Dropping Elephant Hacker Group Attacks Defense Sector Using Python Backdoor via MSBuild Dropper

The India-aligned threat group Dropping Elephant has launched a multi-stage campaign against Pakistan's defense sector, delivering a Python-based remote access trojan through an MSBuild project file that serves as the dropper.

Security researchers identified the campaign, which uses defense-themed phishing lures to target military research and development units and procurement facilities linked to Pakistan's National Radio and Telecommunication Corporation.

The attack begins with a phishing email carrying a malicious ZIP archive. The archive contains an MSBuild project file that acts as the initial dropper, alongside a decoy PDF meant to look legitimate.

When the project file is run through MSBuild, the dropper downloads several components into the Windows Tasks directory and establishes persistence through scheduled tasks with innocuous-sounding names such as KeyboardDrivers and MsEdgeDrivers.

Researchers noted that Dropping Elephant applied obfuscation throughout the infection chain: strings are stored in an encoded form (described as "UTF-reverse" encoding) and rebuilt at runtime, and Windows API functions are resolved dynamically rather than imported, so static scanners see neither the strings nor the import table they would normally match on.

The chain shows a mature living-off-the-land approach: the first stage runs through MSBuild.exe, a signed Microsoft build tool already present on Windows hosts, rather than through a custom executable that would have to evade scrutiny on its own.

The Stealth Python Persistence Mechanism

The core of the operation is a complete embedded Python runtime deployed under the AppData directory. Alongside it sits a file named python2_pycache_.dll which, despite its .dll extension, holds marshalled Python bytecode rather than a PE library.

The payload is launched with pythonw.exe, the windowless Python interpreter, so no console window appears that might alert the user.
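As an added example (not code from the researchers, the page's source, or the malware), the following Python triage script checks whether files carrying a .dll extension are actually PE images and flags any that instead begin with a marshalled Python code object, which is the masquerade described above. The directory layout, the python3.dll stand-in and the sample contents are constructed for the demonstration; only the python2_pycache_.dll name comes from the article.

```python
"""Triage: find .dll files that are not PE images (e.g. marshalled Python bytecode)."""
import marshal
import struct
import tempfile
from pathlib import Path

E_LFANEW = 0x3C  # DOS-header field holding the file offset of the PE signature


def looks_like_pe(data: bytes) -> bool:
    """True if data starts with a DOS header whose e_lfanew points at a PE signature."""
    if len(data) < E_LFANEW + 4 or data[:2] != b"MZ":
        return False
    pe_off = struct.unpack_from("<I", data, E_LFANEW)[0]
    return data[pe_off:pe_off + 4] == b"PE\x00\x00"


def is_marshalled_code(data: bytes) -> bool:
    """Heuristic: a marshal stream for a code object starts with type byte 'c',
    possibly with the FLAG_REF bit (0x80) set, exactly as in .pyc payloads."""
    return bool(data) and (data[0] & 0x7F) == ord("c")


def scan_for_masquerading_dlls(root: Path) -> list[str]:
    """Return '<name>: <kind>' for every *.dll under root that is not a PE image."""
    findings = []
    for path in root.rglob("*.dll"):
        head = path.read_bytes()[:4096]  # headers are all we need for this check
        if looks_like_pe(head):
            continue
        kind = "marshalled Python code" if is_marshalled_code(head) else "non-PE data"
        findings.append(f"{path.name}: {kind}")
    return sorted(findings)


def build_minimal_pe_stub() -> bytes:
    """Constructed stand-in for a real DLL: a DOS header pointing at a PE signature.
    Enough for the header check above; it is not a loadable image."""
    header = bytearray(0x80)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, E_LFANEW, 0x40)
    header[0x40:0x44] = b"PE\x00\x00"
    return bytes(header)


def demo() -> list[str]:
    """Lay out a constructed AppData-style tree holding one real-looking DLL and one
    fake DLL containing marshalled bytecode, then scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "AppData" / "Roaming" / "python"
        root.mkdir(parents=True)
        (root / "python3.dll").write_bytes(build_minimal_pe_stub())
        code = compile("print('running from marshalled bytecode')", "<fake>", "exec")
        (root / "python2_pycache_.dll").write_bytes(marshal.dumps(code))
        return scan_for_masquerading_dlls(root)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Pointing scan_for_masquerading_dlls at a user's AppData tree turns this into a quick sweep for the same trick elsewhere; note that the check deliberately never calls marshal.loads on the suspect file, since executing or even deserializing untrusted bytecode is not something a triage script should do.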

The backdoor is organized into several modules, including client, commands, remote_module, and base.py, which together provide system control and information gathering on compromised hosts.

Command-and-control traffic goes to domains including nexnxky.info, upxvion.info, and soptr.info.

The recovered code uses heavily obfuscated variable names and base64-encoded command structures, which slows manual analysis.

File paths and Task Scheduler entries were chosen to mimic legitimate Windows components, letting the backdoor blend into normal system activity and stay dormant until it receives commands from attacker-controlled infrastructure.

This campaign underscores the persistent threat that APT groups pose to defense-critical organizations in South Asia.

Defenders should monitor for suspicious MSBuild.exe executions (in particular project files run from user-writable locations such as Downloads or Temp), for Python runtimes and pythonw.exe appearing under AppData or the Windows Tasks directory, and for scheduled tasks with unfamiliar driver-like names, and should keep phishing defenses such as attachment filtering and user reporting tight.
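As an added example, not code from the page's source or the researchers, here is a small Python hunt that applies those recommendations to a batch of constructed process-creation, file-creation and scheduled-task events in the shape a Sysmon or EDR export might produce. The rules use only indicators named in the article (MSBuild.exe as the dropper, the Windows Tasks staging directory, pythonw.exe under AppData, and the task names KeyboardDrivers and MsEdgeDrivers); treating an MSBuild project run from Downloads, Desktop or Temp as suspicious is my own assumption, and the event format, host paths, user name and file names other than python2_pycache_.dll are constructed.

```python
"""Hunt for the Dropping Elephant chain in constructed endpoint telemetry."""
import re

# Indicators taken from the article.
SUSPECT_TASK_NAMES = {"keyboarddrivers", "msedgedrivers"}
TASKS_DIR = re.compile(r"\\windows\\tasks\\", re.I)
APPDATA = re.compile(r"\\users\\[^\\]+\\appdata\\", re.I)
# Assumption: project files that legitimately build rarely live in these locations.
USER_WRITABLE = re.compile(
    r"\\(users\\[^\\]+\\(appdata|downloads|desktop)|windows\\temp|windows\\tasks)\\", re.I
)

# Constructed events (not real telemetry); field names mirror Sysmon concepts.
SAMPLE_EVENTS = [
    {"type": "process_create",
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "cmdline": r'MSBuild.exe "C:\Users\analyst\Downloads\tender\dropper.proj"'},
    {"type": "process_create",  # ordinary developer build, should not fire
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "cmdline": r'MSBuild.exe "C:\src\app\app.csproj"'},
    {"type": "file_create",
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "target": r"C:\Windows\Tasks\python2_pycache_.dll"},
    {"type": "task_create", "task_name": "KeyboardDrivers",
     "task_action": r"C:\Users\analyst\AppData\Roaming\python\pythonw.exe"},
    {"type": "task_create", "task_name": "MicrosoftEdgeUpdateTaskMachineCore",  # benign
     "task_action": r"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"},
    {"type": "process_create",
     "image": r"C:\Users\analyst\AppData\Roaming\python\pythonw.exe",
     "cmdline": r'pythonw.exe "C:\Users\analyst\AppData\Roaming\python\loader.py"'},
    {"type": "process_create",  # system-wide interpreter, should not fire
     "image": r"C:\Python312\pythonw.exe",
     "cmdline": r"pythonw.exe C:\tools\tray_app.py"},
]


def basename(path: str) -> str:
    """Last path component, lower-cased, for Windows-style paths."""
    return path.rsplit("\\", 1)[-1].lower()


def hunt(events: list[dict]) -> list[tuple[str, dict]]:
    """Return (rule_name, event) pairs for every event matching a rule."""
    hits = []
    for ev in events:
        kind = ev.get("type")
        image = ev.get("image", "")
        exe = basename(image)
        if kind == "process_create":
            if exe == "msbuild.exe" and USER_WRITABLE.search(ev.get("cmdline", "")):
                hits.append(("msbuild-project-from-user-path", ev))
            elif exe == "pythonw.exe" and APPDATA.search(image):
                hits.append(("pythonw-from-appdata", ev))
        elif kind == "file_create":
            if exe == "msbuild.exe" and TASKS_DIR.search(ev.get("target", "")):
                hits.append(("msbuild-writes-tasks-dir", ev))
        elif kind == "task_create":
            name = ev.get("task_name", "").lower()
            action = ev.get("task_action", "")
            if (name in SUSPECT_TASK_NAMES or TASKS_DIR.search(action)
                    or (APPDATA.search(action) and basename(action) == "pythonw.exe")):
                hits.append(("suspicious-scheduled-task", ev))
    return hits


def rule_names(events: list[dict]) -> list[str]:
    """Just the rule names, in event order, for quick reporting."""
    return [rule for rule, _ in hunt(events)]


if __name__ == "__main__":
    for rule, ev in hunt(SAMPLE_EVENTS):
        print(f"{rule}: {ev}")
```

Each rule is deliberately narrow so that a developer running MSBuild on a checked-out repository or a system-wide pythonw.exe does not fire; in a real deployment the MSBuild rule is the one most likely to need tuning, since some build agents do stage projects under Temp.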
