A new wave of cyber espionage has emerged from the Asia-Pacific region, as Kaspersky Lab’s Global Research and Analysis Team (GReAT) confirmed that the Mysterious Elephant advanced persistent threat (APT) group is actively targeting government and foreign policy agencies.
First discovered in 2023, the group is known for its adaptable tactics and constant evolution, particularly in campaigns that exploit messaging platforms such as WhatsApp to steal documents, images, and archives.
Sophisticated Tools and Techniques
The latest campaign, active since early 2025, reveals a significant overhaul in the group’s operational methods. Mysterious Elephant now relies on a blend of custom-developed malware and modified open-source utilities, including BabShell and MemLoader.

These enhancements enable stealthier infiltration and data theft from highly secured systems.
The group typically initiates attacks through spear-phishing emails crafted to impersonate official government correspondence.
Many of these lures are linked to diplomatic themes, such as Pakistan’s bid for a non-permanent seat on the UN Security Council, and contain weaponized attachments exploiting vulnerabilities like CVE-2017-11882, a flaw in Microsoft Office’s Equation Editor.
Once the victim system is compromised, BabShell establishes a reverse shell connection, gathering machine identifiers such as usernames, MAC addresses, and computer details.
It then maintains control through persistent command-and-control (C2) communication, allowing attackers to execute commands and deploy additional payloads concurrently. The results of these activities are stored temporarily before being relayed back to the remote C2 infrastructure.
The MemLoader module, including its latest variants HidenDesk and Edge, represents another component of Mysterious Elephant’s advanced toolkit. These loaders perform reflective PE loading, executing payloads directly in memory to avoid leaving traces on disk.
HidenDesk uses a custom RC4-like decryption key to unpack embedded RAT components such as Remcos. Edge, meanwhile, integrates a modified VRat backdoor and employs sandbox-evasion techniques, including network port tests and fake desktop generation.
Targeted Exfiltration via WhatsApp
In 2025, researchers observed highly specific data exfiltration modules designed to intercept WhatsApp communications and extract transferred files. Tools like Uplo Exfiltrator, Stom Exfiltrator, and ChromeStealer were crafted for recursive file searches and credential theft.

ChromeStealer, for instance, collects browser cookies, tokens, and chat data from Chrome directories before encoding and transmitting them through obfuscated C2 channels.
Analysis indicates that Mysterious Elephant’s operations are concentrated in Pakistan, Bangladesh, and Sri Lanka, with smaller clusters identified across South Asia.
By combining phishing, memory-resident loaders, and communication hijacking, this APT group remains one of the most sophisticated espionage threats to regional government networks, capable of exfiltrating confidential information undetected for months.
Indicators of compromise
File hash sums
Malicious documents
c12ea05baf94ef6f0ea73470d70db3b2 M6XA.rar
8650fff81d597e1a3406baf3bb87297f 2025-013-PAK-MoD-Invitation_the_UN_Peacekeeping.rar
MemLoader HidenDesk
658eed7fcb6794634bbdd7f272fcf9c6 STI.dll
4c32e12e73be9979ede3f8fce4f41a3a STI.dll
MemLoader Edge
3caaf05b2e173663f359f27802f10139 Edge.exe, debugger.exe, runtime.exe
bc0fc851268afdf0f63c97473825ff75
BabShell
85c7f209a8fa47285f08b09b3868c2a1
f947ff7fb94fa35a532f8a7d99181cf1
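The hash list above, together with the earlier note that the lures arrive as attachments abusing CVE-2017-11882 (Equation Editor), is enough to build a first-pass triage sweep. The script below is an added example written for this page; it is not code from Kaspersky, from the report, or from any vendor tool. It parses the indicator list exactly as published (a family heading followed by "md5 [filename, ...]" lines), hashes every file under a directory, and flags files whose MD5 matches a published indicator. As a second check it looks for an embedded Microsoft Equation 3.0 object; the ProgID "Equation.3" and the CLSID 0002CE02-0000-0000-C000-000000000046 are not taken from the report but are the editor's own, well-known identifiers for that component. The sample files in demo_scan() are constructed for the self-test only, and the empty-file MD5 used there is a test-only indicator, not a real sample.

```python
import hashlib
import os
import re
import tempfile

# Hash list copied from the report above, in the layout it was published in:
# a family heading line, then lines of "<md5> [filename, filename ...]".
REPORT_IOC_TEXT = """\
Malicious documents
c12ea05baf94ef6f0ea73470d70db3b2 M6XA.rar
8650fff81d597e1a3406baf3bb87297f 2025-013-PAK-MoD-Invitation_the_UN_Peacekeeping.rar
MemLoader HidenDesk
658eed7fcb6794634bbdd7f272fcf9c6 STI.dll
4c32e12e73be9979ede3f8fce4f41a3a STI.dll
MemLoader Edge
3caaf05b2e173663f359f27802f10139 Edge.exe, debugger.exe, runtime.exe
bc0fc851268afdf0f63c97473825ff75
BabShell
85c7f209a8fa47285f08b09b3868c2a1
f947ff7fb94fa35a532f8a7d99181cf1
"""

HASH_LINE = re.compile(r"^([0-9a-fA-F]{32})(?:\s+(.*))?$")

# Markers of an embedded Microsoft Equation 3.0 object, the component abused by
# CVE-2017-11882 (editor-supplied identifiers, not from the report): the OLE ProgID,
# the CLSID as text, and the same CLSID as 16 little-endian bytes in binary OLE data.
EQUATION_TEXT_MARKERS = [b"Equation.3", b"0002CE02-0000-0000-C000-000000000046"]
EQUATION_CLSID_LE = bytes.fromhex("02CE0200" "0000" "0000" "C000000000000046")

EMPTY_FILE_MD5 = "d41d8cd98f00b204e9800998ecf8427e"  # MD5 of zero bytes; test-only indicator


def parse_ioc_list(text):
    """Turn the published list into {md5: {"family": ..., "names": [...]}}."""
    iocs, family = {}, "unknown"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_LINE.match(line)
        if m is None:
            family = line  # heading line: names the family for the hashes that follow
            continue
        names = [n.strip() for n in (m.group(2) or "").split(",") if n.strip()]
        iocs[m.group(1).lower()] = {"family": family, "names": names}
    return iocs


def md5_file(path, chunk=1 << 20):
    """Stream a file through MD5 so large archives do not need to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def has_equation_object(data):
    """True if the bytes carry an Equation Editor marker (text forms matched case-insensitively)."""
    lowered = data.lower()
    if any(m.lower() in lowered for m in EQUATION_TEXT_MARKERS):
        return True
    return EQUATION_CLSID_LE in data


def scan_tree(root, iocs, max_content_scan=50 << 20):
    """Walk root; report files whose MD5 is a known IoC and files embedding an Equation object."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                digest = md5_file(path)
                with open(path, "rb") as f:
                    data = f.read(max_content_scan)
            except OSError:
                continue  # unreadable file: skip it rather than abort the sweep
            if digest in iocs:
                hits.append({"path": path, "reason": "hash", "md5": digest,
                             "family": iocs[digest]["family"], "names": iocs[digest]["names"]})
            if has_equation_object(data):
                hits.append({"path": path, "reason": "equation-object", "md5": digest,
                             "family": "possible CVE-2017-11882 lure", "names": [name]})
    return hits


def demo_scan():
    """Self-test on constructed files: an empty file matched via a test-only hash indicator,
    a constructed RTF fragment declaring an Equation.3 object, and a benign text file."""
    iocs = parse_ioc_list(REPORT_IOC_TEXT)
    iocs[EMPTY_FILE_MD5] = {"family": "TEST-ONLY constructed indicator", "names": ["empty.bin"]}
    with tempfile.TemporaryDirectory() as root:
        open(os.path.join(root, "empty.bin"), "wb").close()
        with open(os.path.join(root, "invite.rtf"), "wb") as f:
            f.write(b"{\\rtf1{\\object\\objemb{\\*\\objclass Equation.3}}}")
        with open(os.path.join(root, "notes.txt"), "wb") as f:
            f.write(b"benign meeting notes")
        hits = scan_tree(root, iocs)
    return sorted((os.path.basename(h["path"]), h["reason"]) for h in hits)


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for hit in scan_tree(root, parse_ioc_list(REPORT_IOC_TEXT)):
        print(f"{hit['reason']:16} {hit['md5']}  {hit['family']}  {hit['path']}")
```

Run it as `python scan.py <directory>` over a mail-attachment quarantine or a user's download folder. The hash check is exact and only catches the specific samples listed; the Equation Editor check is a broad content heuristic that also fires on legitimate documents with embedded equations, so treat those hits as candidates for sandbox detonation rather than as confirmed infections.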