Dropping Elephant APT Group Exploits VLC Player and Encrypted Shellcode in Attacks on Defense Sector
Arctic Wolf Labs has uncovered a sophisticated cyber-espionage operation attributed to the Dropping Elephant advanced persistent threat (APT) group, also known as Patchwork or Quilted Tiger, that targets Turkish defense contractors specializing in precision-guided missile systems.
The campaign, which began active operations in July 2025, employs a five-stage execution chain initiated through spear-phishing emails containing malicious LNK files masquerading as invitations to the “Unmanned Vehicle Systems Conference 2025” in Istanbul.
The lures abuse legitimate binaries for defense evasion: VLC Media Player is used as the host for DLL side-loading, and a renamed copy of the Windows Task Scheduler command-line utility is used for persistence. This marks a notable evolution from the group's x64 DLL variants observed in November 2024 to leaner x86 PE executables with a simplified command structure and fewer library dependencies.
Emerging Cyber-Espionage Campaign
The attack’s timing aligns with intensified Türkiye-Pakistan defense collaborations and escalating India-Pakistan military tensions, suggesting a geopolitically motivated effort to gather strategic intelligence on NATO-interoperable technologies and hypersonic missile capabilities.
In the attack chain, the malicious LNK file triggers a PowerShell script that downloads five components from the domain expouav[.]org, registered on June 25, 2025, which mimics the legitimate waset.org conference site.
These are a decoy PDF for distraction, a legitimate VLC executable (renamed to vlc.exe after download), a malicious DLL (downloaded as "lake" and renamed libvlc.dll) that loads the shellcode, a renamed copy of the Windows Task Scheduler command-line utility (Winver.exe), and the encrypted shellcode stored as vlc.log.

Persistence is established with a scheduled task named "NewErrorReport" that runs every minute (/sc minute) and launches the relocated vlc.exe. VLC then side-loads the malicious libvlc.dll, which decrypts vlc.log with the hardcoded key "76bhu93FGRjZX5hj876bhu93FGRjX5" and executes the resulting shellcode.
The decrypted x86 PE payload, with SHA-256 8b6acc087e403b913254dd7d99f09136dc54fa45cf3029a8566151120d34d1c2, performs reconnaissance by creating a mutex (ghjghkj), gathering system details like computer name and username, querying firmware and processor features for sandbox evasion, and capturing screenshots for exfiltration.
Network communications blend in with legitimate traffic by using a Mozilla/5.0 user-agent string and querying external services for IP geolocation before reporting to the command-and-control (C2) server roseserve[.]org. That domain, registered on June 23, 2025, impersonates the Turkish Pardus Linux project and is hosted on U.S. and U.K. infrastructure tied to the Iranian VPS reseller Avanetco.
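The chain above (renamed scheduler utility, task action in C:\Windows\Tasks, vlc.exe running outside its install tree, libvlc.dll resolved from the staging directory, the known mutex, hashes and domains) is what a hunter would look for in endpoint telemetry. The following is an added example, not Arctic Wolf's or the campaign's code: it runs simple checks over Sysmon-style events. The event schema, the constructed sample events, the "MutexCreate" event type, the assumed VLC install directories, and the assumption that the renamed "Task Scheduler" binary is schtasks.exe (consistent with the /Create /sc /tn /tr syntax in the IOC table) are all assumptions made here.

```python
"""Hunt for the VLC side-loading persistence chain described above in
Sysmon-style process, image-load, DNS and file events.

Added example, not Arctic Wolf's or the campaign's code. The event schema
and SAMPLE_EVENTS are constructed for illustration; field names follow
Sysmon naming, but "MutexCreate" is invented here to stand in for sandbox output.
"""
from typing import Dict, List

# Indicators as stated in the report.
KNOWN_TASK = "newerrorreport"
KNOWN_MUTEX = "ghjghkj"
KNOWN_DOMAINS = {"expouav.org", "roseserve.org"}
KNOWN_SHA256 = {
    "341f27419becc456b52d6fbe2d223e8598065ac596fa8dec23cc722726a28f62",  # malicious LNK
    "2cd2a4f1fc7e4b621b29d41e42789c1365e5689b4e3e8686b80f80268e2c0d8d",  # libvlc.dll
    "89ec9f19958a442e9e3dd5c96562c61229132f3acb539a6b919c15830f403553",  # vlc.log
    "8b6acc087e403b913254dd7d99f09136dc54fa45cf3029a8566151120d34d1c2",  # decrypted payload
}
# Staging directory taken from the scheduled-task IOC.
STAGING_DIR = "c:\\windows\\tasks\\"
# Assumption: a legitimate VLC runs from its install tree; anywhere else is suspect.
EXPECTED_VLC_DIRS = ("c:\\program files\\videolan\\", "c:\\program files (x86)\\videolan\\")


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _dir(path: str) -> str:
    """Lower-cased directory of a Windows path, with trailing backslash."""
    p = path.replace("/", "\\").lower()
    return p[: p.rfind("\\") + 1]


def check_event(ev: Dict) -> List[str]:
    """Return finding strings for one event; an empty list means nothing matched."""
    hits: List[str] = []
    kind = ev["EventType"]
    if kind == "ProcessCreate":
        image = ev["Image"]
        cmd = ev.get("CommandLine", "").lower()
        # Renamed schtasks.exe: the PE version resource still names the original.
        # (Assumes the renamed "Task Scheduler" binary is schtasks.exe, which matches
        # the /Create /sc /tn /tr syntax in the IOC table.)
        if ev.get("OriginalFileName", "").lower() == "schtasks.exe" and _base(image) != "schtasks.exe":
            hits.append(f"renamed schtasks.exe launched as {image}")
        # Task creation whose action lives in the staging directory, or uses the known task name.
        if "/create" in cmd and (STAGING_DIR in cmd or KNOWN_TASK in cmd):
            hits.append(f"scheduled-task persistence: {ev['CommandLine']}")
        # vlc.exe started from outside its install tree (side-load staging).
        if _base(image) == "vlc.exe" and not _dir(image).startswith(EXPECTED_VLC_DIRS):
            hits.append(f"vlc.exe running from unexpected path {image}")
    elif kind == "ImageLoad":
        loaded = ev["ImageLoaded"]
        # libvlc.dll resolved from anywhere but the VLC install tree is the side-load itself.
        if _base(loaded) == "libvlc.dll" and not _dir(loaded).startswith(EXPECTED_VLC_DIRS):
            hits.append(f"possible libvlc.dll side-load: {loaded} loaded by {ev['Image']}")
    elif kind == "DnsQuery":
        if ev["QueryName"].lower().rstrip(".") in KNOWN_DOMAINS:
            hits.append(f"known campaign domain queried: {ev['QueryName']}")
    elif kind == "FileCreate":
        if ev.get("SHA256", "").lower() in KNOWN_SHA256:
            hits.append(f"known campaign file hash: {ev['TargetFilename']}")
    elif kind == "MutexCreate":
        if ev["Name"].lower().rsplit("\\", 1)[-1] == KNOWN_MUTEX:
            hits.append(f"known campaign mutex: {ev['Name']}")
    return hits


def hunt(events: List[Dict]) -> List[str]:
    """Run check_event over a stream of events and collect every finding."""
    return [hit for ev in events for hit in check_event(ev)]


# Constructed telemetry: the chain from the article, followed by a benign VLC baseline.
SAMPLE_EVENTS = [
    {"EventType": "FileCreate", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "TargetFilename": "C:\\Windows\\Tasks\\vlc.log",
     "SHA256": "89ec9f19958a442e9e3dd5c96562c61229132f3acb539a6b919c15830f403553"},
    {"EventType": "ProcessCreate", "Image": "C:\\Windows\\Tasks\\Winver.exe",
     "OriginalFileName": "schtasks.exe",
     "CommandLine": "Winver /Create /sc minute /tn NewErrorReport /tr C:\\Windows\\Tasks\\vlc /f"},
    {"EventType": "ProcessCreate", "Image": "C:\\Windows\\Tasks\\vlc.exe",
     "OriginalFileName": "vlc.exe", "CommandLine": "C:\\Windows\\Tasks\\vlc"},
    {"EventType": "ImageLoad", "Image": "C:\\Windows\\Tasks\\vlc.exe",
     "ImageLoaded": "C:\\Windows\\Tasks\\libvlc.dll"},
    {"EventType": "MutexCreate", "Image": "C:\\Windows\\Tasks\\vlc.exe",
     "Name": "\\Sessions\\1\\BaseNamedObjects\\ghjghkj"},
    {"EventType": "DnsQuery", "Image": "C:\\Windows\\Tasks\\vlc.exe", "QueryName": "roseserve.org"},
    {"EventType": "ProcessCreate", "Image": "C:\\Program Files\\VideoLAN\\VLC\\vlc.exe",
     "OriginalFileName": "vlc.exe", "CommandLine": "\"C:\\Program Files\\VideoLAN\\VLC\\vlc.exe\""},
    {"EventType": "ImageLoad", "Image": "C:\\Program Files\\VideoLAN\\VLC\\vlc.exe",
     "ImageLoaded": "C:\\Program Files\\VideoLAN\\VLC\\libvlc.dll"},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

The hash, domain and mutex checks only catch this exact campaign; the behavioural checks (OriginalFileName mismatch, task actions under C:\Windows\Tasks, vlc.exe and libvlc.dll outside the VLC install tree) are the ones that survive the next rebuild of the tooling, and they are the ones worth turning into EDR or SIEM rules.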
Technical Evolution
Compared with prior iterations, this variant shows tighter operational security: the shift to an x86 PE architecture, hand-written C2 response parsing that tokenizes on '$' delimiters with strtok(), and a compact command set that includes "3SC3" (capture a screenshot), "3gjdfghj6" (execute via cmd.exe), and "3APC3" (inject shellcode using QueueUserAPC).
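An analyst writing a decoder or C2 emulator for this command set has to reproduce strtok() semantics, not Python's str.split(): strtok stops at the first NUL, collapses runs of delimiters and never yields an empty token, so a naive split produces different token positions. The following added example (not the implant's code) does that and maps tokens onto the three command identifiers from the report. Only the '$' delimiter and the command strings come from the report; the message layout (a command token followed by its arguments) and the sample response are assumptions made here.

```python
"""Tokenise a '$'-delimited C2 response the way the implant's strtok() loop
would, then map tokens onto the command identifiers named in the report.

Added example for analysts writing a decoder or C2 emulator; it is not the
implant's code. Only the delimiter and the three command strings come from the
report; the message layout (command token followed by its arguments) and the
sample response are assumptions made here.
"""
from typing import List, Tuple

# Command identifiers from the report, mapped to the behaviour attributed to them.
COMMANDS = {
    "3SC3": "screenshot",
    "3gjdfghj6": "execute via cmd.exe",
    "3APC3": "inject shellcode via QueueUserAPC",
}


def strtok_split(buf: str, delims: str = "$") -> List[str]:
    """Reproduce C strtok() semantics rather than str.split():
    the buffer ends at the first NUL (it is a C string), runs of delimiters
    collapse, leading/trailing delimiters vanish, and no empty token is ever
    produced."""
    buf = buf.split("\0", 1)[0]
    tokens: List[str] = []
    cur: List[str] = []
    for ch in buf:
        if ch in delims:
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        tokens.append("".join(cur))
    return tokens


def parse_c2_response(buf: str) -> List[Tuple[str, List[str]]]:
    """Group the token stream into (action, args) pairs.
    Assumed layout: each recognised command token opens a new group and every
    following non-command token is one of its arguments; tokens that appear
    before any command have nothing to dispatch to and are dropped."""
    parsed: List[Tuple[str, List[str]]] = []
    for tok in strtok_split(buf):
        if tok in COMMANDS:
            parsed.append((COMMANDS[tok], []))
        elif parsed:
            parsed[-1][1].append(tok)
    return parsed


# Constructed response: stray delimiters, a NUL-terminated tail, and all three commands.
# The argument values are illustrative only.
SAMPLE_RESPONSE = "$$3SC3$$3gjdfghj6$whoami$$/all$3APC3$1234$\0trailing-bytes-strtok-never-sees"

if __name__ == "__main__":
    print("strtok view :", strtok_split(SAMPLE_RESPONSE))
    print("split view  :", SAMPLE_RESPONSE.split("$"))
    for action, args in parse_c2_response(SAMPLE_RESPONSE):
        print(f"{action}: {args}")
```

Running it side by side with SAMPLE_RESPONSE.split("$") shows the difference that matters for signatures and emulators: the naive split returns empty strings for the doubled delimiters and keeps the bytes after the NUL, so argument indices shift and a replay against a test C2 would dispatch the wrong thing.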
Infrastructure analysis reveals roughly two months of preparation: roseserve[.]org briefly mimicked a Turkish news agency before adopting the Pardus facade, underscoring the group's cultural awareness, and the chain leans on living-off-the-land binaries and scripts (LOLBAS) such as Pester.bat for evasion.
According to the report, Arctic Wolf has integrated new detections into its Aurora Platform to counter these tactics. It emphasizes proactive measures such as user education on spear-phishing, network segmentation that follows least-privilege principles, regular patching, endpoint detection and response (EDR), and contextual cyber threat intelligence (CTI) to anticipate geopolitically driven attacks.
To mitigate risk, organizations in the defense sector should prioritize secure email gateways, Windows Defender Application Control (WDAC) policies that block LOLBAS abuse, and managed detection and response (MDR) services for 24/7 monitoring.
This campaign highlights Dropping Elephant’s shift toward optimized, espionage-focused tooling, targeting global entities in defense, energy, and government with social engineering precision.
Indicators of Compromise (IOCs)
| Type | Indicator | Description |
|---|---|---|
| File | 341f27419becc456b52d6fbe2d223e8598065ac596fa8dec23cc722726a28f62 | Unmanned_Vehicle_Systems_Conference_2025_In_Istanbul.lnk (malicious LNK) |
| File | 588021b5553838fae5498de40172d045b5168c8e608b8929a7309fd08abfaa93 | Unmanned_Vehicle_Systems_Conference_2025_In_Istanbul.pdf (decoy PDF) |
| File | 2cd2a4f1fc7e4b621b29d41e42789c1365e5689b4e3e8686b80f80268e2c0d8d | lake (libvlc.dll, malicious DLL) |
| File | 89ec9f19958a442e9e3dd5c96562c61229132f3acb539a6b919c15830f403553 | vlc.log (encrypted shellcode) |
| File | 8b6acc087e403b913254dd7d99f09136dc54fa45cf3029a8566151120d34d1c2 | Decrypted shellcode (x86 PE payload) |
| Scheduled Task | `saps "C:\Windows\Tasks\Winver" -a "/Create", '/sc', 'minute', '/tn', 'NewErrorReport', '/tr', "C:\Windows\Tasks\vlc", '/f';` | Persistence mechanism (PowerShell; `saps` is the Start-Process alias) |
| Network | expouav[.]org | Download domain |
| Network | roseserve[.]org | C2 server |
| Mutant Object | `\Sessions\1\BaseNamedObjects\ghjghkj` | Mutex for instance control |