Keypoints
- Mysterious Elephant is a South Asian APT identified in Kaspersky’s Q2 2023 report and linked to attacks affecting Pakistan, Bangladesh and Myanmar.
- Some tooling and infrastructure overlap with the Bitter cluster (including ORPCBackdoor), creating attribution ambiguity between groups.
- Attackers weaponize CHM files disguised with “.pdf.chm” double extensions and image lures to trick targets into executing external C# backdoors.
- C# backdoors use Task-based async code, sometimes packed with ConfuserEx, and support remote command execution and file operations via C2 connections.
- C2 discovery methods vary: hardcoded addresses, AES-decrypted config files (SysConfig.enc/license), or parsing responses from attacker-controlled web services (easyiplookup.com / winfreecloud.net).
- Adversaries re-used or mimicked public red-team phishing samples to craft region-specific lures focused on government, defense and diplomatic topics.
- Qi An Xin recommends standard phishing defenses, sandboxing unknown files, timely backups and patching; detection signatures have been added across their product lines.
MITRE Techniques
- [T1059] Command and Scripting Interpreter – Used to execute commands on victim hosts via C# backdoors (‘Execution of commands via C# backdoors.’)
- [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (the report cites the retired ID T1060 for this technique) – Potential persistence mechanism suggested for C# backdoors using startup-related settings (‘Potential persistence through startup mechanisms in C# backdoors.’)
- [T1071] Application Layer Protocol – Backdoors communicate with remote C2 servers over HTTP/S to receive commands and send data (‘Backdoors communicate with C2 servers using HTTP/S.’)
- [T1041] Exfiltration Over C2 Channel – Data and command results can be transmitted back to operators over established C2 connections (‘Data exfiltration via established C2 connections.’)
Indicators of Compromise
- [MD5 hashes] sample context – CHM lure example: 3df2d899d6d8d827adf2d92c91b3b32b; C# backdoor example: 27ac8eb519679530999e786281e9a578; and 20+ other hashes listed in the report.
- [C2 IPs] command-and-control servers – 91.132.92.231:5959 (derived from easyiplookup response), 158.255.215.115:443 (shared in archive configs), and several other C2s such as 46.183.187.42:443.
- [Domains/URLs] C2-distribution/lookup services – hxxp://easyiplookup.com:5080/main/get_ip_data and hxxp://winfreecloud.net:6396/athena/identification used to deliver or reveal C2 info.
- [File names] lure and payload filenames – lure example: “Upcoming high level visit from China.pdf.chm”; executable example: “FileViewer.exe” (C# backdoor).
- [Archive names] delivery containers – example: Islamabad_Security_Dialogue_Pub.rar used to deliver CHM and hidden C# payloads.
Mysterious Elephant is a South Asian threat cluster that surfaced in Kaspersky’s Q2 2023 APT trends and has since been associated with a series of targeted phishing campaigns against government, military and diplomatic organizations across Pakistan, Bangladesh and Myanmar. Some of the malicious code and hosting overlap with tooling previously attributed to the Bitter actor—most notably ORPCBackdoor—so researchers continue to debate whether the activity represents one group or closely collaborating teams; for this analysis the CHM-based campaigns and related C# backdoors are treated as operations linked to Mysterious Elephant based on malware similarity and shared infrastructure.
The adversaries relied on an uncommon but effective initial vector: CHM help files crafted to appear as PDFs by using “.pdf.chm” double extensions and image lures inside the file. Because Windows Explorer hides known file extensions by default, a name such as “Upcoming high level visit from China.pdf.chm” is displayed as “Upcoming high level visit from China.pdf”, which is what makes the double extension effective. The CHM bodies contained extremely small script fragments whose only job was to launch an external binary (examples include “UsoCoreService” and “FileViewer.exe”), a design that kept the CHM itself free of overt malicious logic and reduced detection rates on public scanning platforms. Delivery commonly used encrypted archives: the CHM and a C# executable were placed in the same compressed package, with the C# file marked hidden so that an extraction with default Explorer settings shows only the CHM. Victims who extracted the archive typically saw only the harmless-looking CHM, scanned it with antivirus, found no obvious malicious script, and opened the file, thereby invoking the hidden C# backdoor.
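The delivery layout described above (a document-looking CHM plus a hidden executable in one archive) is something a mail gateway or triage script can check for before a user ever extracts the package. The following is an added example written for this write-up, not tooling from the report or from Qi An Xin: it inspects an archive's member list for double-extension help-file lures and for executables stored with the DOS hidden attribute or packaged next to a lure. It uses a ZIP container because Python's standard library can build and read one offline; the campaign used RAR, so a production version would swap in a RAR reader, but the checks are the same. The extension sets and the sample archive are assumptions constructed for the example.

```python
import io
import os
import zipfile
from dataclasses import dataclass

# DOS/Windows "hidden" attribute bit, carried in the low byte of ZipInfo.external_attr
FILE_ATTRIBUTE_HIDDEN = 0x02

# Assumption: these extension sets are ours, chosen for the example, not taken from the report.
LURE_EXTENSIONS = {".chm", ".hta", ".lnk"}
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".txt"}
EXECUTABLE_EXTENSIONS = {".exe", ".dll", ".scr", ".com"}


@dataclass
class Finding:
    member: str
    reason: str


def split_extensions(name: str) -> list:
    """Return all lower-cased extensions of a member name, e.g. 'a.pdf.chm' -> ['.pdf', '.chm']."""
    base = os.path.basename(name.replace("\\", "/"))
    parts = base.lower().split(".")
    return ["." + p for p in parts[1:] if p]


def is_hidden(info: zipfile.ZipInfo) -> bool:
    """True if the member was stored with the DOS hidden attribute (Windows-created archives)."""
    return bool(info.external_attr & FILE_ATTRIBUTE_HIDDEN)


def inspect_archive(data: bytes) -> list:
    """Flag double-extension help-file lures and hidden or co-packaged executables."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = [i for i in zf.infolist() if not i.is_dir()]
        has_lure = False
        for info in infos:
            exts = split_extensions(info.filename)
            if exts and exts[-1] in LURE_EXTENSIONS:
                has_lure = True
                if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTENSIONS:
                    findings.append(Finding(
                        info.filename,
                        f"double extension {exts[-2]}{exts[-1]} masquerading as a document"))
        for info in infos:
            exts = split_extensions(info.filename)
            if not exts or exts[-1] not in EXECUTABLE_EXTENSIONS:
                continue
            if is_hidden(info):
                findings.append(Finding(info.filename, "hidden executable"))
            elif has_lure:
                findings.append(Finding(info.filename,
                                        "executable packaged alongside a help-file lure"))
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample mirroring the described layout; member contents are dummy bytes, not malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # visible lure: a CHM named to look like a PDF ("ITSF" is the CHM header magic)
        zf.writestr("Upcoming high level visit from China.pdf.chm", b"ITSF" + b"\x00" * 28)
        # hidden payload: stand-in for the C# backdoor, stored with the DOS hidden attribute
        exe = zipfile.ZipInfo("FileViewer.exe")
        exe.external_attr = FILE_ATTRIBUTE_HIDDEN
        zf.writestr(exe, b"MZ" + b"\x00" * 62)
    return buf.getvalue()


if __name__ == "__main__":
    for finding in inspect_archive(build_sample_archive()):
        print(f"{finding.member}: {finding.reason}")
```

Run against the constructed archive, the script reports the CHM as a double-extension lure and FileViewer.exe as a hidden executable; on a real triage pipeline the same two findings on one archive are a strong reason to detonate the package rather than release it.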
The external payloads were C# backdoors that use Task-based asynchronous programming and, in some samples, were protected with ConfuserEx. Their core capability set is straightforward: establish contact with a command-and-control server, report the infected host (machine name and username), and execute remote commands—most commonly spawning a cmd.exe shell for interactive command execution. A subset of samples implements richer file and system management features such as directory listing, file read/write, upload/download, process enumeration, scheduled task listing, and systeminfo collection. Operators issued commands via the C2 channel; one sample family lists commands like dir, cat, copy, upload, tasklist, schtasks, download, systeminfo and generic command execution.
C2 discovery varied across samples, giving the operators flexibility. Some backdoors used hardcoded addresses, while others decrypted AES-protected configuration files such as SysConfig.enc or a file named “license” to obtain the server and port. A third technique masked C2 retrieval behind seemingly legitimate web services: certain backdoors requested a URL on an attacker-controlled site (for example, easyiplookup.com:5080/main/get_ip_data or winfreecloud.net:6396/athena/identification), parsed a RequestId field from the response, base64-decoded it, and used the result (for example 91.132.92.231:5959 or 91.132.92.231:6060) as the actual C2. Analysis of easyiplookup.com’s web pages shows it hosted an IP-lookup interface whose client-side script calls the same endpoint the backdoors used, indicating the site was under adversary control and doubling as a flexible C2 distribution mechanism. DNS records for easyiplookup.com and winfreecloud.net resolved to shared IPs (for example 151.236.9.75 and 84.32.84.32), consistent with centralized infrastructure used to rotate or hide real C2 endpoints.
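To make the third C2-discovery technique concrete, here is an added example (written for this summary, not code from the report or from the backdoors) that reproduces the parsing step the text describes: take the RequestId field from the lookup service's response, base64-decode it, and treat the result as host:port. It also generalises the idea into a detector that scans any HTTP response body for base64 tokens that decode to a socket address, which is how a proxy or sandbox can flag staged C2 retrieval without knowing the field name in advance. The sample response is constructed; only the RequestId field and the decoded 91.132.92.231:5959 value come from the report, the remaining keys are assumptions.

```python
import base64
import binascii
import json
import re

# host:port where host is an IP or hostname; port validated separately
SOCKET_RE = re.compile(r"^(?P<host>[A-Za-z0-9.\-]+):(?P<port>\d{1,5})$")
# candidate base64 tokens: 8+ alphabet chars, optional padding
B64_TOKEN_RE = re.compile(r"[A-Za-z0-9+/]{8,}={0,2}")


def decode_socket(blob: str):
    """Base64-decode a token; return (host, port) if the plaintext is a socket address, else None."""
    try:
        raw = base64.b64decode(blob, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None
    m = SOCKET_RE.match(raw.strip())
    if not m:
        return None
    port = int(m.group("port"))
    if not 0 < port < 65536:
        return None
    return m.group("host"), port


def c2_from_lookup_response(body: str):
    """Mimic the backdoor's logic: RequestId -> base64 decode -> C2 host:port."""
    try:
        doc = json.loads(body)
    except json.JSONDecodeError:
        return None
    rid = doc.get("RequestId") if isinstance(doc, dict) else None
    if not isinstance(rid, str):
        return None
    return decode_socket(rid)


def find_encoded_sockets(body: str):
    """Detection generalisation: any base64 token in the body that decodes to host:port."""
    hits = []
    for tok in B64_TOKEN_RE.findall(body):
        sock = decode_socket(tok)
        if sock is not None:
            hits.append((tok, sock))
    return hits


def sample_response() -> str:
    """Constructed lookup-service reply; field names other than RequestId are assumptions."""
    rid = base64.b64encode(b"91.132.92.231:5959").decode("ascii")
    return json.dumps({"status": "ok", "ip": "203.0.113.10", "country": "PK", "RequestId": rid})


if __name__ == "__main__":
    body = sample_response()
    print("backdoor would connect to:", c2_from_lookup_response(body))
    print("detector hits:", find_encoded_sockets(body))
```

The detector deliberately ignores the JSON structure: an operator can rename RequestId at any time, but the payload still has to decode to something the backdoor can connect to, so matching on the decoded shape is the more durable signal. Expect some noise from legitimate base64 blobs; in practice, restrict it to responses from low-reputation hosts on non-standard ports, as in the easyiplookup.com:5080 case.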
Some of the CHM lures and delivery archives reused or imitated publicly available red-team phishing samples. By copying the appearance and file layout of benign red-team packages the attackers increased the plausibility of their lures; in at least two observed archives the lure content explicitly referenced Pakistan defense topics and appeared tailored to military and diplomatic audiences. Forensic timelines—comparing VirusTotal upload timestamps and archive file timestamps—suggest the adversary adapted known red-team artifacts to craft region-specific campaigns rather than building all artifacts from scratch.
The campaign’s infrastructure and malware library overlap with samples hosted in an “op” directory on libraofficeonline[.]com, a server flagged by other researchers and linked in some reporting to the Bitter cluster. That server contained various tools, including files associated with ORPCBackdoor, WalkerShell and DemoTrySpy, and multiple C# backdoors that display functional and code-level similarities to the CHM-delivered payloads described here. Because ORPCBackdoor initially surfaced in reporting tied to Bitter, and other firms subsequently tracked ORPCBackdoor-using actors under a new label (Mysterious Elephant), attribution remains unsettled. To avoid adding to that ambiguity, this write-up associates the CHM/C# campaign with Mysterious Elephant based on the observed sample and infrastructure commonalities.
For defenders, the campaign highlights several important detection and prevention points. CHM files with double extensions and unexpected image lures should be treated with suspicion, and compressed deliveries containing hidden executables are a known evasion technique: configure Explorer and archive tools to show hidden files and full file extensions, and scan every member of an archive rather than only the file the user opens. Because some backdoors obtain C2 info from benign‑looking web pages, monitoring outbound HTTP(S) requests to uncommon domains and unusual endpoints (for example, services on non-standard ports that return encoded values) can reveal staged C2 retrieval. The reporting reiterates standard advice: avoid opening unknown attachments or links from social media and email, do not run executables from unverified sources, keep systems patched, and maintain regular backups. Qi An Xin also recommends sandboxing unknown files for deep analysis (their sandbox: https://sandbox.ti.qianxin.com/sandbox/page) and notes that their threat intelligence and product suite (TIP, TianQing, TianYan, NGSOC and others) already include detections for these attack patterns.
The IoCs observed across the campaign include many CHM lures (for example 3df2d899d6d8d827adf2d92c91b3b32b and b38aca4f2d80484d5523f1eada9afe76), numerous C# backdoor binaries (for example 27ac8eb519679530999e786281e9a578 and 00f2df1829893caa85f3968961b6e736), and compressed delivery archives such as Islamabad_Security_Dialogue_Pub.rar. Known C2 servers and endpoints extracted from samples include 91.132.92.231 on ports 5959 and 6060, 158.255.215.115:443, 46.183.187.42:443 and 162.252.175.131:8246. The attacker-controlled web endpoints used for C2 retrieval include hxxp://easyiplookup.com:5080/main/get_ip_data and hxxp://winfreecloud.net:6396/athena/identification. Analysts should correlate these artifacts with local telemetry to hunt for related compromises.
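The correlation step above is easy to automate. The following added example (our hunting logic for this summary, not a tool from the report) matches endpoint and proxy telemetry against the report's C2 sockets and lookup URLs, and also checks process lineage for the CHM execution chain. The lineage check rests on an assumption stated in the code: that the CHM is opened by hh.exe, the default Windows HTML Help handler, so the external binary launched by the CHM's script appears as a child of hh.exe. The event records are constructed for the example; the IoC values are the ones listed in the report.

```python
from urllib.parse import urlsplit

# IoCs as listed in the report: C2 sockets and the two C2-lookup URLs (defanged as in the text)
C2_SOCKETS = {
    ("91.132.92.231", 5959), ("91.132.92.231", 6060),
    ("158.255.215.115", 443), ("46.183.187.42", 443), ("162.252.175.131", 8246),
}
LOOKUP_URLS = {
    "hxxp://easyiplookup.com:5080/main/get_ip_data",
    "hxxp://winfreecloud.net:6396/athena/identification",
}


def refang(url: str) -> str:
    """Turn the defanged hxxp:// form used in reporting back into a parseable URL."""
    return url.replace("hxxps://", "https://").replace("hxxp://", "http://")


def endpoint_key(url: str):
    """(host, port, path) tuple used to compare observed requests with known endpoints."""
    s = urlsplit(refang(url))
    return (s.hostname, s.port, s.path)


LOOKUP_ENDPOINTS = {endpoint_key(u) for u in LOOKUP_URLS}
LOOKUP_HOSTS = {k[0] for k in LOOKUP_ENDPOINTS}


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def hunt(events):
    """Return (event_id, reason) pairs for events matching report IoCs or the CHM execution chain."""
    alerts = []
    for ev in events:
        kind = ev.get("type")
        if kind == "network":
            key = (ev["dst_ip"], int(ev["dst_port"]))
            if key in C2_SOCKETS:
                alerts.append((ev["id"],
                               f"connection to known C2 {key[0]}:{key[1]} by {basename(ev['image'])}"))
        elif kind == "http":
            key = endpoint_key(ev["url"])
            if key in LOOKUP_ENDPOINTS:
                alerts.append((ev["id"], f"request to known C2-lookup endpoint {key[0]}{key[2]}"))
            elif key[0] in LOOKUP_HOSTS:
                alerts.append((ev["id"], f"request to attacker-controlled host {key[0]}"))
        elif kind == "process":
            parent, image = basename(ev["parent_image"]), basename(ev["image"])
            # Assumption: hh.exe (the default CHM handler) is the parent of the binary that the
            # CHM's script launches; hh.exe spawning any other executable is rare on a workstation.
            if parent == "hh.exe" and image != "hh.exe" and image.endswith(".exe"):
                alerts.append((ev["id"], f"hh.exe spawned {image}"))
    return alerts


def sample_events():
    """Constructed endpoint/proxy telemetry in a simplified Sysmon-like shape, not real logs."""
    return [
        {"id": 1, "type": "process", "parent_image": r"C:\Windows\hh.exe",
         "image": r"C:\Users\u\Downloads\FileViewer.exe"},
        {"id": 2, "type": "http", "image": r"C:\Users\u\Downloads\FileViewer.exe",
         "url": "http://easyiplookup.com:5080/main/get_ip_data"},
        {"id": 3, "type": "network", "image": r"C:\Users\u\Downloads\FileViewer.exe",
         "dst_ip": "91.132.92.231", "dst_port": 5959},
        {"id": 4, "type": "http", "image": r"C:\Program Files\Browser\browser.exe",
         "url": "https://www.example.com/index.html"},
        {"id": 5, "type": "process", "parent_image": r"C:\Windows\explorer.exe",
         "image": r"C:\Windows\hh.exe"},
    ]


if __name__ == "__main__":
    for event_id, reason in hunt(sample_events()):
        print(event_id, reason)
```

On the constructed data, events 1 to 3 fire in sequence (hh.exe spawning FileViewer.exe, the request to the lookup endpoint, then the connection to the decoded C2 socket), which is the full chain the report describes; events 4 and 5 are benign and stay silent. The lineage rule is the one worth keeping after the listed IPs rotate, since the infrastructure changes faster than the delivery technique.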
In summary, the campaign demonstrates a purposeful use of low‑visibility CHM lures and hidden C# executables to infiltrate sensitive South Asian targets, with modular C2 retrieval methods and simple but effective remote-control capabilities. The actors have shown the ability to blend red-team techniques with tailored lures and to reuse shared hosting for multiple toolsets, complicating attribution while expanding the reach and flexibility of their operations.