South Asian hackers target Pakistani entities in new espionage campaign


A threat actor known as Mysterious Elephant has been observed targeting Pakistani entities in a new espionage campaign.

The group, also tracked as APT-K-47, has been active since 2022 and likely originates in South Asia, according to a new report from China-based cybersecurity firm Knownsec. The group’s goals and techniques are similar to those used by India-linked state-sponsored cyberespionage groups, including SideWinder, Confucius and Bitter, the researchers said.

The hackers delivered an improved version of the Asyncshell payload to infected devices as part of the group's new campaign. The payload was first identified in January, when researchers found a malicious sample exploiting a vulnerability in WinRAR, a popular file archiver for Windows. To date, Knownsec has identified four different versions of Asyncshell.

“APT-K-47 has frequently used Asyncshell to launch attack activities since 2023 and has gradually upgraded the attack chain and payload code,” the researchers said.

The exact initial access vector employed by the group in the latest campaign is unknown, but it likely involves phishing emails.

The hackers delivered a malicious payload via a zip file that contained an encrypted archive and a text file with a password. The group likely used this technique to evade detection by antivirus programs, the researchers noted.
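The delivery wrapper described above (a plain zip holding a password-protected archive plus a small text file carrying the password) is easy to triage at a mail gateway or in a sandbox before any payload is extracted. The following is an added example written for this page, not code from Knownsec or from the campaign; it uses only the Python standard library. The file names, the password regex, the 512-byte size cut-off and the sample archives are constructed assumptions, and because `zipfile` cannot write encrypted entries, the sample's inner archive has its encryption flag bit patched in by hand to imitate a password-protected zip.

```python
import io
import re
import zipfile

ENCRYPTED_BIT = 0x1                     # general-purpose flag bit 0: entry is encrypted
ARCHIVE_SUFFIXES = (".zip", ".rar", ".7z")
PASSWORD_RE = re.compile(r"(?i)\b(pass(word)?|pwd)\b")   # assumed heuristic for a password note


def inspect_container(outer_zip: bytes) -> dict:
    """Summarise an outer zip: nested archives, nested zips whose members are
    flagged encrypted, and small text files that mention a password."""
    result = {"nested_archives": [], "encrypted_nested": [], "password_notes": []}
    with zipfile.ZipFile(io.BytesIO(outer_zip)) as zf:
        for info in zf.infolist():
            name = info.filename.lower()
            if name.endswith(ARCHIVE_SUFFIXES):
                result["nested_archives"].append(info.filename)
                if name.endswith(".zip"):
                    # Listing members does not decrypt anything, so no password is needed
                    inner = zipfile.ZipFile(io.BytesIO(zf.read(info)))
                    if any(m.flag_bits & ENCRYPTED_BIT for m in inner.infolist()):
                        result["encrypted_nested"].append(info.filename)
            elif name.endswith(".txt") and info.file_size <= 512:
                text = zf.read(info).decode("utf-8", errors="replace")
                if PASSWORD_RE.search(text):
                    result["password_notes"].append(info.filename)
    return result


def is_suspicious(outer_zip: bytes) -> bool:
    """Flag the 'archive inside a zip, password in a text file beside it' pattern."""
    r = inspect_container(outer_zip)
    return bool(r["nested_archives"]) and bool(r["password_notes"])


# --- constructed samples (not real campaign artefacts) ---------------------

def _build_zip(members: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def _mark_encrypted(zip_bytes: bytes) -> bytes:
    """Set the encryption flag on every local (offset 6) and central
    directory (offset 8) header of a stored zip, to imitate a
    password-protected archive for the sample."""
    data = bytearray(zip_bytes)
    for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        pos = data.find(sig)
        while pos != -1:
            data[pos + off] |= ENCRYPTED_BIT
            pos = data.find(sig, pos + 4)
    return bytes(data)


SAMPLE_INNER = _mark_encrypted(_build_zip({"Hajj_notice.pdf": b"constructed placeholder content\n"}))
SAMPLE_OUTER = _build_zip({"Hajj_notice.zip": SAMPLE_INNER, "password.txt": b"Password: 12345\n"})
BENIGN_OUTER = _build_zip({"readme.txt": b"Meeting notes\n", "notice.pdf": b"%PDF-1.4 constructed\n"})

if __name__ == "__main__":
    print(inspect_container(SAMPLE_OUTER), is_suspicious(SAMPLE_OUTER))
    print(inspect_container(BENIGN_OUTER), is_suspicious(BENIGN_OUTER))
```

The check deliberately stops at listing members: the inner archive is never opened with the password, so the triage step cannot itself detonate anything. `.rar` and `.7z` entries are counted as nested archives by name only, since parsing their headers needs third-party libraries; the password-note heuristic alone is enough to raise the score for those.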

The decoy document was hosted on a Pakistani ministry website and primarily discussed matters related to the celebration of Hajj, the annual Islamic pilgrimage to Mecca.

Researchers have not disclosed the exact targets of the campaign or its success — Mysterious Elephant’s previous victims have been based in Pakistan, Bangladesh and Turkey.

For instance, in October 2023 the group used phishing attacks to deliver a backdoor called ORPCBackdoor to targets in Pakistan and other countries.

Although this attack has not been directly attributed to India, both nations have previously employed cyberespionage capabilities against each other.

Earlier this year, researchers discovered a campaign linked to hackers allegedly based in Pakistan who had used Android-based malware for six years to target India’s government and Indian companies in the defense and technology sectors.

In February, suspected Indian state-sponsored hackers used romance scams to lure victims in Pakistan into installing malicious apps, which infected their devices with spying malware.


Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.
