An elephant in the room: Kaspersky detects new Mysterious Elephant activity in Asia-Pacific

In early 2025, Kaspersky’s Global Research and Analysis Team (GReAT) identified a new campaign by the ‘Mysterious Elephant’ APT. The group primarily targets government entities and foreign affairs organizations across the Asia-Pacific region, with a focus on Pakistan, Bangladesh, Afghanistan, Nepal, Sri Lanka and other countries. The attackers aim to steal highly sensitive information, including documents, images, and archived files, with WhatsApp data targeted for exfiltration.

The group’s 2025 campaign marks a significant shift in its TTPs: the attackers have transitioned to a mix of custom-built and open-source tools to achieve their objectives. The threat actor now uses a combination of exploit kits, personalized spear-phishing emails, and malicious documents, tailoring each attack to specific victims to gain initial access. Once inside the network, the threat actor employs a variety of tools and techniques to escalate privileges, move laterally, and exfiltrate sensitive data.

PowerShell scripts form the backbone of Mysterious Elephant’s operations, enabling the group to execute commands, deploy additional malware, and maintain persistence on compromised systems. These scripts use legitimate tools and system utilities to perform malicious operations.

A central tool in the group’s arsenal is BabShell, a reverse shell that grants attackers direct access to infected machines. Once executed, it gathers critical system information including the username, computer name, and MAC address to uniquely identify the target. BabShell also serves as a launchpad for advanced modules like MemLoader HidenDesk, which executes malicious payloads in memory while leveraging encryption and compression to evade detection.

This campaign is particularly notable for its focus on WhatsApp data theft. The attackers have developed specialized modules capable of exfiltrating files shared through the app, including sensitive documents, photos, and archives.

“The threat actor’s infrastructure is built for stealth and resilience, using a network of domains and IP addresses, wildcard DNS records, VPSs, and cloud hosting. The wildcard DNS records allow the group to generate unique subdomains for each request, scale operations quickly, and make tracking by security teams difficult,” commented Noushin Shabab, lead security researcher at Kaspersky GReAT. “Understanding the group’s TTPs, sharing threat intelligence, and implementing effective countermeasures are essential to reduce the risk of successful attacks and protect sensitive information from falling into the wrong hands. Organizations should also implement robust security measures, including regular software updates, network monitoring, and employee training.”
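The wildcard-DNS pattern described above (a fresh subdomain for every request) leaves a measurable trace in resolver logs: a base domain whose queried names almost never repeat. The script below is an added detection example, not code from Kaspersky or the report; the log format, domain names and thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample resolver log (hypothetical names, not indicators from the report):
# "<timestamp> <client_ip> <queried_name>"
SAMPLE_DNS_LOG = """\
2025-02-03T10:00:01 10.0.0.5 a7f3k2.cdn-update.example
2025-02-03T10:00:07 10.0.0.5 q9z1mm.cdn-update.example
2025-02-03T10:00:15 10.0.0.8 x0p4rr.cdn-update.example
2025-02-03T10:00:22 10.0.0.5 b2c8nn.cdn-update.example
2025-02-03T10:00:30 10.0.0.9 www.intranet.example
2025-02-03T10:00:31 10.0.0.9 www.intranet.example
2025-02-03T10:00:45 10.0.0.5 mail.intranet.example
"""


def registered_domain(name: str) -> str:
    """Naive base-domain extraction: the last two labels (no public-suffix list)."""
    labels = name.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def subdomain_stats(log_text: str) -> dict:
    """Per base domain: total queries and number of distinct full names seen."""
    queries = defaultdict(int)
    unique = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:          # skip malformed lines
            continue
        name = parts[2].lower().rstrip(".")
        base = registered_domain(name)
        queries[base] += 1
        unique[base].add(name)
    return {b: {"queries": queries[b], "unique_names": len(unique[b])} for b in queries}


def flag_wildcard_like(log_text: str, min_unique: int = 4, max_reuse: float = 1.0) -> list:
    """Flag base domains where (almost) every query hits a never-before-seen subdomain.

    Thresholds are assumed starting points: tune min_unique and max_reuse to the
    environment, and allow-list CDNs that legitimately churn hostnames.
    """
    flagged = []
    for base, s in subdomain_stats(log_text).items():
        reuse = s["queries"] / s["unique_names"]   # 1.0 means no name ever repeated
        if s["unique_names"] >= min_unique and reuse <= max_reuse:
            flagged.append(base)
    return sorted(flagged)


if __name__ == "__main__":
    print(flag_wildcard_like(SAMPLE_DNS_LOG))   # ['cdn-update.example']
```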
