
Donot Team targets a Togo prominent activist with Indian-made spyware

Donot Team targeted a Togolese human rights advocate with a mobile spyware that has been allegedly developed by an Indian firm.

Researchers from Amnesty International have uncovered a cyberespionage campaign tracked as ‘Donot Team’ (aka APT-C-35), which was orchestrated by threat actors in India and Pakistan. Experts believe the attackers used a spyware developed by an Indian company called Innefu Labs.

Amnesty highlighted the risks for activists in Togo of being victims of operations conducted by cyber-mercenaries.

According to a new report released by the organization, the Donot Team APT group employed Android applications posing as a secure chat application, together with malicious emails, in attacks aimed at a prominent Togolese human rights defender. In the past, the Donot Team spyware was found in attacks outside of South Asia. The investigation also discovered links between the spyware and the infrastructure used in these attacks and Innefu Labs, a cybersecurity company based in India.

The attacks on the Togolese activist started in December 2019 and lasted two months.

“The Togolese activist, who wishes to remain anonymous for security reasons, has a history of working with civil society organizations and is an essential voice for human rights in the country. Their devices were targeted between December 2019 and January 2020, during a tense political climate ahead of the 2020 Togolese presidential election,” reads the post published by Amnesty. “The persistent attacks over WhatsApp and email tried to trick the victim into installing a malicious application that masqueraded as a secure chat application. The application was in fact a piece of custom Android spyware designed to extract some of the most sensitive and personal information stored on the activist’s phone.”

Threat actors used WhatsApp messages to spread the malware; the sending account was associated with an Indian phone number registered in the state of Jammu and Kashmir. Once installed, the spyware would allow attackers to take over the device: controlling the camera and microphone, accessing sensitive information stored on the device (i.e. photos, files), and spying on WhatsApp communications.

Threat actors also used email messages as an attack vector. The malicious messages were sent from a Gmail account (jimajemi096[@]gmail.com, using the Togolese name “atwoki logo”) and carried a weaponized Word document that triggers the CVE-2017-0199 RCE flaw.

In this second attack chain, the first-stage spyware would eventually load Donot Team’s full Windows spying framework, dubbed YTY. The YTY framework gives the attacker complete access to the target system and any connected USB drives; the malicious code also records keystrokes, takes regular screenshots of the computer, and downloads additional spyware components.

The investigation conducted by Amnesty’s researchers revealed that one of the domains employed in the operation (“server.authshieldserver.com”) pointed to an IP address (122.160.158[.]3) that was used by the India-based company Innefu Labs.

The company denied any involvement in the surveillance campaign attributed to the Donot Team APT.

The surveillance market is very profitable, and the report highlights that it is attracting many private businesses, especially those located in different jurisdictions.

“The worrying trend of private companies actively performing unlawful digital surveillance increases the scope for abuse while reducing avenues for domestic legal redress, regulation, and judicial control,” concludes Amnesty. “The nature of cross-border commercial cyber surveillance where the surveillance targets, the operators, the end customer, and the attack infrastructure can all be located in different jurisdictions creates significant impediments to achieving remediation and redress for human rights abuses.”

Update as of 06/02/25
Cybersecurity company Innefu Labs contacted Security Affairs to issue a clarification regarding the alleged link with the Donot Team:

“Innefu Labs has no business affiliation with the Donot Team and has not engaged in any activities related to the sale or distribution of spyware to them.”


Pierluigi Paganini

(SecurityAffairs – hacking, Donot Team APT)


Pierluigi Paganini is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and of the Cyber G7 Group; he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years' experience in the field and is a Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for the US. Pierluigi is a member of the "The Hacker News" team and writes for major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and many other security magazines. He is the author of the books "The Deep Dark Web" and "Digital Virtual Currency and Bitcoin".
