惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

V2EX - 技术
V2EX - 技术
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
T
Threat Research - Cisco Blogs
T
The Exploit Database - CXSecurity.com
S
Schneier on Security
S
Securelist
P
Privacy & Cybersecurity Law Blog
Scott Helme
Scott Helme
T
Threatpost
C
Cybersecurity and Infrastructure Security Agency CISA
L
LINUX DO - 热门话题
Cyberwarzone
Cyberwarzone
Cisco Talos Blog
Cisco Talos Blog
量子位
博客园 - Franky
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
Latest news
Latest news
T
Troy Hunt's Blog
N
News | PayPal Newsroom
Google Online Security Blog
Google Online Security Blog
Apple Machine Learning Research
Apple Machine Learning Research
N
Netflix TechBlog - Medium
小众软件
小众软件
P
Palo Alto Networks Blog
Spread Privacy
Spread Privacy
C
Cyber Attacks, Cyber Crime and Cyber Security
C
Check Point Blog
aimingoo的专栏
aimingoo的专栏
WordPress大学
WordPress大学
L
Lohrmann on Cybersecurity
L
LINUX DO - 最新话题
D
Darknet – Hacking Tools, Hacker News & Cyber Security
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
The Last Watchdog
The Last Watchdog
S
Security @ Cisco Blogs
P
Privacy International News Feed
Last Week in AI
Last Week in AI
Microsoft Security Blog
Microsoft Security Blog
T
Tailwind CSS Blog
博客园_首页
云风的 BLOG
云风的 BLOG
V
Vulnerabilities – Threatpost
D
DataBreaches.Net
Recent Announcements
Recent Announcements
酷 壳 – CoolShell
酷 壳 – CoolShell
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
罗磊的独立博客
Engineering at Meta
Engineering at Meta
Forbes - Security
Forbes - Security
T
Tenable Blog

Rapid7 Cybersecurity Blog

Sunsetting the Public AttackerKB Platform | Rapid7 Rapid7 Rapid7 Labs: Investigating Persistence Mechanisms in AWS Rapid7 CVE-2026-55040: Microsoft SharePoint JWT Token Authentication Bypass (FIXED) Rapid7 and Mindware Partner Across the Middle East Rapid7 Security Teams Are Ready To Become More Preemptive. What’s Holding Them Back? A Day With Your Vector Command Red Team Pod Rapid7 Formalizing Red Teaming Offensive Methodology as a Multi-Agent AI Architecture 5 Myths About AI in the SOC Security Teams Need to Rethink Modernizing Global Vulnerability Standards For The Age Of AI Rapid7 Why AI and Compliance Are Forcing A New Security Operating Model, with Rapid7's Corey Thomas & Sabeen Malik Why SIEM is Moving Toward Unified Security Operations: Rapid7 Named a Major Player in IDC MarketScape Rapid7 Why Security Teams Need To Start Earlier: New eBook on the Need for Preemptive Security NIS2 is raising the bar. Here’s how to turn readiness into resilience. Does Your Security Programme Align With NIS2 Requirements? Beyond the Score: Using AI to Translate CVEs into Real-World Business Risk Weekly Metasploit Update: New Kerberos/Certificate tracing options, and multiple new modules Active Exploitation of Oracle PeopleSoft Zero-Day (CVE-2026-35273) Automated Threat Hunting: Turning Threat Intelligence into Executable Hunt Plans Criminal AI-as-a-Service in 2026: How the Underground Market Is Operationalizing Cybercrime CVE-2026-10520, CVE-2026-10523 - Multiple critical vulnerabilities affecting Ivanti Sentry Patch Tuesday - June 2026 Critical Check Point VPN Zero-Day Exploited in the Wild (CVE-2026-50751) Weekly Metasploit Update: Apache ActiveMQ RCE, Gogs Rebase RCE, and Windows Kernel Pointer Enum How the “Swiss Cheese” model can help you choose the right MDR provider A Day in the Life of an MDR Analyst: Inside the Modern SOC Rapid7 Gains Access To Anthropic’s Project Glasswing To Explore Frontier AI For Cybersecurity CVE-2026-0826: How an Old Bug Can Feed AI-Powered Impersonation CVE-2026-0826: Critical unauthenticated stack buffer overflow in HP Poly VVX and Trio VoIP Phones (FIXED) Rapid7 and Exclusive Networks Expand Partnership Across the Nordics Metasploit Wrap Up 05/29/2026 Rapid7 Observed Exploitation of PAN-OS GlobalProtect Authentication Bypass Vulnerability (CVE-2026-0257) Experts on Experts: Why Compliance is becoming Continuous CVE-2026-52806: Authenticated RCE via Argument Injection in Gogs (FIXED as of June 7, 2026) How Security Leaders Cut Through Complexity to Drive Better Outcomes Metasploit Wrap Up 05/22/2026 Q1 2026 Threat Landscape Report: Zero-clicks, geopolitical tensions, and some wins for law enforcement Operationalizing CTEM Faster: Build Surface Command Dashboards in Minutes Rapid7’s 2026 Global Cybersecurity Summit: Key Takeaways for Security Leaders Metasploit Wrap-Up 05/15/2026 CVE-2026-0265: Authentication Bypass in Palo Alto Networks PAN-OS CVE-2026-20182: Critical authentication bypass in Cisco Catalyst SD-WAN Controller (FIXED) When Network Controllers Become "God Mode" for Attackers Pluribus and the Path to Domain Compromise: A ModeloRAT Case Study Rapid7 Drives Partner Impact with Stevie Award-Winning Certifications Patch Tuesday - May 2026 Last Chance to Join the Rapid7 Global Cybersecurity Summit Metasploit Wrap-Up 05/08/2026 How Rapid7 is Bringing Cyber GRC Closer To Security Operations Scaling Detection Engineering at the Speed of Software, with Detection As Code Rapid7 and OpenAI: Advancing AI For Preemptive Security Why Security in 2026 Requires Continuous Threat and Exposure Management (CTEM) at Scale Critical Buffer Overflow in Palo Alto Networks PAN-OS User-ID Authentication Portal (CVE-2026-0300) Muddying the Tracks: The State-Sponsored Shadow Behind Chaos Ransomware A Walkthrough of the 2026 Global Cybersecurity Summit Agenda Metasploit Wrap-Up 05/01/2026 Five Things we Took Away from Gartner SRM Sydney 2026 CVE-2026-41940: cPanel & WHM Authentication Bypass Experts on Experts: The 2026 Threat Landscape is Moving Faster than Defenders Expect Get Motivated: What to Expect from Our Keynote at Rapid7's Global Cybersecurity Summit MDR Selection is a Partnership Decision Metasploit Wrap-Up 04/25/2026 3 Reasons to Attend our Global Cybersecurity Summit if you’re Focused on AI, Threats, and CTEM AI is Changing Vulnerability Discovery and your Software Supply Chain Strategy has to Change with it Kyber Ransomware Double Trouble: Windows and ESXi Attacks Explained From Bulk Export to AI-ready Security Workflows: Introducing Rapid7’s Open-Source MCP Server and Agent Skill Project Glasswing and the Next Challenge for Defenders: Turning Faster Discovery into Faster Action Metasploit Wrap-Up 04/17/2026 CVE-2026-33032: Nginx UI Missing MCP Authentication Rapid7 Analysis: ClickFix-style Phishing Campaign Uses Fake Claude Installer Rapid7 Exposure Command and Remediation Hub: A Clearer Path from Exposure to Patch Patch Tuesday - April 2026 Your Cloud Detection Strategy in 2026: What to Expect at the Global Cybersecurity Summit Turning Log Lines into Answers: Instant Clarity for SOC Teams Metasploit Wrap-Up 04/10/2026 Project Glasswing: What Security Leaders Should Know and Do Now What’s New in Rapid7 Products and Services: Q1 2026 in Review Investigating FortiGate CVE-2025-59718 Exploitation: IR Tales from The Field A First Look at Our Speaker Lineup and Agenda for the Rapid7 2026 Global Cybersecurity Summit Metasploit Wrap-Up 04/03/2026 You Don’t Have a Security Problem, You Have a Visibility Problem New Whitepaper: Stealthy BPFDoor Variants are a Needle That Looks Like Hay What CISOs Should Expect from AI Powered MDR in 2026, According to Rapid7 CEO Corey Thomas Initial Access Brokers have Shifted to High-Value Targets and Premium Pricing Red Teaming in 2026: What to Expect at our 2026 Global Cybersecurity Summit Metasploit Wrap-Up 03/27/2026 Why CVSS is No Longer Enough for Exposure Management From Vectors to Verdicts: Web App Testing with Vector Command Rapid7 Completes BSI C5 Type 2 Examination: Stronger Cloud Security for DACH Organizations New Whitepaper: Exploiting Cellular-based IoT Devices CVE-2026-3055: Citrix NetScaler ADC and NetScaler Gateway Out-of-Bounds Read Metasploit Wrap-Up 03/20/2026 Negotiating with the Board: Translating Active Risk into Financial Exposure
Malware à la Mode: Tracking Dropping Elephant Tradecraft Through a China-Themed Loader Chain
Anna Širokova · 2026-06-17 · via Rapid7 Cybersecurity Blog

Executive summary

Rapid7 researchers have identified a sophisticated malware campaign attributed to the threat actor "Dropping Elephant," characterized by the use of a China-themed decoy document to deliver a heavily reworked, in-memory remote access trojan (RAT). This campaign demonstrates advanced evasion techniques, including DLL side-loading with a legitimate Microsoft binary (Fondue.exe) and the use of "Donut" shellcode to map the RAT directly into memory, effectively bypassing traditional disk-based security controls.

The revamped RAT significantly complicates detection by using control-flow flattening, runtime API reconstruction, and hardened C2 communications. Despite these modifications, Rapid7's deep analysis confirms this activity is a direct evolution of Dropping Elephant's tradecraft, based on shared beaconing patterns, screenshot logic, and command-handler structures. This discovery underscores the importance of proactive threat hunting and memory-level visibility in detecting modern, low-footprint implants.

Rapid7 is actively monitoring the infrastructure and tradecraft associated with this actor so we can provide comprehensive protection and intelligence to our customers.

Defenders should not rely on the IOCs alone. The most durable detection opportunities in this campaign are the behaviors: a shortcut file spawning PowerShell, files staged in C:\Users\Public\, a scheduled task named GoogleErrorReport executing every minute, and Fondue.exe loading APPWIZ.cpl from C:\Users\Public\ rather than a legitimate Windows directory.

Because the final RAT is loaded directly into memory through Donut, defenders should also review whether their endpoint tooling can detect memory-resident payloads and security-control patching within a process, including AMSI, WLDP, and ETW tampering.

Overview

During a proactive threat hunt, Rapid7 identified a malicious Windows shortcut that matched activity previously associated with Dropping Elephant. The shortcut used a China energy-sector contract lure and led to a payload chain that shared the family’s delivery patterns but ended in a substantially reworked RAT.

The decoy document was a contract completion and acceptance notice for the GRES-3 project and referenced delivery of industrial seawater circulation pump systems. Because the final payload differed significantly from known samples, Rapid7 analyzed the chain from the initial shortcut through the final in-memory RAT.

Luckily, during the analysis, the staging server was active which allowed us to download all attack artifacts. The recovered files use Fondue.exe, a legitimate Microsoft binary, to side-load a malicious loader. The loader decrypts an AES-wrapped payload stored on disk. The decrypted payload contains a Donut shellcode loader that embeds the final RAT and uses Chaskey block cipher as part of its payload protection scheme. Donut then decrypts the final 32-bit native RAT, maps it, and executes it in memory.

We found that the final RAT differs significantly from older Dropping Elephant RAT samples. The malware uses control-flow flattening, runtime API reconstruction, and static CRT linking to complicate analysis. It also hardens C2 communications through HTTPS transport, Salsa20-protected C2 fields, and additional environment checks. Despite these changes, code-level comparison still identifies shared lineage with a Dropping Elephant RAT reference sample through command-handler structure, screenshot capture logic, WININET request flow, beaconing patterns, and repeated buffer constants.

Technical analysis and observed attacker behavior

delivery-chain-LNK-to-in-memory-RAT.jpg

Figure 1: Full delivery chain from LNK to in-memory RAT

Stage 1: GRES3001.lnk

The attack starts when a user executes GRES3001.lnk, a malicious Windows shortcut disguised as a PDF. When opened, the shortcut spawns an obfuscated PowerShell downloader using conhost.exe. The PowerShell uses basic string-splitting obfuscation (e.g., iw''r, g''c''i, r''e''n, c''p''i, and &(g''cm sch*)) to evade keyword detection.

The downloader connects to the staging server chinagreenenergy[.]org and retrieves the decoy GRES3001.pdf along with additional malware files. It immediately opens the China energy-sector lure document to distract the victim while staging the remaining payloads in the background.

GRES3001.lnk-structure-conhost-exe-proxy-Edge-icon-spoof-embedded-PowerShell-downloader.png

Figure 2: GRES3001.lnk structure showing conhost.exe proxy, Edge icon spoof, and embedded PowerShell downloader

GRES-3-contract-completion-decoy-document.png

Figure 3: GRES-3 contract completion decoy document used as victim lure

Stage 2: Payload staging

Several payload files are downloaded with junk extensions such as .ezxzez, .cypyly, and .dzlzlz, then renamed by stripping filler characters to reconstruct Fondue.exe, APPWIZ.cpl, msvcp140.dll, and vcruntime140.dll in C:\Users\Public\. The encrypted payload editor.dat is written to the C:\Windows\Tasks\ folder.

File

Path

Description

SHA

GRES3001.pdf

C:\Users\Public\

Decoy document

56d656d684077e7b3231393f5464447cdc8eea81b6415c5f010bc52f0c8cb317

Fondue.exe

C:\Users\Public\

Legitimate Microsoft side-loading host

b58351ead08db413ca499cfeb1b1091ed8bfd68f4089605e452fa01ed46f42b1

APPWIZ.cpl

C:\Users\Public\

Malicious loader DLL

914da75a4ad6d70db856a2bc318d8828f28894622f017ee78d470b4794faafa6

editor.dat

C:\Windows\Tasks\

Base64 text wrapping AES-256-CBC ciphertext

a5e448af73b0ff6b6fcfe6ef7808120e1fd7e5c4c9b4edd68e1c980e5ea3406b

Table 1: Files retrieved from the stager server 

After staging the files, the script creates a scheduled task named GoogleErrorReport, configured to run Fondue.exe every minute. It then deletes the original shortcut, leaving the scheduled task to trigger the next execution stage through the Fondue.exe side-loading chain.

&(gcm sch*) /create /Sc minute /tn GoogleErrorReport /tr "$b\Public\Fondue"

Figure 4: Scheduled task creation command using gcm sch* obfuscation

Stage 3: DLL side-loading

The Fondue.exe loads the malicious APPWIZ.cpl staged alongside it in the C:\Users\Public\ directory. The side-loaded APPWIZ.cpl exports RunFODW, the function expected by Fondue.exe. RunFODW serves as the loader entry point and continues the payload chain by reading and decrypting editor.dat.

Stage 4: Encrypted payload and Donut loader

APPWIZ.cpl sha256: 914da75a4ad6d70db856a2bc318d8828f28894622f017ee78d470b4794faafa6, original name for the metadata is bluetooth_callback.dll.

APPWIZ-cpl-PE-metadata-original-filename-bluetooth_callback-dll.png

Figure 5: APPWIZ.cpl PE metadata showing original filename bluetooth_callback.dll

It reads editor.dat, Base64-decodes it, and decrypts the result with AES-256-CBC via Windows CNG (bcrypt.dll). The 32-byte key and 16-byte IV are assembled on the stack from immediate mov operands:

KEY (32B): 1f1e1d1c1b1a101108090a0b0c0d0e0f00020405040102031011121415181611

IV (16B): 000803030902060708090a0b0c0d0e0f

The loader maps the shellcode into an RWX memory region using VirtualAlloc followed by memcpy call. Then it transfers execution indirectly by passing the shellcode address as the callback argument to EnumUILanguagesW.

EnumUILanguagesW-callback-proxy-Donut-shellcode.png

Figure 6: EnumUILanguagesW callback proxy transferring execution to Donut shellcode

The decrypted output is a Donut shellcode blob, not the final RAT. Donut uses Chaskey-CTR to protect the embedded PE, maps it in memory, resolves imports, applies relocations, and transfers execution without writing the RAT to disk. Before running the payload, Donut patches AMSI, WLDP, and ETW inside the current process, reducing in-memory scanning, code-integrity checks, and event telemetry for the unpacked RAT.

The final payload is a native 32-bit C++ implant SHA 7099c33933716c00c1f4bdb0281c230b981c76b23d7d1c83abc6f58968267d54. It runs entirely in memory after the Donut stage maps it. At startup, the RAT first calls FreeConsole() to detach from any console so nothing shows up on screen. After that, it resolves its required APIs dynamically through a LoadLibrary / GetProcAddress loop. After API resolution, the RAT stages its crypto and builds C2 hostname, gcl-power[.]org. The cipher is Salsa20, and the key material is hardcoded. It is a 32-byte key tn9905083tfbsxqrxs7qe4ryw1nif8h1 with 8-byte nonce lPvymwIk. Next, it calls sub_40F4A0 subroutine which walks the running process list and checks each entry against a built-in list of debuggers, sandbox tools, and VM artifacts. During debugging, we observed the process scan, however, the implant continued normally, without killing security processes.

Both the process scan and public-IP geolocation check executed during dynamic testing without triggering self-termination. The RAT still reported the full process list in the mkeoldkf beacon field, exposing debuggers, sandbox tools, and other analysis artifacts to the operator.

After process scan, the malware creates a mutex “kshdkfhskdfjkhsdkfhsjkdfhkj” to prevent reinfection and reduce duplicate-process noise. 

Finally, the RAT fingerprints the host, derives its bot ID, and enters sub_415750(), where it begins polling for commands from the C2 server. Unfortunately, during the analysis the C2 was already down.

Host fingerprinting

Before beaconing, the RAT collects seven fields describing the victim host and packs them into the registration POST body:

Field

Meaning

umnome

Username

pmjodf

Computer name

idkdfjej

Bot ID / cid

vrjdmej

OS version

ndlpeip

Public IP and country

cokenme

Country

mkeoldkf

Full running-process list

Table 2: RAT registration beacon fields and their meaning

During fingerprinting, the RAT makes a one-time call to api.ipify.org to learn the host's own public IP, then passes that IP to ip2c.org to resolve the country. The user-agent used in the recon phase is Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 . The bot ID is not hardcoded. It is derived at runtime from the host and submitted in the idkdfjej field. Each field is independently wrapped as base64url(Salsa20(base64url(value))).

Command and control

The RAT periodically sends HTTPS POST requests to the C2 server on port 443 (INTERNET_FLAG_SECURE). It uses a 23-character token, RRn926EmIRfm9IlJyP1yVO2 for C2 traffic to gcl-power[.]org. Each beacon loop iteration follows the same pattern:

  • POSTs dine=<cid> to the command-poll endpoint /prjozifvkpkfhkr/gedhagammgjvvva/;

  • blocks on InternetReadFile while waiting for a task;

  • treats MMMMM==YYYYY as the idle sentinel, sleeps for approximately three seconds, and re-polls;

  • C2 tasks are wrapped in  < > ( ) * delimiters. The RAT strips these characters and decodes the payload back to the original command using base64url(Salsa20(base64url(value))) again.

RAT-beacon-loop.png

Figure 7: RAT beacon loop showing connectivity check, command poll, and idle sentinel handling

Each cycle, the RAT first confirms the host is actually online by quietly pinging google.com, yahoo.com, and cloudflare.com. Only if that succeeds does it beacon to its C2. When all's well it checks in every 10 seconds and if a check-in fails it retries every 2 seconds, until it recovers.

Operator capabilities

During our analysis we confirmed 5 command handlers.

Token

Capability

Behavior

fl

Directory listing

Recursively enumerates files

dw

Download and execute

Fetches a file, writes it to disk, and runs it

sc

Screenshot

Captures the virtual screen with BitBlt, encodes it with WIC, and exfiltrates it to a dedicated endpoint. This behavior is command-gated, not periodic.

cmx

Shell execution

Runs cmd.exe /c chcp 65001 | <cmd> and captures stdout

uf

File upload

Exfiltrates a specified file

Table 3: Confirmed RAT command handlers with dispatch tokens and behavior

The RAT identifies tasks by looking for command tokens in the C2 response. Each token is followed by the delimiter ==zz==oo==pp==. For example, fl==zz==oo==pp== tells the RAT to run the file-listing handler.

Anti-analysis 

The RAT uses several anti-analysis techniques, including control-flow flattening, opaque predicates, dynamic API resolution, stack-built strings, static CRT linking, process blacklist checks, CPUID hypervisor checks, VM artifact checks, and public-IP geolocation checks.

Control-flow-flattening-dispatcher-skeleton.png

Figure 8: Control-flow flattening dispatcher skeleton in decompiler output

During dynamic testing, the process scan and public-IP geolocation checks are executed without triggering self-termination. The RAT built its registration beacon with the full process list in the mkeoldkf field and attempted to send it to gcl-power[.]org. The connection returned HTTP 522, so the beacon did not reach the origin server during testing. Based on this run, we can confirm the environment checks and reporting behavior. Unfortunately, we cannot determine whether the operator would have killed the session, continued tasking, or taken another action after receiving the process list. The full list of processes and security tools cancould be found in the IOCs section below.

Attribution 

To test whether the RAT delivered by Donut was related to Dropping Elephant, we compared it with a known family sample documented by Arctic Wolf in July 2025: SHA-256 8b6acc087e403b913254dd7d99f09136dc54fa45cf3029a8566151120d34d1c2. That report provides the family context for the reference sample.

BinDiff produced low signal, with 8.6% overall similarity. We do not treat this as evidence against shared lineage. The new sample uses control-flow flattening, which changes the control-flow graph structure that BinDiff depends on. Therefore we also compared the samples with Diaphora, using pseudocode and AST-level features less affected by control-flow flattening.

Diaphora identified four function-level overlaps that pointed to a shared code usage.

Functionality

Shared traits

Command execution

Similar allocation, encoding, formatting, and POST structure; repeated use of the 0x2710 buffer constant

Screenshot handling

Same GDI screenshot pattern, including GetSystemMetrics values 78 and 79 and BitBlt with 0xCC0020; the newer sample uses WIC instead of GDI+ for encoding

C2 connection

Same WININET request flow: open, connect, open request, send request, read response; the newer sample moves from HTTP to HTTPS with INTERNET_FLAG_SECURE

Shell execution

Shared hidden-window execution and cmd.exe /c chcp 65001 output-capture pattern

Table 4: Code-level overlaps between editor.extracted.exe and old_rat.exe identified by Diaphora

The LNK lure and delivery chain also resemble prior Dropping Elephant reporting, including PowerShell staging, legitimate binary abuse, scheduled task persistence, extension manipulation during downloads, and DLL side-loading. These overlaps supported the initial hypothesis, but the payload comparison provides the primary evidence for the lineage assessment.

Mitigation guidance

MITRE ATT&CK techniques

Tactic

Technique

Observable

Initial Access

Phishing: Spearphishing Attachment [T1566.001]

Malicious GRES3001.lnk used as the initial lure artifact; no email artifact recovered

Execution

User Execution: Malicious File [T1204.002]

User opens GRES3001.lnk

Execution

Command and Scripting Interpreter: PowerShell [T1059.001]

LNK launches conhost.exe, which starts the PowerShell downloader

Execution

Command and Scripting Interpreter: Windows Command Shell [T1059.003]

RAT cmx handler runs cmd.exe /c chcp 65001 | <cmd>

Persistence

Scheduled Task/Job: Scheduled Task [T1053.005]

GoogleErrorReport runs C:\Users\Public\Fondue.exe every minute

Defense Evasion

Hijack Execution Flow: DLL Side-Loading [T1574.002]

Fondue.exe loads the malicious APPWIZ.cpl staged alongside it

Defense Evasion

Masquerading: Match Legitimate Name or Location [T1036.005]

Edge icon spoofing, GoogleErrorReport task name, staging in C:\Users\Public\

Defense Evasion

Obfuscated Files or Information [T1027]

Junk file extensions, string splitting, encrypted payload container, encoded C2 fields

Defense Evasion

Reflective Code Loading [T1620]

Donut maps the final PE in memory without writing it to disk

Defense Evasion

Impair Defenses: Disable or Modify Tools [T1562.001]

Donut patches in-process AMSI and WLDP functions before payload execution

Defense Evasion

Virtualization/Sandbox Evasion: System Checks [T1497.001]

CPUID, VM artifact, process blacklist, and public-IP geolocation checks

Discovery

Process Discovery [T1057]

RAT enumerates running processes and sends the process list in mkeoldkf

Discovery

System Information Discovery [T1082]

RAT collects username, computer name, OS version, and host profile fields

Discovery

System Network Configuration Discovery [T1016]

RAT obtains public IP through api.ipify.org

Discovery

System Location Discovery [T1614]

RAT queries ip2c.org for country/geolocation

Discovery

File and Directory Discovery [T1083]

fl handler enumerates files

Collection

Screen Capture [T1113]

sc handler captures the virtual screen with BitBlt and encodes it with WIC

Collection

Data from Local System [T1005]

uf handler exfiltrates files; fl handler lists local files

Command and Control

Application Layer Protocol: Web Protocols [T1071.001]

HTTPS C2 traffic to gcl-power[.]org

Command and Control

Data Encoding: Standard Encoding [T1132.001]

C2 fields use Base64 wrapping

Command and Control

Encrypted Channel: Symmetric Cryptography [T1573.001]

C2 field content is protected with Salsa20

Command and Control

Ingress Tool Transfer [T1105]

Initial staging downloads and dw download-and-execute capability

Exfiltration

Exfiltration Over C2 Channel [T1041]

Host fingerprinting, screenshots, command output, and files leave over the C2 channel

Indicators of compromise (IOCs)

File hashes

SHA-256

File

Comment

a8ecbd9c049044ca4990a0e5960d19ce782a3b42d7763e9693d7c91ead24a0b7

GRES3001.lnk

Initial-access shortcut; launches conhost.exe → PowerShell downloader

56d656d684077e7b3231393f5464447cdc8eea81b6415c5f010bc52f0c8cb317

GRES3001.pdf

Decoy lure document

b58351ead08db413ca499cfeb1b1091ed8bfd68f4089605e452fa01ed46f42b1

Fondue.exe

Legitimate Microsoft side-loading host

914da75a4ad6d70db856a2bc318d8828f28894622f017ee78d470b4794faafa6

APPWIZ.cpl

Malicious side-loaded loader; exports RunFODW

718812adb0d669eea9606432202371e358c7de6cdeafeddad222c36ae0d3f263

msvcp140.dll

Bundled VC++ runtime; verify against known-good

09d1e604e8cdd06176fcc3d3698861be20638a4391f9f2d9e23f868c1576ca94

vcruntime140.dll

Bundled VC++ runtime; verify against known-good

a5e448af73b0ff6b6fcfe6ef7808120e1fd7e5c4c9b4edd68e1c980e5ea3406b

editor.dat

Base64-wrapped AES-256-CBC encrypted payload file

ecab0e747bff16a1163bbd9bb494e68dd4d7ca655ac7279bd4dd73221f7df57c

editor.decrypted.bin

AES-decrypted Donut loader blob

7099c33933716c00c1f4bdb0281c230b981c76b23d7d1c83abc6f58968267d54

editor.extracted.exe

Final RAT, carved from memory

Network indicators

Indicator

Type

Notes

chinagreenenergy.org

Domain

Staging and delivery server

https://chinagreenenergy.org/doc/35566/SXxls

URL

Decoy PDF download

https://chinagreenenergy.org/doc/list/load-list/dfe87bbc-53e0-489f-a9e6-ab8f4be47cb9

URL

Fondue.exe download

https://chinagreenenergy.org/doc/list/load-list/8daaa3e4-c85e-40c1-a2a2-94679e94c417

URL

APPWIZ.cpl download

https://chinagreenenergy.org/doc/list/load-list/ecdc6b92-62b5-4acd-99f2-af09902938e1

URL

msvcp140.dll download

https://chinagreenenergy.org/doc/list/load-list/e7477b17-45f0-420b-b2b1-811d4c1556ea

URL

vcruntime140.dll download

https://chinagreenenergy.org/doc/list/load-list/000bd4a8-814d-414c-8be8-f0c77a9c7e1e

URL

editor.dat download

gcl-power.org

Domain

Operational C2 over HTTPS/443

/prjozifvkpkfhkr/

URI path

Registration / check-in

/prjozifvkpkfhkr/gedhagammgjvvva/

URI path

Command polling endpoint

/prjozifvkpkfhkr/spxbjdhxtapivrk/

URI path

Screenshot exfiltration endpoint

api.ipify.org

Domain

Public-IP lookup used during host fingerprinting

ip2c.org

Domain

Geolocation lookup used during host fingerprinting

More IOCs can be found on our GitHub.

Conclusion

The campaign analyzed in this blog demonstrates continued Dropping Elephant operational investment and tooling development. The actor reused recognizable delivery patterns, including a China-themed lure, PowerShell-based staging, scheduled task persistence, shortcut-based execution, and DLL side-loading through a trusted Microsoft binary. At the same time, it evolved the final payload into a more evasive, memory-resident implant.

The final RAT represents a notable evolution from previously documented Dropping Elephant tooling. It executes entirely in memory, patches AMSI, WLDP, and ETW before running, and incorporates additional obfuscation and anti-analysis techniques that make detection and analysis more difficult.

For defenders, the practical takeaway is that Dropping Elephant’s tooling may be changing faster than its operational approach. Hashes, filenames, and infrastructure are likely to change across campaigns, but the path into execution still creates opportunities to detect and disrupt the activity before the final implant runs.