Kaspersky detects 'Mysterious Elephant' hacker group targeting Bangladesh, other countries in Asia-Pacific
The campaign, detected in early 2025, represents a significant upgrade in the group’s attack sophistication and operational scale
Kaspersky's Global Research and Analysis Team (GReAT) has uncovered a new wave of cyber-espionage activity by the "Mysterious Elephant" advanced persistent threat (APT) group, targeting government and foreign affairs institutions across South and Southeast Asia, including Bangladesh, Pakistan, Afghanistan, Nepal, and Sri Lanka.
The campaign, detected in early 2025, represents a significant upgrade in the group's attack sophistication and operational scale, reads a press release.
According to Kaspersky, the attackers are focused on stealing highly sensitive information such as official documents, images, and archived files — with WhatsApp data now emerging as a new target for exfiltration.
The group reportedly uses a mix of custom-built and open-source tools, relying heavily on PowerShell scripts to execute commands, deploy malware, and maintain persistence through legitimate utilities.
A key component of the campaign, BabShell, enables remote access to compromised systems, while modules like MemLoader and HidenDesk run encrypted payloads directly in memory to evade detection.
One of the most alarming developments in this campaign is the inclusion of modules designed to extract WhatsApp data, including shared files, photos, and documents — signalling a growing trend in targeting popular communication platforms used for official correspondence.
"The threat actor's infrastructure is built for stealth and resilience, using a network of domains, IP addresses, wildcard DNS records, and cloud hosting to hide its activities," said Noushin Shabab, lead security researcher at Kaspersky GReAT.
She added, "By leveraging wildcard DNS, the attackers can rapidly generate new subdomains, scale operations, and make tracking extremely difficult for security teams."
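The wildcard DNS pattern Shabab describes has a defensive counterpart: from a resolver's point of view, subdomains minted on demand show up as fan-out, that is, many distinct hostnames under one apex, each queried once or twice, all resolving to the same one or two addresses. The script below is an added illustration of that check and is not code from Kaspersky's report or from the Securelist write-up. It assumes a simple constructed log format (`timestamp client qname answer`), uses placeholder domains and reserved example addresses, and approximates the registrable apex as the last two labels (a production version would consult the Public Suffix List).

```python
"""Flag wildcard-DNS style subdomain churn in DNS query logs.

Added example of defender tooling; not code from the Kaspersky report.
A wildcard record lets every label under an apex resolve, so an operator
can hand out a fresh hostname per victim or per session without editing
the zone. The resolver-side signal is fan-out: many distinct subdomains,
most seen only once, all landing on the same small set of IPs.
"""
from collections import Counter, defaultdict
from typing import Dict, Iterator, Tuple

# Constructed sample resolver log: "<timestamp> <client_ip> <qname> <answer_ip>".
# example.com / updates-cdn.test and the 198.51.100.x / 203.0.113.x ranges are
# placeholders; none of this is infrastructure from the report.
SAMPLE_LOG = """\
2025-02-03T08:00:01Z 10.0.0.12 www.example.com 198.51.100.10
2025-02-03T08:00:02Z 10.0.0.12 mail.example.com 198.51.100.11
2025-02-03T08:00:03Z 10.0.0.21 www.example.com 198.51.100.10
2025-02-03T08:00:04Z 10.0.0.21 vpn.example.com 198.51.100.12
2025-02-03T08:00:05Z 10.0.0.33 docs.example.com 198.51.100.13
2025-02-03T08:00:06Z 10.0.0.33 mail.example.com 198.51.100.11
2025-02-03T08:00:07Z 10.0.0.21 a7f3k9.updates-cdn.test 203.0.113.7
2025-02-03T08:00:08Z 10.0.0.21 q2m8zx.updates-cdn.test 203.0.113.7
2025-02-03T08:00:09Z 10.0.0.33 ws1v0p.updates-cdn.test 203.0.113.7
2025-02-03T08:00:11Z 10.0.0.33 hh3n1d.updates-cdn.test 203.0.113.8
2025-02-03T08:00:15Z 10.0.0.40 zz91lk.updates-cdn.test 203.0.113.7
2025-02-03T08:00:19Z 10.0.0.40 www.example.com 198.51.100.10
"""


def apex_of(qname: str) -> str:
    """Registrable domain, approximated as the last two labels.

    Assumption: no multi-label public suffixes such as co.uk; swap in a
    Public Suffix List lookup for real data.
    """
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def parse_log(text: str) -> Iterator[Tuple[str, str, str, str]]:
    """Yield (timestamp, client, qname, answer) from the constructed log format."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than abort the whole run
        ts, client, qname, answer = parts
        yield ts, client, qname.rstrip(".").lower(), answer


def find_wildcard_churn(
    text: str,
    min_subdomains: int = 4,
    singleton_ratio: float = 0.75,
    max_answers: int = 2,
) -> Dict[str, dict]:
    """Return apexes whose subdomain fan-out looks like wildcard-driven churn.

    An apex is flagged when it has at least `min_subdomains` distinct
    subdomains, at least `singleton_ratio` of them were queried exactly
    once, and every one of them resolved to at most `max_answers` IPs.
    """
    query_counts: Counter = Counter()          # (apex, subdomain) -> times queried
    answers = defaultdict(set)                 # apex -> set of answer IPs
    for _ts, _client, qname, answer in parse_log(text):
        apex = apex_of(qname)
        if qname == apex:
            continue                           # bare apex query carries no subdomain
        sub = qname[: -(len(apex) + 1)]        # strip ".apex" suffix
        query_counts[(apex, sub)] += 1
        answers[apex].add(answer)

    subs_by_apex: Dict[str, Dict[str, int]] = defaultdict(dict)
    for (apex, sub), n in query_counts.items():
        subs_by_apex[apex][sub] = n

    hits: Dict[str, dict] = {}
    for apex, subs in subs_by_apex.items():
        if len(subs) < min_subdomains:
            continue
        singletons = sum(1 for n in subs.values() if n == 1)
        ratio = singletons / len(subs)
        if ratio >= singleton_ratio and len(answers[apex]) <= max_answers:
            hits[apex] = {
                "distinct_subdomains": len(subs),
                "singleton_ratio": round(ratio, 2),
                "answer_ips": sorted(answers[apex]),
            }
    return hits


if __name__ == "__main__":
    for apex, info in find_wildcard_churn(SAMPLE_LOG).items():
        print(f"{apex}: {info}")
```

On the constructed log, `example.com` has four subdomains but they recur across clients and spread over four addresses, so it is not flagged; `updates-cdn.test` has five hostnames, each queried once, on two addresses, and is. Legitimate per-tenant CDN or SaaS hostnames can produce the same fan-out, so in practice the hit list is an allowlisting and triage input, correlated with endpoint telemetry such as the PowerShell activity the report describes, rather than a block list on its own.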
Shabab emphasised that collaboration and intelligence sharing are crucial to counter such threats. "Understanding the group's tactics, techniques, and procedures (TTPs) and implementing robust countermeasures are essential to safeguard sensitive information," she said.
Kaspersky advises organisations, especially government and diplomatic bodies, to enhance cybersecurity measures — such as regular software updates, active network monitoring, and employee awareness training.
The firm also recommends using Kaspersky Next, Compromise Assessment, Managed Detection and Response (MDR) and/or Incident Response, and Kaspersky Threat Intelligence to strengthen cybersecurity defences.
The full technical report is available on Securelist.com, the release added.
