{
	"id": "9385c023-420a-4b61-808d-fefadb1408a0",
	"created_at": "2026-04-06T00:19:20.917209Z",
	"updated_at": "2026-04-10T13:12:26.777882Z",
	"deleted_at": null,
	"sha1_hash": "9d193f30bcb7ec9d9db51ba3190be5ee92a05c23",
	"title": "ModifiedElephant APT and a Decade of Fabricating Evidence",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 889166,
	"plain_text": "ModifiedElephant APT and a Decade of Fabricating Evidence\r\nBy Tom Hegel\r\nPublished: 2022-02-09 · Archived: 2026-04-05 17:07:47 UTC\r\nExecutive Summary\r\nOur research attributes a decade of activity to a threat actor we call ModifiedElephant.\r\nModifiedElephant is responsible for targeted attacks on human rights activists, human rights defenders,\r\nacademics, and lawyers across India with the objective of planting incriminating digital evidence.\r\nModifiedElephant has been operating since at least 2012, and has repeatedly targeted specific individuals.\r\nModifiedElephant operates through the use of commercially available remote access trojans (RATs) and\r\nhas potential ties to the commercial surveillance industry.\r\nThe threat actor uses spearphishing with malicious documents to deliver malware, such as NetWire,\r\nDarkComet, and simple keyloggers with infrastructure overlaps that allow us to connect long periods of\r\npreviously unattributed malicious activity.\r\nRead the Full Report\r\nBackground\r\nIn September 2021, SentinelLabs published research into the operations of a Turkish-nexus threat actor we called\r\nEGoManiac, drawing attention to their practice of planting incriminating evidence on the systems of journalists to\r\njustify arrests by the Turkish National Police. A threat actor willing to frame and incarcerate vulnerable opponents\r\nis a critically underreported dimension of the cyber threat landscape that brings up uncomfortable questions about\r\nthe integrity of devices introduced as evidence. Emerging details in an unrelated case caught our attention as a\r\npotentially similar scenario worthy of more scrutiny.\r\nLong-standing racial and political tensions in India were inflamed on January 1st, 2018 when critics of the\r\ngovernment clashed with pro-government supporters near Bhima Koregaon. 
The event led to subsequent protests,\r\nresulting in more violence and at least one death.\r\nIn the following months, Maharashtra police linked the cause of the violence to the banned Naxalite-Maoist\r\nCommunist party of India. On April 17th, 2018, police conducted raids and arrested a number of individuals on\r\nterrorism-related charges. The arresting agencies identified incriminating files on the computer systems of\r\ndefendants, including plans for an alleged assassination attempt against Prime Minister Modi.\r\nThanks to the public release of digital forensic investigation results by Arsenal Consulting and those referenced\r\nbelow, we can glean rare insights into the integrity of the systems of some defendants and grasp the origin of the\r\nincriminating files. It turns out that a compromise of defendant systems led to the planting of files that were later\r\nused as evidence of terrorism and justification for the defendants’ imprisonment. The intrusions in question were\r\nnot isolated incidents.\r\nhttps://www.sentinelone.com/labs/modifiedelephant-apt-and-a-decade-of-fabricating-evidence/\r\nPage 1 of 6\n\nOur research into these intrusions revealed a decade of persistent malicious activity targeting specific groups and\r\nindividuals that we now attribute to a previously unknown threat actor named ModifiedElephant. This actor has\r\noperated for years, evading research attention and detection due to their limited scope of operations, the mundane\r\nnature of their tools, and their regionally-specific targeting. 
ModifiedElephant is still active at the time of writing.\r\nModifiedElephant Targets \u0026 Objectives\r\nThe objective of ModifiedElephant is long-term surveillance that at times concludes with the delivery of\r\n‘evidence’—files that incriminate the target in specific crimes—prior to conveniently coordinated arrests.\r\nAfter careful review of the attackers’ campaigns over the last decade, we have identified hundreds of groups and\r\nindividuals targeted by ModifiedElephant phishing campaigns. Activists, human rights defenders, journalists,\r\nacademics, and law professionals in India are those most highly targeted. Notable targets include individuals\r\nassociated with the Bhima Koregaon case.\r\nInfection Attempts\r\nThroughout the last decade, ModifiedElephant operators sought to infect their targets via spearphishing emails\r\nwith malicious file attachments, with their techniques evolving over time.\r\nTheir primary delivery mechanism is malicious Microsoft Office document files weaponized to deliver the\r\nmalware of choice at the time. The specific payloads changed over the years and across different targets. However,\r\nsome notable trends remain.\r\nIn mid-2013, the actor used phishing emails containing executable file attachments with fake double\r\nextensions (filename.pdf.exe).\r\nAfter 2015, the actor moved on to less obvious files containing publicly available exploits, such as .doc,\r\n.pps, .docx, .rar, and password-protected .rar files. 
These attempts involved legitimate lure\r\ndocuments in .pdf, .docx, and .mht formats to captivate the target’s attention while also executing\r\nmalware.\r\nIn 2019 phishing campaigns, ModifiedElephant operators also took the approach of providing links to files\r\nhosted externally for manual download and execution by the target.\r\nAs first publicly noted by Amnesty in reference to a subset of this activity, the attacker also made use of\r\nlarge .rar archives (up to 300MB), potentially in an attempt to bypass detection.\r\nObserved lure documents repeatedly made use of CVE-2012-0158, CVE-2014-1761, CVE-2013-3906, CVE-2015-1641 exploits to drop and execute their malware of choice.\r\nThe spearphishing emails and lure attachments are titled and generally themed around topics relevant to the target,\r\nsuch as activism news and groups, global and local events on climate change, politics, and public service. A public\r\ndeconstruction of two separate 2014 phishing emails was shared by Arsenal Consulting in early 2021.\r\nSpearphishing email containing malicious attachment attributed to ModifiedElephant\r\nModifiedElephant continually made use of free email service providers, like Gmail and Yahoo, to conduct their\r\ncampaigns. The phishing emails take many approaches to gain the appearance of legitimacy. 
This includes fake\r\nbody content with a forwarding history containing long lists of recipients, original email recipient lists with many\r\nseemingly fake accounts, or simply resending their malware multiple times using new emails or lure documents.\r\nNotably, in specific attacks, the actor would be particularly persistent and attempt to compromise the same\r\nindividuals multiple times in a single day.\r\nBy reviewing a timeline of attacker activity, we can observe clear trends as the attacker(s) rotate infrastructure\r\nover the years.\r\nTimeline sample of ModifiedElephant and SideWinder C2 Infrastructure\r\nFor example, from early-2013 to mid-2016, a reasonably clear timeline can be built with little overlap, indicating\r\na potential evolution or expansion of activities. Dates are based on first and last spearphishing emails observed\r\ndelivering samples that communicate with a given domain. Notably, a separate Indian-nexus threat actor,\r\nSideWinder, is placed alongside ModifiedElephant in this graph as they were observed targeting the same\r\nindividuals.\r\nWeapons of Choice\r\nThe malware most used by ModifiedElephant is unsophisticated and downright mundane, and yet it has proven\r\nsufficient for their objectives–obtaining remote access and unrestricted control of victim machines. The primary\r\nmalware families deployed were NetWire and DarkComet remote access trojans (RATs). Both of these RATs are\r\npublicly available, and have a long history of abuse by threat actors across the spectrum of skill and capability.\r\nOne particular activity revolves around the file Ltr_1804_to_cc.pdf, which contains details of an assassination\r\nplot against Prime Minister Modi. 
A forensic report by Arsenal Consulting showed that this file, one of the more\r\nincriminating pieces of evidence obtained by the police, was one of many files delivered via a NetWire RAT\r\nremote session that we associate with ModifiedElephant. Further analysis showed how ModifiedElephant was\r\nperforming nearly identical evidence creation and organization across multiple unrelated victim systems within\r\nroughly fifteen minutes of each other.\r\nIncubator Keylogger\r\nKnown victims have also been targeted with keylogger payloads stretching as far back as 2012\r\n(0a3d635eb11e78e6397a32c99dc0fd5a). These keyloggers, packed at delivery, are written in Visual Basic and are\r\nnot the least bit technically impressive. Moreover, they’re built in such a brittle fashion that they no longer\r\nfunction.\r\nThe overall structure of the keylogger is fairly similar to code openly shared on Italian hacking forums in 2012.\r\nFurther details of the ModifiedElephant variant can be found in our full report.\r\nIn some cases, the attacker conducted multiple unique phishing attempts with the same payloads across one or\r\nmore targets. However, ModifiedElephant generally conducts each infection attempt with new malware samples.\r\nAndroid Trojan\r\nModifiedElephant also sent multiple phishing emails containing both NetWire and Android malware payloads at\r\nthe same time. The Android malware is an unidentified commodity trojan delivered as an APK file\r\n(0330921c85d582deb2b77a4dc53c78b3).\r\nWhile the Android trojan bears marks of being designed for broader cybercrime, its delivery at the same time as\r\nModifiedElephant Netwire samples indicates that the same attacker was attempting to get full coverage of the\r\ntarget on both endpoint and mobile. 
The full report contains further details about the Android Trojan.\r\nRelations to Other Threat Clusters\r\nOur research into this threat actor reveals multiple interesting threads that highlight the complex nature of targeted\r\nsurveillance and tasking, where multiple actors swoop in with diverse mechanisms to track the same group of\r\nindividuals. These include private sector offensive actors (PSOAs) and groups with possible commercial facades\r\nto coordinate their illicit activities.\r\nBased on our analysis of ModifiedElephant, the group operates in an overcrowded target space and may have\r\nrelations with other regional threat actors. From our visibility, we can’t further disambiguate the shape of that\r\nrelationship–whether as part of an active umbrella organization, cooperation and sharing of technical resources\r\nand targets across threat groups, or simply coincidental overlaps. Some interesting overlaps are detailed below.\r\nMultiple individuals targeted by ModifiedElephant over the years have also been either targeted or\r\nconfirmed infected with mobile surveillance spyware. Amnesty International identified NSO Group’s\r\nPegasus being used in targeted attacks in 2019 against human rights defenders related to the Bhima\r\nKoregaon case. Additionally, the Bhima Koregaon case defendant Rona Wilson’s iPhone was targeted with\r\nPegasus since 2017 based on a digital forensics analysis of an iTunes backup found in the forensic disk\r\nimages analyzed by Arsenal Consulting.\r\nBetween February 2013 and January 2014 one target, Rona Wilson, received phishing emails that can be\r\nattributed to the SideWinder threat actor. The relationship between ModifiedElephant and SideWinder is\r\nunclear as only the timing and targets of their phishing emails overlap within our dataset. 
This could\r\nsuggest that the attackers are being provided with similar tasking by a controlling entity, or that they work\r\nin concert somehow. SideWinder is a threat actor targeting government, military, and business entities\r\nprimarily throughout Asia.\r\nModifiedElephant phishing email payloads (b822d8162dd540f29c0d8af28847246e) share infrastructure\r\noverlaps (new-agency[.]us) with Operation Hangover. Operation Hangover includes surveillance efforts\r\nagainst targets of interest to Indian national security, both foreign and domestic, in addition to industrial\r\nespionage efforts against organizations around the world.\r\nAnother curious finding is the inclusion of the string “Logs from Moosa’s” found in a keylogger sample\r\nclosely associated with ModifiedElephant activity in 2012 (c14e101c055c9cb549c75e90d0a99c0a). The\r\nstring could be a reference to Moosa Abd-Ali Ali, the Bahrain activist targeted around the same time, with\r\nFinFisher spyware. Without greater information, we treat this as a low confidence conjecture in need of\r\ngreater research.\r\nAttribution\r\nAttributing an attacker like ModifiedElephant is an interesting challenge. At this time, we possess significant\r\nevidence of what the attacker has done over the past decade, a unique look into who they’ve targeted, and a strong\r\nunderstanding of their technical objectives.\r\nWe observe that ModifiedElephant activity aligns sharply with Indian state interests and that there is an observable\r\ncorrelation between ModifiedElephant attacks and the arrests of individuals in controversial, politically-charged\r\ncases.\r\nConclusion\r\nThe Bhima Koregaon case has offered a revealing perspective into the world of a threat actor willing to place\r\nsignificant time and resources into seeking the disruption of those with opposing views. 
Our profile of\r\nModifiedElephant has taken a look at a small subset of the total list of potential targets, the attackers’ techniques,\r\nand a rare glimpse into their objectives. Many questions about this threat actor and their operations remain;\r\nhowever, one thing is clear: Critics of authoritarian governments around the world must carefully understand the\r\ntechnical capabilities of those who would seek to silence them.\r\nFurther details, Indicators of Compromise and Technical References are available in the full report.\r\nRead the Full Report\r\nSource: https://www.sentinelone.com/labs/modifiedelephant-apt-and-a-decade-of-fabricating-evidence/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.sentinelone.com/labs/modifiedelephant-apt-and-a-decade-of-fabricating-evidence/"
	],
	"report_names": [
		"modifiedelephant-apt-and-a-decade-of-fabricating-evidence"
	],
	"threat_actors": [
		{
			"id": "42a6a29d-6b98-4fd6-a742-a45a0306c7b0",
			"created_at": "2022-10-25T15:50:23.710403Z",
			"updated_at": "2026-04-10T02:00:05.281246Z",
			"deleted_at": null,
			"main_name": "Silence",
			"aliases": [
				"Whisper Spider"
			],
			"source_name": "MITRE:Silence",
			"tools": [
				"Winexe",
				"SDelete"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "88854a9f-641a-4412-89db-449b4d5cbc51",
			"created_at": "2022-10-25T16:07:23.963599Z",
			"updated_at": "2026-04-10T02:00:04.810023Z",
			"deleted_at": null,
			"main_name": "Operation HangOver",
			"aliases": [
				"G0042",
				"Monsoon",
				"Operation HangOver",
				"Viceroy Tiger"
			],
			"source_name": "ETDA:Operation HangOver",
			"tools": [
				"AutoIt backdoor",
				"BADNEWS",
				"BackConfig",
				"JakyllHyde",
				"TINYTYPHON",
				"Unknown Logger",
				"WSCSPL"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "bbf66d2d-3d20-4026-a2b5-56b31eb65de4",
			"created_at": "2025-08-07T02:03:25.123407Z",
			"updated_at": "2026-04-10T02:00:03.668131Z",
			"deleted_at": null,
			"main_name": "ZINC EMERSON",
			"aliases": [
				"Confucius ",
				"Dropping Elephant ",
				"EHDevel ",
				"Manul ",
				"Monsoon ",
				"Operation Hangover ",
				"Patchwork ",
				"TG-4410 ",
				"Viceroy Tiger "
			],
			"source_name": "Secureworks:ZINC EMERSON",
			"tools": [
				"Enlighten Infostealer",
				"Hanove",
				"Mac OS X KitM Spyware",
				"Proyecto2",
				"YTY Backdoor"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d0c0a5ea-3066-42a5-846c-b13527f64a3e",
			"created_at": "2023-01-06T13:46:39.080551Z",
			"updated_at": "2026-04-10T02:00:03.206572Z",
			"deleted_at": null,
			"main_name": "RAZOR TIGER",
			"aliases": [
				"APT-C-17",
				"T-APT-04",
				"SideWinder"
			],
			"source_name": "MISPGALAXY:RAZOR TIGER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c81067e0-9dcb-4e3f-abb0-80126519c5b6",
			"created_at": "2022-10-25T15:50:23.285448Z",
			"updated_at": "2026-04-10T02:00:05.282202Z",
			"deleted_at": null,
			"main_name": "Patchwork",
			"aliases": [
				"Hangover Group",
				"Dropping Elephant",
				"Chinastrats",
				"Operation Hangover"
			],
			"source_name": "MITRE:Patchwork",
			"tools": [
				"NDiskMonitor",
				"QuasarRAT",
				"BackConfig",
				"TINYTYPHON",
				"AutoIt backdoor",
				"PowerSploit",
				"BADNEWS",
				"Unknown Logger"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "eb5915d6-49a0-464d-9e4e-e1e2d3d31bc7",
			"created_at": "2025-03-29T02:05:20.764715Z",
			"updated_at": "2026-04-10T02:00:03.851829Z",
			"deleted_at": null,
			"main_name": "GOLD WYMAN",
			"aliases": [
				"Silence "
			],
			"source_name": "Secureworks:GOLD WYMAN",
			"tools": [
				"Silence"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "cfdd350b-de30-4d29-bbee-28159f26c8c2",
			"created_at": "2023-01-06T13:46:38.433736Z",
			"updated_at": "2026-04-10T02:00:02.972971Z",
			"deleted_at": null,
			"main_name": "VICEROY TIGER",
			"aliases": [
				"OPERATION HANGOVER",
				"Donot Team",
				"APT-C-35",
				"SectorE02",
				"Orange Kala"
			],
			"source_name": "MISPGALAXY:VICEROY TIGER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "67e56ffa-aad6-4a0d-89fe-ac443dfb2f1b",
			"created_at": "2023-01-06T13:46:39.364262Z",
			"updated_at": "2026-04-10T02:00:03.302769Z",
			"deleted_at": null,
			"main_name": "ModifiedElephant",
			"aliases": [],
			"source_name": "MISPGALAXY:ModifiedElephant",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6b9fc913-06c6-4432-8c58-86a3ac614564",
			"created_at": "2022-10-25T16:07:24.185236Z",
			"updated_at": "2026-04-10T02:00:04.893541Z",
			"deleted_at": null,
			"main_name": "SideWinder",
			"aliases": [
				"APT-C-17",
				"APT-Q-39",
				"BabyElephant",
				"G0121",
				"GroupA21",
				"HN2",
				"Hardcore Nationalist",
				"Rattlesnake",
				"Razor Tiger",
				"SideWinder",
				"T-APT-04"
			],
			"source_name": "ETDA:SideWinder",
			"tools": [
				"BroStealer",
				"Capriccio RAT",
				"callCam"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "88e53203-891a-46f8-9ced-81d874a271c4",
			"created_at": "2022-10-25T16:07:24.191982Z",
			"updated_at": "2026-04-10T02:00:04.895327Z",
			"deleted_at": null,
			"main_name": "Silence",
			"aliases": [
				"ATK 86",
				"Contract Crew",
				"G0091",
				"TAG-CR8",
				"TEMP.TruthTeller",
				"Whisper Spider"
			],
			"source_name": "ETDA:Silence",
			"tools": [
				"EDA",
				"EmpireDNSAgent",
				"Farse",
				"Ivoke",
				"Kikothac",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Meterpreter",
				"ProxyBot",
				"ReconModule",
				"Silence.Downloader",
				"TiniMet",
				"TinyMet",
				"TrueBot",
				"xfs-disp.exe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "173f1641-36e3-4bce-9834-c5372468b4f7",
			"created_at": "2022-10-25T15:50:23.349637Z",
			"updated_at": "2026-04-10T02:00:05.3486Z",
			"deleted_at": null,
			"main_name": "Sidewinder",
			"aliases": [
				"Sidewinder",
				"T-APT-04"
			],
			"source_name": "MITRE:Sidewinder",
			"tools": [
				"Koadic"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434760,
	"ts_updated_at": 1775826746,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9d193f30bcb7ec9d9db51ba3190be5ee92a05c23.pdf",
		"text": "https://archive.orkl.eu/9d193f30bcb7ec9d9db51ba3190be5ee92a05c23.txt",
		"img": "https://archive.orkl.eu/9d193f30bcb7ec9d9db51ba3190be5ee92a05c23.jpg"
	}
}