Origami Elephant is an advanced persistent threat (APT) group specializing in cyber espionage, with operations traced back to at least 2016. The group is suspected to be India-linked and state-sponsored, focusing on intelligence gathering through persistent network access, surveillance, and data theft. It is known by multiple aliases, including DoNot Team, APT-C-35, SECTOR02, Mint Tempest, and Viceroy Tiger. Kaspersky first detailed the group in 2020, highlighting its use of custom Windows and Android malware against South Asian targets. By 2025, Origami Elephant has expanded geographically and technically, incorporating modular backdoors and targeting European diplomatic entities while maintaining its core focus on regional rivals.
Key Activities
Origami Elephant’s campaigns emphasize long-term access and exfiltration, often leveraging geopolitical tensions for lures. Initial infections typically occur via spear-phishing emails with malicious attachments or links, exploiting vulnerabilities like CVE-2017-11882 in Microsoft Office documents. Recent evolutions include:
• 2021 Android Campaigns: Delivery of Trojans via instant messaging (e.g., WhatsApp, Telegram) disguised as legitimate apps like VPNs or media players, targeting mobile devices for surveillance.
• 2023 Updates: Deployment of a novel .NET backdoor called Firebird, featuring a main loader and plugins protected by ConfuserEx obfuscation, with limited victims in Pakistan and Afghanistan.
• 2025 European Expansion: Multi-stage attacks on Southern European governments, including the Italian Ministry of Foreign Affairs. Attackers impersonated defense officials (e.g., referencing visits to Bangladesh) to deliver RAR archives via Google Drive links, deploying LoptikMod malware for data harvesting. This marks a shift from opportunistic hits to targeted diplomatic intelligence collection.
The group scans the internet proactively for new infrastructure clues and employs “low-and-slow” persistence to evade detection.
Targets
Primarily government, military, and diplomatic sectors in South Asia, driven by regional geopolitics:
• Core Focus: Pakistan (foreign affairs, military), Bangladesh, Nepal, Sri Lanka, Afghanistan.
• Expanded Scope (2025): European foreign ministries, including Italy and other Southern European entities, suggesting broader intelligence ambitions.
Victims include high-value individuals in national security and defense, with Android attacks hitting users in India, Pakistan, and Sri Lanka.
Tools and Tactics
Origami Elephant blends custom-developed and lesser-known malware, emphasizing obfuscation, anti-analysis (e.g., anti-VM checks, ASCII encoding), and modular designs for flexibility. Key components include:
• Downloaders/Loaders:
  • VTYREI (aka BREEZESUGAR): First-stage payload for fetching subsequent malware.
  • CSVtyrei: Variant resembling VTYREI, used in infection chains.
• Backdoors and RATs:
  • Backconfig (aka Agent K1): Core backdoor for command execution and persistence.
  • LoptikMod: Modular Windows malware (since 2018) for reconnaissance, keylogging, and exfiltration; unique to the group, with single-instance enforcement.
  • Firebird: .NET-based backdoor with plugins for enhanced functionality; low detection due to obfuscation.
  • YTY and GEdit: Custom backdoors delivered via phishing documents.
• Uploaders/Exfiltrators:
  • Simple Uploader: For data theft and C2 communication.
• TTPs (Tactics, Techniques, and Procedures):
  • Initial Access: Spear-phishing with remote template injection in documents; direct Android APK delivery via social engineering.
  • Execution/Persistence: PowerShell scripts and scheduled tasks; encoding of remote template references to bypass static detection.
  • Defense Evasion: Code similarity to other groups (e.g., code reused in Mysterious Elephant campaigns), non-functional code for testing, and DNS over HTTPS in some implants.
  • Exfiltration: Theft of documents, credentials, and mobile data; C2 via compromised hosts or cloud services.
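The Initial Access and Execution bullets above describe remote template injection with an encoded template reference. The following scanner is an added example written for this profile (it is not the group's tooling nor any vendor's product) and uses only the Python standard library. It relies on two documented facts about the format: a .docx is a ZIP package, and an attached template is declared in word/_rels/settings.xml.rels as a Relationship of type ".../attachedTemplate"; when that relationship's Target is a URL or network share, Word fetches the template at open time. The percent-decoding step is an assumption about what "encoding" of the template reference means; the sample document builder and its URLs are constructed test fixtures.

```python
"""Scan a .docx for remote template injection and report where the template points.

Added example, not from the original profile. Standard library only.
"""
import io
import sys
import zipfile
import xml.etree.ElementTree as ET
from typing import Optional
from urllib.parse import unquote, urlsplit

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE_SUFFIX = "/attachedTemplate"
NETWORK_SCHEMES = {"http", "https", "ftp"}


def _decode_target(target: str) -> str:
    """Peel a bounded number of percent-encoding layers so "h%74tps://" reads "https://".

    Assumption: percent-encoding is the evasion in use. XML numeric entities such as
    &#x68; are already resolved by the XML parser, so they need no handling here.
    """
    t = target
    for _ in range(3):
        decoded = unquote(t)
        if decoded == t:
            break
        t = decoded
    return t.strip()


def _remote_kind(decoded: str) -> Optional[str]:
    """Label why a target is remote, or None if it stays on the local machine.

    file:///C:/.../Normal.dotm is the ordinary local template and is not flagged;
    file://server/share and \\\\server\\share reach a network share and are.
    """
    if decoded.startswith("\\\\"):
        return "unc"
    parts = urlsplit(decoded)
    scheme = parts.scheme.lower()
    if scheme in NETWORK_SCHEMES:
        return scheme
    if scheme == "file" and parts.netloc:
        return "file-share"
    return None


def find_remote_templates(docx_bytes: bytes) -> list:
    """Return every external attachedTemplate relationship whose target is remote."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith("_rels/settings.xml.rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if not rel.get("Type", "").endswith(ATTACHED_TEMPLATE_SUFFIX):
                    continue
                if rel.get("TargetMode") != "External":
                    continue  # internal targets resolve inside the package
                raw = rel.get("Target", "")
                decoded = _decode_target(raw)
                kind = _remote_kind(decoded)
                if kind:
                    findings.append({"part": name, "raw": raw,
                                     "decoded": decoded, "kind": kind})
    return findings


def build_sample_docx(target: str, mode: str = "External") -> bytes:
    """Constructed fixture: only the ZIP parts this scanner reads (not a document
    Word would open cleanly; it exists to exercise the scanner offline)."""
    rels = (
        f'<Relationships xmlns="{REL_NS}">'
        '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/'
        f'officeDocument/2006/relationships/attachedTemplate" Target="{target}" '
        f'TargetMode="{mode}"/></Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/settings.xml", "<settings/>")
        zf.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    # Usage: python scan_docx.py suspicious1.docx suspicious2.docx ...
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            for f in find_remote_templates(fh.read()):
                print(f"{path}: {f['kind']} template -> {f['decoded']} (raw: {f['raw']})")
```

The decoded target is the value worth pivoting on: a flagged document tells you which host or share the template is served from, which is the infrastructure to block and hunt for in proxy logs. Local `file:///` templates are deliberately ignored because Normal.dotm is declared the same way in benign documents.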
The group’s infrastructure evolves with code changes for obfuscation, and it shares code overlaps with other Indian-linked APTs like SideWinder and Confucius, complicating attribution. As of late 2025, no public IOCs from recent campaigns are widely shared, but historical ones include active hosts from Kaspersky scans. Organizations in targeted regions should prioritize phishing awareness, endpoint detection, and mobile app vetting to mitigate risks.
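The Defense Evasion bullet notes DNS over HTTPS in some implants. DoH moves C2 name resolution out of the DNS logs most detection depends on, but it remains visible to a web proxy or an endpoint agent that records per-process HTTPS destinations. The script below is an added example written for this profile (not the group's code and not a vendor detection). It relies on RFC 8484: a DoH exchange uses the media type application/dns-message and, in its GET form, a base64url "dns" query parameter; public resolvers conventionally serve it at /dns-query. The log line layout, the host and process names, and the sample lines are constructed for the example; the parser is the part to adapt to your own schema.

```python
"""Flag DNS-over-HTTPS (DoH) traffic from non-browser processes in endpoint logs.

Added example, not from the original profile. Standard library only.
"""
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

DOH_MEDIA_TYPE = "application/dns-message"   # RFC 8484
DOH_PATH = "/dns-query"                      # conventional resolver path
# Processes expected to speak DoH on their own (browser-managed secure DNS).
BROWSER_PROCESSES = {"chrome.exe", "firefox.exe", "msedge.exe", "brave.exe"}

# Constructed sample log: timestamp host process method url status content_type
SAMPLE_LOG = """\
2025-09-01T10:02:11Z WS-17 chrome.exe POST https://cloudflare-dns.com/dns-query 200 application/dns-message
2025-09-01T10:02:13Z WS-17 updater.exe GET https://dns.google/dns-query?dns=AAABAAABAAAAAAAAA2RvYwRleGFtcGxlAAABAAE 200 application/dns-message
2025-09-01T10:02:15Z WS-17 updater.exe POST https://203.0.113.9/dns-query 200 application/dns-message
2025-09-01T10:02:20Z WS-17 outlook.exe GET https://mail.example/owa 200 text/html
2025-09-01T10:03:02Z WS-17 winword.exe GET https://203.0.113.9/dns-query?dns=AAABAAABAAAAAAAAA2RvYwRleGFtcGxlAAABAAE 200 application/dns-message
"""


def parse_line(line: str):
    """Split one constructed log line into a dict; None for malformed lines."""
    parts = line.split()
    if len(parts) != 7:
        return None
    ts, host, proc, method, url, status, ctype = parts
    return {"ts": ts, "host": host, "process": proc.lower(), "method": method.upper(),
            "url": url, "status": status, "content_type": ctype.lower()}


def is_doh(event: dict) -> bool:
    """DoH by media type, by the conventional path, or by a GET carrying a dns= parameter.

    The three checks are independent so a resolver on an unusual path, or a proxy
    that does not record content types, still yields a hit.
    """
    u = urlsplit(event["url"])
    if event["content_type"] == DOH_MEDIA_TYPE:
        return True
    if u.path.lower().endswith(DOH_PATH):
        return True
    return event["method"] == "GET" and "dns" in parse_qs(u.query)


def find_suspicious_doh(log_text: str) -> dict:
    """Group the DoH resolvers contacted by each non-browser process on each host.

    Returns {(host, process): [resolver hostnames]} so an analyst sees at a glance
    that, say, an updater or a document editor is resolving names over HTTPS, and
    which resolver it chose; a bare IP address rather than a public resolver is
    the more interesting case.
    """
    hits = defaultdict(set)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if not ev or not is_doh(ev) or ev["process"] in BROWSER_PROCESSES:
            continue
        hits[(ev["host"], ev["process"])].add(urlsplit(ev["url"]).hostname)
    return {key: sorted(resolvers) for key, resolvers in hits.items()}


if __name__ == "__main__":
    for (host, proc), resolvers in find_suspicious_doh(SAMPLE_LOG).items():
        print(f"{host} {proc}: DoH to {', '.join(resolvers)}")
```

On the constructed sample the browser's DoH to a public resolver is ignored, while the updater and the Word process surface along with the resolver they used. In production, pair this with an allowlist of sanctioned resolvers and treat DoH to an unlisted host, especially a raw IP, as a trigger for process-level triage on that endpoint.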