‘Mysterious Elephant’ Targets South Asian States in Sophisticated Cyberattacks
At the beginning of this year, cybersecurity firm Kaspersky’s Global Research and Analysis Team (GReAT) identified a new Advanced Persistent Threat (APT) group named “Mysterious Elephant.” The group has been launching cyberattacks on government offices and foreign affairs-related organizations across the Asia-Pacific region, including Bangladesh, Pakistan, Afghanistan, Nepal, Sri Lanka, and several neighboring countries.
According to Kaspersky, the hacker group has been stealing critical and sensitive information from its targets. The firm’s analysis revealed that the attackers have been attempting to exfiltrate office documents, images, archived files, and even WhatsApp data.
Kaspersky’s Bangladesh office disclosed that in Mysterious Elephant’s 2025 campaign, the group has adopted markedly different tactics. This time, alongside its custom-built tools, it has also employed open-source utilities to carry out targeted intrusions. The group relies mainly on PowerShell scripts to execute commands, deploy malware, and maintain persistent access by abusing legitimate software.
Investigations revealed that one of the main tools used by the hackers is BabShell, a reverse shell that gives the operators direct access to a compromised system so they can extract sensitive data. They also deploy the MemLoader and HiddenDesk modules, which keep the malicious code resident only in memory so that it runs covertly and evades detection by security software. Another focus of the campaign is data theft from WhatsApp, where specialized modules collect shared files, images, and documents.
Nausheen Shabab, Principal Security Researcher at Kaspersky’s GReAT team, said, “The infrastructure of this hacker group is designed to function covertly and resist takedowns. They use multiple domains and IP addresses, wildcard DNS records, VPS, and cloud hosting. Particularly, wildcard DNS records allow them to generate new subdomains for every request, enabling rapid expansion and making it extremely difficult for security teams to track their operations.”
She further emphasized, “It is critical to understand this group’s tactics, techniques, and procedures (TTPs), share threat intelligence, and implement effective countermeasures. Doing so will help reduce the risk of successful cyberattacks and protect sensitive data from theft. Organizations should strengthen their defenses by regularly updating software, monitoring networks, and raising employee awareness about cybersecurity.”
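The wildcard DNS behaviour described above leaves a recognisable footprint in a resolver's query log: many distinct, rarely repeated subdomains under one registrable domain, all answered with the same address. The following script is an added illustration of how a defender could hunt for that pattern; it is not Kaspersky's detection logic and not code from the article. The log format (`timestamp client qname qtype answer`), the thresholds, the two-label approximation of the registrable domain, and every domain and IP in the sample (reserved `.test` names and documentation address ranges) are constructed assumptions, not indicators from the campaign.

```python
"""Hunt a DNS resolver log for domains that behave like wildcard records.

Heuristic (an assumption, not a published rule): a domain that answers many
distinct, almost never repeated subdomains with a single IP address looks like
wildcard-backed infrastructure and is worth an analyst's attention.
"""
from collections import defaultdict

# Constructed sample log: "<unix_ts> <client_ip> <qname> <qtype> <answer>".
# updates-cdn.test mimics the wildcard pattern; example-corp.test is ordinary traffic.
SAMPLE_LOG = """\
1700000000 10.0.0.5 www.example-corp.test A 203.0.113.10
1700000001 10.0.0.5 mail.example-corp.test A 203.0.113.11
1700000002 10.0.0.5 www.example-corp.test A 203.0.113.10
1700000003 10.0.0.7 a8f3c1.updates-cdn.test A 198.51.100.20
1700000004 10.0.0.7 9b2e77.updates-cdn.test A 198.51.100.20
1700000005 10.0.0.7 c04d1a.updates-cdn.test A 198.51.100.20
1700000006 10.0.0.7 e1b9f0.updates-cdn.test A 198.51.100.20
1700000007 10.0.0.7 77ad02.updates-cdn.test A 198.51.100.20
1700000008 10.0.0.9 api.example-corp.test A 203.0.113.12
"""


def parse_line(line):
    """Split one log line into a record; qnames are normalised to lower case."""
    ts, client, qname, qtype, answer = line.split()
    return {
        "ts": int(ts),
        "client": client,
        "qname": qname.lower().rstrip("."),
        "qtype": qtype,
        "answer": answer,
    }


def registered_domain(qname):
    """Approximate the registrable domain as the last two labels.

    Assumption for brevity: a real deployment would consult the public suffix
    list so that names under e.g. co.uk are grouped correctly.
    """
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def wildcard_candidates(log_text, min_subdomains=4, max_distinct_answers=1,
                        max_repeat_ratio=0.2):
    """Return domains whose query pattern matches the wildcard heuristic.

    min_subdomains:      distinct names needed before a domain is considered.
    max_distinct_answers: wildcard records usually map every name to one host.
    max_repeat_ratio:    share of queries that repeat an earlier name; near 0
                         means almost every query asked for a fresh subdomain.
    """
    stats = defaultdict(lambda: {"queries": 0, "subdomains": set(), "answers": set()})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["qtype"] not in ("A", "AAAA"):
            continue  # only address lookups carry the single-answer signal
        dom = registered_domain(rec["qname"])
        s = stats[dom]
        s["queries"] += 1
        s["subdomains"].add(rec["qname"])
        s["answers"].add(rec["answer"])

    findings = []
    for dom, s in stats.items():
        n_sub = len(s["subdomains"])
        repeat_ratio = 1 - n_sub / s["queries"]  # 0.0 => every query was a new name
        if (n_sub >= min_subdomains
                and len(s["answers"]) <= max_distinct_answers
                and repeat_ratio <= max_repeat_ratio):
            findings.append({
                "domain": dom,
                "unique_subdomains": n_sub,
                "queries": s["queries"],
                "answers": sorted(s["answers"]),
            })
    return findings


if __name__ == "__main__":
    for hit in wildcard_candidates(SAMPLE_LOG):
        print(f"{hit['domain']}: {hit['unique_subdomains']} unique subdomains "
              f"over {hit['queries']} queries, answers={hit['answers']}")
```

On the constructed sample only `updates-cdn.test` is reported; `example-corp.test` repeats names and resolves to several hosts, so it falls through the filter. The thresholds are deliberately loose starting points: tune `min_subdomains` upward on a busy resolver, and treat a hit as a lead for pivoting on the answering IP and passive DNS, not as a verdict.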
To reinforce cybersecurity resilience, Kaspersky has recommended using its services such as Kaspersky Next, Compromise Assessment, Managed Detection and Response (MDR), Incident Response, and Kaspersky Threat Intelligence.