ModifiedElephant is a threat actor that has been active for at least a decade, targeting India-based human rights activists, defenders, academics, and lawyers in order to plant incriminating digital evidence that is later used to justify arrests. The group relies on spearphishing with publicly available remote access trojans (RATs) such as NetWire and DarkComet, sometimes paired with Android malware, and maintains overlapping infrastructure that may connect it to the commercial surveillance ecosystem. #ModifiedElephant #NetWire #DarkComet #BhimaKoregaon #Pegasus #SideWinder
Keypoints
- ModifiedElephant has operated for at least a decade, focusing on India‑based targets such as activists, journalists, academics, and lawyers.
- The actor’s objective is long‑term surveillance that sometimes culminates in delivering “evidence” to justify arrests.
- Infection is primarily via spearphishing with malicious Office document attachments; lure documents cover activism, climate, politics, and public service topics.
- Malware used includes NetWire and DarkComet RATs, with additional payloads like keyloggers and an Android Trojan; large archives and varied file types are used to evade detection.
- Incriminating files (e.g., Ltr_1804_to_cc.pdf) were delivered over NetWire sessions and organized across multiple victim systems within minutes.
- There are notable overlaps with other threat clusters (e.g., SideWinder, Operation Hangover) and links to private sector offensive actors and commercial surveillance circles (e.g., Pegasus/NSO Group).
- The activity is tied to broader political contexts (Bhima Koregaon case) and is described as aligning with Indian state interests in some analyses.
MITRE Techniques
- [T1566.001] Phishing – Spearphishing Attachment – Used spearphishing emails with malicious file attachments to deliver malware; lure attachments were themed around activism and events. “…The spearphishing emails and lure attachments are titled and generally themed around topics relevant to the target…”
- [T1203] Exploitation for Client Execution – Dropped and executed malware via public exploits in Office documents; “Observed lure documents repeatedly made use of CVE-2012-0158, CVE-2014-1761, CVE-2013-3906, CVE-2015-1641 exploits to drop and execute their malware of choice.”
- [T1056.001] Input Capture – Keylogging – Targeted with keylogger payloads dating back to 2012; “Known victims have also been targeted with keylogger payloads stretching as far back as 2012 (0a3d635eb11e78e6397a32c99dc0fd5a).”
- [T1105] Ingress Tool Transfer – Provided links to externally hosted files for manual download and execution; “In 2019 phishing campaigns, ModifiedElephant operators also took the approach of providing links to files hosted externally for manual download and execution by the target.”
- [T1071.001] Application Layer Protocol – Web Protocols – The report’s timeline of ModifiedElephant and SideWinder C2 infrastructure indicates the use of web protocols for command and control. “…Timeline sample of ModifiedElephant and SideWinder C2 Infrastructure…”
Indicators of Compromise
- [Domain] Domain used in infrastructure – new-agency.us
- [File hash] Keylogger payloads – 0a3d635eb11e78e6397a32c99dc0fd5a, c14e101c055c9cb549c75e90d0a99c0a
- [File hash] Phishing payloads – b822d8162dd540f29c0d8af28847246e, 0330921c85d582deb2b77a4dc53c78b3
- [File name] Notable incriminating document – Ltr_1804_to_cc.pdf
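The following is an added example (not from the SentinelOne report or this summary) showing how a defender can sweep the indicators listed above across key=value telemetry. The log lines and host names (ws01..ws04) are constructed; the domain, hashes and file name are the ones from the IoC list, and the sweep normalizes hash case, matches subdomains of the indicator domain while rejecting look-alike suffixes, and extracts file names from both Windows and POSIX paths.

```python
import re

# Indicators taken from the IoC list above; everything else here is constructed.
IOC_DOMAIN = "new-agency.us"
IOC_HASHES = {
    "0a3d635eb11e78e6397a32c99dc0fd5a": "keylogger payload",
    "c14e101c055c9cb549c75e90d0a99c0a": "keylogger payload",
    "b822d8162dd540f29c0d8af28847246e": "phishing payload",
    "0330921c85d582deb2b77a4dc53c78b3": "phishing payload",
}
IOC_FILENAME = "ltr_1804_to_cc.pdf"

# Constructed key=value telemetry for hypothetical hosts ws01..ws04 (not real victim data).
SAMPLE_LOGS = [
    'ts=2022-02-10T09:12:01Z host=ws01 event=dns query=mail.new-agency.us',
    'ts=2022-02-10T09:13:44Z host=ws01 event=file_write path="C:\\Users\\a\\Documents\\Ltr_1804_to_cc.pdf" md5=d41d8cd98f00b204e9800998ecf8427e',
    'ts=2022-02-10T09:15:02Z host=ws02 event=process md5=0A3D635EB11E78E6397A32C99DC0FD5A image=svchost.exe',
    'ts=2022-02-10T09:16:00Z host=ws03 event=dns query=new-agency.us.example.org',
    'ts=2022-02-10T09:17:30Z host=ws04 event=email_attachment name="agenda.doc" md5=b822d8162dd540f29c0d8af28847246e',
]

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse(line):
    """Parse key=value pairs; quoted values may contain spaces."""
    return {k: q if q else u for k, q, u in KV.findall(line)}

def domain_matches(name):
    """Exact match or subdomain of the IoC domain; rejects look-alike suffixes."""
    name = name.lower().rstrip(".")
    return name == IOC_DOMAIN or name.endswith("." + IOC_DOMAIN)

def sweep(lines):
    """Return (host, indicator_type, value, label) for every IoC hit in the telemetry."""
    hits = []
    for line in lines:
        rec = parse(line)
        host = rec.get("host", "unknown")
        if domain_matches(rec.get("query", "")):
            hits.append((host, "domain", rec["query"], "infrastructure domain"))
        md5 = rec.get("md5", "").lower()  # hash comparison is case-insensitive
        if md5 in IOC_HASHES:
            hits.append((host, "md5", md5, IOC_HASHES[md5]))
        # file name from a full path (Windows or POSIX) or a bare name field
        name = rec.get("path", rec.get("name", "")).replace("\\", "/").rsplit("/", 1)[-1]
        if name.lower() == IOC_FILENAME:
            hits.append((host, "filename", name, "incriminating document"))
    return hits

if __name__ == "__main__":
    for hit in sweep(SAMPLE_LOGS):
        print(hit)
```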
Read more: https://www.sentinelone.com/labs/modifiedelephant-apt-and-a-decade-of-fabricating-evidence/