Exploits

Mysterious Elephant Uses Advanced Asyncshell Malware in Targeted Attacks

Published  ·  2 min read

The Mysterious Elephant, a South Asian threat actor also known as APT-K-47, has been observed using an enhanced version of its signature malware, Asyncshell, in its latest attack campaign.

Attack Campaign Details

The group employed Hajj-themed phishing lures, tricking victims into opening a malicious payload masquerading as a Microsoft Compiled HTML Help (CHM) file. Once executed, this CHM file simultaneously displays a legitimate Hajj-related PDF from the Ministry of Religious Affairs and Interfaith Harmony of Pakistan while stealthily running malicious binaries in the background.

Delivery Mechanism

  1. ZIP Archive: Delivered via phishing emails containing a CHM file and a hidden executable.
  2. Decoy Document: A legitimate government PDF is used as a cover.
  3. Malware Execution: Establishes a remote cmd shell for further exploitation.

Asyncshell Malware Evolution

First documented in mid-2023, Asyncshell has undergone multiple upgrades:

  1. Command Execution: Executes cmd and PowerShell commands.
  2. C2 Communications: Transitioned from TCP to HTTPS for more secure command-and-control (C2).
  3. Variable C2 Servers: Replaced fixed C2 addresses with dynamic ones via disguised service requests.
  4. WinRAR Exploit: Exploits CVE-2023-38831 (CVSS score: 7.8) to initiate infections.
  5. Improved Delivery Chain: Incorporates Visual Basic Scripts to enhance stealth and automate payload execution through scheduled tasks.

Similarities with Other Threat Actors

Mysterious Elephant shares tactics and tools with South Asian groups like SideWinder, Confucius, and Bitter, suggesting collaboration or overlapping strategies in the region.

Key Targets

The group primarily focuses on Pakistani entities, though its spear-phishing campaign in October 2023 expanded to include other countries, delivering the ORPCBackdoor malware.

Implications of Asyncshell’s Advancements

The group's reliance on Asyncshell, coupled with its consistent upgrades, highlights its importance to their operations. The shift to dynamic C2 addresses demonstrates APT-K-47’s growing sophistication in maintaining stealth and adaptability in cyber campaigns.

Mysterious Elephant’s evolving toolkit and strategic targeting emphasize the need for robust cybersecurity measures. Governments and organizations in the region must remain vigilant against such highly adaptive and persistent threats.

 

Professional Services

Explore Our Cybersecurity Services

Our insights are backed by hands-on service delivery. If your business needs professional cybersecurity support, our UK-based specialists are ready to help.

© 2016 – 2026 Red Secure Tech Ltd. Registered in England and Wales — Company No: 15581067