DarkElephant Group: A Decade-Long Covert Cyber Assault
The DarkElephant Group is a suspected India-originated APT entity that primarily targets social activists, civil organizations, and opposition parties within India, while also stealing military and political intelligence from neighboring countries including China and Pakistan. Using spear-phishing emails sent from Gmail/Yahoo accounts or from compromised mailboxes, the group delivers multi-evasion payloads that carry mature commercial RATs. Active since at least 2012, this decade-long campaign exhibits dark operational characteristics, as evidenced by the Bhima Koregaon case, in which activists were framed. Antiy CERT attributes the group's infrastructure to the UTC+5.5 timezone (Indian Standard Time).

Technical analysis reveals persistent use of commercial RATs such as NetWire, DarkComet, and ParallaxRAT across Windows and Android platforms, exploiting vulnerabilities including CVE-2012-0158, CVE-2013-3906, CVE-2014-1761, and CVE-2015-1641. The group employs in-memory decryption, certificate spoofing, timestamp manipulation, and file padding. Recent campaigns against Chinese targets involved multi-stage attacks using self-extracting archives that contained Upatre downloaders and ParallaxRAT payloads injected into legitimate processes (rundll32.exe, svchost.exe).

Forensic evidence from the Bhima Koregaon case demonstrates document forgery operations carried out through hidden directories and timestamp-altered evidentiary materials. UTC+5:30 timestamps in decoy PDFs geolocate the operations to India. Antiy's decade-long tracking reveals India's shifting cyber focus from Pakistan to China, and DarkElephant's domestic surveillance and cross-border espionage activities warrant heightened vigilance.
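The summary above relies on two artifacts an analyst can check directly in a suspicious document: the timezone offset embedded in PDF date strings (the UTC+5:30 indicator) and inconsistencies between creation and modification dates that point to timestamp manipulation. The following Python is an added triage helper written for this page; it is not Antiy's tooling and not part of the original report. It parses the PDF date format (`D:YYYYMMDDHHmmSS+HH'mm'`) out of the Info dictionary's `/CreationDate` and `/ModDate` literal strings, returns the offsets found, and flags a `ModDate` that precedes `CreationDate`. The embedded sample PDF fragment is constructed for the demonstration and only covers literal-string dates, not hex-encoded or XMP metadata.

```python
import re
from datetime import datetime, timedelta, timezone

# PDF date string: D:YYYY[MM[DD[HH[mm[SS[O[HH'[mm']]]]]]]] where O is +, - or Z.
# Everything after the year is optional in the PDF specification, so every
# trailing group here is optional as well.
PDF_DATE_RE = re.compile(
    rb"D:(\d{4})(\d{2})?(\d{2})?(\d{2})?(\d{2})?(\d{2})?"
    rb"([Zz+\-])?(\d{2})?'?(\d{2})?'?"
)


def parse_pdf_date(raw: bytes):
    """Return (datetime, offset_minutes) for a PDF date string, or None.

    offset_minutes is None when the string carries no timezone marker at all.
    """
    m = PDF_DATE_RE.match(raw)
    if not m:
        return None
    y, mo, d, h, mi, s, sign, oh, om = m.groups()
    parts = [int(y), int(mo or 1), int(d or 1), int(h or 0), int(mi or 0), int(s or 0)]
    if sign in (b"+", b"-"):
        offset = int(oh or 0) * 60 + int(om or 0)
        if sign == b"-":
            offset = -offset
        tz = timezone(timedelta(minutes=offset))
    elif sign in (b"Z", b"z"):
        offset, tz = 0, timezone.utc
    else:
        offset, tz = None, None
    return datetime(*parts, tzinfo=tz), offset


def format_offset(minutes: int) -> str:
    """Render an offset in minutes as the familiar UTC+HH:MM form."""
    sign = "+" if minutes >= 0 else "-"
    minutes = abs(minutes)
    return f"UTC{sign}{minutes // 60:02d}:{minutes % 60:02d}"


def extract_dates(pdf: bytes) -> dict:
    """Pull /CreationDate and /ModDate literal strings out of raw PDF bytes."""
    found = {}
    for key in (b"CreationDate", b"ModDate"):
        m = re.search(rb"/" + key + rb"\s*\((D:[^)]*)\)", pdf)
        if m:
            parsed = parse_pdf_date(m.group(1))
            if parsed:
                found[key.decode()] = parsed
    return found


def triage(pdf: bytes) -> dict:
    """Summarise timezone offsets and date anomalies for a document."""
    dates = extract_dates(pdf)
    offsets = sorted({off for (_, off) in dates.values() if off is not None})
    report = {"offsets": [format_offset(o) for o in offsets], "anomalies": []}
    created = dates.get("CreationDate")
    modified = dates.get("ModDate")
    # Only compare timezone-aware values; naive and aware datetimes cannot be ordered.
    if created and modified and created[1] is not None and modified[1] is not None:
        if modified[0] < created[0]:
            report["anomalies"].append("ModDate precedes CreationDate")
    return report


# Constructed sample: a minimal Info dictionary whose ModDate is a day before
# its CreationDate, the kind of inconsistency that warrants a closer look.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Title (invitation) /Producer (example)\n"
    b"   /CreationDate (D:20190115093000+05'30')\n"
    b"   /ModDate (D:20190114093000+05'30') >>\nendobj\n"
    b"trailer\n<< /Info 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    print(triage(SAMPLE_PDF))
```

A single offset is weak evidence on its own, since the producing software and the system clock both decide what gets written; the value only becomes meaningful when it is consistent across many decoys from the same cluster, which is how the report uses it.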