June 9, 2023

An unknown APT actor has been engaging in long-term surveillance operations against academics, activists, journalists, human rights defenders, and law professionals known to be Modified Elephant which uses the tactics of executing phishing attacks using macro enabled documents

Over time, the adversary refined tactics, moving from executable attachments with fake double extensions to files containing publicly available exploits, and then to providing intended victims with links to files hosted on external servers.


Some of the malicious documents employed in attacks made use of exploits for vulnerabilities such as CVE-2012-0158, CVE-2014-1761, CVE-2013-3906 and CVE-2015-1641 for the download and execution of malicious code. The files were themed around topics relevant to the target.

The attacks were mainly carried out using Gmail and Yahoo, and the messages employed various social engineering tactics to appear legitimate, including fake body content with a forwarding history containing long lists of recipients.

The APT mainly relied on NetWire and DarkComet remote access trojans (RATs), known to have been employed by a broad range of adversaries.

It also observed attackers deploying the Incubator keylogger on the systems of some victims, and in some cases attempting to deliver both NetWire and Android malware payloads.

ModifiedElephant was performing nearly identical evidence creation and organization across multiple unrelated victim systems within roughly fifteen minutes of each other. It operates in crowded space and join hands with other threat actors.

Many of ModifiedElephant’s targets, have been either targeted or infected with mobile surveillance spyware. Some of them who are related to the Bhima Koregaon case are known to have been targeted with NSO Group’s Pegasus malware.


The researchers observed an overlap between the timing and targets of some of ModifiedElephant’s phishing attacks and those of SideWinder, a threat actor known for the targeting of businesses and government and military entities in Asia. It’s activity aligns with Indian state interests and also observed a link between some of the APT’s attacks and the arrests of individuals in controversial, politically charged cases.

Our profile of ModifiedElephant has taken a look at a small subset of the total list of potential targets, the attackers techniques, and a rare glimpse into their objectives. Many questions about this threat actor and their operations remain; however, one thing is clear: Critics of authoritarian governments around the world must carefully understand the technical capabilities of those who would seek to silence them, concludes the report

Leave a Reply

%d bloggers like this: