
An elephant in the room: Kaspersky detects new Mysterious Elephant activity in Asia-Pacific

October 15, 2025

In early 2025, Kaspersky’s Global Research and Analysis Team (GReAT) identified a new campaign by the ‘Mysterious Elephant’ APT. The group primarily targets government entities and foreign affairs organizations across the Asia-Pacific region, with a focus on Pakistan, Bangladesh, Afghanistan, Nepal, Sri Lanka and other countries. The attackers aim to steal highly sensitive information, including documents, images, and archived files, with WhatsApp data targeted for exfiltration.

The group’s 2025 campaign marks a significant shift in its TTPs: the attackers have transitioned to a mix of custom-built and open-source tools to achieve their objectives. The threat actor now uses a combination of exploit kits, personalized spear-phishing emails, and malicious documents, tailoring each attack to specific victims to gain initial access. Once inside the network, the threat actor employs a variety of tools and techniques to escalate privileges, move laterally, and exfiltrate sensitive data.

PowerShell scripts form the backbone of Mysterious Elephant’s operations, enabling the group to execute commands, deploy additional malware, and maintain persistence on compromised systems. These scripts use legitimate tools and system utilities to perform malicious operations.

A central tool in the group’s arsenal is BabShell, a reverse shell that grants attackers direct access to infected machines. Once executed, it gathers critical system information including the username, computer name, and MAC address to uniquely identify the target. BabShell also serves as a launchpad for advanced modules like MemLoader HidenDesk, which executes malicious payloads in memory while leveraging encryption and compression to evade detection.

This campaign is particularly notable for its focus on WhatsApp data theft. The attackers have developed specialized modules capable of exfiltrating files shared through the app, including sensitive documents, photos, and archives.

“The threat actor’s infrastructure is built for stealth and resilience, using a network of domains and IP addresses, wildcard DNS records, VPSs, and cloud hosting. The wildcard DNS records allow the group to generate unique subdomains for each request, scale operations quickly, and make tracking by security teams difficult,” commented Noushin Shabab, lead security researcher at Kaspersky GReAT. “Understanding the group’s TTPs, sharing threat intelligence, and implementing effective countermeasures are essential to reduce the risk of successful attacks and protect sensitive information from falling into the wrong hands. Organizations should also implement robust security measures, including regular software updates, network monitoring, and employee training.”
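The wildcard DNS behaviour described above (a fresh, never-repeated subdomain under one domain for each request) is something a defender can look for in resolver logs. The following is an added example, not code from the report or from Kaspersky: it parses constructed DNS query log lines, groups them by registrable domain using a naive last-two-labels rule (an assumption; a real deployment would use a public-suffix list), and flags domains where nearly every query carries a unique subdomain. The domain names and log format are made up for the example.

```python
import re
from collections import defaultdict

# Constructed sample resolver log (not from the report): "timestamp client qname qtype".
SAMPLE_LOG = """\
2025-02-01T08:00:01Z 10.0.0.12 a91f3c0e.updates-cdn.example A
2025-02-01T08:00:04Z 10.0.0.12 7b2e44d1.updates-cdn.example A
2025-02-01T08:00:09Z 10.0.0.15 c0ffee12.updates-cdn.example A
2025-02-01T08:00:12Z 10.0.0.12 e5d8a7f3.updates-cdn.example A
2025-02-01T08:00:15Z 10.0.0.20 www.corp-intranet.example A
2025-02-01T08:00:16Z 10.0.0.20 mail.corp-intranet.example A
2025-02-01T08:00:18Z 10.0.0.12 www.corp-intranet.example A
2025-02-01T08:00:20Z 10.0.0.12 www.corp-intranet.example A
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

def parse_log(text):
    """Yield (client, qname) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(2), m.group(3).lower().rstrip(".")

def registered_domain(qname, depth=2):
    """Naive registrable domain: the last `depth` labels (assumption, no public-suffix list)."""
    labels = qname.split(".")
    return ".".join(labels[-depth:]) if len(labels) >= depth else qname

def wildcard_candidates(text, min_queries=4, unique_ratio=0.75):
    """Return {domain: stats} for domains where most queries use a never-repeated subdomain."""
    per_domain = defaultdict(lambda: {"queries": 0, "subdomains": set(), "clients": set()})
    for client, qname in parse_log(text):
        dom = registered_domain(qname)
        if qname == dom:
            continue  # apex query: no subdomain to count
        st = per_domain[dom]
        st["queries"] += 1
        st["subdomains"].add(qname[: -len(dom) - 1])  # strip ".<domain>" suffix
        st["clients"].add(client)
    flagged = {}
    for dom, st in per_domain.items():
        if st["queries"] < min_queries:
            continue  # too few observations to judge
        ratio = len(st["subdomains"]) / st["queries"]
        if ratio >= unique_ratio:
            flagged[dom] = {"queries": st["queries"], "unique_subdomains": len(st["subdomains"]),
                            "unique_ratio": round(ratio, 2), "clients": sorted(st["clients"])}
    return flagged
```

On the constructed sample, `wildcard_candidates(SAMPLE_LOG)` flags `updates-cdn.example` (four queries, four distinct subdomains, two internal clients) and leaves the intranet domain alone; in practice the ratio threshold needs tuning against legitimate CDN and telemetry domains that also rotate hostnames.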

Read the full report on Securelist.com

To mitigate or prevent similar attacks, organizations are advised to follow these best practices:

  • Ensure that security agents are deployed on all workstations within the organization without exception, to enable timely incident detection and minimize potential damage.
  • Review and control service and user account privileges, avoiding excessive rights assignments – especially for accounts used across multiple hosts within the infrastructure.
  • To protect the company against a wide range of threats, use solutions from the Kaspersky Next product line that provide real-time protection, threat visibility, investigation and the response capabilities of EDR and XDR for organizations of any size and industry. Depending on your current needs and available resources, you can choose the most relevant product tier and easily migrate to another one if your cybersecurity requirements are changing.
  • Adopt managed security services by Kaspersky such as Compromise Assessment, Managed Detection and Response (MDR) and/or Incident Response, covering the entire incident management cycle – from threat identification to continuous protection and remediation. These services help protect against evasive cyberattacks, investigate incidents, and provide additional expertise even if a company lacks cybersecurity staff.
  • Provide your InfoSec professionals with in-depth visibility into cyberthreats targeting your organization. The latest Kaspersky Threat Intelligence provides them with rich and meaningful context across the entire incident management cycle and helps them identify cyber risks in a timely manner.

About the Global Research & Analysis Team

Established in 2008, the Global Research & Analysis Team (GReAT) operates at the very heart of Kaspersky, uncovering APTs, cyber-espionage campaigns, major malware, ransomware and underground cyber-criminal trends across the world. Today GReAT consists of 35+ experts working globally – in Europe, Russia, Latin America, Asia and the Middle East. Talented security professionals provide company leadership in anti-malware research and innovation, bringing unrivaled expertise, passion and curiosity to the discovery and analysis of cyberthreats.


About Kaspersky

Kaspersky is a global cybersecurity and digital privacy company founded in 1997. With over a billion devices protected to date from emerging cyberthreats and targeted attacks, Kaspersky’s deep threat intelligence and security expertise is constantly transforming into innovative solutions and services to protect individuals, businesses, critical infrastructure, and governments around the globe. The company’s comprehensive security portfolio includes leading digital life protection for personal devices, specialized security products and services for companies, as well as Cyber Immune solutions to fight sophisticated and evolving digital threats. We help millions of individuals and nearly 200,000 corporate clients protect what matters most to them. Learn more at www.kaspersky.com.
