An India-aligned advanced persistent threat group known as Dropping Elephant has launched sophisticated cyberattacks against Pakistan’s defense sector using a newly developed Python-based backdoor delivered through an MSBuild dropper.
The campaign demonstrates significant evolution in the threat actor’s tactics, techniques, and procedures, combining living-off-the-land binaries with custom malware to evade detection and establish persistent access to high-value targets.
Dropping Elephant, also tracked as Patchwork APT, Hangover Group, and APT-C-09, has deployed a complex multi-stage infection chain specifically designed to compromise organizations in Pakistan’s defense sector.
The attack begins with spear-phishing emails containing Pakistan defense-themed lures that deliver malicious ZIP archives to unsuspecting victims.
The archive contains an MSBuild project file that functions as a dropper, alongside a decoy PDF document intended to maintain operational security and reduce victim suspicion.
The attackers leverage MSBuild.exe, a legitimate Microsoft build tool, as a living-off-the-land binary to execute malicious code without triggering traditional security solutions.
This technique allows the threat actors to abuse trusted system processes for malicious purposes, significantly reducing the likelihood of detection by endpoint security products.
The MSBuild dropper employs dynamic API resolution and UTF-reverse encryption decoding to obscure its malicious functionality during static analysis.
Embedded Python Runtime
The dropper downloads and deploys an embedded Python runtime environment to the victim’s system, including pythonw.exe and associated DLL files such as python310.dll and python313.dll.
This self-contained Python environment enables the attackers to execute their backdoor without requiring the victim system to have Python already installed.
The malware creates multiple scheduled tasks named KeyboardDrivers, MsEdgeDrivers, and Microsoft Edge Update2Network to establish persistence and ensure the backdoor remains active even after system reboots.
At the core of the infection chain lies a marshalled Python bytecode backdoor disguised as python2_pycache.dll, a fake DLL file that contains the actual remote access trojan functionality.
This stealth approach allows the attackers to hide executable code within what appears to be a legitimate system library file.
The embedded Python runtime executes this marshalled bytecode directly, establishing command-and-control communication with attacker infrastructure hosted at domains including nexnxky.info and upxvion.info.
Security researchers assess with high confidence that this campaign aligns with Dropping Elephant’s established operational patterns and strategic objectives.
The threat group has historically focused on long-term espionage operations targeting Pakistan’s military, defense, and government sectors, particularly organizations involved in research and development, procurement units, and entities related to the National Radio and Telecommunication Corporation.
The sophisticated nature of the attack chain, combined with the specific targeting of Pakistan defense sector personnel, indicates a well-resourced state-aligned operation focused on intelligence collection.
The use of geofencing and region-restricted targeting suggests the attackers have implemented operational security measures to limit exposure of their infrastructure and techniques.
This calculated approach demonstrates the group’s intent to maintain persistent access to compromised networks while minimizing the risk of detection by security researchers and incident response teams outside the intended target region.
Detection Recommendations
Organizations in the defense sector should implement robust email security controls to detect and block spear-phishing attempts containing malicious attachments.
Security teams should monitor for unusual MSBuild.exe process execution, particularly instances spawned by unexpected parent processes or executing code from suspicious locations.
Network defenders should baseline normal scheduled task creation patterns and investigate new tasks with names mimicking legitimate Microsoft services.
Additionally, organizations should implement application allowlisting to prevent unauthorized Python interpreters from executing on endpoints and monitor for outbound connections to newly registered or suspicious domains associated with command-and-control infrastructure.
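As an added illustration of the monitoring advice above (not code from the article or from any vendor), the following Python rule set runs over constructed process-creation and scheduled-task events and flags the three behaviours described: MSBuild.exe started by an unexpected parent or fed a project file from a user-writable path, a Python interpreter running outside a sanctioned install root, and scheduled tasks that carry the campaign's task names or mimic Microsoft naming while running from a user profile. The event format, the parent-process baseline and the trusted Python roots are assumptions to be tuned per environment.

```python
import re

# Scheduled task names the article attributes to this campaign.
SUSPECT_TASK_NAMES = {"KeyboardDrivers", "MsEdgeDrivers", "Microsoft Edge Update2Network"}
# Assumed baseline: parents from which MSBuild.exe should not normally start (tune per environment).
UNEXPECTED_MSBUILD_PARENTS = {"outlook.exe", "explorer.exe", "winrar.exe", "7zfm.exe", "wscript.exe"}
# Assumed install roots for a sanctioned Python interpreter; anything else is an unmanaged runtime.
TRUSTED_PYTHON_ROOTS = ("c:\\program files\\python", "c:\\python")

# Constructed sample events in a simplified key="value" format (not a real EDR or Sysmon schema).
EVENTS = r"""
type=process image="C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe" parent="C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE" cmdline="MSBuild.exe C:\Users\u\AppData\Local\Temp\Rar$\brief.proj"
type=process image="C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe" parent="C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe" cmdline="MSBuild.exe Solution.sln"
type=process image="C:\Users\u\AppData\Roaming\MsEdge\pythonw.exe" parent="C:\Windows\System32\svchost.exe" cmdline="pythonw.exe loader.py"
type=task name="MsEdgeDrivers" action="C:\Users\u\AppData\Roaming\MsEdge\pythonw.exe"
type=task name="Microsoft Edge Update" action="C:\Users\u\AppData\Roaming\MsEdge\pythonw.exe"
type=task name="Adobe Acrobat Update Task" action="C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
"""

def parse_event(line: str) -> dict:
    # Keys are lower-cased; values keep their case with surrounding quotes stripped.
    return {k.lower(): v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}

def evaluate(event: dict) -> list:
    # Returns (rule, detail) pairs for one event; an empty list means nothing suspicious.
    findings = []
    if event.get("type") == "process":
        image = event.get("image", "").lower()
        exe = image.rsplit("\\", 1)[-1]
        parent_exe = event.get("parent", "").lower().rsplit("\\", 1)[-1]
        cmdline = event.get("cmdline", "").lower()
        if exe == "msbuild.exe" and parent_exe in UNEXPECTED_MSBUILD_PARENTS:
            findings.append(("msbuild_unexpected_parent", f"{exe} spawned by {parent_exe}"))
        # A project file handed to MSBuild from Temp/Downloads matches the ZIP-archive delivery described.
        if exe == "msbuild.exe" and re.search(r"\\(temp|downloads)\\", cmdline):
            findings.append(("msbuild_project_in_user_writable_path", cmdline))
        # A dropped, self-contained interpreter runs from a path no sanctioned installer uses.
        if exe in ("python.exe", "pythonw.exe") and not image.startswith(TRUSTED_PYTHON_ROOTS):
            findings.append(("python_outside_trusted_root", image))
    elif event.get("type") == "task":
        name, action = event.get("name", ""), event.get("action", "").lower()
        if name in SUSPECT_TASK_NAMES:
            findings.append(("task_name_known_campaign", name))
        # Generalisation: a Microsoft-sounding task whose action lives in a user profile is a mimic.
        elif re.search(r"(?i)microsoft|edge|driver", name) and "\\appdata\\" in action:
            findings.append(("task_mimics_microsoft_runs_from_appdata", f"{name} -> {action}"))
    return findings

def scan(log_text: str) -> list:
    return [f for line in log_text.splitlines() if line.strip() for f in evaluate(parse_event(line))]
```

Calling scan(EVENTS) yields five findings for the constructed sample, while the Visual Studio build and the Adobe update task produce none.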
