🇮🇳

Mysterious Elephant

APT Group Information theft and espionage 1 zero-day CVE ETDA ✓

Also Known As

No alias recorded

Target Countries 8

Countries highlighted in red

Afghanistan Bangladesh Bhutan Sri Lanka Nepal Pakistan Turkey United States

Sectors Targeted

Data Processing, Hosting, and Related Services 51821

Details

Origin 🇮🇳 IN

Last Updated 02 Apr 2025

MITRE ATT&CK 30

T1005 - Data from Local System T1012 - Query Registry T1020 - Automated Exfiltration T1027 - Obfuscated Files or Information T1041 - Exfiltration T1053 - Scheduled Task/Job T1055 - Process Injection T1057 - Process Discovery T1059 - Command and Scripting Interpreter T1059.001 - PowerShell T1071 - Application Layer Protocol T1074 - Data Staged T1082 - System Information Discovery T1083 - File and Directory Discovery T1087 - Account Discovery T1095 - Non-Application Layer Protocol T1102 - Web Service T1105 - Ingress Tool Transfer T1112 - Modify Registry T1132 - Data Encoding T1140 - Deobfuscate/Decode Files or Information T1195 - Supply Chain Compromise T1203 - Exploitation for Client Execution T1218 - Signed Binary Proxy Execution T1218.001 - Compiled HTML File T1547 - Boot or Logon Autostart Execution T1547.001 - Registry Run Keys / Startup Folder T1566 - Phishing T1566.001 - Spearphishing Attachment T1573 - Encrypted Channel

Related Zero-Days 1

CVE-2025-59230

Known Names 2 entries

Mysterious Elephant Kaspersk

APT-K-47 Knownsec 404

Observed Target Countries 1

Based on ETDA data — countries highlighted in red

Pakistan

Description

(Knownsec 404) Recently, in the course of daily APT tracking,the Knownsec 404 Advanced Threat Intelligence team discovered an attack campaign by the APT-K-47 organization using the topic of “Hajj”, and the attackers used a CHM file to execute a malicious payload in the same directory. The final payload is relatively simple, supporting only the cmd shell, and is implemented using asynchronous programming, which is very similar to the “Asynshell” that was used by the organization several times during Our team’s tracking cycle from 2023 to the first half of 2024. Based on our tracking observations, the previously captured Asynshell has been updated in several versions, and based on the logic and functionality of the code, we have reason to suspect that this sample is an upgraded version of Asynshell.

Tools Used 1

ORPCBackdoor

Reports & References 2

https://medium.com/@knownsec404team/unveiling-the-past-and-present-of-apt-k-47-weapon-asyncshell-5a98f75c2d68 https://medium.com/@knownsec404team/apt-k-47-mysterious-elephant-a-new-apt-organization-in-south-asia-5c66f954477

ETDA Profile

Mysterious Elephant

Origin

[Unknown]

First Seen 2023

Motivation

Information theft and espionage

View on ETDA APT Groups ↗