Mallory
🇵🇰 PK · 6 malware families · Exploits CVEs in the wild

Mysterious Elephant

Also known as: apt_k_47, mysterious_elephant

Mysterious Elephant, also known as APT-K-47, is a highly active APT group tracked since 2023. The underlying reporting consistently describes it as targeting government, foreign affairs, diplomatic, military, and defense entities in the Asia-Pacific region, with a strong focus on South Asia. The most frequently cited target countries are Pakistan and Bangladesh, with additional targeting reported against Afghanistan, Nepal, Sri Lanka, and, in one report, Turkey. Multiple sources describe the actor as India-linked or as overlapping with suspected Indian threat actors; one separate report says Knownsec suspected links to Chinese nation-state actors. Because attribution is inconsistent across the available material, no single nation-state attribution can be stated with high confidence.

The group has used spear-phishing, phishing emails, exploit kits, and malicious documents for initial access. Earlier activity resembled Confucius tradecraft and included remote template injection and exploitation of CVE-2017-11882. A later campaign observed in early 2025 used diplomatic-themed lures, PowerShell-based staging and persistence, and legitimate utilities such as curl and certutil. One described persistence mechanism created a scheduled task triggered by Microsoft-Windows-NetworkProfile/Operational events.

Tooling and malware directly associated with Mysterious Elephant include BabShell, MemLoader HidenDesk, MemLoader Edge, VRat, Asyncshell, ORPCBackdoor, walkershell, MSMQSPY, LastopenSpy, Vtyrei, Uplo Exfiltrator, Stom Exfiltrator, and ChromeStealer Exfiltrator. BabShell is described as a C++ reverse shell used for command execution and host profiling. MemLoader HidenDesk is a reflective PE loader that performs in-memory execution, anti-sandbox checks, hidden-desktop execution, and persistence, and was reported loading Remcos RAT. MemLoader Edge is another loader that decrypts and reflectively loads a vxRat-derived backdoor referred to as VRat and includes sandbox-evasion behavior. Asyncshell was reported in Hajj-themed phishing campaigns delivered via ZIP archives containing CHM files and hidden executables; some infection chains reportedly exploited CVE-2023-38831. ORPCBackdoor has been attributed to Mysterious Elephant by Knownsec, and reporting notes overlap or tool-sharing involving Confucius, SideWinder, Patchwork, and Bitter.

A notable operational objective is theft of WhatsApp-related data. Mysterious Elephant was reported to use exfiltration modules with WhatsApp-specific functionality to steal documents, pictures, and archive files shared via WhatsApp Desktop, and ChromeStealer Exfiltrator to harvest Chrome data that could expose WhatsApp-related artifacts. The actor uses both custom and customized open-source malware and has incorporated code or tooling overlaps with Origami Elephant, Confucius, and SideWinder.
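A defender-side triage check for the persistence mechanism described above, added here as an example; it is not code from this page or from any vendor report on the actor. It parses Scheduled Task definitions in the standard Task Scheduler XML shape, flags EventTrigger subscriptions that reference the Microsoft-Windows-NetworkProfile/Operational log (which records network connect and disconnect events), and pairs that with Exec actions that launch PowerShell, curl, certutil or cmd with stager-style arguments. The two task samples, their names, the stager path and the argument strings are constructed for the example; the watched log channel and utilities come from the page.

```python
"""Flag Scheduled Tasks that fire on NetworkProfile/Operational events and
launch a PowerShell/LOLBin stager (defender-side triage over constructed samples)."""
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Event log channel named on the page as the task trigger source (compared lower-case).
WATCHED_LOGS = ("microsoft-windows-networkprofile/operational",)

# Binaries the page lists in this actor's staging chain, plus cmd.exe.
WATCHED_BINARIES = {"powershell.exe", "pwsh.exe", "certutil.exe", "curl.exe", "cmd.exe"}

# Argument fragments typical of hidden, policy-bypassing or download/decode stagers.
WATCHED_ARGS = ("-ep bypass", "-executionpolicy bypass", "-w hidden",
                "-windowstyle hidden", "-urlcache", "-decode", "-encodedcommand")


def assess_task(task_xml: str) -> Dict[str, object]:
    """Return trigger logs, Exec actions, reasons and a verdict for one task definition."""
    root = ET.fromstring(task_xml)

    # <Subscription> holds an XML-escaped event query; ElementTree unescapes it,
    # so the Path="..." attributes of the query are searchable as plain text here.
    event_logs: List[str] = []
    for sub in root.findall("./t:Triggers/t:EventTrigger/t:Subscription", TASK_NS):
        text = (sub.text or "").lower()
        event_logs.extend(log for log in WATCHED_LOGS if log in text)

    actions: List[Tuple[str, str]] = []
    for ex in root.findall("./t:Actions/t:Exec", TASK_NS):
        cmd = ex.findtext("t:Command", default="", namespaces=TASK_NS).strip()
        args = ex.findtext("t:Arguments", default="", namespaces=TASK_NS).strip()
        actions.append((cmd, args))

    reasons: List[str] = []
    if event_logs:
        reasons.append("event trigger on " + ", ".join(sorted(set(event_logs))))
    for cmd, args in actions:
        base = cmd.replace("/", "\\").rsplit("\\", 1)[-1].strip('"').lower()
        if base in WATCHED_BINARIES:
            reasons.append(f"action runs {base}")
        hits = [a for a in WATCHED_ARGS if a in args.lower()]
        if hits:
            reasons.append("arguments contain " + ", ".join(hits))

    # A network-profile trigger alone is legitimate for some software; pairing it
    # with a LOLBin or stager-style arguments is what makes the task worth a look.
    suspicious = bool(event_logs) and len(reasons) > 1
    return {"event_logs": sorted(set(event_logs)), "actions": actions,
            "reasons": reasons, "suspicious": suspicious}


def scan_tasks(tasks: Dict[str, str]) -> List[str]:
    """Return the names of tasks judged suspicious, in input order."""
    return [name for name, xml in tasks.items() if assess_task(xml)["suspicious"]]


# Constructed sample mirroring the persistence described on the page (task name,
# stager path and arguments are invented; EventID 10000 is NetworkProfile "connected").
SUSPICIOUS_TASK = r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <EventTrigger>
      <Enabled>true</Enabled>
      <Subscription>&lt;QueryList&gt;&lt;Query Id="0" Path="Microsoft-Windows-NetworkProfile/Operational"&gt;&lt;Select Path="Microsoft-Windows-NetworkProfile/Operational"&gt;*[System[(EventID=10000)]]&lt;/Select&gt;&lt;/Query&gt;&lt;/QueryList&gt;</Subscription>
    </EventTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>powershell.exe</Command>
      <Arguments>-w hidden -ep bypass -f C:\Users\Public\stage.ps1</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed benign control: a daily calendar trigger running an ordinary program.
BENIGN_TASK = r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2025-01-01T09:00:00</StartBoundary>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Program Files\Backup\backup.exe</Command>
      <Arguments>--daily</Arguments>
    </Exec>
  </Actions>
</Task>"""

SAMPLE_TASKS = {"constructed-networkprofile-task": SUSPICIOUS_TASK,
                "constructed-daily-backup": BENIGN_TASK}

if __name__ == "__main__":
    for name, xml in SAMPLE_TASKS.items():
        verdict = assess_task(xml)
        print(name, "SUSPICIOUS" if verdict["suspicious"] else "ok", verdict["reasons"])
```

On a live host the same function can be fed the XML files under the Tasks directory or the output of `schtasks /query /tn <name> /xml`; the verdict deliberately requires both the NetworkProfile trigger and a stager-style action, since some legitimate software also registers tasks on network-change events.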

Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Who they target

Sectors the actor has been observed targeting.

  • Government & Administration

Where they're from

Attributed origin per open-source reporting.

  • PK
IOCS

Observables

4 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.

IOC values are gated. View more in Mallory for domains, IPs, hashes, and other artifacts, or pipe them straight into your SIEM.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.
Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal (6)

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs (1)

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables (4)

Domains, IPs, and hashes tied to this actor, refreshed continuously.