

Apache Jackrabbit RCE Vulnerability
September 9, 2025
CVE-2025-43722 – Dell PowerScale OneFS Vulnerability
September 9, 2025
Severity
High
Analysis Summary
MysteriousElephant, also tracked as APT-K-47, is a South Asia–linked advanced persistent threat group first publicly detailed by Kaspersky in 2023, though its activity dates back at least to early 2022. The group’s operations have been closely tied to regional geopolitics, with a primary focus on espionage against government and diplomatic entities in Pakistan and occasional targeting of Bangladesh and Turkey.
Researchers have noted overlaps with other Indian-aligned clusters such as SideWinder and Confucius, though attribution remains low confidence. Its toolset includes custom malware such as ORPCBackdoor, which relies on an RPC-based C2 channel over ncacn_ip_tcp, uses DLL hijacking via version.dll, persists through scheduled tasks, and provides reconnaissance, command execution, and file exfiltration capabilities, as well as Asyncshell, a lightweight command-line C2 agent that has gone through several iterations since 2023.
The group typically gains initial access through spear-phishing, often using password-protected ZIP archives containing malicious RTF or CHM documents, and has been observed exploiting CVE-2023-38831 in WinRAR to aid execution. Campaigns often employ well-crafted social engineering themes, such as decoy files hosted on legitimate Pakistani government infrastructure or religiously themed lures. In November 2024, the group ran a Hajj-themed operation that delivered an updated Asyncshell payload via CHM files, with evidence of the WinRAR exploit being leveraged in parts of the campaign.
The impact of MysteriousElephant’s activity is primarily long-term espionage: persistent access to victim environments, exfiltration of system data, and intelligence collection aligned with strategic state interests.
Impact
- Cyber Espionage
- Data Exfiltration
- Unauthorized Access
Indicators of Compromise
SHA-1
- aa88e1820a9ef061ae2ed0f0066d4584f85e6ea0
- ff13da1f1790429c46f3fa88d3358346b88e8d15
- faee96c4c0e77296c2e0ef186bd1188283bc7c56
- 38498ef36274ceac658bc97db65b44e7b291d1f8
- 46bbc2ccbdd39102973ffdcab8c2e5c6ffd16e61
- 580205f1de8e7b010b5e2d3e141d4ec8976d9dd6
- 0ea6ecd7fa9613bc6ef1de6a0602101b5f9de7d1
SHA-256
- 098bde0ed983370203f0f1b473a1051d1704ad27078d892d58c5577b09d1cafb
- 04f8430eb73b8127d0fc30fce24e204e77a5099002df1a779c54a07bfabfa6b2
- bf34b2fcf1d59c534f4c957f7e125826923d62e4e5dfd116b9ebfe1853277eb8
- bfd3b7bfd27c00f7e0e0ade73e1992ba22b9568f65a90147dcf5414463d7b8a8
- a76bd0d7e016a402b93a0509be2eab166573c259f4ffc4bcbbb49d42cc136aac
- 2397f8593767884fbc0b4f2bae062ce62d51029af4098881c27f8834d9a7f5d9
- 54f0cce4c40c29b1e5be31b33f0ac9a8d7f9dfd88e9b17413c536215220de82e
MD5
- 624c557597a83cca175cc667cd248c8d
- c7268d9d4c44ad95f503e97477db6b70
- 9c9a417c4bec56185f5941a102e2d4da
- 54f16c9f33b915d26e5f506e830f380a
- 9a03abf203fa06c9519198d86fb12369
- 8f94312ba94b81bb9f83cdcfa551eb7d
- 3e2ca9b91cf07920a475ee2efc168221
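The following Python script is an added example, not part of this advisory or any vendor tooling, showing how the hash indicators above can be swept against a file system. It embeds the published values and infers each hash's algorithm from its hex length (32 characters for MD5, 40 for SHA-1, 64 for SHA-256) instead of trusting the heading it was listed under, which guards against mislabelled indicator feeds. The `demo()` function builds two constructed files in a temporary directory and seeds the index with the SHA-256 of one of them so the sweep has a hit to show; that seeded value and the file contents are constructed test data, not campaign artifacts.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Hash values as published in the advisory above. Each value's algorithm is
# inferred from its hex length (32 = MD5, 40 = SHA-1, 64 = SHA-256).
ADVISORY_HASHES = [
    "624c557597a83cca175cc667cd248c8d",
    "c7268d9d4c44ad95f503e97477db6b70",
    "9c9a417c4bec56185f5941a102e2d4da",
    "54f16c9f33b915d26e5f506e830f380a",
    "9a03abf203fa06c9519198d86fb12369",
    "8f94312ba94b81bb9f83cdcfa551eb7d",
    "3e2ca9b91cf07920a475ee2efc168221",
    "aa88e1820a9ef061ae2ed0f0066d4584f85e6ea0",
    "ff13da1f1790429c46f3fa88d3358346b88e8d15",
    "faee96c4c0e77296c2e0ef186bd1188283bc7c56",
    "38498ef36274ceac658bc97db65b44e7b291d1f8",
    "46bbc2ccbdd39102973ffdcab8c2e5c6ffd16e61",
    "580205f1de8e7b010b5e2d3e141d4ec8976d9dd6",
    "0ea6ecd7fa9613bc6ef1de6a0602101b5f9de7d1",
    "098bde0ed983370203f0f1b473a1051d1704ad27078d892d58c5577b09d1cafb",
    "04f8430eb73b8127d0fc30fce24e204e77a5099002df1a779c54a07bfabfa6b2",
    "bf34b2fcf1d59c534f4c957f7e125826923d62e4e5dfd116b9ebfe1853277eb8",
    "bfd3b7bfd27c00f7e0e0ade73e1992ba22b9568f65a90147dcf5414463d7b8a8",
    "a76bd0d7e016a402b93a0509be2eab166573c259f4ffc4bcbbb49d42cc136aac",
    "2397f8593767884fbc0b4f2bae062ce62d51029af4098881c27f8834d9a7f5d9",
    "54f0cce4c40c29b1e5be31b33f0ac9a8d7f9dfd88e9b17413c536215220de82e",
]

HASH_ALGO_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256"}
HEX = set("0123456789abcdef")


def classify(value):
    """Return (algorithm, normalised_hex) for an indicator, or raise ValueError."""
    h = value.strip().lower()
    algo = HASH_ALGO_BY_LEN.get(len(h))
    if algo is None or not set(h) <= HEX:
        raise ValueError(f"not an MD5/SHA-1/SHA-256 hex digest: {value!r}")
    return algo, h


def build_index(values):
    """Group indicator hashes by algorithm so each file needs one set lookup per digest."""
    index = {algo: set() for algo in HASH_ALGO_BY_LEN.values()}
    for v in values:
        algo, h = classify(v)
        index[algo].add(h)
    return index


def hash_file(path, chunk_size=1 << 20):
    """Compute MD5, SHA-1 and SHA-256 in a single pass over the file."""
    hashers = {algo: hashlib.new(algo) for algo in HASH_ALGO_BY_LEN.values()}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {algo: h.hexdigest() for algo, h in hashers.items()}


def sweep(root, index):
    """Walk `root` and return (path, algorithm, digest) for every indicator match."""
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        try:
            digests = hash_file(path)
        except OSError:
            continue  # unreadable file: skip it rather than abort the whole sweep
        for algo, digest in digests.items():
            if digest in index[algo]:
                hits.append((str(path), algo, digest))
    return hits


def demo():
    """Self-contained run over two constructed files, one of which is seeded as an indicator."""
    root = tempfile.mkdtemp(prefix="ioc_sweep_")
    benign = os.path.join(root, "notes.txt")
    suspect = os.path.join(root, "dropper.bin")  # constructed sample, not real malware
    with open(benign, "wb") as fh:
        fh.write(b"constructed benign content\n")
    with open(suspect, "wb") as fh:
        fh.write(b"constructed sample bytes standing in for a dropped file\n")
    # Seed the index with the constructed sample's SHA-256 so the demo produces a hit;
    # in production the index is built from ADVISORY_HASHES alone.
    with open(suspect, "rb") as fh:
        seeded = ADVISORY_HASHES + [hashlib.sha256(fh.read()).hexdigest()]
    return sweep(root, build_index(seeded))


if __name__ == "__main__":
    for path, algo, digest in demo():
        print(f"MATCH {algo} {digest} {path}")
```

Hashing every file three times in one read keeps the sweep I/O-bound rather than CPU-bound, and classifying by length means a feed that lists MD5 values under a SHA-1 heading still matches correctly.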
Remediation
- Apply latest security patches to WinRAR and other frequently exploited software to close known vulnerabilities like CVE-2023-38831.
- Block execution of CHM and other risky file formats at the email gateway to reduce malicious document delivery.
- Enable attachment sandboxing and content disarm and reconstruction (CDR) to detect or neutralize malicious payloads before they reach end users.
- Implement endpoint detection and response (EDR) rules to spot DLL hijacking attempts and abnormal scheduled task creation.
- Monitor for unusual RPC traffic patterns to detect ORPCBackdoor and similar C2 channels.
- Train users to recognize phishing attempts, including password-protected ZIPs and themed lures.
- Enforce strict email filtering and require multi-factor authentication for user accounts to prevent credential theft.
- Conduct proactive threat hunting for Asyncshell and other known tool artifacts in logs and memory.
- Limit user privileges and enforce application whitelisting to prevent arbitrary malware execution.
- Establish incident response playbooks for APT-style intrusions to ensure quick containment and recovery.
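As an added example that is not part of the advisory or any vendor's detection content, the Python below turns the behaviours described in the analysis (CHM and WinRAR lures spawning script hosts, DLL hijacking via version.dll, scheduled-task persistence, RPC over ncacn_ip_tcp) and the EDR and RPC-monitoring remediation items into four rules run over Sysmon-style process, image-load and network events. The field names (`event_id`, `image`, `parent_image`, `command_line`, `image_loaded`, `dest_ip`, `dest_port`) are a simplified assumption about the telemetry schema, the `LURE_HANDLERS` and `SCRIPT_HOSTS` lists are assumed starting points to tune per environment, and the `SAMPLE_EVENTS` records (including the 203.0.113.5 documentation address) are constructed for the demo.

```python
import ipaddress
import ntpath
import re

# Location conventions assumed for a default Windows install (adjust for other system drives).
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files")
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")
LURE_HANDLERS = {"hh.exe", "winrar.exe", "winword.exe", "excel.exe"}  # CHM viewer, archiver, Office (assumed list)
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe"}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def _name(path):
    return ntpath.basename(path).lower()  # ntpath parses Windows paths on any host OS


def _under(path, prefixes):
    return path.lower().startswith(prefixes)


def _is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def rule_version_dll_hijack(ev):
    """Event ID 7 (image load): version.dll resolved from outside the system directories."""
    if ev.get("event_id") != 7:
        return None
    loaded = ev["image_loaded"]
    if _name(loaded) == "version.dll" and not _under(loaded, SYSTEM_DIRS):
        return f"{ev['image']} loaded version.dll from {loaded}"
    return None


def rule_lure_child(ev):
    """Event ID 1 (process create): CHM viewer / archiver / Office app spawning a script host."""
    if ev.get("event_id") != 1:
        return None
    parent, child = _name(ev["parent_image"]), _name(ev["image"])
    if parent in LURE_HANDLERS and child in SCRIPT_HOSTS:
        return f"{parent} spawned {child}: {ev['command_line']}"
    return None


def rule_schtasks_create(ev):
    """Event ID 1: schtasks /create from a script host or lure handler, or with a user-writable action."""
    if ev.get("event_id") != 1 or _name(ev["image"]) != "schtasks.exe":
        return None
    cmd = ev["command_line"]
    if not re.search(r"/create\b", cmd, re.I):
        return None
    m = re.search(r'/tr\s+"?([^"]+?)"?(?:\s+/|$)', cmd, re.I)  # the task action (/tr) argument
    action = m.group(1).lower() if m else ""
    parent = _name(ev["parent_image"])
    if parent in LURE_HANDLERS | SCRIPT_HOSTS or any(d in action for d in USER_WRITABLE):
        return f"{parent} created task running {action or '<unparsed>'}"
    return None


def rule_rpc_from_unusual_process(ev):
    """Event ID 3 (network connect): TCP/135 from an untrusted binary or to an external address.
    ncacn_ip_tcp C2 need not use the endpoint mapper port, so treat this as a starting heuristic."""
    if ev.get("event_id") != 3 or ev.get("protocol") != "tcp" or ev.get("dest_port") != 135:
        return None
    if not _under(ev["image"], TRUSTED_ROOTS) or not _is_internal(ev["dest_ip"]):
        return f"{ev['image']} -> {ev['dest_ip']}:135"
    return None


RULES = (rule_version_dll_hijack, rule_lure_child, rule_schtasks_create, rule_rpc_from_unusual_process)


def run_rules(events):
    """Return (rule_name, detail) for every rule that fires on every event, in input order."""
    alerts = []
    for ev in events:
        for rule in RULES:
            detail = rule(ev)
            if detail:
                alerts.append((rule.__name__, detail))
    return alerts


# Constructed Sysmon-style records for the demo; not real telemetry from the campaign.
SAMPLE_EVENTS = [
    {"event_id": 1, "image": r"C:\Windows\System32\cmd.exe", "parent_image": r"C:\Windows\hh.exe",
     "command_line": r'cmd.exe /c "C:\Users\u\AppData\Local\Temp\d.exe"'},
    {"event_id": 7, "image": r"C:\Users\u\AppData\Local\Temp\viewer.exe",
     "image_loaded": r"C:\Users\u\AppData\Local\Temp\version.dll"},
    {"event_id": 7, "image": r"C:\Program Files\App\app.exe", "image_loaded": r"C:\Windows\System32\version.dll"},
    {"event_id": 1, "image": r"C:\Windows\System32\schtasks.exe", "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r'schtasks /create /tn Updater /tr "C:\Users\u\AppData\Roaming\svc.exe" /sc minute /mo 5'},
    {"event_id": 1, "image": r"C:\Windows\System32\schtasks.exe", "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'schtasks /create /tn Backup /tr "C:\Program Files\Backup\run.exe" /sc daily'},
    {"event_id": 3, "image": r"C:\Users\u\AppData\Roaming\svc.exe", "protocol": "tcp",
     "dest_ip": "203.0.113.5", "dest_port": 135},
    {"event_id": 3, "image": r"C:\Windows\System32\svchost.exe", "protocol": "tcp",
     "dest_ip": "10.0.0.4", "dest_port": 135},
]

if __name__ == "__main__":
    for name, detail in run_rules(SAMPLE_EVENTS):
        print(f"[{name}] {detail}")
```

Run as written, four of the seven constructed events fire (the hh.exe-to-cmd.exe chain, version.dll loaded from a Temp directory, a task whose action lives under AppData, and TCP/135 from an AppData binary to an external host) while the two benign counterparts (version.dll from System32, a task created by explorer.exe under Program Files, svchost.exe to an internal host) stay quiet. The rules are deliberately narrow so that each one maps to a single remediation item and can be tuned or replaced with the equivalent EDR or SIEM query.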