{
	"id": "decd8b85-70cf-4694-86ed-cecb8e10454d",
	"created_at": "2026-04-06T00:18:03.908472Z",
	"updated_at": "2026-04-10T03:37:20.353132Z",
	"deleted_at": null,
	"sha1_hash": "e97dcc6f64b2a5799c3e349e42e8fc6b6dcf28ea",
	"title": "Mysterious Elephant: a growing threat",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 229986,
	"plain_text": "Mysterious Elephant: a growing threat\r\nBy Noushin Shabab\r\nPublished: 2025-10-15 · Archived: 2026-04-05 22:08:46 UTC\r\nIntroduction\r\nMysterious Elephant is a highly active advanced persistent threat (APT) group that we at Kaspersky GReAT\r\ndiscovered in 2023. It has been consistently evolving and adapting its tactics, techniques, and procedures (TTPs)\r\nto stay under the radar. With a primary focus on targeting government entities and foreign affairs sectors in the\r\nAsia-Pacific region, the group has been using a range of sophisticated tools and techniques to infiltrate and\r\nexfiltrate sensitive information. Notably, Mysterious Elephant has been exploiting WhatsApp communications to\r\nsteal sensitive data, including documents, pictures, and archive files.\r\nThe group’s latest campaign, which began in early 2025, reveals a significant shift in their TTPs, with an\r\nincreased emphasis on using new custom-made tools as well as customized open-source tools, such as BabShell\r\nand MemLoader modules, to achieve their objectives. In this report, we will delve into the history of Mysterious\r\nElephant’s attacks, their latest tactics and techniques, and provide a comprehensive understanding of this threat.\r\nAdditional information about this threat is available to customers of the Kaspersky Intelligence Reporting Service.\r\nContact: intelreports@kaspersky.com.\r\nThe emergence of Mysterious Elephant\r\nMysterious Elephant is a threat actor we’ve been tracking since 2023. Initially, its intrusions resembled those of\r\nthe Confucius threat actor. However, further analysis revealed a more complex picture. We found that Mysterious\r\nElephant’s malware contained code from multiple APT groups, including Origami Elephant, Confucius, and\r\nSideWinder, which suggested deep collaboration and resource sharing between teams. 
Notably, our research\r\nindicates that the tools and code borrowed from the aforementioned APT groups were previously used by their\r\noriginal developers, but have since been abandoned or replaced by newer versions. However, Mysterious Elephant\r\nhas not only adopted these tools, but also continued to maintain, develop, and improve them, incorporating the\r\ncode into their own operations and creating new, advanced versions. The actor’s early attack chains featured\r\ndistinctive elements, such as remote template injections and exploitation of CVE-2017-11882, followed by the use\r\nof a downloader called “Vtyrei”, which was previously connected to Origami Elephant and later abandoned by\r\nthis group. Over time, Mysterious Elephant has continued to upgrade its tools and expand its operations, and we\r\neventually began tracking it as a distinct, previously unidentified threat actor.\r\nLatest campaign\r\nThe group’s latest campaign, which was discovered in early 2025, reveals a significant shift in their TTPs. They\r\nare now using a combination of exploit kits, phishing emails, and malicious documents to gain initial access to\r\ntheir targets. Once inside, they deploy a range of custom-made and open-source tools to achieve their objectives.\r\nhttps://securelist.com/mysterious-elephant-apt-ttps-and-tools/117596/\r\nPage 1 of 8\n\nIn the following sections, we’ll delve into the latest tactics and techniques used by Mysterious Elephant, including\r\ntheir new tools, infrastructure, and victimology.\r\nSpear phishing\r\nMysterious Elephant has started using spear phishing techniques to gain initial access. Phishing emails are tailored\r\nto each victim and are convincingly designed to mimic legitimate correspondence. The primary targets of this APT\r\ngroup are countries in the South Asia (SA) region, particularly Pakistan. 
Notably, the group shows a\r\nstrong interest in diplomatic institutions, which is reflected in the themes of the threat actor’s spear phishing\r\nemails and of the bait attachments.\r\nSpear phishing email used by Mysterious Elephant\r\nFor example, the decoy document above concerns Pakistan’s application for a non-permanent seat on the United\r\nNations Security Council for the 2025–2026 term.\r\nMalicious tools\r\nMysterious Elephant’s toolkit is a noteworthy aspect of their operations. The group has switched to using a variety\r\nof custom-made and open-source tools instead of employing known malware to achieve their objectives.\r\nPowerShell scripts\r\nThe threat actor uses PowerShell scripts to execute commands, deploy additional payloads, and establish\r\npersistence. These scripts are loaded from C2 servers and often use legitimate system administration tools, such as\r\ncurl and certutil, to download and execute malicious files.\r\nMalicious PowerShell script seen in Mysterious Elephant’s 2025 attacks\r\nFor example, the script above is used to download the next-stage payload and save it as ping.exe. It then\r\nschedules a task to execute the payload and send the results back to the C2 server. The task is set to run\r\nautomatically in response to changes in the network profile, ensuring persistence on the compromised system.\r\nSpecifically, it is triggered by events in the Microsoft-Windows-NetworkProfile/Operational log, which can\r\nindicate a new network connection. A four-hour delay is configured after the event, likely to help evade\r\ndetection: a sandbox will rarely keep a sample running for that long.\r\nBabShell\r\nOne of the most recent tools used by Mysterious Elephant is BabShell. This is a reverse shell tool written in C++\r\nthat enables attackers to connect to a compromised system. 
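Before the BabShell details, one practical check. The scheduled-task persistence described under PowerShell scripts above is easy to hunt for once task definitions are exported (schtasks /query /xml on the host, or Export-ScheduledTask in PowerShell). The block below is an added example written for this page, not the actor's script and not code from the report: it parses Task Scheduler XML and flags EventTrigger entries whose subscription watches Microsoft-Windows-NetworkProfile/Operational, reporting the configured delay and whether the action runs from a user-writable location. The embedded task XML is a constructed sample; the event it subscribes to (10000, network connected) and the payload path are assumptions, since the report shows neither.

```python
# Added example for this page (not the actor's script, not code from the
# report): hunt exported Task Scheduler XML for event-triggered persistence
# keyed on Microsoft-Windows-NetworkProfile/Operational. Export on a host with
# schtasks /query /xml /tn <task> or Export-ScheduledTask; here a constructed
# sample is embedded so the check runs offline.
import re
import xml.etree.ElementTree as ET

NS = {'t': 'http://schemas.microsoft.com/windows/2004/02/mit/task'}
WATCHED_CHANNELS = ('Microsoft-Windows-NetworkProfile/Operational',)
# Locations an unprivileged user can write to; a payload launched from here
# by a task deserves a look regardless of the trigger.
USER_WRITABLE = ('%appdata%', '%localappdata%', '%temp%', '%tmp%', '%public%', '\\users\\')

# Constructed sample mirroring the behaviour described in the report: a task
# that runs a payload named ping.exe after a network-profile event, with a
# four-hour delay. Event ID 10000 and the payload path are assumptions.
SAMPLE_TASK_XML = '''<Task version='1.2' xmlns='http://schemas.microsoft.com/windows/2004/02/mit/task'>
  <Triggers>
    <EventTrigger>
      <Enabled>true</Enabled>
      <Subscription>&lt;QueryList&gt;&lt;Query Id=&quot;0&quot; Path=&quot;Microsoft-Windows-NetworkProfile/Operational&quot;&gt;&lt;Select Path=&quot;Microsoft-Windows-NetworkProfile/Operational&quot;&gt;*[System[(EventID=10000)]]&lt;/Select&gt;&lt;/Query&gt;&lt;/QueryList&gt;</Subscription>
      <Delay>PT4H</Delay>
    </EventTrigger>
  </Triggers>
  <Actions Context='Author'>
    <Exec>
      <Command>%LOCALAPPDATA%\\ping.exe</Command>
    </Exec>
  </Actions>
</Task>'''

# Constructed benign control: a logon-triggered updater under Program Files.
BENIGN_TASK_XML = '''<Task version='1.2' xmlns='http://schemas.microsoft.com/windows/2004/02/mit/task'>
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context='Author'><Exec><Command>C:\\Program Files\\Vendor\\updater.exe</Command></Exec></Actions>
</Task>'''

def delay_seconds(delay):
    # Task Scheduler delays are ISO 8601 durations such as PT4H or PT30M.
    m = re.fullmatch(r'P(?:([0-9]+)D)?(?:T(?:([0-9]+)H)?(?:([0-9]+)M)?(?:([0-9]+)S)?)?', delay or '')
    if not m:
        return 0
    d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return d * 86400 + h * 3600 + mi * 60 + s

def triage_task(task_xml, long_delay=3600):
    # One finding per EventTrigger that subscribes to a watched channel. The
    # delay and the actions are included so an analyst can triage at a glance.
    root = ET.fromstring(task_xml)
    actions = []
    for ex in root.findall('.//t:Actions/t:Exec', NS):
        cmd = ex.findtext('t:Command', default='', namespaces=NS)
        args = ex.findtext('t:Arguments', default='', namespaces=NS)
        actions.append((cmd + ' ' + args).strip())
    findings = []
    for trig in root.findall('.//t:Triggers/t:EventTrigger', NS):
        sub = trig.findtext('t:Subscription', default='', namespaces=NS)
        channel = next((c for c in WATCHED_CHANNELS if c in sub), None)
        if channel is None:
            continue
        delay = delay_seconds(trig.findtext('t:Delay', default='', namespaces=NS))
        findings.append({
            'channel': channel,
            'delay_seconds': delay,
            'long_delay': delay >= long_delay,
            'user_writable_payload': any(tok in a.lower() for a in actions for tok in USER_WRITABLE),
            'actions': actions,
        })
    return findings

if __name__ == '__main__':
    for name, xml_text in (('sample', SAMPLE_TASK_XML), ('benign', BENIGN_TASK_XML)):
        print(name, triage_task(xml_text))
```

On a live host, feed the output of schtasks /query /xml /tn <name> to triage_task; those exports are UTF-16, so read them as bytes and let ElementTree honour the declaration. A long delay on its own is not malicious, which is why the finding carries the delay, the channel and the action together rather than a verdict.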
Upon execution, BabShell gathers system information,\r\nincluding username, computer name, and MAC address, to identify the machine. The malware then enters an\r\ninfinite loop of performing the following steps:\r\n1. It listens for and receives commands from the attacker-controlled C2 server.\r\n2. For each received command, BabShell creates a separate thread to execute it, allowing for concurrent\r\nexecution of multiple commands.\r\n3. The output of each command is captured and saved to a file named output_[timestamp].txt, where\r\n[timestamp] is the current time. This allows the attacker to review the results of the commands.\r\n4. The contents of the output_[timestamp].txt file are then transmitted back to the C2 server, providing\r\nthe attacker with the outcome of the executed commands and enabling them to take further actions, for\r\ninstance, deploy a next-stage payload or execute additional malicious instructions.\r\nBabShell uses the following commands to execute command-line instructions and additional payloads it receives\r\nfrom the server:\r\nCustomized open-source tools\r\nOne of the latest modules used by Mysterious Elephant and loaded by BabShell is MemLoader HidenDesk.\r\nMemLoader HidenDesk is a reflective PE loader that loads and executes malicious payloads in memory. It uses\r\nencryption and compression to evade detection.\r\nMemLoader HidenDesk operates in the following manner:\r\n1. The malware checks the number of active processes and terminates itself if there are fewer than 40\r\nprocesses running, a simple sandbox check: analysis VMs typically run far fewer processes than a user’s\r\nworkstation.\r\n2. It creates a shortcut to its executable and saves it in the autostart folder, ensuring it can restart itself after\r\na system reboot.\r\n3. The malware then creates a hidden desktop named “MalwareTech_Hidden” and switches to it, providing\r\na covert environment for its activities. 
This technique is borrowed from an open-source project on GitHub.\r\n4. Using an RC4-like algorithm with the key D12Q4GXl1SmaZv3hKEzdAhvdBkpWpwcmSpcD, the malware\r\ndecrypts a block of data from its own binary and executes it in memory as shellcode. The shellcode’s sole\r\npurpose is to load and execute a PE file, specifically a sample of the commercial RAT called “Remcos”\r\n(MD5: 037b2f6233ccc82f0c75bf56c47742bb).\r\nAnother recent loader malware used in the latest campaign is MemLoader Edge.\r\nMemLoader Edge is a malicious loader that embeds a sample of the VRat backdoor, utilizing encryption and\r\nevasion techniques.\r\nIt operates in the following manner:\r\n1. The malware performs a network connectivity test by attempting to connect to the legitimate website\r\nbing.com:445, which is expected to fail because TCP port 445 is not open on that host. If the connection were to\r\nsucceed, which suggests an emulator or sandbox that accepts any outbound connection, the malware would\r\ndrop an embedded picture on the machine and display a popup window with three unresponsive mocked-up\r\nbuttons, then enter an infinite loop. This is done to complicate detection and analysis.\r\n2. If the connection attempt fails, the malware iterates through a 1016-byte array to find the correct XOR\r\nkeys for decrypting the embedded PE file in two rounds. The process continues until the decrypted data\r\nstarts with the byte sequence MZ\\x90, indicating that the real XOR keys have been found within the array.\r\n3. If the malware is unable to find the correct XOR keys, it will display the same picture and popup window\r\nas before, followed by a message box containing an error message after the window is closed.\r\n4. 
Once the PE file is successfully decrypted, it is loaded into memory using reflective loading techniques.\r\nThe decrypted PE file is based on the open-source RAT vxRat, which is referred to as VRat due to the PDB\r\nstring found in the sample:\r\nC:\\Users\\admin\\source\\repos\\vRat_Client\\Release\\vRat_Client.pdb\r\nWhatsApp-specific exfiltration tools\r\nSpying on WhatsApp communications is a key aspect of the exfiltration modules employed by Mysterious\r\nElephant. They are designed to steal sensitive data from compromised systems. The attackers have implemented\r\nWhatsApp-specific features into their exfiltration tools, allowing them to target files shared through the WhatsApp\r\napplication and exfiltrate valuable information, including documents, pictures, archive files, and more. These\r\nmodules rely on recursive directory traversal to locate files, and on XOR-obfuscated strings and Base64-encoded\r\nuploads to hinder analysis and detection while sending the stolen data to the attackers’ C2 servers.\r\nUplo Exfiltrator\r\nThe Uplo Exfiltrator is a data exfiltration tool that targets specific file types and uploads them to the attackers’ C2\r\nservers. It uses a simple XOR decryption to deobfuscate C2 domain paths and employs a recursive depth-first\r\ndirectory traversal algorithm to identify valuable files. The malware specifically targets file types that are likely to\r\ncontain potentially sensitive data, including documents, spreadsheets, presentations, archives, certificates,\r\ncontacts, and images. 
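The XOR deobfuscation that Uplo applies to its C2 paths is the same primitive MemLoader Edge applies to its embedded PE, only with the keys hidden in a 1016-byte candidate array and the result checked against the MZ 0x90 signature. The block below is an added example written for this page, not code recovered from either tool: it recovers the two round keys by scanning candidate pairs, and adds the check an analyst should not skip, validating the e_lfanew pointer and the PE signature, because a 3-byte signature match can occur by chance. The candidate-array layout (127 aligned 8-byte keys) and the sample blob are assumptions constructed here; the report does not describe the layout.

```python
# Added example for this page, not code from MemLoader Edge or Uplo: recover
# the two XOR keys of a two-round XOR-encrypted PE by scanning a candidate-key
# array until the decrypted bytes start with MZ 0x90, then confirm the hit with
# a PE header check. The 1016-byte array is ASSUMED to hold 127 aligned 8-byte
# keys; the report does not describe the layout.
import random

KEY_LEN = 8
MZ_SIG = bytes((0x4D, 0x5A, 0x90))    # M Z 0x90, the signature the loader checks
PE_SIG = bytes((0x50, 0x45, 0, 0))    # P E NUL NUL at the offset stored in e_lfanew

def xor_repeat(data, key):
    # Repeating-key XOR; encryption and decryption are the same operation.
    # A single-byte or short key here is all Uplo-style string deobfuscation needs.
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def composite_key(k1, k2):
    # Two rounds of same-length repeating XOR collapse into one key: the
    # search could equally look for this composite directly.
    return bytes(a ^ b for a, b in zip(k1, k2))

def looks_like_pe(blob):
    # Beyond the 3-byte signature: e_lfanew (offset 0x3C) must point inside the
    # blob at a PE signature. This rejects chance matches on the first bytes.
    if len(blob) < 0x40 or blob[:3] != MZ_SIG:
        return False
    e_lfanew = int.from_bytes(blob[0x3C:0x40], 'little')
    return blob[e_lfanew:e_lfanew + 4] == PE_SIG

def candidate_keys(key_array):
    return [key_array[i:i + KEY_LEN] for i in range(0, len(key_array) - KEY_LEN + 1, KEY_LEN)]

def find_keys(blob, key_array):
    # Decrypt only the first 3 bytes while scanning (cheap), and do the full
    # decryption plus the PE check only on a signature hit.
    cands = candidate_keys(key_array)
    head = blob[:3]
    for k1 in cands:
        head1 = xor_repeat(head, k1)
        for k2 in cands:
            if xor_repeat(head1, k2) != MZ_SIG:
                continue
            plain = xor_repeat(xor_repeat(blob, k1), k2)
            if looks_like_pe(plain):
                return k1, k2, plain
    return None

def build_sample(seed=1337):
    # Constructed test data: a minimal MZ/PE-shaped blob (not a real PE) encrypted
    # with two keys taken from a pseudo-random 1016-byte candidate array.
    rnd = random.Random(seed)
    key_array = bytes(rnd.randrange(256) for _ in range(1016))
    cands = candidate_keys(key_array)
    k1, k2 = cands[17], cands[93]
    plain = bytearray(0x100)
    plain[:3] = MZ_SIG
    plain[0x3C:0x40] = (0x80).to_bytes(4, 'little')
    plain[0x80:0x84] = PE_SIG
    blob = xor_repeat(xor_repeat(bytes(plain), k2), k1)
    return blob, key_array, k1, k2

if __name__ == '__main__':
    blob, key_array, k1, k2 = build_sample()
    hit = find_keys(blob, key_array)
    print('recovered' if hit and composite_key(hit[0], hit[1]) == composite_key(k1, k2) else 'miss')
```

The search returns the first pair that passes both checks; because same-length XOR rounds compose, any pair with the same composite key is an equally valid answer, which is why the self-check compares composites rather than individual keys. If a real sample uses keys of different lengths the rounds no longer collapse, and the scan has to be adjusted to the layout observed in the binary.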
The targeted file extensions include .TXT, .DOC, .DOCX, .PDF, .XLS, .XLSX, .CSV, .PPT,\r\n.PPTX, .ZIP, .RAR, .7Z, .PFX, .VCF, .JPG, .JPEG, and .AXX. Two of these deserve attention: .PFX files are\r\nPKCS#12 key stores, and .AXX files are AxCrypt-encrypted documents, so private keys and already-encrypted\r\nmaterial are explicitly in scope.\r\nStom Exfiltrator\r\nThe Stom Exfiltrator is a frequently used exfiltration tool that recursively searches specific directories, including\r\nthe “Desktop” and “Downloads” folders, as well as all drives except the C drive, to collect files with predefined\r\nextensions. Its latest variant is specifically designed to target files shared through the WhatsApp application. This\r\nversion uses a hardcoded folder path to locate and exfiltrate such files:\r\n%AppData%\\\\Packages\\\\xxxxx.WhatsAppDesktop_[WhatsApp ID]\\\\LocalState\\\\Shared\\\\transfers\\\\\r\nThe targeted file extensions include .PDF, .DOCX, .TXT, .JPG, .PNG, .ZIP, .RAR, .PPTX, .DOC, .XLS, .XLSX,\r\n.PST, and .OST.\r\nChromeStealer Exfiltrator\r\nThe ChromeStealer Exfiltrator is another exfiltration tool used by Mysterious Elephant that targets Google\r\nChrome browser data, including cookies, tokens, and other sensitive information. It searches specific directories\r\nwithin the Chrome user data of the most recently used Google Chrome profile, including the IndexedDB directory\r\nand the “Local Storage” directory. The malware uploads all files found in these directories to the attacker-controlled C2 server, potentially exposing sensitive data like chat logs, contacts, and authentication tokens. The\r\nresponse from the C2 server suggests that this tool was also used to collect WhatsApp-related files, which fits,\r\nsince WhatsApp Web keeps its data in exactly those browser storage areas. The\r\nChromeStealer Exfiltrator employs string obfuscation to evade detection.\r\nInfrastructure\r\nMysterious Elephant’s infrastructure is a network of domains and IP addresses. The group has been using a range\r\nof techniques, including wildcard DNS records, to generate unique domain names for each request. 
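Wildcard records mean every query can carry a fresh, never-repeated hostname under the actor's domain, which is also what makes the pattern visible in resolver logs: the number of distinct names seen under one registered domain approaches the number of queries. The block below is an added example written for this page, not tooling from the report: it computes that ratio over a constructed resolver log and flags domains above a threshold. The log format and the domains are constructed (.test names, not indicators from the report), and the two-label apex heuristic is a simplification that a real deployment should replace with the Public Suffix List.

```python
# Added example for this page (not tooling from the report): measure how many
# distinct hostnames each registered domain receives in resolver logs. C2 behind
# a wildcard record, where every request carries a fresh label, shows up as a
# distinct-name count close to the query count.
from collections import defaultdict

# Constructed resolver log: <timestamp> <client> <qname> <qtype>. Domains are
# invented .test names, not indicators from the report.
SAMPLE_LOG = '''2025-03-01T08:00:01Z 10.0.0.7 q7f2k1.cloud.example-c2.test A
2025-03-01T08:00:09Z 10.0.0.7 a19xd0.cloud.example-c2.test A
2025-03-01T08:00:17Z 10.0.0.7 m3n8pp.cloud.example-c2.test A
2025-03-01T08:00:25Z 10.0.0.7 zz01ab.cloud.example-c2.test A
2025-03-01T08:00:33Z 10.0.0.7 e5e5e5.cloud.example-c2.test A
2025-03-01T08:00:41Z 10.0.0.7 r0r0r0.cloud.example-c2.test A
2025-03-01T08:01:00Z 10.0.0.7 www.example-news.test A
2025-03-01T08:01:05Z 10.0.0.7 www.example-news.test A
2025-03-01T08:01:30Z 10.0.0.9 mail.example-news.test A
2025-03-01T08:02:00Z 10.0.0.9 www.example-news.test A
2025-03-01T08:02:30Z 10.0.0.9 cdn.example-news.test A
2025-03-01T08:03:00Z 10.0.0.9 www.example-news.test A'''

def parse_line(line):
    ts, client, qname, qtype = line.split()
    return ts, client, qname.rstrip('.').lower(), qtype

def apex_of(qname, suffix_labels=2):
    # Simplification: the last two labels are taken as the registered domain.
    # Replace with a Public Suffix List lookup in production (co.uk, com.pk, ...).
    labels = qname.split('.')
    return '.'.join(labels[-suffix_labels:])

def subdomain_stats(lines):
    # Returns {apex: (query_count, distinct_name_count)}.
    queries = defaultdict(int)
    names = defaultdict(set)
    for line in lines:
        if not line.strip():
            continue
        _, _, qname, _ = parse_line(line)
        apex = apex_of(qname)
        queries[apex] += 1
        names[apex].add(qname)
    return {apex: (queries[apex], len(names[apex])) for apex in queries}

def flag_wildcard_c2(lines, min_queries=5, min_ratio=0.8):
    # Flag apex domains where almost every query carries a never-seen name.
    # min_queries keeps one-off lookups out; min_ratio is the share of distinct
    # names among queries. Expect false positives from CDNs and telemetry that
    # use per-client hostnames, so tune against a baseline of your own logs.
    flagged = {}
    for apex, (total, distinct) in subdomain_stats(lines).items():
        ratio = distinct / total
        if total >= min_queries and ratio >= min_ratio:
            flagged[apex] = {'queries': total, 'distinct_names': distinct, 'ratio': round(ratio, 2)}
    return flagged

if __name__ == '__main__':
    for apex, info in flag_wildcard_c2(SAMPLE_LOG.splitlines()).items():
        print(apex, info)
```

Run over a day of logs this is a triage list, not a verdict: the hits still need a look at who resolved them and what the subsequent connections carried, but it survives the churn of individual hostnames that defeats a plain indicator match.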
Per-request domain generation makes it\r\nchallenging for security researchers to track and monitor their activities, and it also means that indicator lists built\r\nfrom individual hostnames age quickly: a wildcard record answers for any label, so blocking and hunting should be\r\ndone at the registered-domain level. The attackers have also been using virtual\r\nprivate servers (VPS) and cloud services to host their infrastructure. This allows them to easily scale and adapt\r\ntheir operations to evade detection. According to our data, this APT group has utilized the services of numerous\r\nVPS providers in their operations. Nevertheless, our analysis of the statistics has revealed that Mysterious\r\nElephant appears to have a preference for certain VPS providers.\r\nVPS providers most commonly used by Mysterious Elephant\r\nVictimology\r\nMysterious Elephant’s primary targets are government entities and foreign affairs sectors in the Asia-Pacific\r\nregion. The group has been focusing on Pakistan, Bangladesh, and Sri Lanka, with a lower number of victims in\r\nother countries. The attackers have been using highly customized payloads tailored to specific individuals,\r\nhighlighting their sophistication and focus on targeted attacks.\r\nThe group’s victimology is characterized by a high degree of specificity. Attackers often use personalized phishing\r\nemails and malicious documents to gain initial access. Once inside, they employ a range of tools and techniques to\r\nescalate privileges, move laterally, and exfiltrate sensitive information.\r\nMost targeted countries: Pakistan, Bangladesh, Afghanistan, Nepal and Sri Lanka\r\nCountries targeted most often by Mysterious Elephant\r\nPrimary targets: government entities and foreign affairs sectors\r\nIndustries most targeted by Mysterious Elephant\r\nConclusion\r\nMysterious Elephant is a highly sophisticated and active Advanced Persistent Threat group that\r\nposes a significant threat to government entities and foreign affairs sectors in the Asia-Pacific region. 
Through\r\ntheir continuous evolution and adaptation of tactics, techniques, and procedures, the group has demonstrated the\r\nability to evade detection and infiltrate sensitive systems. The use of custom-made and open-source tools, such as\r\nBabShell and MemLoader, highlights their technical expertise and willingness to invest in developing advanced\r\nmalware.\r\nThe group’s focus on targeting specific organizations, combined with their ability to tailor their attacks to specific\r\nvictims, underscores the severity of the threat they pose. The exfiltration of sensitive information, including\r\ndocuments, pictures, and archive files, can have significant consequences for national security and global stability.\r\nTo counter the Mysterious Elephant threat, it is essential for organizations to implement robust security measures,\r\nincluding regular software updates, network monitoring, and employee training. Additionally, international\r\ncooperation and information sharing among cybersecurity professionals, governments, and industries are crucial\r\nin tracking and disrupting the group’s activities.\r\nUltimately, staying ahead of Mysterious Elephant and other APT groups requires a proactive and collaborative\r\napproach to cybersecurity. By understanding their TTPs, sharing threat intelligence, and implementing effective\r\ncountermeasures, we can reduce the risk of successful attacks and protect sensitive information from falling into\r\nthe wrong hands.\r\nIndicators of compromise\r\nMore IoCs are available to customers of the Kaspersky Intelligence Reporting Service. 
Contact:\r\nintelreports@kaspersky.com.\r\nFile hashes (MD5)\r\nMalicious documents\r\nc12ea05baf94ef6f0ea73470d70db3b2 M6XA.rar\r\n8650fff81d597e1a3406baf3bb87297f 2025-013-PAK-MoD-Invitation_the_UN_Peacekeeping.rar\r\nMemLoader HidenDesk\r\n658eed7fcb6794634bbdd7f272fcf9c6 STI.dll\r\n4c32e12e73be9979ede3f8fce4f41a3a STI.dll\r\nMemLoader Edge\r\n3caaf05b2e173663f359f27802f10139 Edge.exe, debugger.exe, runtime.exe\r\nbc0fc851268afdf0f63c97473825ff75\r\nBabShell\r\n85c7f209a8fa47285f08b09b3868c2a1\r\nf947ff7fb94fa35a532f8a7d99181cf1\r\nUplo Exfiltrator\r\ncf1d14e59c38695d87d85af76db9a861 SXSHARED.dll\r\nStom Exfiltrator\r\nff1417e8e208cadd55bf066f28821d94\r\n7ee45b465dcc1ac281378c973ae4c6a0 ping.exe\r\nb63316223e952a3a51389a623eb283b6 ping.exe\r\ne525da087466ef77385a06d969f06c81\r\n78b59ea529a7bddb3d63fcbe0fe7af94\r\nChromeStealer Exfiltrator\r\n9e50adb6107067ff0bab73307f5499b6 WhatsAppOB.exe\r\nDomains/IPs\r\nhxxps://storycentral[.]net\r\nhxxp://listofexoticplaces[.]com\r\nhxxps://monsoonconference[.]com\r\nhxxp://mediumblog[.]online:4443\r\nhxxp://cloud.givensolutions[.]online:4443\r\nhxxp://cloud.qunetcentre[.]org:443\r\nsolutions.fuzzy-network[.]tech\r\npdfplugins[.]com\r\nfile-share.officeweb[.]live\r\nfileshare-avp.ddns[.]net\r\n91.132.95[.]148\r\n62.106.66[.]80\r\n158.255.215[.]45\r\nSource: https://securelist.com/mysterious-elephant-apt-ttps-and-tools/117596/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://securelist.com/mysterious-elephant-apt-ttps-and-tools/117596/"
	],
	"report_names": [
		"117596"
	],
	"threat_actors": [
		{
			"id": "2ac63ef4-a7b8-4a30-96ad-b30ccb2073fc",
			"created_at": "2022-10-25T16:07:23.546262Z",
			"updated_at": "2026-04-10T02:00:04.651083Z",
			"deleted_at": null,
			"main_name": "Donot Team",
			"aliases": [
				"APT-C-35",
				"Mint Tempest",
				"Origami Elephant",
				"SectorE02"
			],
			"source_name": "ETDA:Donot Team",
			"tools": [
				"BackConfig",
				"EHDevel",
				"Jaca",
				"yty"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "bbf66d2d-3d20-4026-a2b5-56b31eb65de4",
			"created_at": "2025-08-07T02:03:25.123407Z",
			"updated_at": "2026-04-10T02:00:03.668131Z",
			"deleted_at": null,
			"main_name": "ZINC EMERSON",
			"aliases": [
				"Confucius ",
				"Dropping Elephant ",
				"EHDevel ",
				"Manul ",
				"Monsoon ",
				"Operation Hangover ",
				"Patchwork ",
				"TG-4410 ",
				"Viceroy Tiger "
			],
			"source_name": "Secureworks:ZINC EMERSON",
			"tools": [
				"Enlighten Infostealer",
				"Hanove",
				"Mac OS X KitM Spyware",
				"Proyecto2",
				"YTY Backdoor"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2864e40a-f233-4618-ac61-b03760a41cbb",
			"created_at": "2023-12-01T02:02:34.272108Z",
			"updated_at": "2026-04-10T02:00:04.97558Z",
			"deleted_at": null,
			"main_name": "WildCard",
			"aliases": [],
			"source_name": "ETDA:WildCard",
			"tools": [
				"RustDown",
				"SysJoker"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "7a8dbc5e-51a8-437a-8540-7dcb1cc110b8",
			"created_at": "2022-10-25T16:07:23.482856Z",
			"updated_at": "2026-04-10T02:00:04.627414Z",
			"deleted_at": null,
			"main_name": "Confucius",
			"aliases": [
				"G0142"
			],
			"source_name": "ETDA:Confucius",
			"tools": [
				"ApacheStealer",
				"ByeByeShell",
				"ChatSpy",
				"Confucius",
				"MY24",
				"Sneepy",
				"remote-access-c3",
				"sctrls",
				"sip_telephone",
				"swissknife2"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d0c0a5ea-3066-42a5-846c-b13527f64a3e",
			"created_at": "2023-01-06T13:46:39.080551Z",
			"updated_at": "2026-04-10T02:00:03.206572Z",
			"deleted_at": null,
			"main_name": "RAZOR TIGER",
			"aliases": [
				"APT-C-17",
				"T-APT-04",
				"SideWinder"
			],
			"source_name": "MISPGALAXY:RAZOR TIGER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f5339d7c-473e-4b49-b44c-189b4f72b585",
			"created_at": "2024-12-28T02:01:54.8259Z",
			"updated_at": "2026-04-10T02:00:04.778045Z",
			"deleted_at": null,
			"main_name": "Mysterious Elephant",
			"aliases": [
				"APT-K-47"
			],
			"source_name": "ETDA:Mysterious Elephant",
			"tools": [
				"ORPCBackdoor"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "caf95a6f-2705-4293-9ee1-6b7ed9d9eb4c",
			"created_at": "2022-10-25T15:50:23.472432Z",
			"updated_at": "2026-04-10T02:00:05.352882Z",
			"deleted_at": null,
			"main_name": "Confucius",
			"aliases": [
				"Confucius",
				"Confucius APT"
			],
			"source_name": "MITRE:Confucius",
			"tools": [
				"WarzoneRAT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "256a6a2d-e8a2-4497-b399-628a7fad4b3e",
			"created_at": "2023-11-30T02:00:07.299845Z",
			"updated_at": "2026-04-10T02:00:03.484788Z",
			"deleted_at": null,
			"main_name": "WildCard",
			"aliases": [],
			"source_name": "MISPGALAXY:WildCard",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6b9fc913-06c6-4432-8c58-86a3ac614564",
			"created_at": "2022-10-25T16:07:24.185236Z",
			"updated_at": "2026-04-10T02:00:04.893541Z",
			"deleted_at": null,
			"main_name": "SideWinder",
			"aliases": [
				"APT-C-17",
				"APT-Q-39",
				"BabyElephant",
				"G0121",
				"GroupA21",
				"HN2",
				"Hardcore Nationalist",
				"Rattlesnake",
				"Razor Tiger",
				"SideWinder",
				"T-APT-04"
			],
			"source_name": "ETDA:SideWinder",
			"tools": [
				"BroStealer",
				"Capriccio RAT",
				"callCam"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "173f1641-36e3-4bce-9834-c5372468b4f7",
			"created_at": "2022-10-25T15:50:23.349637Z",
			"updated_at": "2026-04-10T02:00:05.3486Z",
			"deleted_at": null,
			"main_name": "Sidewinder",
			"aliases": [
				"Sidewinder",
				"T-APT-04"
			],
			"source_name": "MITRE:Sidewinder",
			"tools": [
				"Koadic"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434683,
	"ts_updated_at": 1775792240,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e97dcc6f64b2a5799c3e349e42e8fc6b6dcf28ea.pdf",
		"text": "https://archive.orkl.eu/e97dcc6f64b2a5799c3e349e42e8fc6b6dcf28ea.txt",
		"img": "https://archive.orkl.eu/e97dcc6f64b2a5799c3e349e42e8fc6b6dcf28ea.jpg"
	}
}