October 19, 2025
In early 2025, Kaspersky’s Global Research and Analysis Team (GReAT) identified a new campaign by the ‘Mysterious Elephant’ APT. The group primarily targets government entities and foreign affairs organizations across the Asia-Pacific region, with a focus on Pakistan, Bangladesh, Afghanistan, Nepal and Sri Lanka, among other countries. The attackers aim to steal highly sensitive information, including documents, images and archived files, and specifically target WhatsApp data for exfiltration.
Mysterious Elephant’s 2025 campaign marks a major evolution in its tactics, using both
custom-built and open-source tools for targeted attacks. The group relies heavily on
PowerShell scripts to execute commands, deploy malware, and maintain persistence using
legitimate utilities. Its key tool, BabShell, provides a reverse shell for direct system access,
gathering unique system identifiers and launching advanced modules like MemLoader
HidenDesk to execute encrypted payloads in memory and evade detection. A notable feature
of this campaign is WhatsApp data theft, with modules designed to exfiltrate shared files,
photos, and documents.
“The threat actor’s infrastructure is built for stealth and resilience, using a network of domains
and IP addresses, wildcard DNS records, VPSs, and cloud hosting. The wildcard DNS records
allow the group to generate unique subdomains for each request, scale operations quickly,
and make tracking by security teams difficult,” commented Noushin Shabab, lead security
researcher at Kaspersky GReAT. “Understanding the group’s TTPs, sharing threat
intelligence, and implementing effective countermeasures are essential to reduce the risk of
successful attacks and protect sensitive information from falling into the wrong hands.
Organizations should also implement robust security measures, including regular software
updates, network monitoring, and employee training.”
Read the full report on Securelist.com.
Kaspersky recommends using Kaspersky Next, Compromise Assessment, Managed Detection and Response (MDR) and/or Incident Response, and Kaspersky Threat Intelligence to strengthen cybersecurity defenses.
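The wildcard-DNS technique described in the quote above leaves two traces a defender can look for: in passive resolver logs, a parent domain under which many never-repeated subdomains all resolve to the same address; and, actively, a zone that answers for a random label nobody ever registered. The Python below is an added example written for this page; it is not Kaspersky's or GReAT's code and uses none of the report's indicators. The resolver log format, the domain names, the IP addresses and the stand-in `fake_resolver` are all constructed, and `registered_domain` deliberately simplifies the registrable-domain split to the last two labels (real code should consult a public-suffix list).

```python
"""Wildcard-DNS heuristics over constructed resolver logs (added example)."""
from collections import defaultdict
import random
import string

# Constructed log lines: "<timestamp> <client> <queried name> <answer ip>".
# Domains and addresses are documentation/test ranges, not real indicators.
SAMPLE_LOG = """\
2025-03-01T10:00:01Z 10.0.0.12 a8f3c1.updates-example.test 203.0.113.10
2025-03-01T10:00:07Z 10.0.0.12 77b0e2.updates-example.test 203.0.113.10
2025-03-01T10:00:15Z 10.0.0.15 9c4d10.updates-example.test 203.0.113.10
2025-03-01T10:00:20Z 10.0.0.15 www.corp-intranet.test 192.0.2.5
2025-03-01T10:00:31Z 10.0.0.12 f01a2b.updates-example.test 203.0.113.10
2025-03-01T10:00:44Z 10.0.0.18 mail.corp-intranet.test 192.0.2.6
2025-03-01T10:01:02Z 10.0.0.12 e5e5e5.updates-example.test 203.0.113.10
"""


def parse_log(text):
    """Split log text into (timestamp, client, qname, ip) tuples, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, qname, ip = parts
        records.append((ts, client, qname.lower().rstrip("."), ip))
    return records


def registered_domain(qname):
    """Assumption: the last two labels are the registrable domain.
    Production code should use a public-suffix list instead."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def wildcard_candidates(records, min_subdomains=4, max_ips=1):
    """Passive check: parent domains with many distinct subdomains that all
    resolve to a tiny set of IPs, the footprint a wildcard record leaves in logs."""
    subs = defaultdict(set)
    ips = defaultdict(set)
    for _, _, qname, ip in records:
        parent = registered_domain(qname)
        if qname == parent:
            continue  # apex queries say nothing about a wildcard
        subs[parent].add(qname)
        ips[parent].add(ip)
    return sorted(
        parent for parent in subs
        if len(subs[parent]) >= min_subdomains and len(ips[parent]) <= max_ips
    )


def is_wildcard(domain, resolve, probes=3):
    """Active check: a wildcard zone resolves random labels that were never
    registered. `resolve` is injected so the check runs offline in this example;
    it must return an address string or None."""
    answers = set()
    for _ in range(probes):
        label = "".join(random.choices(string.ascii_lowercase + string.digits, k=12))
        answer = resolve(f"{label}.{domain}")
        if answer is None:
            return False  # an NXDOMAIN for a random label rules out a wildcard
        answers.add(answer)
    return len(answers) == 1  # every probe landed on the same target


def fake_resolver(qname):
    """Constructed stand-in for a real resolver, used so the example is offline."""
    if qname.endswith(".updates-example.test"):
        return "203.0.113.10"
    known = {"www.corp-intranet.test": "192.0.2.5",
             "mail.corp-intranet.test": "192.0.2.6"}
    return known.get(qname)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for parent in wildcard_candidates(recs):
        print(f"passive: {parent} looks wildcard-backed, active check:",
              is_wildcard(parent, fake_resolver))
```

For live use, pass a resolver that wraps `socket.gethostbyname` and returns `None` on `socket.gaierror`; the passive check needs no network at all and can run over exported resolver or Sysmon DNS logs. Both checks produce candidates, not verdicts: CDNs and some SaaS vendors legitimately use wildcard records, so the output belongs in a triage queue alongside the other TTPs the quote mentions, not in a block list.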
About the Global Research & Analysis Team
Established in 2008, the Global Research & Analysis Team (GReAT) operates at the very heart of
Kaspersky, uncovering APTs, cyber-espionage campaigns, major malware, ransomware, and
underground cyber-criminal trends across the world. Today GReAT consists of 35+ experts working
globally—in Europe, Russia, Latin America, Asia, and the Middle East. Talented security professionals
provide company leadership in anti-malware research and innovation, bringing unrivaled expertise,
passion, and curiosity to the discovery and analysis of cyberthreats.
Kaspersky is a global cybersecurity and digital privacy company founded in 1997. With over a billion
devices protected to date from emerging cyberthreats and targeted attacks, Kaspersky’s deep threat
intelligence and security expertise is constantly transforming into innovative solutions and services to
protect individuals, businesses, critical infrastructure and governments around the globe.
The company’s comprehensive security portfolio includes leading digital life protection for personal devices,
specialized security products and services for companies, as well as Cyber Immune solutions to fight
sophisticated and evolving digital threats. We help millions of individuals and nearly 200,000 corporate
clients protect what matters most to them.