Home
+
Published : 20 Oct 2025, 04:48 PM
A new hacker group named “Mysterious Elephant” has been detected operating across the Asia-Pacific region, according to Kaspersky’s Global Research and Analysis Team (GReAT).
The group has primarily been targeting government departments and foreign affairs-related organisations across the region. Countries identified as targets include Bangladesh, Pakistan, Afghanistan, Nepal, Sri Lanka, and several neighbouring nations.
The aim of these cyberattacks is to steal important and sensitive data such as office documents, images, and archived files. Kaspersky also reports that the hackers have attempted to steal WhatsApp data from their targets.
In its 2025 campaign, Mysterious Elephant has significantly altered its tactics. The group is now using a combination of custom-built tools and open-source software to conduct its targeted cyber operations.
The hackers mainly rely on PowerShell scripts to execute commands, deliver malware, and maintain persistent access to systems using legitimate software.
One of the group’s main tools, called “BabShell”, functions as a reverse shell, enabling direct access to infected systems and the extraction of confidential information.
Using its “MemLoader” and “HiddenDesk” modules, the group executes attacks in a way that allows its malware to run stealthily in memory, making it difficult for security software to detect.
Another aspect of the campaign involves the theft of WhatsApp data, where specialised modules are used to collect shared files, photos, and documents from the app.
“The threat actor’s infrastructure is built for stealth and resilience, using a network of domains and IP addresses, wildcard DNS records, VPSs, and cloud hosting. The wildcard DNS records allow the group to generate unique subdomains for each request, scale operations quickly, and make tracking by security teams difficult," said Noushin Shabab, lead security researcher at Kaspersky GReAT.
"Understanding the group’s TTPs, sharing threat intelligence, and implementing effective countermeasures are essential to reduce the risk of successful attacks and protect sensitive information from falling into the wrong hands. Organisations should also implement robust security measures, including regular software updates, network monitoring, and employee training.”
To strengthen cybersecurity, Kaspersky has advised users and organisations to adopt its services, including Kaspersky Next, Compromise Assessment, Managed Detection and Response, Incident Response, and Kaspersky Threat Intelligence.
