Kaspersky detects new cyber threats in Asia-Pacific region

DCV Desk

In early 2025, Kaspersky’s Global Research and Analysis Team (GReAT) identified a new campaign by the ‘Mysterious Elephant’ APT. The group primarily targets government entities and foreign affairs organizations across the Asia-Pacific region, with a focus on Pakistan, Bangladesh, Afghanistan, Nepal, Sri Lanka and other countries. The attackers aim to steal highly sensitive information, including documents, images, and archived files, and they also target WhatsApp data for exfiltration, a press release said.

Mysterious Elephant’s 2025 campaign marks a major evolution in its tactics, using both custom-built and open-source tools for targeted attacks. The group relies heavily on PowerShell scripts to execute commands, deploy malware, and maintain persistence using legitimate utilities. Its key tool, BabShell, provides a reverse shell for direct system access, gathering unique system identifiers and launching advanced modules like MemLoader HidenDesk to execute encrypted payloads in memory and evade detection. A notable feature of this campaign is WhatsApp data theft, with modules designed to exfiltrate shared files, photos, and documents.

“The threat actor’s infrastructure is built for stealth and resilience, using a network of domains and IP addresses, wildcard DNS records, VPSs, and cloud hosting. The wildcard DNS records allow the group to generate unique subdomains for each request, scale operations quickly, and make tracking by security teams difficult,” commented Noushin Shabab, lead security researcher at Kaspersky GReAT. “Understanding the group’s TTPs, sharing threat intelligence, and implementing effective countermeasures are essential to reduce the risk of successful attacks and protect sensitive information from falling into the wrong hands. Organizations should also implement robust security measures, including regular software updates, network monitoring, and employee training.”

Read the full report on Securelist.com

Kaspersky recommends using Kaspersky Next, Compromise Assessment, Managed Detection and Response (MDR) and/or Incident Response, and Kaspersky Threat Intelligence to strengthen cybersecurity defenses.

About the Global Research & Analysis Team

Established in 2008, Global Research & Analysis Team (GReAT) operates at the very heart of Kaspersky, uncovering APTs, cyber-espionage campaigns, major malware, ransomware and underground cyber-criminal trends across the world. Today GReAT consists of 35+ experts working globally – in Europe, Russia, Latin America, Asia and the Middle East. Talented security professionals provide company leadership in anti-malware research and innovation, bringing unrivaled expertise, passion and curiosity to the discovery and analysis of cyberthreats.
