The DoNot Team (also known as APT-C-35) has been linked to a new Android malware, Tanzeem, used in targeted cyberattacks. Disguised as a chat app, the malware shuts down after installation, requesting sensitive permissions to access call logs, SMS, contacts, location, and files. The app uses OneSignal for push notifications to deliver phishing links and deploy further malware. Tanzeem is believed to target specific individuals for intelligence gathering, with capabilities including screen recording and C2 server communication. This tactic marks an evolution in the group’s malware strategy, aiming for persistent access on infected devices.

‍