Elephant APT Group Attacking Defense Industry Leveraging VLC Player, and Encrypted Shellcode

The Dropping Elephant advanced persistent threat group has launched a sophisticated cyber-espionage campaign targeting Turkish defense contractors, particularly companies manufacturing precision-guided missile systems.

This malicious operation represents a significant evolution in the group’s capabilities, employing a complex five-stage execution chain that cleverly disguises malicious payloads as legitimate conference invitations related to unmanned vehicle systems.

The attack begins with a weaponized LNK file named “Unmanned_Vehicle_Systems_Conference_2025_In_Istanbul.lnk” that masquerades as an invitation to a UAV conference scheduled for July 2025 in Istanbul.

Upon execution, the file initiates a PowerShell-based download sequence that retrieves multiple components from the malicious domain expouav[.]org, which impersonates the legitimate conference website waset.org.

Arctic Wolf researchers identified this campaign as part of Dropping Elephant’s expanded targeting scope, noting the group’s strategic shift from traditional South Asian targets to NATO-allied defense industries.

The timing coincides with heightened Turkey-Pakistan defense cooperation and regional military tensions, suggesting geopolitically motivated intelligence gathering objectives.

The malware demonstrates sophisticated evasion techniques by abusing legitimate software components, specifically VLC Media Player and Microsoft Task Scheduler, through DLL side-loading mechanisms.

This approach allows the threat actors to blend malicious activities with trusted processes, significantly reducing detection probabilities by security solutions.

Advanced Persistence and Command Execution Framework

The campaign’s most notable innovation lies downloads five distinct files with deliberately obfuscated extensions.

The PowerShell execution employs stealth parameters including -ep 1 for execution policy bypass and $ProgressPreference="SilentlyContinue" to suppress visual indicators during the download process.

The attack chain begins by downloading a legitimate VLC Media Player executable (originally named “lama”) alongside a malicious libvlc.dll library (originally “lake”).

This DLL serves as a shellcode loader responsible for decrypting and executing the final payload stored in vlc.log. The decryption process utilizes a hardcoded key “76bhu93FGRjZX5hj876bhu93FGRjX5” to transform the encrypted shellcode into a functional x86 PE executable.

Persistence is established through a scheduled task created via the command:-

saps "C:WindowsTasksWinver" -a "/Create", '/sc', 'minute', '/tn', 'NewErrorReport', '/tr', "C:WindowsTasksvlc", '/f';

This task executes the compromised VLC player every minute, ensuring continuous system access while maintaining the appearance of legitimate media player activity.

The final payload communicates with the command-and-control server roseserve[.]org, which impersonates Turkey’s Pardus Linux distribution website.

The malware creates a mutex named “ghjghkj” to prevent multiple instances and implements seven distinct command handlers, including screenshot capture (3SC3), file upload (3ngjfng5), and remote code execution (3gjdfghj6) capabilities, providing comprehensive system control to the attackers.

Experience faster, more accurate phishing detection and enhanced protection for your business with real-time sandbox analysis-> Try ANY.RUN now