Donot Team targets a Togo prominent activist with Indian-made spyware

Pierluigi Paganini October 11, 2021

Donot Team targeted a Togolese human rights advocate with mobile spyware that was allegedly developed by an Indian firm.

Researchers from Amnesty International have uncovered a cyberespionage campaign tracked as ‘Donot Team’ (aka APT-C-35), which was orchestrated by threat actors in India and Pakistan. Experts believe the attackers used spyware developed by an Indian company called Innefu Labs.

Amnesty highlighted the risks for activists in Togo of being victims of operations conducted by cyber-mercenaries.

According to a new report released by the organization, the Donot Team APT group employed Android applications posing as a secure chat application, as well as malicious emails, in attacks aimed at a prominent Togolese human rights defender. In the past, the Donot Team spyware was found in attacks outside of South Asia. The investigation also discovered links between the spyware and infrastructure used in these attacks, and Innefu Labs, a cybersecurity company based in India.

The attacks on the Togolese activists started in December 2019 and lasted two months.

“The Togolese activist, who wishes to remain anonymous for security reasons, has a history of working with civil society organizations and is an essential voice for human rights in the country. Their devices were targeted between December 2019 and January 2020, during a tense political climate ahead of the 2020 Togolese presidential election.” reads the post published by Amnesty. “The persistent attacks over WhatsApp and email tried to trick the victim into installing a malicious application that masqueraded as a secure chat application. The application was in fact a piece of custom Android spyware designed to extract some of the most sensitive and personal information stored on the activist’s phone.”


Threat actors used WhatsApp messages to spread the malware; the account was associated with an Indian phone number registered in the state of Jammu and Kashmir. Once installed, the spyware would allow attackers to take over the device, control the camera and microphone, access sensitive information stored on the device (i.e. photos, files), and spy on WhatsApp communications.

Threat actors also used email messages as an attack vector. The malicious messages were sent from a Gmail account (jimajemi096[@]gmail.com, with the Togolese name “atwoki logo”) and used a weaponized Word document that triggers the CVE-2017-0199 RCE flaw.

In this second attack chain, the first-stage spyware would eventually load Donot Team’s full Windows spying framework, dubbed YTY. The YTY framework gives the attacker complete access to the target system and any connected USB drives; the malicious code also records keystrokes, takes regular screenshots of the computer, and downloads additional spyware components.

The investigation conducted by Amnesty’s researchers revealed that one of the domains employed in the operation (“server.authshieldserver.com”) that pointed to an IP address (122.160.158[.]3) was used by the India-based company named Innefu Labs.

The company denied any involvement in the surveillance campaign attributed to the Donot Team APT.

The surveillance market is very profitable and the report highlights that it is attracting many private businesses, especially those rated in different jurisdictions.

“The worrying trend of private companies actively performing unlawful digital surveillance increases the scope for abuse while reducing avenues for domestic legal redress, regulation, and judicial control,” concludes Amnesty. “The nature of cross-border commercial cyber surveillance where the surveillance targets, the operators, the end customer, and the attack infrastructure can all be located in different jurisdictions creates significant impediments to achieving remediation and redress for human rights abuses.”

Update as of 06/02/25
Cybersecurity company Innefu Labs contacted Security Affairs to issue a clarification regarding the alleged link with the Donot Team:

“Innefu Labs has no business affiliation with the Donot Team and has not engaged in any activities related to the sale or distribution of spyware to them.”
