The South Asian cyber espionage group APT-K-47, also known as Mysterious Elephant, has been observed leveraging Hajj-themed phishing lures to distribute an upgraded version of its Asyncshell malware. Active since 2022, the group has primarily targeted Pakistani entities using culturally relevant themes to enhance the effectiveness of its social engineering campaigns. In its latest attack, the group disguised malicious payloads as Microsoft Compiled HTML Help (CHM) files claiming to provide official Hajj policy details for 2024.
The campaign involves phishing emails delivering a ZIP archive containing a CHM file and a hidden executable. When the CHM file is executed, it presents a legitimate-looking PDF document sourced from Pakistan’s Ministry of Religious Affairs and Interfaith Harmony website while simultaneously executing the hidden malware payload. This dual approach helps the threat actor avoid suspicion, allowing the Asyncshell malware to infiltrate systems undetected. This attack marks a continued pattern of culturally tailored lures aimed at achieving stealthy and targeted infection.
Asyncshell, the malware used in these attacks, has undergone significant evolution since its first appearance in 2023. The latest iteration includes enhanced functionality, such as support for HTTPS-based command-and-control (C2) communications, replacing the TCP protocol used in earlier versions. The malware also exploits vulnerabilities like the WinRAR flaw (CVE-2023-38831) to facilitate infection. Additionally, APT-K-47 has refined its attack chain by incorporating Visual Basic Scripts to display decoy documents and execute tasks via scheduled processes. These upgrades highlight the group’s focus on improving the malware’s persistence and operational stealth.
Researchers from Knownsec 404 have noted that Asyncshell’s C2 infrastructure has shifted from static to variable addresses, controlled through disguised service requests. This change demonstrates APT-K-47’s intent to enhance its malware’s adaptability and resilience against detection. By frequently upgrading its tools and tactics, APT-K-47 continues to pose a significant threat to its targets, reflecting a broader trend among advanced persistent threat actors toward dynamic and highly targeted cyber-espionage campaigns.
