OneSignal, a customer engagement platform. It is speculated that OneSignal is used to send phishing links that facilitate the malware download process. Upon installation, the app masquerades as a legitimate chat application, displaying a fake chat screen. It then prompts users to initiate a chat, subsequently requesting access to various device permissions. These permissions enable the malware to amass extensive amounts of data, including call logs, contacts, messages, location information, account details, and files. Additionally, the malware is capable of performing screen recordings and establishing a connection to a command-and-control server. This extensive access allows the DoNot Team to maintain a persistent presence on the targeted devices, continuously gathering valuable intelligence.

The Implications and Need for Vigilance

The innovative approach of using push notifications in the Tanzeem malware represents a significant escalation in the DoNot Team’s methods for ensuring persistence and successful data exfiltration. The use of push notifications as a technique to entice users into installing further malware exemplifies the group’s resourcefulness and adaptability. This evolution in their tactics underscores the necessity for heightened vigilance and robust cybersecurity measures. As cyber threats grow more advanced, individuals and organizations must be increasingly proactive in safeguarding their systems against such sophisticated attacks. The findings from Cyfirma’s investigation into the Tanzeem malware highlight the ongoing commitment of the DoNot Team to infiltrate and exploit targeted systems, reinforcing the importance of maintaining rigorous cybersecurity defenses.

Explore more

VodafoneThree Drives 5G Innovation With Network Automation

The rapid expansion of 5G Standalone infrastructure across the United Kingdom has necessitated a fundamental shift in how telecommunications giants manage the increasing complexity of modern cellular traffic. As VodafoneThree consolidates its dominant market position throughout 2026, the implementation of sophisticated network automation tools has transitioned from a competitive advantage to an absolute operational necessity. By moving away from legacy

Vulnerable Microsoft-Signed Shims Allow Secure Boot Bypass

The fundamental promise of UEFI Secure Boot relies on a chain of trust that ensures only verified, cryptographically signed code executes during the critical early stages of a computer’s power-on sequence. When this chain is compromised, the entire security foundation of a modern computing environment is placed at significant risk. Recent discoveries have highlighted vulnerabilities within several versions of the

How Do You Move Your GP General Ledger to Business Central?

The familiar rhythm of month-end procedures in Microsoft Dynamics GP has provided a reliable sanctuary for finance departments for decades, but that comfort is rapidly vanishing as the cloud transition becomes mandatory. For years, the legacy platform served as a fortress of stability, anchoring the financial operations of thousands of organizations through economic shifts and regulatory changes. However, the landscape

How Does Copilot Drive Real ROI in Dynamics 365?

Beyond the Hype: The Evolution of Copilot into a Standard Business Engine Modern business leaders are no longer asking if artificial intelligence works but are instead demanding granular proof that these sophisticated algorithms can actually generate a measurable impact on the quarterly balance sheet. Microsoft Copilot has transitioned rapidly from an experimental AI curiosity to a foundational element of the

Microsoft Business Central 2026 Wave 1 Boosts ERP Efficiency

As the enterprise landscape evolves, the upcoming Microsoft Business Central 2026 Release Wave 1 marks a significant shift toward deeper automation and more fluid system integrations. Dominic Jainy, an IT expert with a sharp focus on how emerging technologies like machine learning and blockchain intersect with business logic, provides a comprehensive look at these upcoming changes. This discussion explores the