{
	"id": "cbabc543-09df-42d2-8fd0-f509cfd4ccd6",
	"created_at": "2026-04-06T00:14:45.51259Z",
	"updated_at": "2026-04-10T03:33:54.606326Z",
	"deleted_at": null,
	"sha1_hash": "e09dab2f5f93efe72777a3158469e5c0b11d3350",
	"title": "Dropping Elephant APT Group Targets Turkish Defense Industry With New Campaign and Capabilities: LOLBAS, VLC Player, and Encrypted Shellcode - Arctic Wolf",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3272603,
	"plain_text": "Dropping Elephant APT Group Targets Turkish Defense Industry With\r\nNew Campaign and Capabilities: LOLBAS, VLC Player, and Encrypted\r\nShellcode - Arctic Wolf\r\nBy Arctic Wolf\r\nPublished: 2025-07-23 · Archived: 2026-04-05 19:13:30 UTC\r\nExecutive Summary\r\nThe Arctic Wolf® Labs team has identified a new campaign by cyber-espionage group Dropping Elephant targeting Turkish\r\ndefense contractors, specifically a manufacturer of precision-guided missile systems. The campaign employs a five-stage\r\nexecution chain delivered via malicious LNK files disguised as conference invitations sent to targets interested in learning\r\nmore about unmanned vehicle systems.\r\nThe attack leverages legitimate binaries (VLC Media Player and Microsoft Task Scheduler) for defense evasion through\r\nDLL side-loading techniques. This represents a significant evolution of this threat actor’s capabilities, transitioning from the\r\nx64 DLL variants observed in November 2024, to the current x86 PE executables with enhanced command structures.\r\nThe campaign’s timing appears to coincide with heightened Türkiye*-Pakistan defense cooperation and recent India-Pakistan military tensions, suggesting the targeting may be geopolitically motivated. Infrastructure analysis reveals\r\ndeliberate operational security measures, including the impersonation of legitimate websites for command-and-control (C2)\r\ninfrastructure.\r\nThe campaign demonstrates how threat actors combine social engineering with precisely crafted lures to gather strategic\r\nintelligence from their targets. 
In this blog, we’ll break down the attack step-by-step to show how this is achieved, and\r\ndiscuss proactive steps organizations can take to defend themselves against this type of attack.\r\n* The Republic of Turkey changed its official name to The Republic of Türkiye on 26 May 2022.\r\nKey Intelligence Findings:\r\nThreat Attribution and Evolution\r\nThreat Actor: Dropping Elephant (aka Patchwork or Quilted Tiger).\r\nTechnical Evolution: Diversification from x64 DLL to x86 PE architecture, with reduced library dependencies.\r\nCampaign Scope: Multi-country targeting in prior campaigns, with Türkiye-specific operational focus in this\r\nspecific campaign.\r\nAttack Methodology\r\nInitial Access: Spear-phishing, with conference-themed LNK files.\r\nExecution: Five-component PowerShell-based download chain from malicious domain expouav[.]org.\r\nDefense Evasion: VLC DLL side-loading, file extension manipulation, scheduled task persistence.\r\nCommand Structure: Enhanced C2 protocol, using C-standard library’s strtok() for parsing and CreateThread\r\nexecution.\r\nTarget Profile\r\nPrimary Target: A Turkish precision-guided systems manufacturer.\r\nSector: Defense industrial base, specifically missile and rocket systems.\r\nGeopolitical Context: Türkiye’s military cooperation with Pakistan amid regional tensions.\r\nInfrastructure Assessment\r\nhttps://arcticwolf.com/resources/blog/dropping-elephant-apt-group-targets-turkish-defense-industry/\r\nPage 1 of 18\n\nDelivery: expouav[.]org (created 2025-06-25). This malicious domain mimics the legitimate conference website\r\nwaset.org.\r\nC2: roseserve[.]org (registered 2025-06-23). This malicious site impersonates the Pardus project, a Linux distribution\r\nproject developed with support from the government of Türkiye.\r\nHosting: DEDIPATH-LLC/STARK-INDUSTRIES (U.S./GB hosting for Türkiye-focused operations).\r\nThe PTR record points to tk99671283030[.]avanetco[.]com (Created on 2025-06-27 over 2.56.127[.]187). 
Avanetco is a\r\nvirtual private server (VPS) reseller headquartered in Iran.\r\nOperational timeline: Infrastructure preparation began in June 2025 and has been in active operation since July\r\n2025.\r\nIntroducing Dropping Elephant\r\nDropping Elephant (also known as Patchwork or Quilted Tiger) is a relatively new advanced persistent threat (APT) group\r\nsuspected to be of Indian origin. First identified in December 2015, the group has been observed using social engineering\r\ntechniques, including spear-phishing and watering hole attacks, which involve compromising or impersonating legitimate\r\nwebsites known to be frequented by the group’s targets.\r\nIt has also been known to exploit malware distribution vulnerabilities, and has used fake downloadable apps to drop\r\nmalware such as VajraSpy, an Android-targeted remote access trojan (RAT), and BADNEWS RAT.\r\nBased on campaign analysis, Dropping Elephant’s primary motivation is most likely espionage. Initially targeting South and\r\nSoutheast Asia, the group has since expanded its sights to include victims worldwide, including Europe and the United\r\nStates. It uses a range of custom tooling and techniques for intelligence-gathering, particularly focusing on individuals,\r\norganizations and sectors with diplomatic and economic ties to China.\r\nThe industry sectors most highly targeted by this APT group to date include Defense, Energy, Financial, Government, IT,\r\nAviation, NGOs, Think Tanks, and Pharmaceutical.\r\nAttack Chain Breakdown\r\n1. The Conference Invitation\r\nThe threat actor kicks off the attack by delivering a malicious LNK file to the intended targets:\r\nUnmanned_Vehicle_Systems_Conference_2025_In_Istanbul.lnk\r\n– an opportunity for defense industry professionals working on drone and missile technologies to attend a conference. 
The\r\ntechnical details of this file are shown in the table below.\r\nField Value\r\nName Unmanned_Vehicle_Systems_Conference_2025_In_Istanbul.lnk\r\nSHA-256 341f27419becc456b52d6fbe2d223e8598065ac596fa8dec23cc722726a28f62\r\nFile Type/ Signature .lnk file\r\nSize 5.11KB\r\nFigure 1: Unmanned_Vehicle_Systems_Conference_2025_In_Istanbul.lnk structure.\r\nUpon execution, the LNK file invokes PowerShell, which in turn reaches out via Wget to a Cloudflare-protected hosting site –\r\nexpouav[.]org – and retrieves several files.\r\nPester.bat is a Windows batch file that is part of the PowerShell Pester testing framework. It’s classified as a Living Off the\r\nLand Binary and Script (LOLBAS) due to its potential for abuse by threat actors. In this campaign, extra quotation marks\r\nare inserted into the commands by the threat actor to evade common string-matching detections for potentially suspicious\r\ncommands.\r\nAs part of the process of establishing persistence, a scheduled task is created which abuses VLC, the popular legitimate\r\nmedia player software, to side-load malicious DLL files. VLC Media Player’s popularity springs a trap on the unwitting\r\ntargets, playing on the user’s trust in familiar software to help advance the threat actor’s attack chain.\r\n2. Silent Execution\r\nThe PowerShell code is executed in a manner which enables it to bypass restrictions (should they be enabled) as well as hide\r\nany progress indicators of its functionality from the user, to remain stealthy during execution.\r\n\"sleep 1;$ProgressPreference = 'SilentlyContinue'\"\r\n3. Downloads Multiple Files from expouav[.]org\r\nThe expouav[.]org domain referenced within the LNK file was registered on 06/25/2025. It hosts a PDF lure mimicking\r\nhttps://waset.org/unmanned-vehicle-systems-conference-in-july-2025-in-istanbul (a legitimate website). 
The real conference\r\nname is “ICUVS 2025: 19. International Conference on Unmanned Vehicle Systems”, and it takes place on July 28th and\r\n29th, 2025 in Istanbul, Türkiye.\r\nFigure 2: Legitimate waset.org website with the same conference information used by the fake PDF-based replica.\r\nAssets used in the PDF lure were copied from the official website. The copy is nearly identical and even includes the\r\noriginal conference code.\r\nThe PDF document serves as a visual decoy, designed to distract the user while the rest of the execution chain runs silently\r\nin the background.\r\nFigure 3: Unmanned_Vehicle_Systems_Conference_2025_In_Istanbul.pdf PDF lure content.\r\nThis targeting occurs as Türkiye commands 65% of the global UAV export market and develops critical hypersonic missile\r\ncapabilities, while simultaneously strengthening defense ties with Pakistan during a period of heightened India-Pakistan\r\ntensions.\r\nIt specifically reflects the strategic value of technologies and intelligence services to understand Türkiye and possibly NATO\r\ncapabilities. Access to NATO-standard defense technologies and interoperability protocols provides insights into Western\r\nmilitary capabilities and strategic planning.\r\n4. File Evasion Technique\r\nThe simultaneous download of five distinct files represents a carefully orchestrated operation. Each component serves a\r\nspecific purpose.\r\nFiles are dropped to the user’s Tasks folder, with additional characters in the extension to bypass detection by security\r\nsystems. 
Once the file is saved to disk, the command automatically removes the extra characters, leaving the file with an\r\nexecutable extension, ready to run.\r\nDetailed Technical Analysis\r\nThe first stage of the execution of Dropping Elephant’s attack chain is a .LNK file that contains PowerShell code. This script\r\nloads five files sequentially:\r\n1. Visual Lure for Distraction\r\nFile: Unmanned_Vehicle_Systems_Conference_2025_In_Istanbul.pdf\r\nSHA-256: 588021b5553838fae5498de40172d045b5168c8e608b8929a7309fd08abfaa93\r\n2. Legitimate VLC Video Player File\r\nVLC Video Player is a free and open-source cross-platform multimedia player from VideoLAN, a non-profit organization.\r\nThe player itself is legitimate, but (as with many digital tools) can be abused by cybercriminals.\r\nOriginal downloaded name: “lama” → renamed to C:\\Windows\\Tasks\\vlc.exe\r\nSHA-256: 4cc729b554326ccc62205d46b95353dcb34cadf095b904e941814e902e0925b2\r\nFigure 4: Legitimate VLC.exe file information.\r\n3. Malicious DLL Library\r\nOriginal file name: “lake” → renamed to libvlc.dll\r\nPurpose: This library is responsible for running and decoding the shellcode.\r\nSHA-256: 2cd2a4f1fc7e4b621b29d41e42789c1365e5689b4e3e8686b80f80268e2c0d8d\r\nProject file name: newdll.dll\r\nCompilation date: 2025-06-26 08:54:47\r\n4. Legitimate Microsoft Task Scheduler\r\nOriginal downloaded name: “dalai” → renamed to C:\\Windows\\Tasks\\Winver.exe\r\nDescription: Legitimate Microsoft Task Scheduler file\r\nSHA-256: 013c013e0efd13c9380fad58418b7aca8356e591a5cceffdb910f7d8b0ad28ef\r\nFigure 5: Legitimate schtasks.exe (Microsoft Task Scheduler).\r\n5. 
Encrypted Shellcode\r\nFile: vlc.log\r\nLocation: C:\\Windows\\Tasks\\vlc.log\r\nSHA-256: 89ec9f19958a442e9e3dd5c96562c61229132f3acb539a6b919c15830f403553\r\nFigure 6: Encrypted shellcode.\r\nExecution Process\r\nThe following command creates a scheduled task using PowerShell and a pre-loaded legitimate Schtasks.exe Microsoft file:\r\nPowerShell scheduled task:\r\nsaps \"C:\\Windows\\Tasks\\Winver\" -a \"/Create\", '/sc', 'minute', '/tn', 'NewErrorReport', '/tr', \"C:\\Windows\\Task\r\nThis scheduled task executes a legitimate VLC Player file which runs a DLL. The DLL acts as a shellcode loader that\r\ndecrypts the ciphertext shellcode stored in vlc.log. The payload is launched in the VLC Player memory address space.\r\nShellcode Decryption\r\nDecryption key: “76bhu93FGRjZX5hj876bhu93FGRjX5”\r\nFigure 7: Shellcode decryption code.\r\nOnce decrypted, the shellcode becomes the final payload:\r\nField Value\r\nName N/A\r\nSHA-256 8b6acc087e403b913254dd7d99f09136dc54fa45cf3029a8566151120d34d1c2\r\nFile Type/ Signature x86 PE\r\nSize 139.37 KB (142,712 bytes)\r\nDeclared Timestamp Fri Jul 26 09:12:19 2024\r\nFigure 8: Decrypted shellcode header.\r\nDigital Reconnaissance\r\nOnce executed in the system, the malware performs a series of actions that facilitate profiling of the infected device:\r\nCreates mutex ghjghkj to prevent multiple instances from running at once.\r\nGathers victim’s computer name via GetComputerNameW.\r\nCollects username via GetUserNameW.\r\nRetrieves system firmware information.\r\nChecks processor features and capabilities for sandboxing evasion.\r\nPerforms system time and performance counter queries.\r\nTakes screenshots of the screen and saves them as JPGs for C2 upload. 
This technique can be particularly useful\r\nwhen the targeted users work in a remote environment, where the sought-after data is stored not on the infected\r\nendpoint, but on a remote server. Screen-capturing is therefore vital to capture sensitive data, such as diagrams or\r\nclassified projects stored on a clean remote server.\r\nFigure 9: Screenshot-capture command.\r\nNetwork Communication\r\nTo assess outside network connectivity, several external sites are queried.\r\nExternal Services Contact:\r\ncom/raw is used to determine external IP address\r\niplocation.net/?cmd=ip-country is used for geolocation\r\nco is used for additional IP information\r\nMozilla/5.0 user-agent is used to blend with legitimate traffic\r\nCommand and Control:\r\nC2 Server: roseserve[.]org\r\nFigure 10: The threat actor’s C2 server.\r\nReporting to C2 is based on the /post action, with structured parameters.\r\nFigure 11: /post action via YcKOjLMxiwCZfSS//comrCVPEffFiPvF.php to C2.\r\nDropping Elephant’s RAT: Version Comparison Analysis\r\nWhen comparing code between older versions of Dropping Elephant’s RAT from November 2024 and newer versions, we\r\nobserved several key differences:\r\nArchitecture Change\r\nNew version: x86 EXE executable\r\nOld versions: x64 DLL\r\nReferential Samples:\r\nNovember 2024 version: 01a635a11a140aef906efe9db22fb66b0d6510e1e702870c4c728099fd5ab455\r\nVersion targeting Türkiye: 8b6acc087e403b913254dd7d99f09136dc54fa45cf3029a8566151120d34d1c2\r\nCode Optimization\r\nAnother interesting difference is that the threat group has begun using fewer library functions. 
For example, C2 command\r\nparsing in the new version is done with raw code, while the old version used the “C function” – memcmp, a function in C\r\nand C++ used to compare the contents of two memory blocks.\r\nCommand Processing\r\nAfter receiving C2 commands, the code next compares them with a command list. Then, using CreateThread, it transfers\r\nexecution to the appropriate code thread. Any string received from the server is split into tokens using the strtok function with\r\n‘$’ delimiters.\r\nFigure 12: Splitting into tokens with ‘$’ delimiter.\r\nNetwork Infrastructure Analysis\r\nroseserve[.]org serves as the malicious C2 for the attack we observed on Türkiye.\r\nInfrastructure Details:\r\nPTR DNS record: tk99671283030.avanetco.com (avanetco.com is a legitimate commercial web hosting provider\r\nheadquartered in Iran).\r\nTitle response: “Pardus – TÜBİTAK”\r\nRedirect: Clicking “Turkish language” takes you to https://pardus.org.tr/en/ (a legitimate website with a very similar\r\ndesign). 
This choice demonstrates cultural and technical knowledge of the technology landscape in Türkiye, and the\r\ncountry’s technological independence.\r\nFigure 13: Fake website hosted on roseserve[.]org, mimicking the legitimate Pardus website.\r\nTimeline:\r\nJune 12-18, 2025: Threat actor prepares and configures 2.56.127[.]187.\r\nJune 23, 2025: roseserve[.]org domain is purchased.\r\nJune 29, 2025: Historical snapshot shows an impersonation of the Anadolu Agency (a news agency headquartered in\r\nTürkiye) website – see Figure 14, below.\r\nFigure 14: An early attempt at impersonating a real news agency’s website on roseserve[.]org.\r\nHosting Information:\r\nThe C2 server roseserve[.]org runs on 2.56.127[.]187.\r\nOwner: DEDIPATH-LLC\r\nASN: AS 35913\r\nCountry: U.S.\r\nCIDRs: 2[.]56.127.0/24\r\nSecondary owner: STARK-INDUSTRIES\r\nASN: AS 44477\r\nCountry: GB\r\nCIDRs: 2[.]56.127.0/24\r\nWebsite Comparison:\r\nHunting pivot for fake Pardus banner: \\n\\t\\tPardus – TÜBİTAK\\t\r\nOriginal header: “Home – Pardus – TÜBİTAK” (TÜBİTAK is the Scientific and Technological Research Council of\r\nTürkiye, the developer of the Pardus operating system).\r\nOriginal/legitimate pardus.org.tr: Points to real domain on IP address 193.140.63.90 (Türkiye).\r\nFigure 15: Legitimate Pardus website.\r\nFigure 16: Network infrastructure and implant deployment timeline.\r\nRemote Control Arsenal:\r\nThe code receives data in this order: C2 command + arguments.\r\nAvailable Commands:\r\n3Up3 – Downloads a file from a remote server, adds the .exe extension to it, and runs it. The URL is passed to this\r\nfunction as a parameter. 
This command transforms victim workstations into staging platforms for additional malware\r\ndeployment, enabling the threat actor to adapt their tools based on discovered network data and security measures.\r\n3gnfm9 – Unknown function.\r\n3gjdfghj6 – Executes threat actor commands via cmd.exe and reports results to C2. It provides direct system access,\r\nenabling the threat actor to operate with the same privileges as a legitimate employee.\r\n3ngjfng5 – Uploads stolen data to C2.\r\n3CRT3 – Unknown function.\r\n3APC3 – Shellcode loader command: Receives filename and process startup string. The process is launched via cmd,\r\nwith the code injecting data from the file into the running process. Essentially, this is a shellcode loader command.\r\nThe process can be any process, and the file can be any file, but it must already exist in the system. They most likely\r\ndeploy it to the victim using other commands. In this context, the C2 code launches QueueUserAPC for\r\nasynchronous thread execution.\r\n3SC3 – Screenshot command: Takes a screenshot and sends it to the server. (“SC” in this command is likely an\r\nabbreviation for Screenshot)\r\nVictimology\r\nThe target of the campaign analyzed in this report is Türkiye, which Dropping Elephant most likely seeks to undermine via\r\ntheir cyber-espionage campaign against a major Turkish defense contractor and weapons manufacturer headquartered in the\r\ncountry. 
The company specializes in space systems, air defense systems, land systems, naval systems, missile systems,\r\nballistic systems, and subsystems.\r\nHow Arctic Wolf Protects Its Customers\r\nArctic Wolf is committed to ending cyber risk, and when active campaigns are identified, we move quickly to protect our\r\ncustomers.\r\nArctic Wolf Labs has leveraged threat intelligence around Dropping Elephant’s activity to implement new detections in the\r\nArctic Wolf® Aurora™ Platform to protect customers. As we discover new information, we will enhance our detections to\r\naccount for additional IOCs and techniques leveraged by this threat group.\r\nConclusion\r\nThe campaign analyzed in this blog exhibits highly strategic victim selection focused on Türkiye’s defense industrial base,\r\nspecifically precision-guided weapons manufacturing capabilities. The timing of this targeted campaign aligns with Turkish\r\nmilitary cooperation agreements with Pakistan, indicating the threat actor’s awareness of geopolitical developments and the\r\nopportunity to strategically exploit them through social engineering techniques.\r\nDropping Elephant demonstrates continued operational investment and development through architectural diversification\r\nfrom x64 DLL to x86 PE formats, and enhanced C2 protocol implementation through impersonation of legitimate websites.\r\nThe reduction in library dependencies and adoption of strtok-based command parsing indicates deliberate operational\r\nsecurity improvements and codebase optimization by the group. 
The five-stage execution chain employs established living-off-the-land binaries and scripts (LOLBAS) techniques, with VLC DLL side-loading representing the primary evasion\r\nmechanism.\r\nThe two-month preparation timeline from domain registration (June 2025) to active operations (July 2025) suggests careful\r\ncampaign execution planned well in advance of the July 28 – 29 Unmanned Aerial Vehicle conference in Istanbul, Türkiye,\r\nrather than ad-hoc or indiscriminate targeting.\r\nRecommendations\r\nAs with many historical Dropping Elephant campaigns, the group leverages social engineering and spear phishing emails to\r\nobtain initial access into victim environments. The group relies heavily on user interaction in their campaigns. Significant\r\neffort is put into creating convincing lures and enticing emails that victims are more likely to interact with; in this case,\r\ncentered around the upcoming conference about UAVs in Istanbul, Türkiye.\r\nSocial engineering and phishing emails are not completely remediated with security controls. However, educating users\r\nabout the risks of interacting with unsolicited emails, particularly if the emails originate from outside their organization or\r\ncall for urgent action, is a good start. Adding a “report phishing” button to your organization’s email solution can empower\r\nusers to report suspected phishing emails to your Security Operations Center (SOC) or IT security team.\r\nUser education, such as general security awareness training, is one of the important elements in preventing Dropping\r\nElephant and other groups from obtaining access to your organization. Ensure all employees are aware of good security\r\nhygiene practices. 
Fostering a culture where employees feel safe reporting suspected phishing attempts or potential security\r\nbreaches can greatly increase your organization’s chances of preventing a successful compromise.\r\nFor those without the time to devote to creating security training resources from scratch, the Arctic Wolf Managed Security\r\nAwareness® training solution delivers easily digestible security lessons for employees, including regular phishing\r\nsimulations and a “Report Phish” button, along with many other features.\r\nDropping Elephant’s primary motivation is espionage, focusing on obtaining long-term access to sensitive business and\r\nmilitary information. Recognizing this, network segmentation, or isolating sensitive information, can help reduce your attack\r\nsurface. Network segmentation limits where a threat actor can move through your environment and confines them to patient\r\nzero.\r\nAlso ensure your organization enforces the Principle of Least Privilege, both at the user level as well as the network level, to\r\nprevent threat groups from obtaining additional access if compromised.\r\nSome additional methods you might consider include:\r\nPatch Often, Update Always: The entire attack surface of an organization is fair game for a sophisticated threat\r\nactor, from the gateways and endpoints to the networks and servers. Organizations should make sure to keep\r\napplications and operating systems regularly updated, and consider employing virtual patching for legacy systems.\r\nPut Proactive Defenses in Place: Intrusion prevention and detection systems have their place among firewalls and\r\nsandboxes to prevent attackers from exploiting security gaps. 
Endpoint Detection and Response (EDR) platforms can\r\nuncover hidden red flags before it’s too late, so consider implementing enterprise solutions such as Arctic Wolf®\r\nAurora™ Endpoint Defense.\r\nEnforce “Least Privilege” Principles: Lock down tools or block the use of tools normally reserved for system\r\nadministrators. Behavior monitoring and application control can block unusual or suspicious routines executed by\r\nsuspicious files.\r\nConsider the use of Secure Email Gateway solutions, to help proactively filter out malicious emails.\r\nBy leveraging the Windows Defender Application Control in Microsoft Windows, organizations can assess which\r\ntools, software and applications are used within their digital environments. Locking down or continually reassessing\r\nsuch lists may reduce the likelihood of threat actors leveraging Living-off-the-Land (LOTL) binaries within their\r\nenvironment.\r\nStaffing a Security Operations Center to protect your company is a costly endeavor, and may not be feasible for many\r\norganizations. 
Arctic Wolf® Managed Detection and Response (MDR) provides 24×7 monitoring of your networks,\r\nendpoints, and cloud environments to detect, respond to, and remediate modern cyberattacks.\r\nFinally, consider leveraging contextual cyber threat intelligence (CTI) to build an organizational risk profile and\r\nmaintain updated threat models based on the geolocation, business profile and vertical your organization operates in.\r\nSuch an intelligence program can help organizations to anticipate attacks and prioritize defenses based on the\r\nknowledge of the adversary and their tradecraft.\r\nAppendix\r\nYARA Hunting and Detection Rule\r\nrule Dropping_Elephant_RAT {\r\n meta:\r\n description = \"Rule for detecting Dropping Elephant RAT\"\r\n last_modified = \"2025-07-16\"\r\n author = \"The Arctic Wolf Labs team\"\r\n version = \"1.0\"\r\n sha256 = \"8b6acc087e403b913254dd7d99f09136dc54fa45cf3029a8566151120d34d1c2\"\r\n strings:\r\n $a1 = \"%s=33up$!!$%s$!!$%s\" ascii wide\r\n $a2 = \"%s=uep$@$%s$@$%s\" ascii wide\r\n $a3 = \"%s=%s$!!$%s\" ascii wide\r\n $a4 = \"%s=%s$!!$%s$!!$%s\" ascii wide\r\n $a5 = \"%s=%s!$$$!%s\" ascii wide\r\n $a6 = \"%s=%s!@!%s!@!%lu\" ascii wide\r\n $a7 = \"%s=%s!$$$!%s!$$$!%s\" ascii wide\r\n $a8 = \"%s=error@$$@%s@$$@%s\" ascii wide\r\n $a9 = \"%s=%s$!!$%s$!!$%s$!!$%s$!!$%s$!!$%s$!!$\" ascii wide\r\n condition:\r\n (uint16(0) == 0x5A4D) and (filesize \u003c 1MB) and (all of ($a*))\r\n}\r\nIndicators of Compromise (IOCs)\r\nFile Indicators\r\nName SHA-256\r\nUnmanned_Vehicle_Systems_Conference_2025_In_Istanbul.lnk 341f27419becc456b52d6fbe2d223e8598065ac596fa8dec23cc722726\r\nUnmanned_Vehicle_Systems_Conference_2025_In_Istanbul.pdf 588021b5553838fae5498de40172d045b5168c8e608b8929a7309fd08\r\nlake (libvlc.dll) 2cd2a4f1fc7e4b621b29d41e42789c1365e5689b4e3e8686b80f80268\r\nvlc.log 
89ec9f19958a442e9e3dd5c96562c61229132f3acb539a6b919c15830\r\nDecrypted Shellcode 8b6acc087e403b913254dd7d99f09136dc54fa45cf3029a8566151120\r\nScheduled Task\r\nsaps \"C:\\Windows\\Tasks\\Winver\" -a \"/Create\", '/sc', 'minute', '/tn', 'NewErrorReport', '/tr', \"C:\\Windows\\Task\r\nNetwork Indicators\r\nexpouav[.]org – Dropping website\r\nroseserve[.]org – C2 server\r\nMutant Object\r\nSessions\\1\\BaseNamedObjects\\ghjghkj\r\nDetailed MITRE ATT\u0026CK® Mapping\r\nMITRE ID | Technique | Confirmed Procedure | Evidence\r\nT1566.001 | Spear-phishing Attachment | LNK file distributed as conference invitation | File: Unmanned_Vehicle_Systems_Conference_2025_In_Istanbul.lnk (SHA-256: 341f27419becc…etc.)\r\nT1059.001 | PowerShell | LNK file executes PowerShell with bypass and stealth parameters | Command: -ep 1;$ProgressPreference = 'SilentlyContinue'\r\nT1105 | Ingress Tool Transfer | PowerShell downloads five files from delivery infrastructure | Source: expouav[.]org via Wget\r\nT1036.005 | Match Legitimate Name or Location | Files renamed to legitimate Windows binary names | lama → vlc.exe, dalai → Winver.exe, lake → libvlc.dll\r\nT1027 | Obfuscated Files or Information | Shellcode encrypted and stored as log file | File: vlc.log with decryption key: 76bhu93FGRjZX5hj876bhu93FGRjX5\r\nT1574.002 | DLL Side-Loading | VLC Media Player loads malicious libvlc.dll | Host: vlc.exe, Malicious: libvlc.dll (SHA-256: 2cd2a4f1fc…etc.)\r\nT1055 | Process Injection | Shellcode injected into VLC player memory space | Target: VLC process, Payload: Decrypted x86 PE (SHA-256: 8b6acc087e…etc.)\r\nT1053.005 | Scheduled Task | PowerShell creates persistent scheduled task | Command: saps \"C:\\Windows\\Tasks\\Winver\" -a \"/Create\", '/sc', 'minute', '/tn', 'NewErrorReport'\r\nT1140 | Deobfuscate/Decode Files or Information | Runtime shellcode decryption within libvlc.dll | Input: vlc.log, Output: x86 PE (139.37 KB)\r\nT1070.006 | Timestomp | Compilation timestamp manipulation for anti-forensics | Backdated to: Fri Jul 26 09:12:19 2024 vs. actual campaign timeline (2025)\r\nT1562.001 | Disable or Modify Tools | PowerShell execution policy bypass | Parameter: -ep 1 (Execution policy bypass)\r\nT1082 | System Information Discovery | System profiling via Windows APIs | APIs: GetComputerNameW, GetUserNameW, Firmware information collection\r\nT1124 | System Time Discovery | System time and performance counter queries | Purpose: Sandboxing evasion and timing analysis\r\nT1497 | Virtualization/Sandbox Evasion | Processor feature detection for environment analysis | Checks: CPU capabilities, virtualization features\r\nT1113 | Screen Capture | Screenshot collection and processing | APIs: CreateStreamOnHGlobal, GetSystemMetrics(SM_CYSCREEN/SM_CXSCREEN)\r\nT1071.001 | Web Protocols | HTTPS communication with C2 server | C2: roseserve[.]org, Method: HTTP POST to /post endpoint\r\nT1573.001 | Symmetric Cryptography | Encrypted C2 communications | User-Agent: Mozilla/5.0 for traffic blending\r\nT1132.001 | Standard Encoding | Structured command parsing with delimiters | Parser: strtok function with $ delimiter\r\nT1102.002 | Bidirectional Communication | Command execution and data exfiltration | Commands: 3Up3, 3gnfm9, 3gjdfghj6, 3ngjfng5, 3CRT3, 3APC3, 3SC3\r\nT1041 | Exfiltration Over C2 Channel | System data and screenshots transmitted to C2 | Channel: HTTPS to roseserve[.]org\r\nT1583.001 | Acquire Infrastructure | Custom domains with legitimate site impersonation | Domains: expouav[.]org (mimics waset.org), roseserve[.]org (mimics pardus.org.tr)\r\nAbout Arctic Wolf Labs\r\nArctic Wolf Labs is a group of elite security researchers, data scientists, and security development engineers who explore\r\nsecurity topics to deliver cutting-edge threat research on new and emerging adversaries, develop and refine advanced threat\r\ndetection models with artificial intelligence and machine learning, and drive continuous improvement in the speed, scale,\r\nand detection efficacy of Arctic Wolf’s solution offerings.\r\nArctic Wolf Labs brings world-class security innovations to not only Arctic Wolf’s customer base, but the security\r\ncommunity at large.\r\nSource: https://arcticwolf.com/resources/blog/dropping-elephant-apt-group-targets-turkish-defense-industry/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://arcticwolf.com/resources/blog/dropping-elephant-apt-group-targets-turkish-defense-industry/"
	],
	"report_names": [
		"dropping-elephant-apt-group-targets-turkish-defense-industry"
	],
	"threat_actors": [
		{
			"id": "bbf66d2d-3d20-4026-a2b5-56b31eb65de4",
			"created_at": "2025-08-07T02:03:25.123407Z",
			"updated_at": "2026-04-10T02:00:03.668131Z",
			"deleted_at": null,
			"main_name": "ZINC EMERSON",
			"aliases": [
				"Confucius ",
				"Dropping Elephant ",
				"EHDevel ",
				"Manul ",
				"Monsoon ",
				"Operation Hangover ",
				"Patchwork ",
				"TG-4410 ",
				"Viceroy Tiger "
			],
			"source_name": "Secureworks:ZINC EMERSON",
			"tools": [
				"Enlighten Infostealer",
				"Hanove",
				"Mac OS X KitM Spyware",
				"Proyecto2",
				"YTY Backdoor"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "7ea1e0de-53b9-4059-802f-485884180701",
			"created_at": "2022-10-25T16:07:24.04846Z",
			"updated_at": "2026-04-10T02:00:04.84985Z",
			"deleted_at": null,
			"main_name": "Patchwork",
			"aliases": [
				"APT-C-09",
				"ATK 11",
				"Capricorn Organisation",
				"Chinastrats",
				"Dropping Elephant",
				"G0040",
				"Maha Grass",
				"Quilted Tiger",
				"TG-4410",
				"Thirsty Gemini",
				"Zinc Emerson"
			],
			"source_name": "ETDA:Patchwork",
			"tools": [
				"AndroRAT",
				"Artra Downloader",
				"ArtraDownloader",
				"AutoIt backdoor",
				"BADNEWS",
				"BIRDDOG",
				"Bahamut",
				"Bozok",
				"Bozok RAT",
				"Brute Ratel",
				"Brute Ratel C4",
				"CinaRAT",
				"Crypta",
				"ForeIT",
				"JakyllHyde",
				"Loki",
				"Loki.Rat",
				"LokiBot",
				"LokiPWS",
				"NDiskMonitor",
				"Nadrac",
				"PGoShell",
				"PowerSploit",
				"PubFantacy",
				"Quasar RAT",
				"QuasarRAT",
				"Ragnatela",
				"Ragnatela RAT",
				"SocksBot",
				"TINYTYPHON",
				"Unknown Logger",
				"WSCSPL",
				"Yggdrasil"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c81067e0-9dcb-4e3f-abb0-80126519c5b6",
			"created_at": "2022-10-25T15:50:23.285448Z",
			"updated_at": "2026-04-10T02:00:05.282202Z",
			"deleted_at": null,
			"main_name": "Patchwork",
			"aliases": [
				"Hangover Group",
				"Dropping Elephant",
				"Chinastrats",
				"Operation Hangover"
			],
			"source_name": "MITRE:Patchwork",
			"tools": [
				"NDiskMonitor",
				"QuasarRAT",
				"BackConfig",
				"TINYTYPHON",
				"AutoIt backdoor",
				"PowerSploit",
				"BADNEWS",
				"Unknown Logger"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2b29dd16-a06f-4830-81a1-365443bc54b8",
			"created_at": "2023-01-06T13:46:38.460047Z",
			"updated_at": "2026-04-10T02:00:02.983931Z",
			"deleted_at": null,
			"main_name": "QUILTED TIGER",
			"aliases": [
				"Chinastrats",
				"Sarit",
				"APT-C-09",
				"ZINC EMERSON",
				"ATK11",
				"G0040",
				"Orange Athos",
				"Thirsty Gemini",
				"Dropping Elephant"
			],
			"source_name": "MISPGALAXY:QUILTED TIGER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434485,
	"ts_updated_at": 1775792034,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e09dab2f5f93efe72777a3158469e5c0b11d3350.pdf",
		"text": "https://archive.orkl.eu/e09dab2f5f93efe72777a3158469e5c0b11d3350.txt",
		"img": "https://archive.orkl.eu/e09dab2f5f93efe72777a3158469e5c0b11d3350.jpg"
	}
}