Dropping Elephant APT Group Targets Turkish Defense Industry With New Campaign and Capabilities: LOLBAS, VLC Player, and Encrypted Shellcode
Source: Arctic Wolf
Executive Summary
The Arctic Wolf® Labs team has identified a new campaign by cyber-espionage group Dropping Elephant targeting Turkish defense contractors, specifically a manufacturer of precision-guided missile systems. The campaign employs a five-stage execution chain delivered via malicious LNK files disguised as conference invitations sent to targets interested in learning more about unmanned vehicle systems.
The attack leverages legitimate binaries (VLC Media Player and Microsoft Task Scheduler) for defense evasion through DLL side-loading techniques. This represents a significant evolution of this threat actor’s capabilities, transitioning from the x64 DLL variants observed in November 2024 to the current x86 PE executables with enhanced command structures.
The campaign’s timing appears to coincide with heightened Türkiye-Pakistan defense cooperation and recent India-Pakistan military tensions, suggesting the targeting may be geopolitically motivated. Infrastructure analysis reveals deliberate operational security measures, including the impersonation of legitimate websites for command-and-control (C2) infrastructure.
The campaign demonstrates how threat actors combine social engineering with precisely crafted lures to gather strategic intelligence from their targets. In this blog, we’ll break down the attack step-by-step to show how this is achieved, as well as discuss proactive steps organizations can take to defend themselves against this type of attack.