{
	"id": "c886bbec-656f-4731-9a3e-334134473616",
	"created_at": "2026-04-06T00:08:12.364023Z",
	"updated_at": "2026-04-10T03:30:13.389583Z",
	"deleted_at": null,
	"sha1_hash": "3698c6650183a3aefeadddd1ae68a604bd0a10e0",
	"title": "Mysterious Elephant - Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 45747,
	"plain_text": "Mysterious Elephant - Threat Group Cards: A Threat Actor\r\nEncyclopedia\r\nArchived: 2026-04-05 16:26:59 UTC\r\nHome \u003e List all groups \u003e Mysterious Elephant\r\n APT group: Mysterious Elephant\r\nNames\r\nMysterious Elephant (Kaspersk)\r\nAPT-K-47 (Knownsec 404)\r\nCountry [Unknown]\r\nMotivation Information theft and espionage\r\nFirst seen 2023\r\nDescription\r\n(Knownsec 404) Recently, in the course of daily APT tracking,the Knownsec 404 Advanced\r\nThreat Intelligence team discovered an attack campaign by the APT-K-47 organization using\r\nthe topic of “Hajj”, and the attackers used a CHM file to execute a malicious payload in the\r\nsame directory. The final payload is relatively simple, supporting only the cmd shell, and is\r\nimplemented using asynchronous programming, which is very similar to the “Asynshell” that\r\nwas used by the organization several times during Our team’s tracking cycle from 2023 to the\r\nfirst half of 2024. Based on our tracking observations, the previously captured Asynshell has\r\nbeen updated in several versions, and based on the logic and functionality of the code, we have\r\nreason to suspect that this sample is an upgraded version of Asynshell.\r\nObserved Countries: Pakistan.\r\nTools used ORPCBackdoor.\r\nInformation\r\n\u003chttps://medium.com/@knownsec404team/unveiling-the-past-and-present-of-apt-k-47-\r\nweapon-asyncshell-5a98f75c2d68\u003e\r\n\u003chttps://medium.com/@knownsec404team/apt-k-47-mysterious-elephant-a-new-apt-organization-in-south-asia-5c66f954477\u003e\r\nLast change to this card: 26 December 2024\r\nDownload this actor card in PDF or JSON format\r\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=7a5bd493-2c51-4878-bc60-7639d7e9da21\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=7a5bd493-2c51-4878-bc60-7639d7e9da21\r\nPage 1 of 1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=7a5bd493-2c51-4878-bc60-7639d7e9da21"
	],
	"report_names": [
		"showcard.cgi?u=7a5bd493-2c51-4878-bc60-7639d7e9da21"
	],
	"threat_actors": [
		{
			"id": "f5339d7c-473e-4b49-b44c-189b4f72b585",
			"created_at": "2024-12-28T02:01:54.8259Z",
			"updated_at": "2026-04-10T02:00:04.778045Z",
			"deleted_at": null,
			"main_name": "Mysterious Elephant",
			"aliases": [
				"APT-K-47"
			],
			"source_name": "ETDA:Mysterious Elephant",
			"tools": [
				"ORPCBackdoor"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434092,
	"ts_updated_at": 1775791813,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3698c6650183a3aefeadddd1ae68a604bd0a10e0.pdf",
		"text": "https://archive.orkl.eu/3698c6650183a3aefeadddd1ae68a604bd0a10e0.txt",
		"img": "https://archive.orkl.eu/3698c6650183a3aefeadddd1ae68a604bd0a10e0.jpg"
	}
}