A highly active and sophisticated threat actor known as Mysterious Elephant is escalating its operations, primarily targeting government and foreign affairs entities in the Asia-Pacific region. First identified in 2023, this Advanced Persistent Threat (APT) group has demonstrated continuous evolution, recently shifting its focus to exfiltrating sensitive data, including documents and archives, directly through WhatsApp communications.
The group’s lineage shows a complex history of borrowing and enhancing abandoned code from other APTs like Confucius and Origami Elephant. This resourcefulness allows them to operate with a unique and constantly updated malware arsenal.
Tactics and Custom Malware
In its latest campaigns, Mysterious Elephant has pivoted to highly targeted spear-phishing emails containing malicious documents to gain initial access. For instance, one decoy document mimicked an official invitation concerning Pakistan’s application for a UN Security Council seat. Once inside a network, the group deploys a custom toolkit instead of relying on known malware. Key components include PowerShell scripts for persistence, a C++ reverse shell named BabShell for remote control, and advanced in-memory loaders like MemLoader HidenDesk and MemLoader Edge to execute payloads while evading detection.
Focus on Data Exfiltration
The primary objective of Mysterious Elephant is data theft. The group utilizes a suite of specialized exfiltration tools to achieve this. The Stom Exfiltrator is specifically designed to locate and steal files from WhatsApp desktop application folders. Another tool, the ChromeStealer Exfiltrator, targets Google Chrome browser data like cookies and tokens, with evidence suggesting it also hunts for WhatsApp-related chat logs and authentication data. Their operations show a clear focus on nations like Pakistan, Bangladesh, and Sri Lanka, highlighting the significant and targeted threat they pose to regional stability and national security.
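As an added illustration of how a defender might hunt for the harvesting behaviour described above (this is not code from the article or from any tooling it names), the following Python flags file-access events in which a process other than the owning application reads WhatsApp desktop data or Chrome cookie and credential stores; the store paths, process names and sample events are assumptions constructed for the example, not indicators from the report.

```python
# Added example, not from the original article: flag file-access events where a
# process other than the expected owner touches WhatsApp desktop data or Chrome
# cookie/credential stores, the artefacts the article says the exfiltrators target.
# Path fragments and process names below are assumptions, not report indicators.
from dataclasses import dataclass

# Assumed store locations (matched after lowercasing and normalising slashes),
# each paired with the process expected to read it.
WATCHED_STORES = {
    "whatsapp-desktop-data": ("/appdata/local/packages/5319275a.whatsappdesktop_", {"whatsapp.exe"}),
    "chrome-cookies": ("/google/chrome/user data/default/network/cookies", {"chrome.exe"}),
    "chrome-login-data": ("/google/chrome/user data/default/login data", {"chrome.exe"}),
}
BENIGN_ACCESSORS = {"explorer.exe", "msmpeng.exe"}            # assumed allow-list
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe"}   # parents worth noting

@dataclass
class FileEvent:
    process: str   # image name of the process performing the access
    path: str      # absolute path of the file being opened
    parent: str    # image name of the parent process

def normalise(path: str) -> str:
    return path.replace("\\", "/").lower()

def classify(event: FileEvent):
    """Return (store, reason) if the event looks like sensitive-store harvesting, else None."""
    path, proc = normalise(event.path), event.process.lower()
    for store, (fragment, owners) in WATCHED_STORES.items():
        if fragment not in path:
            continue
        if proc in owners or proc in BENIGN_ACCESSORS:
            return None          # owning application or allow-listed reader
        reason = "non-owner process read sensitive store"
        if event.parent.lower() in SCRIPT_HOSTS:
            reason += "; spawned by a script host"
        return store, reason
    return None

def detect(events):
    """Return (process, store, reason) for every suspicious event."""
    return [(e.process, *hit) for e in events if (hit := classify(e))]

# Constructed sample events for the demonstration, not data from the report.
SAMPLE = [
    FileEvent("chrome.exe", r"C:\Users\u\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies", "explorer.exe"),
    FileEvent("WhatsApp.exe", r"C:\Users\u\AppData\Local\Packages\5319275A.WhatsAppDesktop_x\LocalState\db", "explorer.exe"),
    FileEvent("svchost32.exe", r"C:\Users\u\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies", "powershell.exe"),
    FileEvent("update.exe", r"C:\Users\u\AppData\Local\Packages\5319275A.WhatsAppDesktop_x\LocalState\db", "explorer.exe"),
]

if __name__ == "__main__":
    for hit in detect(SAMPLE):
        print(hit)
```

Feeding real Sysmon or EDR file-access telemetry into `FileEvent` lets the same logic run over production data; tune the allow-list to the environment before alerting.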