A well-known threat actor called Dropping Elephant has returned with a refined and more dangerous campaign, using a China-themed lure document to drop a reworked remote access trojan (RAT) onto victim machines.
The attack is designed to stay hidden, avoid detection tools, and give the attacker full control over compromised systems. What makes this campaign stand out is how deeply the attackers updated their methods while keeping their recognizable core tradecraft intact.
The campaign starts with a malicious Windows shortcut file named GRES3001.lnk, disguised as a PDF related to an industrial energy contract.
When a victim opens the file, it quietly launches a PowerShell script that downloads additional malware from a staging server at chinagreenenergy[.]org. A decoy document about a GRES-3 seawater pump contract is shown to the victim while the attack continues in the background.
Researchers from Rapid7 identified this campaign during a proactive threat hunt and published a report shared with Cyber Security News (CSN).
Their analysis confirmed this activity as a direct evolution of Dropping Elephant’s tradecraft, noting overlaps in delivery patterns, screenshot logic, beaconing behavior, and command-handler structure.
The researchers were also able to download all attack artifacts since the staging server was still active at the time of analysis.
The downloaded files include a legitimate Microsoft binary called Fondue.exe, which is used to side-load a malicious loader disguised as APPWIZ.cpl.
That loader decrypts an encrypted file called editor.dat and passes the result to a Donut shellcode loader, which maps the final RAT directly into memory without writing it to disk. Loading the payload entirely in memory allows the attackers to sidestep most traditional file-based detection methods.
Once active, the RAT fingerprints the victim machine and connects to a command-and-control server at gcl-power[.]org over encrypted HTTPS traffic on port 443.
It checks in every 10 seconds and is capable of running commands, listing files, capturing screenshots, uploading files, and downloading additional tools. This level of access gives the operator full visibility and control over the infected host.
Hackers Use GoogleErrorReport Scheduled Task for Persistence
After staging all necessary files in the C:\Users\Public folder, the PowerShell script creates a scheduled task named GoogleErrorReport.
This task is configured to run Fondue.exe every single minute, ensuring the malware restarts automatically and stays active even if interrupted.
The name GoogleErrorReport is deliberately chosen to blend in with normal system activity and avoid raising suspicion.
The script then deletes the original shortcut file, removing the most visible trace of the initial infection.
From that point, the scheduled task becomes the sole persistence mechanism, repeatedly triggering the DLL side-loading chain that loads the RAT into memory.
Rapid7 noted that defenders should watch for a scheduled task by this exact name running binaries from C:\Users\Public, as it is one of the clearest detection opportunities in this campaign.
Advanced Evasion and Anti-Analysis Capabilities
The final RAT is designed to frustrate security researchers and bypass detection tools.
It uses control-flow flattening to scramble code structure, checks for processes tied to debuggers and sandboxes, resolves its API functions at runtime, and patches Windows security features including AMSI, WLDP, and ETW before executing its payload.
These layers of evasion make both static and dynamic analysis significantly harder. Before connecting to its C2 server, the RAT quietly pings google.com, yahoo.com, and cloudflare.com to confirm internet access.
It checks the host’s public IP through api.ipify.org and uses ip2c.org to identify the victim’s country. All communication is encrypted with the Salsa20 cipher and wrapped in Base64 encoding, making intercepted traffic very difficult to analyze.
Rapid7 recommends defenders avoid relying solely on IOCs, since hashes, filenames, and infrastructure are likely to shift across campaigns.
Instead, teams should focus on behavioral signals such as shortcut files spawning PowerShell, files staged in C:\Users\Public, and any scheduled task named GoogleErrorReport running binaries outside a legitimate Windows directory.
Endpoint tools should also be reviewed for their ability to detect memory-resident payloads and in-process tampering with controls like AMSI and ETW.
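As an added example (not Rapid7's or the article's code), the behavioral signals above turned into a small triage routine run over constructed Sysmon-style process-creation and task-creation events; the event field names, the trusted-directory list and the parent-process heuristic (explorer.exe or the conhost.exe hop from the shortcut) are assumptions.

```python
"""Behavioral triage of constructed Sysmon/Security-log style events for the
Dropping Elephant patterns described above. Added example; not Rapid7's code."""

TASK_NAME = "GoogleErrorReport"                     # persistence task name reported by Rapid7
STAGING_DIR = r"C:\Users\Public"                    # staging folder used by the campaign
TRUSTED_DIRS = (r"C:\Windows", r"C:\Program Files", r"C:\Program Files (x86)")
# Parents that indicate a user-opened shortcut or the conhost hop used by the LNK (assumption)
LNK_PARENTS = ("explorer.exe", "conhost.exe")


def _under(path, base):
    """True if path is inside base directory (case-insensitive, like NTFS)."""
    return path.lower().startswith(base.lower().rstrip("\\") + "\\")


def triage(events):
    """Return (rule, detail) tuples for events matching the campaign's behavioral signals.
    Event dicts are a simplified stand-in for Sysmon EID 1 / Security EID 4698 fields."""
    findings = []
    for ev in events:
        if ev["event"] == "process_create":
            image = ev["image"]
            parent = ev.get("parent_image", "").lower().rsplit("\\", 1)[-1]
            if image.lower().endswith("\\powershell.exe") and parent in LNK_PARENTS:
                findings.append(("PowerShell spawned from shortcut-style parent", ev["command_line"]))
            if _under(image, STAGING_DIR):
                findings.append(("binary executed from C:\\Users\\Public", image))
        elif ev["event"] == "task_create":
            if ev["task_name"] == TASK_NAME:
                findings.append(("known persistence task name", ev["task_name"]))
            if not any(_under(ev["action"], d) for d in TRUSTED_DIRS):
                findings.append(("scheduled task runs binary outside trusted dirs", ev["action"]))
    return findings


# Constructed sample events modelled on the chain described in the article.
SAMPLE_EVENTS = [
    {"event": "process_create", "parent_image": r"C:\Windows\System32\conhost.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe <constructed downloader placeholder>"},
    {"event": "process_create", "parent_image": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Users\Public\Fondue.exe", "command_line": "Fondue.exe"},
    {"event": "task_create", "task_name": TASK_NAME, "action": r"C:\Users\Public\Fondue.exe"},
    {"event": "process_create", "parent_image": r"C:\Windows\explorer.exe",          # benign
     "image": r"C:\Windows\System32\notepad.exe", "command_line": "notepad.exe"},
    {"event": "task_create", "task_name": "ConstructedBenignTask",                  # benign
     "action": r"C:\Windows\System32\wsqmcons.exe"},
]

if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_EVENTS):
        print(f"[ALERT] {rule}: {detail}")
```

The single-minute repetition of the task is a further signal worth adding once the trigger interval is available in your task-creation telemetry.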
Indicators of Compromise (IoCs):
| Type | Indicator | Description |
|---|---|---|
| SHA-256 | a8ecbd9c049044ca4990a0e5960d19ce782a3b42d7763e9693d7c91ead24a0b7 | GRES3001.lnk — Initial-access shortcut; launches conhost.exe and PowerShell downloader |
| SHA-256 | 56d656d684077e7b3231393f5464447cdc8eea81b6415c5f010bc52f0c8cb317 | GRES3001.pdf — Decoy lure document |
| SHA-256 | b58351ead08db413ca499cfeb1b1091ed8bfd68f4089605e452fa01ed46f42b1 | Fondue.exe — Legitimate Microsoft side-loading host |
| SHA-256 | 914da75a4ad6d70db856a2bc318d8828f28894622f017ee78d470b4794faafa6 | APPWIZ.cpl — Malicious side-loaded loader; exports RunFODW |
| SHA-256 | 718812adb0d669eea9606432202371e358c7de6cdeafeddad222c36ae0d3f263 | msvcp140.dll — Bundled VC++ runtime; verify against known-good |
| SHA-256 | 09d1e604e8cdd06176fcc3d3698861be20638a4391f9f2d9e23f868c1576ca94 | vcruntime140.dll — Bundled VC++ runtime; verify against known-good |
| SHA-256 | a5e448af73b0ff6b6fcfe6ef7808120e1fd7e5c4c9b4edd68e1c980e5ea3406b | editor.dat — Base64-wrapped AES-256-CBC encrypted payload file |
| SHA-256 | ecab0e747bff16a1163bbd9bb494e68dd4d7ca655ac7279bd4dd73221f7df57c | editor.decrypted.bin — AES-decrypted Donut loader blob |
| SHA-256 | 7099c33933716c00c1f4bdb0281c230b981c76b23d7d1c83abc6f58968267d54 | editor.extracted.exe — Final RAT, carved from memory |
| Domain | chinagreenenergy[.]org | Staging and delivery server |
| Domain | gcl-power[.]org | Operational C2 server over HTTPS/443 |
| Domain | api.ipify.org | Public-IP lookup used during host fingerprinting |
| Domain | ip2c.org | Geolocation lookup used during host fingerprinting |
| URL | hxxps://chinagreenenergy[.]org/doc/35566/SXxls | Decoy PDF download URL |
| URL | hxxps://chinagreenenergy[.]org/doc/list/load-list/dfe87bbc-53e0-489f-a9e6-ab8f4be47cb9 | Fondue.exe download URL |
| URL | hxxps://chinagreenenergy[.]org/doc/list/load-list/8daaa3e4-c85e-40c1-a2a2-94679e94c417 | APPWIZ.cpl download URL |
| URL | hxxps://chinagreenenergy[.]org/doc/list/load-list/ecdc6b92-62b5-4acd-99f2-af09902938e1 | msvcp140.dll download URL |
| URL | hxxps://chinagreenenergy[.]org/doc/list/load-list/e7477b17-45f0-420b-b2b1-811d4c1556ea | vcruntime140.dll download URL |
| URL | hxxps://chinagreenenergy[.]org/doc/list/load-list/000bd4a8-814d-414c-8be8-f0c77a9c7e1e | editor.dat download URL |
| URI Path | /prjozifvkpkfhkr/ | C2 registration and check-in path |
| URI Path | /prjozifvkpkfhkr/gedhagammgjvvva/ | C2 command polling endpoint |
| URI Path | /prjozifvkpkfhkr/spxbjdhxtapivrk/ | Screenshot exfiltration endpoint |
| File Name | GRES3001.lnk | Malicious shortcut disguised as PDF |
| File Name | Fondue.exe | Legitimate binary abused for DLL side-loading |
| File Name | APPWIZ.cpl | Malicious loader dropped in C:\Users\Public |
| File Name | editor.dat | Encrypted payload stored in C:\Windows\Tasks |
| File Name | GoogleErrorReport | Scheduled task name used for persistence |
| Mutex | kshdkfhskdfjkhsdkfhsjkdfhkj | Mutex created by RAT to prevent reinfection |
| C2 Token | RRn926EmIRfm9IlJyP1yVO2 | 23-character token used in C2 traffic to gcl-power[.]org |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.