Mysterious Elephant: a growing threat

Mysterious Elephant is an active APT group targeting government and foreign affairs organizations in the Asia‑Pacific region using spear phishing, exploit chains, custom loaders, and exfiltration modules focused on WhatsApp data. Its 2025 campaign relies on custom tools such as BabShell, MemLoader (HidenDesk/Edge), and the exfiltrators Uplo, Stom, and ChromeStealer to steal documents, images, and archived files.

Keypoints

  • Mysterious Elephant, tracked since 2023, combines and maintains code from multiple APTs (Origami Elephant, Confucius, SideWinder) to build evolving toolsets.
  • The 2025 campaign shifted to spear phishing, exploit kits, and malicious documents to achieve initial access, focusing on South Asia (notably Pakistan) and diplomatic targets.
  • Operators deploy custom and customized open‑source tools including BabShell (reverse shell), MemLoader HidenDesk and MemLoader Edge (reflective in‑memory loaders), and payloads like Remcos/VRat.
  • PowerShell scripts are used for payload download/execution and persistence via scheduled tasks triggered by network profile events, with evasion delays configured.
  • Exfiltration is tailored to WhatsApp data and common sensitive file types using specialized modules: Uplo (targeted file extensions), Stom (WhatsApp transfers path), and ChromeStealer (Chrome profile data).
  • Infrastructure employs many domains, wildcard DNS techniques, VPS and cloud hosts to generate unique names per request and hinder tracking.
  • Primary victims are government and foreign affairs entities across Pakistan, Bangladesh, Afghanistan, Nepal, and Sri Lanka, with highly tailored lures and payloads.

MITRE Techniques

  • [T1566] Phishing – Tailored spear phishing emails used to deliver malicious documents as convincing lures (e.g., “Pakistan’s application for a non-permanent seat on the United Nations Security Council”).
  • [T1204.002] User Execution: Malicious File – Malicious decoy documents used to trigger exploitation and deploy downloaders such as Vtyrei and next‑stage payloads.
  • [T1203] Exploitation for Client Execution – Use of exploit chains including CVE-2017-11882 and exploit kits to achieve code execution from documents.
  • [T1059.001] Command and Scripting Interpreter: PowerShell – PowerShell scripts loaded from C2 to download payloads, schedule tasks, and establish persistence (downloads ping.exe and schedules a network-profile-triggered task with a four-hour delay).
  • [T1105] Ingress Tool Transfer – Download of additional payloads and modules (e.g., BabShell, MemLoader modules) from attacker-controlled C2 servers using curl/certutil.
  • [T1055] Process Injection – MemLoader HidenDesk and MemLoader Edge perform reflective in‑memory loading of decrypted PE payloads (Remcos, VRat) to execute code without touching disk.
  • [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – MemLoader HidenDesk creates a shortcut in the autostart folder to ensure persistence after reboot.
  • [T1020] Automated Exfiltration – Exfiltration modules (Uplo, Stom, ChromeStealer) recursively collect targeted files and transfer them to C2 servers using obfuscated domain paths and encoding (XOR, Base64).
  • [T1071.001] Application Layer Protocol: Web Protocols – Use of HTTP(S) C2 channels and custom domains/IPs to receive commands and exfiltrate data (multiple domains listed in infrastructure section).
  • [T1496] Resource Hijacking / Data from Local System – Targeted collection of WhatsApp shared files from %AppData%\Packages\xxxxx.WhatsAppDesktop_[WhatsApp ID]\LocalState\Shared\transfers to steal documents and media.

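The scheduled-task persistence described under [T1059.001] (an event trigger on network profile changes, a multi-hour delay, and a downloaded binary such as ping.exe) can be hunted for in exported Task Scheduler XML. The following detection helper is an added example, not code from the Securelist write-up; the task XML it parses is constructed to mirror the reported pattern, and the NetworkProfile event ID it uses is an assumption.

```python
# Added example: flag Task Scheduler definitions that combine an EventTrigger on
# Microsoft-Windows-NetworkProfile events, a long Delay, and an Exec action whose
# binary lives in a user-writable directory (the pattern reported for this campaign).
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\temp\\", "\\programdata\\")

def iso_duration_seconds(value: str) -> int:
    """Convert a Task Scheduler ISO 8601 duration (e.g. PT4H, PT30M, P1D) to seconds."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", value or "")
    if not m:
        return 0
    d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return d * 86400 + h * 3600 + mi * 60 + s

def analyze_task(xml_text: str, min_delay_seconds: int = 3600) -> dict:
    """Return findings for one task definition; 'suspicious' needs all three signals."""
    root = ET.fromstring(xml_text)
    f = {"network_profile_trigger": False, "delay_seconds": 0,
         "user_writable_exec": [], "suspicious": False}
    for trig in root.findall(".//t:Triggers/t:EventTrigger", NS):
        sub = trig.findtext("t:Subscription", default="", namespaces=NS)
        if "Microsoft-Windows-NetworkProfile" in sub:
            f["network_profile_trigger"] = True
            delay = trig.findtext("t:Delay", default="", namespaces=NS)
            f["delay_seconds"] = max(f["delay_seconds"], iso_duration_seconds(delay))
    for cmd in root.findall(".//t:Actions/t:Exec/t:Command", NS):
        if any(p in (cmd.text or "").lower() for p in USER_WRITABLE):
            f["user_writable_exec"].append(cmd.text)
    f["suspicious"] = (f["network_profile_trigger"]
                       and f["delay_seconds"] >= min_delay_seconds
                       and bool(f["user_writable_exec"]))
    return f

# Constructed sample task (not a real capture); EventID 10000 (network connected)
# is assumed, as is the ping.exe location under the user's AppData folder.
SAMPLE_TASK = """<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><EventTrigger><Enabled>true</Enabled>
    <Subscription>&lt;QueryList&gt;&lt;Query Id="0" Path="Microsoft-Windows-NetworkProfile/Operational"&gt;&lt;Select Path="Microsoft-Windows-NetworkProfile/Operational"&gt;*[System[EventID=10000]]&lt;/Select&gt;&lt;/Query&gt;&lt;/QueryList&gt;</Subscription>
    <Delay>PT4H</Delay>
  </EventTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>C:\\Users\\victim\\AppData\\Roaming\\ping.exe</Command>
  </Exec></Actions>
</Task>"""

if __name__ == "__main__":
    print(analyze_task(SAMPLE_TASK))
```

Export live tasks with `schtasks /query /xml /tn <name>` or from C:\Windows\System32\Tasks and feed each file to analyze_task to triage a host.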
Indicators of Compromise

  • [File Hashes] Malicious payloads and loaders – BabShell: 85c7f209a8fa47285f08b09b3868c2a1f947ff7fb94fa35a532f8a7d99181cf1; MemLoader HidenDesk STI.dll: 658eed7fcb6794634bbdd7f272fcf9c6.
  • [File Hashes] Exfiltrators and droppers – Uplo Exfiltrator SXSHARED.dll: cf1d14e59c38695d87d85af76db9a861; ChromeStealer WhatsAppOB.exe: 9e50adb6107067ff0bab73307f5499b6.
  • [File Names] Dropped/executed files and artifacts – ping.exe (used by PowerShell downloader and Stom exfiltrator), Edge.exe/debugger.exe/runtime.exe (associated with MemLoader Edge).
  • [Domains] C2 and staging domains – storycentral[.]net, monsoonconference[.]com, cloud.givensolutions[.]online:4443, solutions.fuzzy-network[.]tech (used as C2/staging infrastructure and to host payloads).
  • [IPs] Hosting/infrastructure IP addresses – 91.132.95[.]148, 62.106.66[.]80, 158.255.215[.]45 (examples of IPs used in the actor’s infrastructure).
  • [Malicious Documents] Lure filenames – 2025-013-PAK-MoD-Invitation_the_UN_Peacekeeping.rar (contains malicious document), M6XA.rar (malicious document archive).


Read more: https://securelist.com/mysterious-elephant-apt-ttps-and-tools/117596/