Introduction
Security Arsenal is tracking an active campaign attributed to the Dropping Elephant threat actor, utilizing a sophisticated China-themed loader chain to deliver malicious payloads. This campaign demonstrates continued evolution of tradecraft, with multi-stage loaders designed to evade detection while establishing persistence on target systems.
The threat actor leverages politically themed lures targeting government, diplomatic, and critical infrastructure sectors. The loader chain employs obfuscation techniques, signed binary abuse, and Defense Evasion tactics consistent with nation-state operations. Defenders need to act now to detect early-stage indicators before payload delivery and exfiltration occurs.
Technical Analysis
Affected Platforms and Scope
- Primary Targets: Windows-based enterprise environments
- Sectors Observed: Government, diplomatic missions, think tanks, and critical infrastructure
- Geographic Focus: Organizations with interests in Southeast Asia and geopolitical affairs involving China
Attack Chain Breakdown
Stage 1: Initial Access via Spear Phishing
- Lures are China-themed documents (RTF, DOCX) with embedded malicious content
- Lures reference diplomatic meetings, trade agreements, or regional policy documents
- Messages are sent from legitimate-looking sender addresses to make the documents appear credible
Stage 2: First-Stage Loader (Dropper)
- Executes via macro-enabled documents or template injection
- Deploys PowerShell or PowerShell Empire stagers for initial beaconing
- Often abuses legitimate signed binaries (LOLBins) to bypass security controls
- Employs process hollowing or DLL side-loading techniques
Stage 3: Second-Stage Loader (C2 Establishment)
- Retrieves additional payloads from attacker-controlled infrastructure
- Implements custom encryption for C2 communications
- Establishes persistence via scheduled tasks, registry run keys, or service creation
- Collects system reconnaissance data (hostname, domain, IP, installed software)
Stage 4: Final Payload Delivery
- Delivers custom backdoor or RAT capabilities
- Enables lateral movement and credential harvesting
- Establishes long-term access for espionage operations
Exploitation Status
- Active Exploitation: Confirmed in-the-wild campaigns as of Q1 2026
- CISA KEV: Not currently listed (APT campaign, not CVE-based)
- TTP Alignment: MITRE ATT&CK techniques T1566.001 (Spearphishing Attachment), T1059.001 (PowerShell), T1055.012 (Process Hollowing)
Detection & Response
Sigma Rules
---
title: Dropping Elephant China-Themed Document Macro Execution
id: 8f3d2a1c-5b4e-4f7a-9c1d-2e3f4a5b6c7d
status: experimental
description: Detects macro execution from documents with China-themed filenames and content patterns associated with Dropping Elephant campaigns
references:
  - https://attack.mitre.org/techniques/T1566/001/
author: Security Arsenal
date: 2026/02/15
tags:
  - attack.initial_access
  - attack.t1566.001
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    ParentImage|endswith:
      - '\WINWORD.EXE'
      - '\EXCEL.EXE'
      - '\POWERPNT.EXE'
    Image|endswith:
      - '\powershell.exe'
      - '\cmd.exe'
    CommandLine|contains:
      - 'EncodedCommand'
      - 'FromBase64String'
      - 'IEX'
  # The exclusion is applied to the child's command line. Office itself always
  # runs from C:\Program Files, so filtering on ParentCommandLine would suppress
  # every hit; this matches the KQL and PowerShell checks in this section.
  filter_legit:
    CommandLine|contains:
      - 'C:\Program Files'
  condition: selection and not filter_legit
falsepositives:
  - Legitimate macro-based business processes
level: high
---
title: Dropping Elephant Loader Chain Suspicious DLL Side-Loading
id: 3a7b1c9d-4e5f-6a7b-8c9d-0e1f2a3b4c5d
status: experimental
description: Detects DLL side-loading patterns associated with Dropping Elephant second-stage loaders using legitimate signed binaries
references:
  - https://attack.mitre.org/techniques/T1574/002/
author: Security Arsenal
date: 2026/02/15
tags:
  - attack.defense_evasion
  - attack.t1574.002
logsource:
  category: image_load
  product: windows
detection:
  selection:
    Image|endswith:
      - '\rundll32.exe'
      - '\regsvr32.exe'
      - '\mshta.exe'
    ImageLoaded|contains:
      - '\AppData\Local\Temp'
      - '\AppData\Roaming\'
      - '\Downloads\'
    ImageLoaded|endswith:
      - '.dll'
  # Two independent exclusions: signed DLLs, and DLLs under the Windows system
  # directories. Putting both fields in one filter map would AND them, so a
  # signed DLL in AppData would never be excluded.
  filter_signed:
    Signed: 'true'
  filter_system:
    ImageLoaded|contains:
      - '\Windows\System32'
      - '\Windows\SysWOW64'
  condition: selection and not 1 of filter_*
falsepositives:
  - Legitimate software installations
  - Signed legitimate applications
level: medium
---
title: Dropping Elephant C2 Beacon Pattern
id: 9c8d7e6a-5b4c-3d2e-1f0a-9b8c7d6e5f4a
status: experimental
description: Detects network beaconing patterns consistent with Dropping Elephant C2 infrastructure
references:
  - https://attack.mitre.org/techniques/T1071.001/
author: Security Arsenal
date: 2026/02/15
tags:
  - attack.command_and_control
  - attack.t1071.001
logsource:
  category: network_connection
  product: windows
detection:
  selection:
    Initiated: 'true'
    DestinationPort:
      - 443
      - 8080
      - 8443
  # 'interval|between' is not a modifier defined by the Sigma specification.
  # The 300-900 s cadence has to be implemented as a correlation step in the
  # backend (the KQL and VQL queries in this section aggregate per destination
  # for that purpose); most converters will reject or ignore this block.
  timing:
    interval|between: 300s-900s
  filter_legit:
    DestinationHostname|contains:
      - '.microsoft.com'
      - '.windowsupdate.com'
      - '.office.com'
      - '.amazonaws.com'
      - '.google.com'
  condition: selection and timing and not filter_legit
falsepositives:
  - Legitimate application update checks
level: high
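The following is an added example, not part of the advisory: a minimal evaluator for the Sigma-style selection in the first rule above, run over constructed Sysmon-like process_creation events (the paths, document name and command lines are made up). It shows the endswith/contains semantics with Windows case-insensitivity, and why the "C:\Program Files" exclusion has to be applied to the child's command line rather than the Office parent's.

```python
# Added example (not from the advisory): evaluate the macro-execution rule above
# against constructed Sysmon-like events.
from __future__ import annotations

# Constructed process_creation events (not real telemetry); Sysmon EID 1 field names.
PROCESS_EVENTS = [
    {   # Word spawning PowerShell with an encoded command: should fire
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "ParentCommandLine": r'"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" /n "C:\Users\alice\Downloads\Trade_Agreement.docx"',
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell.exe -nop -w hidden -EncodedCommand <base64-placeholder>",
    },
    {   # Word launching a vendor add-in script from Program Files via IEX: benign, filtered
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "ParentCommandLine": r'"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"',
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r'''powershell.exe -c "IEX (Get-Content 'C:\Program Files\Vendor\init.ps1' -Raw)"''',
    },
    {   # Explorer (not Office) starting PowerShell: parent condition not met
        "ParentImage": r"C:\Windows\explorer.exe",
        "ParentCommandLine": r"C:\Windows\Explorer.EXE",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell.exe -EncodedCommand <base64-placeholder>",
    },
]

# The rule's detection block, transcribed into Python dicts.
MACRO_RULE = {
    "selection": {
        "ParentImage|endswith": ["\\WINWORD.EXE", "\\EXCEL.EXE", "\\POWERPNT.EXE"],
        "Image|endswith": ["\\powershell.exe", "\\cmd.exe"],
        "CommandLine|contains": ["EncodedCommand", "FromBase64String", "IEX"],
    },
    # Exclusion on the child's command line (see the comment in the rule itself).
    "filter_legit": {"CommandLine|contains": ["C:\\Program Files"]},
}


def _match(value: str, modifier: str, patterns: list[str]) -> bool:
    """One field against a list of patterns (ORed). Windows paths and command
    lines are case-insensitive, so both sides are lower-cased."""
    v = value.lower()
    for p in (p.lower() for p in patterns):
        if modifier == "endswith" and v.endswith(p):
            return True
        if modifier == "contains" and p in v:
            return True
        if modifier == "equals" and v == p:
            return True
    return False


def selection_matches(event: dict, selection: dict) -> bool:
    """All field conditions in a Sigma selection map are ANDed."""
    for key, patterns in selection.items():
        field, _, modifier = key.partition("|")
        modifier = modifier or "equals"
        if not isinstance(patterns, list):
            patterns = [patterns]
        if not _match(str(event.get(field, "")), modifier, [str(p) for p in patterns]):
            return False
    return True


def evaluate_macro_rule(events: list[dict]) -> list[dict]:
    """condition: selection and not filter_legit; returns the flagged events."""
    return [e for e in events
            if selection_matches(e, MACRO_RULE["selection"])
            and not selection_matches(e, MACRO_RULE["filter_legit"])]


def evaluate_with_parent_filter(events: list[dict]) -> list[dict]:
    """The same selection with the exclusion on ParentCommandLine instead:
    every Office parent lives under C:\\Program Files, so nothing ever fires."""
    bad_filter = {"ParentCommandLine|contains": ["C:\\Program Files"]}
    return [e for e in events
            if selection_matches(e, MACRO_RULE["selection"])
            and not selection_matches(e, bad_filter)]


if __name__ == "__main__":
    for hit in evaluate_macro_rule(PROCESS_EVENTS):
        print("FLAGGED:", hit["ParentImage"], "->", hit["CommandLine"])
    print("hits with the filter on the parent:", len(evaluate_with_parent_filter(PROCESS_EVENTS)))
```

Only the encoded-command launch from Word is flagged; the vendor add-in launch matches the selection (it contains `IEX`) but is excluded by the child command-line filter, and the Explorer-spawned shell fails the parent condition. Moving the exclusion to the parent command line suppresses all three.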
KQL (Microsoft Sentinel / Defender)
// Query 1: Hunt for Dropping Elephant macro-based initial access
// (the three queries are independent; run each one on its own)
let SuspiciousMacroParents = dynamic(['winword.exe', 'excel.exe', 'powerpnt.exe']);
let SuspiciousCommands = dynamic(['EncodedCommand', 'FromBase64String', 'IEX(', 'Invoke-Expression', 'DownloadString']);
DeviceProcessEvents
| where Timestamp > ago(30d)
// in~ is case-insensitive; Defender records file names in lowercase, so a plain 'in' would miss everything
| where InitiatingProcessFileName in~ (SuspiciousMacroParents)
| where FileName in~ ('powershell.exe', 'cmd.exe', 'wscript.exe', 'cscript.exe')
| where ProcessCommandLine has_any (SuspiciousCommands)
| where ProcessCommandLine !contains "Program Files"
| project Timestamp, DeviceName, AccountName, InitiatingProcessFileName,
    FileName, ProcessCommandLine, SHA256, FolderPath
| order by Timestamp desc

// Query 2: Detect suspicious DLL loading from non-standard paths
let SignedBinaries = dynamic(['rundll32.exe', 'regsvr32.exe', 'mshta.exe', 'certutil.exe']);
DeviceImageLoadEvents
| where Timestamp > ago(30d)
// In DeviceImageLoadEvents, FileName/FolderPath describe the loaded image;
// the process doing the loading is InitiatingProcessFileName
| where InitiatingProcessFileName in~ (SignedBinaries)
| where FileName endswith ".dll"
| where FolderPath !contains @"Windows\System32"
    and FolderPath !contains @"Windows\SysWOW64"
| where FolderPath contains "AppData" or FolderPath contains "Downloads"
    or FolderPath contains "Temp"
// Signer information is not on the image-load event; look it up by hash
| join kind=leftouter (
    DeviceFileCertificateInfo
    | summarize arg_max(Timestamp, IsSigned, IsTrusted, Signer) by SHA1
    | project SHA1, IsSigned, IsTrusted, Signer
  ) on SHA1
| where isnull(IsTrusted) or IsTrusted == false
| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName,
    InitiatingProcessCommandLine, FileName, FolderPath, SHA1, SHA256, IsSigned, IsTrusted, Signer
| order by Timestamp desc

// Query 3: Network beaconing pattern analysis for C2 detection
let KnownC2Ports = dynamic([443, 8080, 8443, 9001, 4443]);
DeviceNetworkEvents
| where Timestamp > ago(30d)
| where ActionType == "ConnectionSuccess"
| where RemotePort in (KnownC2Ports)
| where InitiatingProcessFileName !in~ ('chrome.exe', 'firefox.exe', 'msedge.exe', 'iexplore.exe')
| summarize ConnectionCount = count(),
    FirstSeen = min(Timestamp),
    LastSeen = max(Timestamp),
    UniqueRemoteIPs = dcount(RemoteIP)
    by DeviceName, InitiatingProcessFileName, RemotePort, RemoteUrl
// many connections to few destinations from one process is the beaconing shape
| where ConnectionCount > 5 and UniqueRemoteIPs <= 3
| project DeviceName, InitiatingProcessFileName, RemotePort, RemoteUrl,
    ConnectionCount, UniqueRemoteIPs, FirstSeen, LastSeen
| order by ConnectionCount desc
Velociraptor VQL
-- Hunt for Dropping Elephant persistence mechanisms
-- Scheduled task patterns: the built-in artifact parses the task XML under
-- C:\Windows\System32\Tasks (modern tasks are XML files, not legacy .job files)
SELECT OSPath, Name, Command, Arguments
FROM Artifact.Windows.System.TaskScheduler()
WHERE Name =~ '(?i)Update'
   OR Command =~ '(?i)(powershell|rundll32|regsvr32|mshta|wscript|cscript)'
   OR Arguments =~ '(?i)(EncodedCommand|FromBase64String|IEX|DownloadString)'

-- Detect suspicious unsigned DLLs/EXEs in user directories written in the last 30 days
-- (Downloads sits beside AppData, not under it, so it needs its own glob)
SELECT OSPath, Size, Mtime, Atime,
       hash(path=OSPath).SHA256 AS SHA256,
       authenticode(filename=OSPath).Trusted AS Trusted
FROM glob(globs=['C:/Users/*/AppData/**/*.{dll,exe}',
                 'C:/Users/*/Downloads/**/*.{dll,exe}'])
WHERE Mtime > timestamp(epoch=now() - 30 * 24 * 3600)
  AND OSPath =~ '(?i)(Temp|Downloads|Roaming)'
  AND Trusted != 'trusted'

-- Network connection analysis for beaconing patterns: script hosts and LOLBins
-- holding established connections to common C2 ports on non-private addresses.
-- netstat() carries no command line, so it is looked up from pslist() per PID.
SELECT Pid, Name, Status,
       Raddr.IP AS RemoteAddress, Raddr.Port AS RemotePort, Timestamp,
       { SELECT CommandLine FROM pslist(pid=Pid) } AS CommandLine
FROM netstat()
WHERE Status =~ 'ESTAB'
  AND Raddr.Port IN (443, 8080, 8443, 9001)
  AND Name =~ '(?i)(powershell|python|wscript|cscript|rundll32|regsvr32|mshta)'
  AND NOT Raddr.IP =~ '^(127\\.|10\\.|172\\.(1[6-9]|2[0-9]|3[01])\\.|192\\.168\\.)'
Remediation Script (PowerShell)
# Dropping Elephant Loader Chain Remediation Script
# Run as Administrator
Write-Host "[+] Starting Dropping Elephant threat remediation..."

# Step 1: Kill suspicious processes associated with loader chains
# Get-Process reports ProcessName without the .exe suffix, so the list must not carry it
$MaliciousProcesses = @('powershell', 'wscript', 'cscript', 'rundll32', 'regsvr32')
foreach ($proc in Get-Process | Where-Object { $MaliciousProcesses -contains $_.ProcessName }) {
    $cmdLine = (Get-CimInstance Win32_Process -Filter "ProcessId = $($proc.Id)").CommandLine
    if ($cmdLine -match 'EncodedCommand|FromBase64String|IEX\(|DownloadString' -and $cmdLine -notmatch 'Program Files') {
        Write-Host "[!] Terminating suspicious process: $($proc.ProcessName) (PID: $($proc.Id))"
        Stop-Process -Id $proc.Id -Force -ErrorAction SilentlyContinue
    }
}

# Step 2: Scan and remove suspicious files from user directories
# This covers the profile the script runs under; loop over C:\Users\* to cover every profile
$SuspiciousPaths = @(
    "$env:USERPROFILE\AppData\Local\Temp",
    "$env:USERPROFILE\Downloads",
    "$env:USERPROFILE\AppData\Roaming"
)
$suspiciousFiles = @()
foreach ($path in $SuspiciousPaths) {
    if (Test-Path $path) {
        # Recently written files with hash-like names, or update/patch/config-named binaries
        $suspiciousFiles += Get-ChildItem -Path $path -Recurse -Include *.dll,*.exe,*.ps1,*.vbs,*.js -ErrorAction SilentlyContinue |
            Where-Object {
                $_.LastWriteTime -gt (Get-Date).AddDays(-30) -and
                ($_.Name -match '^[a-f0-9]{8,}' -or
                 ($_.Name -match 'update|patch|config' -and $_.Extension -in @('.dll', '.exe')))
            }
    }
}
foreach ($file in $suspiciousFiles) {
    # Prefer Move-Item into a quarantine folder over Remove-Item when evidence must be preserved
    $signature = Get-AuthenticodeSignature -FilePath $file.FullName
    if ($signature.Status -ne 'Valid') {
        Write-Host "[!] Removing suspicious unsigned file: $($file.FullName)"
        Remove-Item -Path $file.FullName -Force -ErrorAction SilentlyContinue
    }
}

# Step 3: Remove suspicious scheduled tasks
$SuspiciousTasks = Get-ScheduledTask | Where-Object {
    $_.Actions.Execute -match 'powershell|wscript|cscript|rundll32' -and
    $_.Author -notmatch 'Microsoft|Windows'
}
foreach ($task in $SuspiciousTasks) {
    Write-Host "[!] Removing suspicious scheduled task: $($task.TaskName)"
    Unregister-ScheduledTask -TaskName $task.TaskName -Confirm:$false -ErrorAction SilentlyContinue
}

# Step 4: Check and clean registry run keys
$RunKeys = @(
    "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run",
    "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run",
    "HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    "HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce"
)
foreach ($key in $RunKeys) {
    if (Test-Path $key) {
        Get-Item -Path $key | ForEach-Object {
            foreach ($value in $_.Property) {
                $data = (Get-ItemProperty -Path $key -Name $value).$value
                # run-key entries pointing at scripts/binaries under AppData
                if ($data -match 'AppData\\(Temp|Roaming|Local)' -and $data -match '\.(exe|dll|ps1|vbs)') {
                    Write-Host "[!] Removing suspicious registry value: $key\$value"
                    Remove-ItemProperty -Path $key -Name $value -Force -ErrorAction SilentlyContinue
                }
            }
        }
    }
}

# Step 5: Block known malicious C2 domains in hosts file (update with current IOCs)
$KnownC2Domains = @(
    # Add current Dropping Elephant C2 domains here from threat intelligence feeds
)
if ($KnownC2Domains.Count -gt 0) {
    $HostsFile = "$env:SystemRoot\System32\drivers\etc\hosts"
    $currentHosts = Get-Content $HostsFile -ErrorAction SilentlyContinue
    foreach ($domain in $KnownC2Domains) {
        # "-notmatch" on an array returns the non-matching lines (almost always non-empty),
        # so test for the absence of any matching line instead
        if (-not ($currentHosts -match [regex]::Escape($domain))) {
            Add-Content -Path $HostsFile -Value "127.0.0.1 $domain"
            Write-Host "[+] Blocked C2 domain: $domain"
        }
    }
}

Write-Host "[+] Remediation complete. Please perform a full system scan and review for additional IOCs."
Write-Host "[+] Consider resetting credentials for accounts that were active during the compromise period."
Remediation
Immediate Actions
- Isolate Compromised Systems
  - Disconnect affected endpoints from the network immediately
  - Preserve memory and disk images for forensic analysis
  - If possible, do not power off systems; collect volatile data first
- Credential Reset
  - Reset passwords for all accounts used on compromised systems
  - Revoke and re-issue any potentially exposed API keys or certificates
  - Enforce MFA for all accounts, especially privileged ones
- IOC Scanning
  - Deploy the latest threat intelligence feeds for Dropping Elephant IOCs
  - Scan your environment for file hashes, domains, and IP addresses
  - Use EDR telemetry to hunt for processes matching the TTPs above
Long-Term Hardening
- Macro Security
  - Disable macros for all users organization-wide via GPO
  - Implement Microsoft Office macro signing requirements
  - Use Attack Surface Reduction (ASR) rules to block Office apps from creating child processes
- Application Whitelisting
  - Deploy application control (AppLocker or Windows Defender Application Control)
  - Block execution from user-writable directories (%AppData%, %Temp%, %Downloads%)
  - Require signed binaries for all authorized applications
- Network Segmentation
  - Implement zero-trust network access principles
  - Restrict outbound internet access for workstations
  - Implement DNS filtering to block known C2 domains
- Endpoint Detection
  - Deploy EDR with behavioral detection capabilities
  - Enable script block logging and PowerShell transcription
  - Configure AMSI (Antimalware Scan Interface) for maximum coverage
Official Guidance
- Monitor CISA Alerts for updates on APT campaigns
- Review NIST SP 800-53 Rev. 5 security controls
- Implement CIS Controls v8, specifically controls 7 (Email and Web Browser Protections), 8 (Malware Defenses), and 10 (Data Protection)