Elephant APT Group Attacking Defense Industry Leveraging VLC Player, and Encrypted Shellcode

The Dropping Elephant advanced persistent threat group has launched a sophisticated cyber-espionage campaign targeting Turkish defense contractors, particularly companies manufacturing precision-guided missile systems. Arctic Wolf researchers identified this campaign as part of Dropping Elephant’s expanded targeting scope, noting the group’s strategic shift from traditional South Asian targets to NATO-allied defense industries.

The operation represents a significant evolution in the group’s capabilities, employing a five-stage execution chain that disguises malicious payloads as legitimate conference invitations related to unmanned vehicle systems. The attack begins with a weaponized LNK file named “Unmanned_Vehicle_Systems_Conference_2025_In_Istanbul.lnk” that masquerades as an invitation to a UAV conference scheduled for July 2025 in Istanbul.

The chain then downloads a legitimate VLC Media Player executable (originally named “lama”) alongside a malicious libvlc.dll library (originally “lake”). The malware evades detection by abusing legitimate software components, specifically VLC Media Player and Microsoft Task Scheduler, through DLL side-loading. The malicious DLL serves as a shellcode loader responsible for decrypting and executing the final payload stored in vlc.log. The decryption routine uses a hardcoded key, “76bhu93FGRjZX5hj876bhu93FGRjX5”, to transform the encrypted shellcode into a functional x86 PE executable.

The malware creates a mutex named “ghjghkj” to prevent multiple instances and implements seven distinct command handlers, including screenshot capture (3SC3), file upload (3ngjfng5), and remote code execution (3gjdfghj6), giving the attackers comprehensive control of the system. A scheduled task executes the compromised VLC player every minute, ensuring continuous system access while maintaining the appearance of legitimate media player activity.
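The chain above leaves several host-level traces that a defender can look for: the lure LNK name, the staging file names, a libvlc.dll loaded by a vlc.exe that does not live in the VLC install directory, a vlc.log beside it, the mutex, and a scheduled task firing vlc.exe every minute. The script below is an added example written for this article, not code from Arctic Wolf or the news site. It applies those indicators to a constructed telemetry schema (the event dictionaries, host names and paths are assumptions) and then reports hosts on which more than one rule fired, which is what separates this chain from a single stray file name.

```python
"""Indicator checks for the VLC side-loading chain described in the article.
Added example; the event schema and sample records are constructed, not real telemetry."""
import ntpath  # Windows path handling that works on any platform
from dataclasses import dataclass

# Indicators quoted from the write-up
LURE_LNK = "Unmanned_Vehicle_Systems_Conference_2025_In_Istanbul.lnk"
MUTEX_NAME = "ghjghkj"
SIDELOAD_DLL = "libvlc.dll"
PAYLOAD_FILE = "vlc.log"
STAGING_NAMES = {"lama", "lake"}  # download names of vlc.exe and libvlc.dll before renaming

# Assumption: a genuine VLC installation lives under one of these directories
TRUSTED_VLC_DIRS = (
    r"c:\program files\videolan\vlc",
    r"c:\program files (x86)\videolan\vlc",
)


def in_trusted_dir(path: str) -> bool:
    """True if the path sits inside a standard VLC install directory."""
    p = ntpath.normpath(path).lower()
    return any(p.startswith(d) for d in TRUSTED_VLC_DIRS)


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    detail: str


def evaluate(events: list) -> list:
    """Apply the indicator rules to a list of telemetry events (constructed schema)."""
    findings = []
    for ev in events:
        host = ev.get("host", "?")
        kind = ev.get("type")
        if kind == "file_create":
            path = ev["path"]
            name = ntpath.basename(path).lower()
            if name == LURE_LNK.lower():
                findings.append(Finding(host, "lure_lnk", path))
            elif name in STAGING_NAMES:
                findings.append(Finding(host, "staging_name", path))
            elif name == PAYLOAD_FILE and not in_trusted_dir(path):
                findings.append(Finding(host, "payload_log_outside_install", path))
        elif kind == "image_load":
            image = ev["image"]
            # libvlc.dll is only expected to load from the real install directory
            if ntpath.basename(image).lower() == SIDELOAD_DLL and not in_trusted_dir(image):
                findings.append(Finding(host, "libvlc_sideload", f"{ev['process']} -> {image}"))
        elif kind == "mutex_create":
            if ev["name"] == MUTEX_NAME:
                findings.append(Finding(host, "mutex", ev["name"]))
        elif kind == "task_register":
            cmd = ev["command"]
            # Assumption: VLC registers no scheduled task of its own, so a task that runs
            # vlc.exe on a one-minute repeat matches the persistence the report describes
            if ntpath.basename(cmd).lower() == "vlc.exe" and ev.get("repeat_minutes") == 1:
                findings.append(Finding(host, "vlc_task_every_minute", f"{ev['task']} -> {cmd}"))
    return findings


def hosts_by_rule_count(findings: list, minimum: int = 2) -> dict:
    """Hosts on which at least `minimum` distinct rules fired; single hits are noisier."""
    per_host = {}
    for f in findings:
        per_host.setdefault(f.host, set()).add(f.rule)
    return {h: sorted(r) for h, r in per_host.items() if len(r) >= minimum}


# Constructed sample telemetry: ws-01 is a benign VLC host, ws-02 matches the chain
SAMPLE_EVENTS = [
    {"host": "ws-01", "type": "image_load", "process": r"C:\Program Files\VideoLAN\VLC\vlc.exe",
     "image": r"C:\Program Files\VideoLAN\VLC\libvlc.dll"},
    {"host": "ws-01", "type": "task_register", "task": "Vendor Updater",
     "command": r"C:\Users\a\AppData\Local\Vendor\updater.exe", "repeat_minutes": 1440},
    {"host": "ws-02", "type": "file_create",
     "path": r"C:\Users\b\Downloads\Unmanned_Vehicle_Systems_Conference_2025_In_Istanbul.lnk"},
    {"host": "ws-02", "type": "file_create", "path": r"C:\Users\b\AppData\Roaming\x\lama"},
    {"host": "ws-02", "type": "file_create", "path": r"C:\Users\b\AppData\Roaming\x\vlc.log"},
    {"host": "ws-02", "type": "image_load", "process": r"C:\Users\b\AppData\Roaming\x\vlc.exe",
     "image": r"C:\Users\b\AppData\Roaming\x\libvlc.dll"},
    {"host": "ws-02", "type": "mutex_create", "name": "ghjghkj"},
    {"host": "ws-02", "type": "task_register", "task": "VLC Update",
     "command": r"C:\Users\b\AppData\Roaming\x\vlc.exe", "repeat_minutes": 1},
]

if __name__ == "__main__":
    for f in evaluate(SAMPLE_EVENTS):
        print(f"{f.host}: {f.rule}: {f.detail}")
    print(hosts_by_rule_count(evaluate(SAMPLE_EVENTS)))
```

The mutex and the hardcoded key are the weakest indicators on their own because the operators can change them between builds; the side-load rule (libvlc.dll loaded from outside the install directory) and the one-minute scheduled task survive such renaming and are the checks worth keeping in a permanent hunt query.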

This Cyber News was published on cybersecuritynews.com. Publication date: Fri, 25 Jul 2025 02:45:16 +0000


Cyber News related to Elephant APT Group Attacking Defense Industry Leveraging VLC Player, and Encrypted Shellcode

Elephant APT Group Attacking Defense Industry Leveraging VLC Player, and Encrypted Shellcode - The malware creates a mutex named “ghjghkj” to prevent multiple instances and implements seven distinct command handlers, including screenshot capture (3SC3), file upload (3ngjfng5), and remote code execution (3gjdfghj6) capabilities, ...
22 hours ago Cybersecuritynews.com
9 Best DDoS Protection Service Providers for 2024 - eSecurity Planet content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More. One of the most powerful defenses an organization can employ against distributed ...
1 year ago Esecurityplanet.com
What is an advanced persistent threat? - An advanced persistent threat is a prolonged and targeted cyber attack in which an intruder gains access to a network and remains undetected for an extended period. APT attacks are initiated to steal highly sensitive data rather than cause damage to ...
1 year ago Techtarget.com Cozy Bear APT29
Key Group uses leaked builders of ransomware and wipers | Securelist - The first discovered sample of Key Group, the Xorist ransomware, established persistence in the system by changing file extension associations. The .huis_bn extension added to encrypted files in the early versions of Key Group samples, Xorist and ...
9 months ago Securelist.com
How One Industry Exemplifies the Importance Of Cybersecurity In Critical Infrastructure Assurance - Based on the author's more than 25 years of experience of management in the aluminum industry, this article sets out replicable ways of dealing with and harmonizing competing priorities. Currently within the purview of the Department of Homeland ...
1 year ago Cyberdefensemagazine.com
86% of cyberattacks are delivered over encrypted channels - Threats over HTTPS grew by 24% from 2022, underscoring the sophisticated nature of cybercriminal tactics that target encrypted channels, according to Zscaler. For the second year in a row, manufacturing was the industry most commonly targeted, with ...
1 year ago Helpnetsecurity.com Medusa
APT-C-28 Group Launched New Cyber Attack With Fileless RokRat Malware - Unlike earlier versions that relied on cloud services for payload delivery, the latest attacks embed encrypted shellcode within malicious LNK files, reducing reliance on external servers likely flagged by security systems. PowerShell Script ...
5 months ago Cybersecuritynews.com APT3 APT37
North Korea-linked APT Kimsuky targeted German defense firm Diehl Defence - North Korea-linked APT group Kimsuky has been linked to a cyberattack on Diehl Defence, a defense firm specializing in the production of advanced military systems. “Researchers from Mandiant, a Google subsidiary, uncovered and analyzed a ...
9 months ago Securityaffairs.com Kimsuky
State-Sponsored APT Groups Use Ransomware Tactics for Intelligence Gathering and Sabotage - State-sponsored threat groups are increasingly using ransomware-like tactics to hide more insidious activities. Russian APT group Sandworm has used ransomware programs to destroy data multiple times in the past six months, while North Korea's Lazarus ...
2 years ago Csoonline.com Andariel APT3 APT37 APT38 Kimsuky Lazarus Group BianLian
25 Best Managed Security Service Providers (MSSP) - 2025 - Pros & Cons: ProsConsStrong threat intelligence & expert SOCs.High pricing for SMBs.24/7 monitoring & rapid incident response.Complex UI and steep learning curve.Flexible, scalable, hybrid deployments.Limited visibility into endpoint ...
4 weeks ago Cybersecuritynews.com
Imperva Detects Undocumented 8220 Gang Activities - Imperva Threat Research has detected previously undocumented activity from the 8220 gang, which is known for the mass deployment of malware using a variety of continuously evolving TTPs. This threat actor has been known to target both Windows and ...
1 year ago Imperva.com CVE-2017-3506 CVE-2021-44228 CVE-2020-14883 CVE-2020-14882
Investigating Common Patterns in Vietnam from the Perspective of Earth Zhulong - In 2020, a hacking group known as Earth Zhulong began targeting telecom, technology, and media sectors in Vietnam. After a long-term investigation, we believe that this group is likely related to the Chinese-linked hacking group 1937CN due to similar ...
2 years ago Trendmicro.com
CVE-2022-48895 - In the Linux kernel, the following vulnerability has been resolved: ...
7 months ago
Operation Sea Elephant Attacking Organizations to Steal Research Details - A sophisticated cyber espionage campaign dubbed “Operation Sea Elephant” has been discovered targeting scientific research organizations, with a particular focus on ocean-related studies. The operation, attributed to a threat actor group ...
4 months ago Cybersecuritynews.com
Chinese Hackers Attacking Windows Systems in Targeted Campaign to Deploy Ghost RAT and PhantomNet Malwares - Threat researchers are warning of twin Chinese-nexus espionage operations—“Operation Chat” and “Operation PhantomPrayers”—that erupted in the weeks preceding the Dalai Lama’s 90th birthday, exploiting heightened traffic to ...
1 day ago Cybersecuritynews.com
security and privacy in Facebook groups - Having found myself roped into assisting as co-administrator a couple of Facebook groups with security/privacy issues, I thought I should, perhaps, share what little I know about defending your group against scam and spam posts and comments by ...
1 year ago Securityboulevard.com
Microsoft: Hackers target defense firms with new FalseFont malware - Microsoft says the APT33 Iranian cyber-espionage group is using recently discovered FalseFont backdoor malware to attack defense contractors worldwide. The DIB sector targeted in these attacks comprises over 100,000 defense companies and ...
1 year ago Bleepingcomputer.com APT3 APT33
Integration of Cisco Secure Threat Defense Virtual with Megaport - Business critical data can originate from diverse sources ranging from multiple public clouds, private clouds, and internal servers to a remote employee's device. Securing each data entity individually is time consuming and challenging due to lack of ...
1 year ago Feedpress.me
Food and agriculture sector hit with more than 160 ransomware attacks last year - The U.S. food and agriculture sector dealt with at least 167 ransomware attacks last year, according to the leading industry group. In its first annual report, the Food and Agriculture-Information Sharing and Analysis Center said the industry was the ...
1 year ago Therecord.media 8base LockBit Akira Snatch
Cybersecurity in the Healthcare Industry: Protecting Patient Data - In the rapidly advancing era of technology, the healthcare industry faces a critical challenge: protecting patient data from cyber threats. This article will emphasize the significance of cybersecurity in the healthcare industry and explore the ...
1 year ago Securityzap.com
CVE-2020-5202 - apt-cacher-ng through 3.3 allows local users to obtain sensitive information by hijacking the hardcoded TCP port. The /usr/lib/apt-cacher-ng/acngtool program attempts to connect to apt-cacher-ng via TCP on localhost port 3142, even if the explicit ...
3 years ago
Cybercrime experts reveal how to infiltrate ransomware gangs The Register - Though it happens rarely, it's always a good day when a ransomware group is taken down by law enforcement. Singapore-based Group-IB celebrated its 20th anniversary in the cybersecurity industry this year, and during this time its researchers have ...
1 year ago Go.theregister.com Qilin
CVE-2023-28842 - Moby) is an open source container framework developed by Docker Inc. that is distributed as Docker, Mirantis Container Runtime, and various other downstream projects/products. The Moby daemon component (`dockerd`), which is developed as moby/moby is ...
1 year ago
BladedFeline Using Whisper and PrimeCache to Compromise IIS & Microsoft Exchange servers - Whisper’s operational workflow involves seven distinct steps: gaining access to compromised email accounts, establishing inbox rules for command processing, sending periodic check-in messages, fetching encrypted operator commands from email ...
2 weeks ago Cybersecuritynews.com OilRig APT3
