Malware à la Mode: Tracking Dropping Elephant Tradecraft Through a China-Themed Loader Chain

Executive summaryRapid7 researchers have identified a sophisticated malware campaign attributed to the threat actor "Dropping Elephant," characterized by the use of a China-themed decoy document to deliver a heavily reworked, in-memory remote access trojan (RAT). This campaign demonstrates advanced evasion techniques, including DLL side-loading with a legitimate Microsoft binary (Fondue.exe) and the use of "Donut" shellcode to map the RAT directly into memory, effectively bypassing traditional disk-based security controls.The revamped RAT significantly complicates detection by using control-flow flattening, runtime API reconstruction, and hardened C2 communications. Despite these modifications, Rapid7's deep analysis confirms this activity is a direct evolution of Dropping Elephant's tradecraft, based on shared beaconing patterns, screenshot logic, and command-handler structures. This discovery underscores the importance of proactive threat hunting and memory-level visibility in detecting modern, low-footprint implants.Rapid7 is actively monitoring the infrastructure and tradecraft associated with this actor so we can provide comprehensive protection and intelligence to our customers.Defenders should not rely on the IOCs alone. The most durable detection opportunities in this campaign are the behaviors: a shortcut file spawning PowerShell, files staged in C:\Users\Public\, a scheduled task named GoogleErrorReport executing every minute, and Fondue.exe loading APPWIZ.cpl from C:\Users\Public\ rather than a legitimate Windows directory.Because the final RAT is loaded directly into memory through Donut, defenders should also review whether their endpoint tooling can detect memory-resident payloads and security-control patching within a process, including AMSI, WLDP, and ETW tampering.OverviewDuring a proactive threat hunt, Rapid7 identified a malicious Windows shortcut that matched activity previously associated with Dropping Elephant. The shortcut used a China energy-sector contract lure and led to a payload chain that shared the family’s delivery patterns but ended in a substantially reworked RAT.The decoy document was a contract completion and acceptance notice for the GRES-3 project and referenced delivery of industrial seawater circulation pump systems. Because the final payload differed significantly from known samples, Rapid7 analyzed the chain from the initial shortcut through the final in-memory RAT.Luckily, during the analysis, the staging server was active which allowed us to download all attack artifacts. The recovered files use Fondue.exe, a legitimate Microsoft binary, to side-load a malicious loader. The loader decrypts an AES-wrapped payload stored on disk. The decrypted payload contains a Donut shellcode loader that embeds the final RAT and uses Chaskey block cipher as part of its payload protection scheme. Donut then decrypts the final 32-bit native RAT, maps it, and executes it in memory.We found that the final RAT differs significantly from older Dropping Elephant RAT samples. The malware uses control-flow flattening, runtime API reconstruction, and static CRT linking to complicate analysis. It also hardens C2 communications through HTTPS transport, Salsa20-protected C2 fields, and additional environment checks. Despite these changes, code-level comparison still identifies shared lineage with a Dropping Elephant RAT reference sample through command-handler structure, screenshot capture logic, WININET request flow, beaconing patterns, and repeated buffer constants.Technical analysis and observed attacker behavior Figure 1: Full delivery chain from LNK to in-memory RAT ⠀Stage 1: GRES3001.lnkThe attack starts when a user executes GRES3001.lnk, a malicious Windows shortcut disguised as a PDF. When opened, the shortcut spawns an obfuscated PowerShell downloader using conhost.exe. The PowerShell uses basic string-splitting obfuscation (e.g., iw''r, g''c''i, r''e''n, c''p''i, and &(g''cm sch*)) to evade keyword detection.The downloader connects to the staging server chinagreenenergy[.]org and retrieves the decoy GRES3001.pdf along with additional malware files. It immediately opens the China energy-sector lure document to distract the victim while staging the remaining payloads in the background. Figure 2: GRES3001.lnk structure showing conhost.exe proxy, Edge icon spoof, and embedded PowerShell downloader ⠀ Figure 3: GRES-3 contract completion decoy document used as victim lure ⠀Stage 2: Payload stagingSeveral payload files are downloaded with junk extensions such as .ezxzez, .cypyly, and .dzlzlz, then renamed by stripping filler characters to reconstruct Fondue.exe, APPWIZ.cpl, msvcp140.dll, and vcruntime140.dll in C:\Users\Public\. The encrypted payload editor.dat is written to the C:\Windows\Tasks\ folder.FilePathDescriptionSHAGRES3001.pdfC:\Users\Public\Decoy document56d656d684077e7b3231393f5464447cdc8eea81b6415c5f010bc52f0c8cb317Fondue.exeC:\Users\Public\Legitimate Microsoft side-loading hostb58351ead08db413ca499cfeb1b1091ed8bfd68f4089605e452fa01ed46f42b1APPWIZ.cplC:\Users\Public\Malicious loader DLL914da75a4ad6d70db856a2bc318d8828f28894622f017ee78d470b4794faafa6editor.datC:\Windows\Tasks\Base64 text wrapping AES-256-CBC ciphertexta5e448af73b0ff6b6fcfe6ef7808120e1fd7e5c4c9b4edd68e1c980e5ea3406bTable 1: Files retrieved from the stager server After staging the files, the script creates a scheduled task named GoogleErrorReport, configured to run Fondue.exe every minute. It then deletes the original shortcut, leaving the scheduled task to trigger the next execution stage through the Fondue.exe side-loading chain.&(gcm sch*) /create /Sc minute /tn GoogleErrorReport /tr "$b\Public\Fondue"Figure 4: Scheduled task creation command using gcm sch* obfuscationStage 3: DLL side-loadingThe Fondue.exe loads the malicious APPWIZ.cpl staged alongside it in the C:\Users\Public\ directory. The side-loaded APPWIZ.cpl exports RunFODW, the function expected by Fondue.exe. RunFODW serves as the loader entry point and continues the payload chain by reading and decrypting editor.dat.Stage 4: Encrypted payload and Donut loaderAPPWIZ.cpl sha256: 914da75a4ad6d70db856a2bc318d8828f28894622f017ee78d470b4794faafa6, original name for the metadata is bluetooth_callback.dll. Figure 5: APPWIZ.cpl PE metadata showing original filename bluetooth_callback.dll ⠀It reads editor.dat, Base64-decodes it, and decrypts the result with AES-256-CBC via Windows CNG (bcrypt.dll). The 32-byte key and 16-byte IV are assembled on the stack from immediate mov operands:KEY (32B): 1f1e1d1c1b1a101108090a0b0c0d0e0f00020405040102031011121415181611IV (16B): 000803030902060708090a0b0c0d0e0fThe loader maps the shellcode into an RWX memory region using VirtualAlloc followed by memcpy call. Then it transfers execution indirectly by passing the shellcode address as the callback argument to EnumUILanguagesW. Figure 6: EnumUILanguagesW callback proxy transferring execution to Donut shellcode ⠀The decrypted output is a Donut shellcode blob, not the final RAT. Donut uses Chaskey-CTR to protect the embedded PE, maps it in memory, resolves imports, applies relocations, and transfers execution without writing the RAT to disk. Before running the payload, Donut patches AMSI, WLDP, and ETW inside the current process, reducing in-memory scanning, code-integrity checks, and event telemetry for the unpacked RAT.The final payload is a native 32-bit C++ implant SHA 7099c33933716c00c1f4bdb0281c230b981c76b23d7d1c83abc6f58968267d54. It runs entirely in memory after the Donut stage maps it. At startup, the RAT first calls FreeConsole() to detach from any console so nothing shows up on screen. After that, it resolves its required APIs dynamically through a LoadLibrary / GetProcAddress loop. After API resolution, the RAT stages its crypto and builds C2 hostname, gcl-power[.]org. The cipher is Salsa20, and the key material is hardcoded. It is a 32-byte key tn9905083tfbsxqrxs7qe4ryw1nif8h1 with 8-byte nonce lPvymwIk. Next, it calls sub_40F4A0 subroutine which walks the running process list and checks each entry against a built-in list of debuggers, sandbox tools, and VM artifacts. During debugging, we observed the process scan, however, the implant continued normally, without killing security processes.Both the process scan and public-IP geolocation check executed during dynamic testing without triggering self-termination. The RAT still reported the full process list in the mkeoldkf beacon field, exposing debuggers, sandbox tools, and other analysis artifacts to the operator.After process scan, the malware creates a mutex “kshdkfhskdfjkhsdkfhsjkdfhkj” to prevent reinfection and reduce duplicate-process noise. Finally, the RAT fingerprints the host, derives its bot ID, and enters sub_415750(), where it begins polling for commands from the C2 server. Unfortunately, during the analysis the C2 was already down.Host fingerprintingBefore beaconing, the RAT collects seven fields describing the victim host and packs them into the registration POST body:FieldMeaningumnomeUsernamepmjodfComputer nameidkdfjejBot ID / cidvrjdmejOS versionndlpeipPublic IP and countrycokenmeCountrymkeoldkfFull running-process listTable 2: RAT registration beacon fields and their meaningDuring fingerprinting, the RAT makes a one-time call to api.ipify.org to learn the host's own public IP, then passes that IP to ip2c.org to resolve the country. The user-agent used in the recon phase is Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 . The bot ID is not hardcoded. It is derived at runtime from the host and submitted in the idkdfjej field. Each field is independently wrapped as base64url(Salsa20(base64url(value))).Command and controlThe RAT periodically sends HTTPS POST requests to the C2 server on port 443 (INTERNET_FLAG_SECURE). It uses a 23-character token, RRn926EmIRfm9IlJyP1yVO2 for C2 traffic to gcl-power[.]org. Each beacon loop iteration follows the same pattern:POSTs dine=<cid> to the command-poll endpoint /prjozifvkpkfhkr/gedhagammgjvvva/;blocks on InternetReadFile while waiting for a task;treats MMMMM==YYYYY as the idle sentinel, sleeps for approximately three seconds, and re-polls;C2 tasks are wrapped in  < > ( ) * delimiters. The RAT strips these characters and decodes the payload back to the original command using base64url(Salsa20(base64url(value))) again. Figure 7: RAT beacon loop showing connectivity check, command poll, and idle sentinel handling ⠀Each cycle, the RAT first confirms the host is actually online by quietly pinging google.com, yahoo.com, and cloudflare.com. Only if that succeeds does it beacon to its C2. When all's well it checks in every 10 seconds and if a check-in fails it retries every 2 seconds, until it recovers.Operator capabilitiesDuring our analysis we confirmed 5 command handlers.TokenCapabilityBehaviorflDirectory listingRecursively enumerates filesdwDownload and executeFetches a file, writes it to disk, and runs itscScreenshotCaptures the virtual screen with BitBlt, encodes it with WIC, and exfiltrates it to a dedicated endpoint. This behavior is command-gated, not periodic.cmxShell executionRuns cmd.exe /c chcp 65001 | <cmd> and captures stdoutufFile uploadExfiltrates a specified fileTable 3: Confirmed RAT command handlers with dispatch tokens and behaviorThe RAT identifies tasks by looking for command tokens in the C2 response. Each token is followed by the delimiter ==zz==oo==pp==. For example, fl==zz==oo==pp== tells the RAT to run the file-listing handler.Anti-analysis The RAT uses several anti-analysis techniques, including control-flow flattening, opaque predicates, dynamic API resolution, stack-built strings, static CRT linking, process blacklist checks, CPUID hypervisor checks, VM artifact checks, and public-IP geolocation checks. Figure 8: Control-flow flattening dispatcher skeleton in decompiler output ⠀During dynamic testing, the process scan and public-IP geolocation checks are executed without triggering self-termination. The RAT built its registration beacon with the full process list in the mkeoldkf field and attempted to send it to gcl-power[.]org. The connection returned HTTP 522, so the beacon did not reach the origin server during testing. Based on this run, we can confirm the environment checks and reporting behavior. Unfortunately, we cannot determine whether the operator would have killed the session, continued tasking, or taken another action after receiving the process list. The full list of processes and security tools cancould be found in the IOCs section below.Attribution To test whether the RAT delivered by Donut was related to Dropping Elephant, we compared it with a known family sample documented by Arctic Wolf in July 2025: SHA-256 8b6acc087e403b913254dd7d99f09136dc54fa45cf3029a8566151120d34d1c2. That report provides the family context for the reference sample.BinDiff produced low signal, with 8.6% overall similarity. We do not treat this as evidence against shared lineage. The new sample uses control-flow flattening, which changes the control-flow graph structure that BinDiff depends on. Therefore we also compared the samples with Diaphora, using pseudocode and AST-level features less affected by control-flow flattening.Diaphora identified four function-level overlaps that pointed to a shared code usage.FunctionalityShared traitsCommand executionSimilar allocation, encoding, formatting, and POST structure; repeated use of the 0x2710 buffer constantScreenshot handlingSame GDI screenshot pattern, including GetSystemMetrics values 78 and 79 and BitBlt with 0xCC0020; the newer sample uses WIC instead of GDI+ for encodingC2 connectionSame WININET request flow: open, connect, open request, send request, read response; the newer sample moves from HTTP to HTTPS with INTERNET_FLAG_SECUREShell executionShared hidden-window execution and cmd.exe /c chcp 65001 output-capture patternTable 4: Code-level overlaps between editor.extracted.exe and old_rat.exe identified by DiaphoraThe LNK lure and delivery chain also resemble prior Dropping Elephant reporting, including PowerShell staging, legitimate binary abuse, scheduled task persistence, extension manipulation during downloads, and DLL side-loading. These overlaps supported the initial hypothesis, but the payload comparison provides the primary evidence for the lineage assessment.Mitigation guidanceMITRE ATT&CK techniquesTacticTechniqueObservableInitial AccessPhishing: Spearphishing Attachment [T1566.001]Malicious GRES3001.lnk used as the initial lure artifact; no email artifact recoveredExecutionUser Execution: Malicious File [T1204.002]User opens GRES3001.lnkExecutionCommand and Scripting Interpreter: PowerShell [T1059.001]LNK launches conhost.exe, which starts the PowerShell downloaderExecutionCommand and Scripting Interpreter: Windows Command Shell [T1059.003]RAT cmx handler runs cmd.exe /c chcp 65001 | <cmd>PersistenceScheduled Task/Job: Scheduled Task [T1053.005]GoogleErrorReport runs C:\Users\Public\Fondue.exe every minuteDefense EvasionHijack Execution Flow: DLL Side-Loading [T1574.002]Fondue.exe loads the malicious APPWIZ.cpl staged alongside itDefense EvasionMasquerading: Match Legitimate Name or Location [T1036.005]Edge icon spoofing, GoogleErrorReport task name, staging in C:\Users\Public\Defense EvasionObfuscated Files or Information [T1027]Junk file extensions, string splitting, encrypted payload container, encoded C2 fieldsDefense EvasionReflective Code Loading [T1620]Donut maps the final PE in memory without writing it to diskDefense EvasionImpair Defenses: Disable or Modify Tools [T1562.001]Donut patches in-process AMSI and WLDP functions before payload executionDefense EvasionVirtualization/Sandbox Evasion: System Checks [T1497.001]CPUID, VM artifact, process blacklist, and public-IP geolocation checksDiscoveryProcess Discovery [T1057]RAT enumerates running processes and sends the process list in mkeoldkfDiscoverySystem Information Discovery [T1082]RAT collects username, computer name, OS version, and host profile fieldsDiscoverySystem Network Configuration Discovery [T1016]RAT obtains public IP through api.ipify.orgDiscoverySystem Location Discovery [T1614]RAT queries ip2c.org for country/geolocationDiscoveryFile and Directory Discovery [T1083]fl handler enumerates filesCollectionScreen Capture [T1113]sc handler captures the virtual screen with BitBlt and encodes it with WICCollectionData from Local System [T1005]uf handler exfiltrates files; fl handler lists local filesCommand and ControlApplication Layer Protocol: Web Protocols [T1071.001]HTTPS C2 traffic to gcl-power[.]orgCommand and ControlData Encoding: Standard Encoding [T1132.001]C2 fields use Base64 wrappingCommand and ControlEncrypted Channel: Symmetric Cryptography [T1573.001]C2 field content is protected with Salsa20Command and ControlIngress Tool Transfer [T1105]Initial staging downloads and dw download-and-execute capabilityExfiltrationExfiltration Over C2 Channel [T1041]Host fingerprinting, screenshots, command output, and files leave over the C2 channelIndicators of compromise (IOCs)File hashesSHA-256FileCommenta8ecbd9c049044ca4990a0e5960d19ce782a3b42d7763e9693d7c91ead24a0b7GRES3001.lnkInitial-access shortcut; launches conhost.exe → PowerShell downloader56d656d684077e7b3231393f5464447cdc8eea81b6415c5f010bc52f0c8cb317GRES3001.pdfDecoy lure documentb58351ead08db413ca499cfeb1b1091ed8bfd68f4089605e452fa01ed46f42b1Fondue.exeLegitimate Microsoft side-loading host914da75a4ad6d70db856a2bc318d8828f28894622f017ee78d470b4794faafa6APPWIZ.cplMalicious side-loaded loader; exports RunFODW718812adb0d669eea9606432202371e358c7de6cdeafeddad222c36ae0d3f263msvcp140.dllBundled VC++ runtime; verify against known-good09d1e604e8cdd06176fcc3d3698861be20638a4391f9f2d9e23f868c1576ca94vcruntime140.dllBundled VC++ runtime; verify against known-gooda5e448af73b0ff6b6fcfe6ef7808120e1fd7e5c4c9b4edd68e1c980e5ea3406beditor.datBase64-wrapped AES-256-CBC encrypted payload fileecab0e747bff16a1163bbd9bb494e68dd4d7ca655ac7279bd4dd73221f7df57ceditor.decrypted.binAES-decrypted Donut loader blob7099c33933716c00c1f4bdb0281c230b981c76b23d7d1c83abc6f58968267d54editor.extracted.exeFinal RAT, carved from memoryNetwork indicatorsIndicatorTypeNoteschinagreenenergy.orgDomainStaging and delivery serverhttps://chinagreenenergy.org/doc/35566/SXxlsURLDecoy PDF downloadhttps://chinagreenenergy.org/doc/list/load-list/dfe87bbc-53e0-489f-a9e6-ab8f4be47cb9URLFondue.exe downloadhttps://chinagreenenergy.org/doc/list/load-list/8daaa3e4-c85e-40c1-a2a2-94679e94c417URLAPPWIZ.cpl downloadhttps://chinagreenenergy.org/doc/list/load-list/ecdc6b92-62b5-4acd-99f2-af09902938e1URLmsvcp140.dll downloadhttps://chinagreenenergy.org/doc/list/load-list/e7477b17-45f0-420b-b2b1-811d4c1556eaURLvcruntime140.dll downloadhttps://chinagreenenergy.org/doc/list/load-list/000bd4a8-814d-414c-8be8-f0c77a9c7e1eURLeditor.dat downloadgcl-power.orgDomainOperational C2 over HTTPS/443/prjozifvkpkfhkr/URI pathRegistration / check-in/prjozifvkpkfhkr/gedhagammgjvvva/URI pathCommand polling endpoint/prjozifvkpkfhkr/spxbjdhxtapivrk/URI pathScreenshot exfiltration endpointapi.ipify.orgDomainPublic-IP lookup used during host fingerprintingip2c.orgDomainGeolocation lookup used during host fingerprintingConclusionThe campaign analyzed in this blog demonstrates continued Dropping Elephant operational investment and tooling development. The actor reused recognizable delivery patterns, including a China-themed lure, PowerShell-based staging, scheduled task persistence, shortcut-based execution, and DLL side-loading through a trusted Microsoft binary. At the same time, it evolved the final payload into a more evasive, memory-resident implant.The final RAT represents a notable evolution from previously documented Dropping Elephant tooling. It executes entirely in memory, patches AMSI, WLDP, and ETW before running, and incorporates additional obfuscation and anti-analysis techniques that make detection and analysis more difficult.For defenders, the practical takeaway is that Dropping Elephant’s tooling may be changing faster than its operational approach. Hashes, filenames, and infrastructure are likely to change across campaigns, but the path into execution still creates opportunities to detect and disrupt the activity before the final implant runs.Article TagsMalwareLabsAnna ŠirokovaAuthor PostsRelated blog postsThreat ResearchWhen IT Support Calls: Dissecting a ModeloRAT Campaign from Teams to Domain CompromiseAnna ŠirokovaThreat ResearchKyber Ransomware Double Trouble: Windows and ESXi Attacks ExplainedAnna ŠirokovaThreat ResearchThe Chrysalis Backdoor: A Deep Dive into Lotus Blossom’s toolkitIvan FeiglThreat ResearchInside Russian Market: Uncovering the Botnet EmpireAlexandra Blia, Maor WeinbergerSee all posts