
New threat-intelligence findings show that APT-C-35, commonly known as DoNot, continues to maintain active infrastructure on the internet.
Security researchers have identified new infrastructure clusters linked to this India-based threat group, which has long been recognized as a state-sponsored actor with espionage capabilities targeting critical regions in South Asia.
APT-C-35 represents a persistent cybersecurity threat to organizations across government, defense, and diplomatic sectors.
The group’s operations have remained consistent, with researchers documenting infrastructure activities that show how attackers maintain command-and-control channels while evading traditional detection methods.
Recent findings show that the group’s web servers maintain distinct characteristics that can be traced and monitored by security teams.
At-Bay analyst and researcher Idan Tarab identified specific technical markers that distinguish APT-C-35 infrastructure from legitimate web servers.
These indicators provided the foundation for tracking the group’s recent activities and understanding their operational methods across multiple network segments.
Infrastructure Hunting and Detection Methods
The investigation used a structured approach to identify APT-C-35 assets, examining Apache HTTP response characteristics combined with analysis of Autonomous System Number (ASN) 399629.
Security researchers discovered that the targeted infrastructure revealed consistent patterns in HTTP responses, including specific header configurations that served as reliable detection signatures.
The hunting queries revealed that servers associated with APT-C-35 returned specific Apache HTTP headers, including standardized expiration dates and content-length values.
One particular indicator identified HTTP responses with “Expires: Thu, 19 Nov 1981 08:52:00 GMT” paired with “HTTP/1.1 200 OK” status codes across ASN 399629, which significantly narrowed the search scope.
Analysis uncovered approximately 73 results representing 36 unique IP addresses within the infrastructure cluster.
The primary identified server, gilbertfix.info, hosted on IP 149.248.76.43 in Wyoming, returned typical cache-control headers, including “Cache-Control: no-store, no-cache, must-revalidate”.
These headers suggest the infrastructure was configured to prevent caching of its responses and to protect sensitive communications.
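The hunting logic described above, as an added example that is not part of the original report or the researcher's own tooling: it parses raw HTTP response heads, checks each signature component (200 status, the 1981 Expires value, the Cache-Control tokens, ASN 399629) separately, and flags only hosts where the header and ASN conditions coincide. The scan data is constructed, using TEST-NET addresses and a private-use ASN; the HttpObservation type and function names are assumptions for this example.

```python
from dataclasses import dataclass

# Signature values quoted in the article: status line, Expires value, Cache-Control tokens, ASN.
SIG_EXPIRES = "Thu, 19 Nov 1981 08:52:00 GMT"
SIG_CACHE_TOKENS = {"no-store", "no-cache", "must-revalidate"}
SIG_ASN = 399629

@dataclass
class HttpObservation:
    """One scanned host: IP, ASN from enrichment, and the raw HTTP response head it returned."""
    ip: str
    asn: int
    raw_response: str

def parse_response(raw: str) -> tuple[str, dict[str, str]]:
    """Split a raw HTTP response head into the status line and a lower-cased header map."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def match_signature(obs: HttpObservation) -> dict[str, bool]:
    """Evaluate each signature component separately so an analyst can see why a host matched."""
    status, headers = parse_response(obs.raw_response)
    tokens = {t.strip().lower() for t in headers.get("cache-control", "").split(",") if t.strip()}
    checks = {
        "status_200": status.upper().startswith("HTTP/1.1 200"),
        "expires_1981": headers.get("expires") == SIG_EXPIRES,
        "cache_control": SIG_CACHE_TOKENS <= tokens,
        "asn_399629": obs.asn == SIG_ASN,
    }
    # Caveat: the 1981 Expires value and these Cache-Control tokens are PHP's default session
    # no-cache headers, so alone they hit countless benign hosts; the ASN makes the signature usable.
    checks["hit"] = checks["status_200"] and checks["expires_1981"] and checks["asn_399629"]
    return checks

def hunt(observations: list[HttpObservation]) -> list[str]:
    # Return the IPs whose response and ASN satisfy the full signature.
    return [o.ip for o in observations if match_signature(o)["hit"]]

# Constructed sample scan data (TEST-NET addresses and a private-use ASN, not real hosts).
PHP_HEAD = ("HTTP/1.1 200 OK\r\nServer: Apache\r\nExpires: Thu, 19 Nov 1981 08:52:00 GMT\r\n"
            "Cache-Control: no-store, no-cache, must-revalidate\r\nPragma: no-cache\r\n\r\n")
SAMPLES = [
    HttpObservation("192.0.2.10", 399629, PHP_HEAD),                                    # full match
    HttpObservation("192.0.2.11", 64496, PHP_HEAD),                                     # PHP defaults, other ASN
    HttpObservation("192.0.2.12", 399629, "HTTP/1.1 200 OK\r\nServer: nginx\r\n\r\n"),  # in ASN, no headers
]
```

Running `hunt(SAMPLES)` returns only 192.0.2.10; the per-component dictionary from `match_signature` shows why the other two hosts were excluded.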
The discovery enables security teams to implement proactive threat detection by monitoring for these specific HTTP response patterns.
Organizations can now correlate network indicators of compromise with known APT-C-35 infrastructure, shortening incident response times and improving the accuracy of threat characterization.
This research reinforces the importance of continuous infrastructure hunting in maintaining operational awareness against state-sponsored threat actors.
