The threat actor Mysterious Elephant (also tracked as APT-K-47) has been observed running a campaign that uses an updated version of the Asyncshell malware. Security researchers at Knownsec 404 have found the group using Hajj-themed lures to trick victims into executing malicious payloads disguised as Microsoft Compiled HTML Help (CHM) files.
Background and Targeting
Mysterious Elephant, which emerged in 2022, has primarily focused its operations on Pakistani entities. The group’s tactical approach and toolset share notable similarities with other regional threat actors, including SideWinder, Confucius, and Bitter. Their activities gained significant attention in October 2023 when they conducted a spear-phishing campaign delivering the ORPCBackdoor malware across Pakistan and neighboring countries.
Latest Attack Methodology
While the initial access vector remains unconfirmed, researchers believe the group relies on phishing emails to distribute a ZIP archive containing two components:
- A CHM file purportedly related to the 2024 Hajj policy
- A concealed executable file

The attack sequence begins when the victim opens the CHM file, which displays a legitimate PDF document hosted on the website of Pakistan's Ministry of Religious Affairs and Interfaith Harmony. At the same time, the concealed executable runs in the background.
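The archive layout described above (a CHM decoy shipped next to a concealed executable) is something a mail gateway or analyst can check for before the file is ever opened. The following triage script is an added example written for this article; it is not code from the Knownsec 404 report. The sample archive is built in memory with placeholder names and dummy bytes, and the check relies on the DOS "hidden" attribute that ZIP entries carry in the low byte of their external attributes.

```python
"""Triage a ZIP attachment for a CHM file paired with a hidden executable.

Added example, not part of the Knownsec 404 report. The archive built by
build_sample_archive() is constructed here: file names are placeholders,
not indicators from the report.
"""
import io
import zipfile

# Windows/DOS attribute bit stored in the low byte of ZipInfo.external_attr
FILE_ATTRIBUTE_HIDDEN = 0x02
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".com", ".pif", ".dll")


def is_hidden(info: zipfile.ZipInfo) -> bool:
    """True when the entry was stored with the hidden attribute set."""
    return bool(info.external_attr & FILE_ATTRIBUTE_HIDDEN)


def triage_zip(data: bytes) -> dict:
    """Inspect one archive and return what was found plus a verdict.

    The verdict is 'suspicious' when a .chm entry sits alongside an
    executable that has been marked hidden, which is the lure layout the
    article describes.
    """
    findings = {"chm": [], "executables": [], "hidden_executables": [], "suspicious": False}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename.lower()
            if name.endswith(".chm"):
                findings["chm"].append(info.filename)
            elif name.endswith(EXECUTABLE_SUFFIXES):
                findings["executables"].append(info.filename)
                if is_hidden(info):
                    findings["hidden_executables"].append(info.filename)
    findings["suspicious"] = bool(findings["chm"]) and bool(findings["hidden_executables"])
    return findings


def build_sample_archive(hidden: bool = True) -> bytes:
    """Construct a sample archive mimicking the lure layout (placeholder names, dummy bytes)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Hajj_Policy_2024.chm", b"ITSF dummy chm content")  # decoy document (placeholder)
        exe = zipfile.ZipInfo("support.exe")  # placeholder name for the concealed executable
        if hidden:
            exe.external_attr = FILE_ATTRIBUTE_HIDDEN  # stored with the hidden attribute
        zf.writestr(exe, b"MZ dummy executable")
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_zip(build_sample_archive()))
    print(triage_zip(build_sample_archive(hidden=False)))
```

The check is deliberately narrow: it does not open the CHM or run anything, it only reads the central directory. Extend EXECUTABLE_SUFFIXES to whatever your environment treats as executable, and treat a hidden entry of any type next to a document as worth a second look.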
Asyncshell Evolution
The malware’s primary function is establishing a command shell connection with a remote server. Researchers have identified four distinct versions of Asyncshell since its initial deployment in late 2023. Key developments include:
- Enhanced capabilities for executing cmd and PowerShell commands
- Exploitation of the WinRAR vulnerability (CVE-2023-38831)
- The transition from TCP to HTTPS for command-and-control communications
- Implementation of an updated attack sequence utilizing Visual Basic Script
- Introduction of scheduled tasks for payload execution
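On an endpoint, the chain the article describes (a CHM opened by the victim, a concealed executable running from it, and in later versions a Visual Basic Script stage and a scheduled task) shows up as a process tree rooted at hh.exe, the Windows HTML Help viewer that opens .chm files. The hunt below is an added example for this article, not code from the Knownsec 404 report; the Sysmon-style process-creation events are constructed, and every path, PID and file name in them is a placeholder.

```python
"""Hunt for processes descended from the CHM viewer (hh.exe).

Added example, not from the Knownsec 404 report. SAMPLE_EVENTS are
constructed process-creation records; paths, PIDs and names are placeholders.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str        # full path of the created process
    cmdline: str = ""


# hh.exe renders .chm files; it has no business spawning anything.
CHM_VIEWER = "hh.exe"

# Stages the article attributes to later Asyncshell versions: a VBS step,
# scheduled-task persistence, and cmd/PowerShell command execution.
STAGE_MARKERS = {
    "wscript.exe": "vbs-stage",
    "cscript.exe": "vbs-stage",
    "schtasks.exe": "scheduled-task",
    "cmd.exe": "shell",
    "powershell.exe": "shell",
}


def basename(path: str) -> str:
    """Last path component, lower-cased, accepting both slash styles."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(image: str) -> str:
    """Label a process by the stage it most likely represents."""
    return STAGE_MARKERS.get(basename(image), "unknown-binary")


def find_chm_descendants(events: List[ProcEvent], max_depth: int = 16) -> List[dict]:
    """Return every process whose ancestry (within max_depth hops) passes through hh.exe."""
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    findings = []
    for e in events:
        if basename(e.image) == CHM_VIEWER:
            continue  # the viewer itself is expected; its offspring are not
        depth, anc = 0, by_pid.get(e.ppid)
        while anc is not None and depth < max_depth:  # depth cap guards against PID reuse loops
            depth += 1
            if basename(anc.image) == CHM_VIEWER:
                findings.append({"pid": e.pid, "image": basename(e.image),
                                 "stage": classify(e.image), "depth": depth})
                break
            anc = by_pid.get(anc.ppid)
    return findings


# Constructed sample: explorer opens the lure, the concealed binary runs from
# a temp folder, then a VBS stage registers a scheduled task. Chrome is benign noise.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe"),
    ProcEvent(200, 100, r"C:\Windows\hh.exe", r'hh.exe "C:\Users\user\Downloads\Hajj_Policy_2024.chm"'),
    ProcEvent(300, 200, r"C:\Users\user\AppData\Local\Temp\support.exe"),
    ProcEvent(400, 300, r"C:\Windows\System32\wscript.exe", "wscript.exe stage.vbs"),
    ProcEvent(500, 400, r"C:\Windows\System32\schtasks.exe", "schtasks.exe /create"),
    ProcEvent(600, 100, r"C:\Program Files\Google\Chrome\Application\chrome.exe"),
]

if __name__ == "__main__":
    for hit in find_chm_descendants(SAMPLE_EVENTS):
        print(hit)
```

Any hit at depth 1 (hh.exe directly launching something) is the highest-signal event, since the viewer normally creates no children; deeper hits tagged vbs-stage or scheduled-task tell you which of the later-version behaviours the article lists has already run. The same walk works over real Sysmon Event ID 1 records once they are mapped onto ProcEvent.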
Strategic Improvements
According to Knownsec 404’s analysis, APT-K-47 has demonstrated significant advancement in its operational sophistication. The group has implemented disguised service requests to control shell server addresses, moving away from fixed command-and-control infrastructure to variable C2 servers. This strategic shift highlights the group’s growing investment in Asyncshell as a primary attack tool.