Dropping Elephant APT Group Targets Turkish Defense Industry With New Campaign and Capabilities: LOLBAS, VLC Player, and Encrypted Shellcode
Essential information
- Published
- 23/07/2025 23:31
- Modified
- 24/07/2025 09:06
- Tags
- 2025-07-23 apt cyber espionage defense industry dll side-loading dropping elephant rat powershell shellcode turkey vlc player
- Related entities
- 3 vulnerabilities (cve), 10 observables, 1 intrusion sets (apt), 16 techniques (mitre), 1 malware, 1 others
Description
The Arctic Wolf Labs team has uncovered a new cyber-espionage campaign by the Dropping Elephant APT group targeting Turkish defense contractors. The attack leverages a five-stage execution chain delivered via malicious LNK files disguised as conference invitations. It uses legitimate binaries like VLC Media Player for defense evasion through DLL side-loading. The campaign demonstrates an evolution in the group's capabilities, transitioning from x64 DLL variants to x86 PE executables with enhanced command structures. The timing coincides with increased Turkey-Pakistan defense cooperation amid India-Pakistan tensions, suggesting geopolitical motives. The attack chain includes social engineering, PowerShell scripting, file obfuscation, and a custom remote access trojan for intelligence gathering.