{
  "name": "Dropping Elephant APT Group Targets Turkish Defense Industry With New Campaign and Capabilities: LOLBAS, VLC Player, and Encrypted Shellcode",
  "slug": "dropping-elephant-apt-group-targets-turkish-defense-industry-with-new-campaign-and-capabilities-lolbas-vlc-player-and-encrypted-shellcode",
  "description": "The Arctic Wolf Labs team has uncovered a new cyber-espionage campaign by the Dropping Elephant APT group targeting Turkish defense contractors. The attack leverages a five-stage execution chain delivered via malicious LNK files disguised as conference invitations. It uses legitimate binaries like VLC Media Player for defense evasion through DLL side-loading. The campaign demonstrates an evolution in the group's capabilities, transitioning from x64 DLL variants to x86 PE executables with enhanced command structures. The timing coincides with increased Turkey-Pakistan defense cooperation amid India-Pakistan tensions, suggesting geopolitical motives. The attack chain includes social engineering, PowerShell scripting, file obfuscation, and a custom remote access trojan for intelligence gathering.",
  "published": "2025-07-23T21:31:17+00:00",
  "created_at": "2025-07-23T21:31:17+00:00",
  "modified_at": "2025-07-24T07:06:27+00:00",
  "created_at_opencti": "2025-07-23T21:31:17+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2025-07-23",
    "apt",
    "cyber espionage",
    "defense industry",
    "dll side-loading",
    "dropping elephant rat",
    "powershell",
    "shellcode",
    "turkey",
    "vlc player"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "roseserve.org"
      },
      {
        "id": "",
        "name": "expouav.org"
      },
      {
        "id": "",
        "name": "rosereserve.org"
      },
      {
        "id": "",
        "name": "8b6acc087e403b913254dd7d99f09136dc54fa45cf3029a8566151120d34d1c2"
      },
      {
        "id": "",
        "name": "89ec9f19958a442e9e3dd5c96562c61229132f3acb539a6b919c15830f403553"
      },
      {
        "id": "",
        "name": "588021b5553838fae5498de40172d045b5168c8e608b8929a7309fd08abfaa93"
      },
      {
        "id": "",
        "name": "4cc729b554326ccc62205d46b95353dcb34cadf095b904e941814e902e0925b2"
      },
      {
        "id": "",
        "name": "341f27419becc456b52d6fbe2d223e8598065ac596fa8dec23cc722726a28f62"
      },
      {
        "id": "",
        "name": "2cd2a4f1fc7e4b621b29d41e42789c1365e5689b4e3e8686b80f80268e2c0d8d"
      },
      {
        "id": "",
        "name": "01a635a11a140aef906efe9db22fb66b0d6510e1e702870c4c728099fd5ab455"
      }
    ],
    "malware": [
      {
        "id": "96822df0-b7fd-472e-b31c-d8f9de333139",
        "name": "Dropping Elephant RAT",
        "slug": "dropping-elephant-rat"
      }
    ],
    "intrusion_sets": [
      {
        "id": "09280460-b14e-4097-86a1-c698b07b2055",
        "name": "Patchwork",
        "slug": "patchwork"
      }
    ],
    "attack_patterns": [
      {
        "id": "6f00068c-812c-4e2b-9100-2cfa86b3aed9",
        "name": "T1132.001"
      },
      {
        "id": "40f0d8e3-bcd7-4b97-a958-f55815698fc5",
        "name": "T1053.005"
      },
      {
        "id": "14660ccf-ca6b-42f6-8bca-e1b7a04650b3",
        "name": "T1573.001"
      },
      {
        "id": "e8422fc8-8365-4a6a-a556-d6ec16cb4e5d",
        "name": "T1574.002"
      },
      {
        "id": "32b33067-6566-4b8d-be80-e96f765d84de",
        "name": "T1059.001"
      },
      {
        "id": "32817170-4c07-427e-b8a5-80a733ae2550",
        "name": "T1497"
      },
      {
        "id": "8e0fea81-4d54-4e88-a7dd-3aa8b26558ed",
        "name": "T1113"
      },
      {
        "id": "c9ee9b30-ba84-4c24-95e9-e8242d42af3f",
        "name": "T1071.001"
      },
      {
        "id": "6ccd4566-e15e-40cf-b7df-4a3f737ce5cd",
        "name": "T1036.005"
      },
      {
        "id": "7364ca96-72bf-4b7f-afef-ce2583b1ed58",
        "name": "T1562.001"
      },
      {
        "id": "70616b2f-4019-4963-b758-5d9f6f20e201",
        "name": "T1082"
      },
      {
        "id": "cbd87c8c-3bed-461a-acef-56ffc8b87571",
        "name": "T1105"
      },
      {
        "id": "dc410646-9cdd-427b-92e7-179a54f78f90",
        "name": "T1566.001"
      },
      {
        "id": "c3af9fd7-d307-4df4-9220-cc627938fb85",
        "name": "T1055"
      },
      {
        "id": "0156fcda-e385-4662-b388-086c3e16feec",
        "name": "T1140"
      },
      {
        "id": "0c836307-129e-4ff7-a532-180c633cacba",
        "name": "T1027"
      }
    ],
    "vulnerabilities": [
      {
        "id": "",
        "name": "CVE-2025-53770"
      },
      {
        "id": "",
        "name": "CVE-2025-20337"
      },
      {
        "id": "",
        "name": "CVE-2025-5777"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "Defense"
      }
    ]
  },
  "external_refs": [
    "https://arcticwolf.com/resources/blog/dropping-elephant-apt-group-targets-turkish-defense-industry",
    "https://otx.alienvault.com/pulse/688170c50514b68970173b49"
  ]
}