Researchers at Kaspersky’s Global Research and Analysis Team (GReAT) have published a detailed report on a newly evolved Advanced Persistent Threat (APT) group known as Mysterious Elephant, which has been conducting highly targeted cyber espionage campaigns against government and diplomatic entities across South Asia and the Asia-Pacific region.
The report highlights that Mysterious Elephant has “been consistently evolving and adapting its tactics, techniques, and procedures (TTPs) to stay under the radar,” with its latest operations revealing a shift toward custom-built malware, WhatsApp data theft, and open-source tool modification.
Kaspersky analysts first identified Mysterious Elephant in 2023, noting that the group’s early operations resembled those of Confucius, Origami Elephant, and SideWinder — known Indian subcontinent-linked APT groups.
“Further analysis revealed that Mysterious Elephant’s malware contained code from multiple APT groups… suggesting deep collaboration and resource sharing between teams,” the report stated.
What sets Mysterious Elephant apart, however, is its long-term development strategy. The group continues to maintain, improve, and integrate legacy malware from other APTs into its own campaigns, creating a hybrid toolkit capable of advanced stealth and persistence.
Kaspersky’s GReAT observed that in early 2025, Mysterious Elephant launched a major new campaign leveraging phishing emails and malicious documents to gain initial access. The phishing lures often impersonated diplomatic correspondence, with decoy themes tied to UN activities and political events.
“The primary targets of this APT group are countries in the South Asia region, particularly Pakistan… [and] the decoy document concerns Pakistan’s application for a non-permanent seat on the United Nations Security Council for the 2025–2026 term,” the researchers noted.
Once inside a network, attackers deployed PowerShell-based scripts loaded from command-and-control (C2) servers, using legitimate utilities like curl and certutil to download additional payloads.
These scripts ensured persistence by linking execution triggers to network profile changes, delaying activation for several hours to evade detection.
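One way a defender can hunt for the persistence pattern described above, as an added example that is not code from the Kaspersky report: it assumes the trigger is implemented as a Windows scheduled task with an EventTrigger subscribed to the Microsoft-Windows-NetworkProfile/Operational log plus a `<Delay>`, and the two task XML documents are constructed for the demo.

```python
"""Flag scheduled tasks that fire on network-profile events after a long delay.
Assumption (not stated in the article): persistence is a Task Scheduler EventTrigger
on Microsoft-Windows-NetworkProfile/Operational with a <Delay>; sample XML is constructed.
On a live host the task XML files sit under C:\\Windows\\System32\\Tasks.
"""
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
LOLBINS = ("powershell", "pwsh", "curl", "certutil")  # download helpers named in the article

def duration_seconds(iso: str) -> int:
    """Parse an ISO 8601 duration such as PT3H or PT90M into seconds (0 if absent)."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", iso or "")
    if not m:
        return 0
    d, h, mi, s = (int(x or 0) for x in m.groups())
    return d * 86400 + h * 3600 + mi * 60 + s

def find_network_profile_persistence(task_xml: str, min_delay_h: int = 1) -> list:
    """Return one finding per EventTrigger tied to network-profile changes."""
    root = ET.fromstring(task_xml)
    cmds = [(e.findtext("t:Command", "", NS) + " " + e.findtext("t:Arguments", "", NS)).strip()
            for e in root.iterfind(".//t:Actions/t:Exec", NS)]
    findings = []
    for trig in root.iterfind(".//t:Triggers/t:EventTrigger", NS):
        if "NetworkProfile" not in trig.findtext("t:Subscription", "", NS):
            continue  # event trigger on some other log; not the pattern we hunt
        delay = duration_seconds(trig.findtext("t:Delay", "", NS))
        findings.append({"delay_hours": round(delay / 3600, 2),
                         "long_delay": delay >= min_delay_h * 3600,
                         "lolbin_action": any(k in c.lower() for c in cmds for k in LOLBINS),
                         "commands": cmds})
    return findings

# Constructed task mimicking the reported pattern: network-profile trigger, 3 h delay, PowerShell action.
SUSPICIOUS_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
 <Triggers><EventTrigger><Enabled>true</Enabled>
  <Subscription>&lt;QueryList&gt;&lt;Query Id="0" Path="Microsoft-Windows-NetworkProfile/Operational"&gt;&lt;Select Path="Microsoft-Windows-NetworkProfile/Operational"&gt;*[System[EventID=10000]]&lt;/Select&gt;&lt;/Query&gt;&lt;/QueryList&gt;</Subscription>
  <Delay>PT3H</Delay></EventTrigger></Triggers>
 <Actions Context="Author"><Exec><Command>powershell.exe</Command>
  <Arguments>-nop -w hidden -File C:\Users\Public\update.ps1</Arguments></Exec></Actions>
</Task>"""
# Constructed benign task: plain logon trigger, no event subscription.
BENIGN_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
 <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
 <Actions Context="Author"><Exec><Command>notepad.exe</Command></Exec></Actions></Task>"""

if __name__ == "__main__":
    for name, xml in (("suspicious", SUSPICIOUS_TASK), ("benign", BENIGN_TASK)):
        print(name, find_network_profile_persistence(xml))
```

A sweep of every file under the Tasks directory with this function, keeping only findings where both `long_delay` and `lolbin_action` are true, gives a short review list rather than an alert on every event-triggered task.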
Mysterious Elephant’s operations rely on a modular toolkit that combines custom-made malware with modified open-source projects.
One of the key tools is BabShell, a reverse shell that enables attackers to connect to infected machines, collect host information, and execute concurrent commands remotely.
“Upon execution, it gathers system information… and enters an infinite loop of performing steps to receive commands from a C2 server and send results back,” Kaspersky explained.
This tool provides attackers with interactive control, allowing them to deploy payloads, move laterally, or gather intelligence in real time.
Another striking component is MemLoader HidenDesk, a reflective PE loader designed to load and execute encrypted payloads directly in memory, avoiding disk detection.
The loader’s behavior includes sandbox evasion, auto-start persistence, and even creating a hidden desktop environment named “MalwareTech_Hidden”.
“Using an RC4-like algorithm with the key D12Q4GXl1SmaZv3hKEzdAhvdBkpWpwcmSpcD, the malware decrypts and executes a block of data as shellcode, which loads a Remcos RAT sample in memory,” the report said.
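For analysts wanting to try the quoted key against an extracted block, here is an added example (not code from Kaspersky or from the loader): textbook RC4 with a known-answer self-check and an entropy drop as a quick plausibility signal. Because the report says "RC4-like", a real sample may deviate from this routine, and the "encrypted block" here is constructed for the demo rather than taken from a payload.

```python
"""RC4 keystream with the key quoted in the report, plus an entropy sanity check.
Assumptions: the routine is textbook RC4 (the report only says "RC4-like"), and the
encrypted block below is constructed for the demo, not a real stage.
"""
import math
from collections import Counter

REPORTED_KEY = b"D12Q4GXl1SmaZv3hKEzdAhvdBkpWpwcmSpcD"  # key as quoted in the report

def rc4(key: bytes, data: bytes) -> bytes:
    """Apply the RC4 keystream (symmetric: applying it twice restores the input)."""
    s = list(range(256))
    j = 0
    for i in range(256):  # key-scheduling algorithm (KSA)
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:  # pseudo-random generation algorithm (PRGA)
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def entropy(blob: bytes) -> float:
    """Shannon entropy in bits per byte; ciphertext sits near the maximum, code/text well below."""
    n = len(blob)
    return -sum(c / n * math.log2(c / n) for c in Counter(blob).values())

def known_answer_ok() -> bool:
    """Published RC4 test vector: key 'Key', plaintext 'Plaintext'."""
    return rc4(b"Key", b"Plaintext").hex() == "bbf316e8d940af0ad3"

def try_key(key: bytes, block: bytes, min_drop_bits: float = 1.0) -> tuple:
    """Decrypt block; the second value says whether entropy fell enough to suggest a correct key."""
    plain = rc4(key, block)
    return plain, entropy(block) - entropy(plain) >= min_drop_bits

# Constructed stand-in for the embedded stage: a NOP sled plus a readable marker.
STAGE = b"\x90" * 128 + b"constructed stand-in for the in-memory stage " * 4
ENCRYPTED_BLOCK = rc4(REPORTED_KEY, STAGE)  # constructed ciphertext for the demo

if __name__ == "__main__":
    plain, plausible = try_key(REPORTED_KEY, ENCRYPTED_BLOCK)
    print(known_answer_ok(), plausible, plain[:16])
```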
A second variant, MemLoader Edge, incorporates additional anti-analysis techniques, embedding VRat, a customized version of the open-source vxRat backdoor.
Kaspersky revealed that Mysterious Elephant’s exfiltration modules specifically target WhatsApp communications on compromised desktops.
“They are designed to steal sensitive data from compromised systems… allowing them to target files shared through the WhatsApp application and exfiltrate valuable information,” the report stated.
The Uplo Exfiltrator and Stom Exfiltrator modules use recursive file searches and XOR-based obfuscation to identify and upload sensitive files to C2 servers. Stom’s latest version specifically scans WhatsApp’s local transfer directory for shared documents and images:
“The targeted path includes %AppData%\\Packages\\xxxxx.WhatsAppDesktop_[WhatsApp ID]\\LocalState\\Shared\\transfers\\… collecting files such as .PDF, .DOCX, .TXT, .JPG, .ZIP, and .PPTX,” the researchers detailed.
Meanwhile, the ChromeStealer module extracts browser cookies, tokens, and authentication data — potentially compromising victims’ chat logs and stored WhatsApp sessions.
Kaspersky notes that the threat actor uses wildcard DNS records, VPS-based infrastructure, and cloud hosting to generate unique domain names for each request, making tracking difficult.
“The attackers have been using virtual private servers (VPS) and cloud services to host their infrastructure… allowing them to easily scale and adapt their operations to evade detection,” GReAT reported.
Mysterious Elephant primarily targets government institutions and diplomatic organizations in Pakistan, Bangladesh, Sri Lanka, Nepal, and Afghanistan, using personalized phishing and tailored payloads.
In its conclusion, Kaspersky describes Mysterious Elephant as “a highly sophisticated and active Advanced Persistent Threat group” that remains one of the most adaptive espionage actors in Asia.