VajraEleph (金刚象组织), a group from South Asia: disclosure of cyber-espionage activity targeting Pakistani military personnel

VajraEleph is described as a South Asia-based threat actor linked to state-backed activity, carrying out a nine-month campaign targeting Pakistani military personnel and other regional interests. The article outlines the group's organization, tactics, and multi-stage operations, including social engineering, phishing-style delivery via short links, and data exfiltration across infrastructure spread over multiple servers and platforms. #VajraEleph #SouthAsia #Pakistan #APT

Keypoints

  • Identifies VajraEleph as a South Asia-origin threat actor described as operating with state-backed support and targeting Pakistan and nearby regions.
  • Notes a multi-phase campaign spanning months, with emphasis on sustained activity rather than a single incident.
  • Describes attack vectors including social engineering and the use of short URLs to deliver malicious content.
  • Outlines a broader command-and-control and data-exfiltration approach, with discussions of infrastructure and operational scale (multiple servers/platforms).
  • Highlights the involvement of various regional actors and geopolitical context shaping targets and timing.
  • Uses diagrams (hosted on the publisher's image CDN) to illustrate the group's structure and attack flow.
  • Is published on WeChat (mp.weixin.qq.com); the domains and URLs extracted from the page are therefore mostly publishing infrastructure rather than attacker infrastructure, and should be read as citations, not as indicators.

MITRE Techniques

  • [T1566.002] Spearphishing Link – Observed: the group delivered malicious content to targets via short links. Quoted fragment: "delivering … attacks via short links".
  • [T1071.001] Web Protocols – Observed at a coarse level: command-and-control traffic is described as travelling over the web/Internet, which most plausibly means HTTP(S), but the summary does not name the protocol. Quoted fragment: "attacks via the WWW/Internet".
  • [T1041] Exfiltration Over C2 Channel – Observed: photos, videos, and documents are exfiltrated over attacker-controlled channels. Quoted fragment: "stealing photos, videos and documents".
  • [T1059.001] PowerShell – Inferred, not observed: the summary mentions script-like tooling but does not identify PowerShell or any specific interpreter, so this mapping is low confidence until the full report is checked. Quoted fragment: "execution using …".
  • [T1027] Obfuscated Files and Information – Inferred, not observed: the tooling is described as using adversarial encoding/obfuscation, without detail on the packing or encoding used. Quoted fragment: "adversarial encoding/obfuscation".
  • [T1566.001] Spearphishing Attachment – Inferred, not observed: the lure and delivery descriptions suggest attachment-based delivery in some waves, but the summary only confirms link-based delivery. Quoted fragment: "lures, delivery".

Indicators of Compromise

The entries below were extracted from the report page itself. mp.weixin.qq.com is the WeChat publishing platform that hosts the article and mmbiz.qpic.cn is the CDN that serves its figures; neither is attacker infrastructure, and adding either to a blocklist would cut off access to the report (and to WeChat generally) without detecting anything. The one delivery-related item is truncated on this page and cannot be used as an indicator as shown.

  • [Domain] mp.weixin.qq.com – Reporting artifact: the platform hosting the source article, not attacker infrastructure.
  • [Domain] mmbiz.qpic.cn – Reporting artifact: image CDN serving the article's figures and diagrams.
  • [URL] https://mp.weixin.qq.com/s/B0ElRhbqLzs-wGQh79fTww – Reporting artifact: the source article.
  • [URL] https://mmbiz.qpic.cn/sz_mmbiz_png/icIVJNqXD6sRvMHP3as3TfIBkpOYpicpyicejG3iaOJVDRoy4DrkjDfXnnIqULKsNtF26znIrSCOXDvVR2CNquicXQ/640?wx_fmt=png – Reporting artifact: figure image.
  • [URL] https://mmbiz.qpic.cn/sz_mmbiz_png/icIVJN2qXD6sRvMHP3as3TfIBkpOYpicpytyDbEg3mExic9o6QZVeqyuGiaibqt8KLKSl0ZQ6k7q9mTiaCHLZ2CyaE7Q/640?wx_fmt=png – Reporting artifact: figure image.
  • [URL] http://ti.qqi… – Truncated on this page. The article describes short-link delivery, but the full link is not reproduced here, and the fragment is not usable as an indicator.
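The list above mixes the report's own hosting (its WeChat page and figure CDN) with the one delivery-related fragment, which is a common failure when indicators are scraped mechanically from a write-up. The following Python script is an added example, not code from the original article or its author: it parses the page's bullet lines exactly as they appear, treats any host on the report's own site or on its figure CDN as a reporting artifact, flags values that are elided with "…" as truncated, and only lets the remainder through as blocklist candidates. The assumption that mmbiz.qpic.cn counts as publisher infrastructure is the script's, derived from the image URLs on this page; the sample input is constructed from the page's own IoC section.

```python
# Added example (not from the original article): triage an extracted IoC list so that
# the report's own hosting infrastructure is not mistaken for attacker infrastructure.
import re
from urllib.parse import urlsplit

# The page's "Read more" link. Anything hosted on the same site is a reporting artifact.
REPORT_URL = "https://mp.weixin.qq.com/s/B0ElRhbqLzs-wGQh79fTww"

# Assumption: the CDN that serves the article's figures is publisher infrastructure too.
PUBLISHER_HOSTS = {urlsplit(REPORT_URL).hostname, "mmbiz.qpic.cn"}

# Constructed sample input: the bullet lines of the page's IoC section, copied verbatim.
IOC_LINES = [
    "  • [Domain] mp.weixin.qq.com – Article references and source hosting; used in reporting artifacts.",
    "  • [Domain] mmbiz.qpic.cn – Image hosting domains for the article’s figures and diagrams.",
    "  • [URL] https://mp.weixin.qq.com/s/B0ElRhbqLzs-wGQh79fTww – Source URL cited in the article.",
    "  • [URL] https://mmbiz.qpic.cn/sz_mmbiz_png/icIVJNqXD6sRvMHP3as3TfIBkpOYpicpyicejG3iaOJVDRoy4DrkjDfXnnIqULKsNtF26znIrSCOXDvVR2CNquicXQ/640?wx_fmt=png – Image resource used in figures.",
    "  • [URL] https://mmbiz.qpic.cn/sz_mmbiz_png/icIVJN2qXD6sRvMHP3as3TfIBkpOYpicpytyDbEg3mExic9o6QZVeqyuGiaibqt8KLKSl0ZQ6k7q9mTiaCHLZ2CyaE7Q/640?wx_fmt=png – Another figure asset URL.",
    "  • [URL] http://ti.qqi… (various short-link delivery references in article) – example of link-based content delivery.",
]

# "  • [Type] value – description": capture the bracketed type and the first token after it.
BULLET_RE = re.compile(r"^\s*•\s*\[(?P<type>[^\]]+)\]\s*(?P<value>\S+)")


def host_of(ioc_type: str, value: str) -> str:
    """Return the hostname an indicator would be matched against (lower-cased)."""
    if ioc_type.lower() == "url":
        return (urlsplit(value).hostname or "").lower()
    return value.lower()


def is_publisher_host(host: str) -> bool:
    """True if host is, or is a subdomain of, a known report-hosting domain."""
    return any(host == h or host.endswith("." + h) for h in PUBLISHER_HOSTS)


def classify(line: str):
    """Parse one bullet line; return None for lines that are not IoC bullets."""
    m = BULLET_RE.match(line)
    if not m:
        return None
    ioc_type, value = m.group("type"), m.group("value")
    if "…" in value or value.endswith("..."):
        verdict = "truncated"          # elided on the page; unusable until the full value is recovered
    elif is_publisher_host(host_of(ioc_type, value)):
        verdict = "report-artifact"    # where the report lives, not where the attacker does
    else:
        verdict = "candidate"          # still needs analyst review before it goes anywhere near a blocklist
    return {"type": ioc_type, "value": value, "verdict": verdict}


def triage(lines):
    """Classify every IoC bullet in the given lines, preserving order."""
    return [r for r in map(classify, lines) if r is not None]


def candidates(lines):
    """Only the values that could legitimately be considered for blocking after review."""
    return [r["value"] for r in triage(lines) if r["verdict"] == "candidate"]


if __name__ == "__main__":
    for r in triage(IOC_LINES):
        print(f"{r['verdict']:16} [{r['type']}] {r['value']}")
    print("blocklist candidates:", candidates(IOC_LINES))
```

Run against this page, every entry comes back as either a reporting artifact or truncated, and the candidate list is empty, which is the correct outcome: nothing on this page should be fed to a blocklist or a SIEM watchlist as-is. The same suffix check is worth keeping in any ingestion pipeline, seeded with the hosts of whatever publishers you pull reports from.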

Read more: https://mp.weixin.qq.com/s/B0ElRhbqLzs-wGQh79fTww