India-aligned threat group Dropping Elephant has launched a sophisticated cyberattack targeting Pakistan’s defense sector, utilizing a custom Python backdoor delivered via an MSBuild dropper. Security researcher Idan Tarab identified the advanced campaign, which employs deceptive phishing lures to compromise military research and development units and procurement facilities associated with Pakistan’s National Radio and Telecommunication Corporation.
The attack chain begins with a phishing email containing a malicious ZIP archive. Upon extraction, the archive reveals an MSBuild project file, acting as the initial dropper, alongside a decoy PDF document designed to appear legitimate. This multi-stage approach aims to bypass initial security detections.
Dropping Elephant’s Advanced Attack Method
Once executed, the MSBuild dropper commences downloading multiple components to specified Windows Tasks directories. Persistence is established through the creation of scheduled tasks that are given seemingly legitimate names, such as “KeyboardDrivers” and “MsEdgeDrivers,” to blend in with normal system operations.
Security researcher Idan Tarab highlighted Dropping Elephant’s use of advanced obfuscation techniques throughout the infection process. These include UTF-reverse encryption for reconstructing obfuscated strings and dynamic API resolution, methods commonly used to evade detection by security software and antivirus solutions. The group’s strategy demonstrates a significant level of technical maturity in weaponizing built-in Windows utilities as part of its attack infrastructure.
The Stealth Python Persistence Mechanism
A key element of this operation involves the deployment of a complete embedded Python runtime directly into the user’s AppData directory. Here, a file disguised as a legitimate DLL, named “python2_pycache_.dll,” actually houses marshalled Python bytecode. This payload is engineered to execute using “pythonw.exe,” a Windows executable that runs without a visible console window, thereby enhancing its stealth capabilities against potential defenders. This stealth Python backdoor allows for deep system access.
The Python backdoor comprises several modules, including “client,” “commands,” “remote_module,” and “base.py.” These components collectively enable comprehensive system control and facilitate the gathering of sensitive information from compromised machines. The malware’s command-and-control (C2) communication is maintained through a network of domains, including “nexnxky.info,” “upxvion.info,” and “soptr.info.”
The identified malicious code features heavily obfuscated variable names and base64-encoded command structures, making manual analysis a challenging and time-consuming endeavor for cybersecurity analysts. The threat actors have meticulously employed specific file paths and task scheduler entries that closely mimic legitimate Windows operations. This mimicry allows the backdoor to operate discreetly within normal system activity, remaining dormant until it receives instructions from attacker-controlled infrastructure. This latest campaign from Dropping Elephant underscores the persistent and evolving threat posed by advanced persistent threat (APT) groups targeting defense-critical infrastructure in the South Asian region.
Organizations operating within or connected to the defense sector in the region should consider implementing enhanced monitoring for suspicious MSBuild executions and for any unusual Python runtime deployments within system directories. Maintaining strict, up-to-date controls over phishing defense mechanisms and employee security awareness training remains paramount in mitigating such sophisticated attacks. The continued focus on exploiting legitimate system tools and languages like Python signifies a trend towards more evasive and deeply integrated cyber threats.
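As an added defender-side example (not code from the article or from the researcher it cites), the triage sketch below flags the three behaviours described above over constructed process-creation and scheduled-task records: MSBuild building a project out of a user-writable path, a Python interpreter running from AppData or Windows\Tasks, and pythonw.exe being handed a ".dll" in place of a script. The record field names, the sample paths and the user "alice" are assumptions, not a real product's schema or real telemetry.

```python
import re

# User-writable locations where neither an MSBuild project nor a Python runtime
# normally belongs; %LOCALAPPDATA%\Programs\Python is the official per-user
# Python install path, so it is allow-listed to avoid an obvious false positive.
USER_WRITABLE = re.compile(
    r"\\(Users\\[^\\]+\\(Downloads|AppData)|Windows\\Tasks|Temp)\\", re.I)
LEGIT_USER_PYTHON = re.compile(r"\\AppData\\Local\\Programs\\Python\\", re.I)
DLL_ARG = re.compile(r"\S+\.dll\b", re.I)

def check_process(ev: dict) -> list[str]:
    """Return the names of the rules a process-creation event trips."""
    hits = []
    exe = ev["image"].rsplit("\\", 1)[-1].lower()
    # Rule 1: MSBuild building a project out of Downloads/AppData/Temp (dropper pattern).
    if exe == "msbuild.exe" and USER_WRITABLE.search(ev["cmdline"]):
        hits.append("msbuild_project_from_user_writable_path")
    if exe in ("python.exe", "pythonw.exe"):
        # Rule 2: interpreter running from AppData or Windows\Tasks, not an install dir.
        if USER_WRITABLE.search(ev["image"]) and not LEGIT_USER_PYTHON.search(ev["image"]):
            hits.append("python_runtime_outside_install_dirs")
        # Rule 3: pythonw.exe handed a ".dll" instead of a .py/.pyw script,
        # the disguise used for the marshalled-bytecode payload.
        if DLL_ARG.search(ev["cmdline"]):
            hits.append("pythonw_dll_argument")
    return hits

def check_task(task: dict) -> list[str]:
    """Flag a task whose action runs from a user-writable path, whatever its name."""
    return (["scheduled_task_runs_from_user_writable_path"]
            if USER_WRITABLE.search(task["action"]) else [])

# Constructed sample telemetry; field names are assumptions, not a product schema.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "cmdline": r"MSBuild.exe C:\Users\alice\Downloads\tender\project.proj"},
    {"image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "cmdline": r"MSBuild.exe C:\dev\app\app.csproj"},
    {"image": r"C:\Users\alice\AppData\Local\Runtime\pythonw.exe",
     "cmdline": r"pythonw.exe python2_pycache_.dll"},
    {"image": r"C:\Users\alice\AppData\Local\Programs\Python\Python311\pythonw.exe",
     "cmdline": r"pythonw.exe C:\tools\report.pyw"},
]
SAMPLE_TASKS = [
    {"name": "KeyboardDrivers",
     "action": r"C:\Users\alice\AppData\Local\Runtime\pythonw.exe python2_pycache_.dll"},
    {"name": "GoogleUpdateTaskMachineUA",
     "action": r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /ua"},
]
```

The task rule deliberately ignores the task name, since the campaign relies on names such as "KeyboardDrivers" looking legitimate; the launch path is the more robust signal.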