In-Memory Evasion: Deconstructing the “Dropping Elephant” China-Themed Loader Chain

A sophisticated threat actor, tracked as “Dropping Elephant,” has deployed a highly evolved campaign characterized by the use of China-themed decoy documents and a heavily restructured, in-memory Remote Access Trojan (RAT). This campaign represents a significant shift toward stealth-centric execution, moving away from traditional disk-based persistence in favor of sophisticated memory-resident maneuvers.

The intrusion chain is a masterclass in hybrid exploitation, blending “Living-off-the-Land” (LotL) techniques with modern in-memory execution. The attack vector begins with an LNK shortcut that spawns an obfuscated PowerShell downloader. This downloader stages its artifacts in C:\Users\Public before initiating a DLL side-loading sequence. Specifically, the actor leverages a legitimate Microsoft binary, Fondue.exe, to bootstrap a custom loader. This loader decrypts and executes a Donut shellcode blob, which maps the final RAT directly into memory. By bypassing the traditional file-write process for the final implant, the actor achieves a low-footprint execution profile designed to evade disk-oriented EDR detection and complicate static analysis.

The initial lure is meticulously crafted: a GRES-3 contract completion document. This serves as a believable decoy targeting the energy sector, while a background process retrieves secondary payloads from the domain chinagreenenergy[.]org. To further obfuscate the presence of malicious tools, attackers use junk file extensions and renaming tactics to reconstruct Fondue.exe, APPWIZ.cpl, and various runtime libraries within the public user profile.

Persistence is maintained via a scheduled task named GoogleErrorReport. Configured to execute every minute, the task triggers Fondue.exe, which is then coerced into loading a malicious version of APPWIZ.cpl from the non-standard C:\Users\Public directory—a critical behavioral indicator for defenders.

The APPWIZ.cpl file acts as the primary on-disk loader. It performs a Base64 decoding of an AES-256-CBC ciphertext stored as editor.dat in C:\Windows\Tasks. By assembling the key and IV directly on the stack, it decrypts the Donut shellcode payload.

Figure 1: APPWIZ.cpl PE metadata revealing the deceptive original filename: bluetooth_callback.dll (Source: Rapid7).

Once the Donut shellcode is active, it maps the 32-bit native RAT into RWX (Read-Write-Execute) memory. It handles import resolution and applies relocations autonomously, transferring execution to the RAT without ever dropping the implant to the disk. Crucially, before handing over control, the Donut framework actively patches AMSI (Antimalware Scan Interface), WLDP (Windows Lockdown Policy), and ETW (Event Tracing for Windows) hooks in-process, effectively blinding common telemetry mechanisms.

The China-Themed Loader Chain: Advanced Hardening

The final RAT payload demonstrates professional-grade anti-analysis measures. To frustrate reverse engineers, the code employs control-flow flattening, runtime API reconstruction via LoadLibrary/GetProcAddress loops, and opaque predicates. It also utilizes static CRT linking and performs rigorous environmental checks, including process/VM artifact detection, CPUID hypervisor probes, and public-IP geolocation gating to ensure the malware is running on a legitimate target rather than a sandbox.

Figure 2: The complete delivery chain, from the initial LNK execution to the final in-memory RAT (Source: Rapid7).

Network communications are equally hardened. Command-and-control (C2) beaconing occurs over HTTPS to gcl-power[.]org, utilizing a Salsa20-encrypted payload envelope and a unique 23-character token. During the reconnaissance phase, the implant assembles a detailed host fingerprint—including username, OS version, public IP, and a complete process list—wrapped in a complex base64url(Salsa20(base64url(value))) encoding scheme. Observed operator capabilities include directory enumeration, remote execution, WIC-encoded screenshots, and file exfiltration.

Despite significant code rework intended to bypass signature-based detection, Rapid7’s analysis successfully linked this sample to the “Dropping Elephant” lineage. This attribution was made via AST-level (Abstract Syntax Tree) comparisons of command-handler structures, repeated buffer constants, and shared WININET request flows.

Figure 3: The RAT beaconing loop, detailing the connectivity check, command polling, and idle sentinel logic (Source: Rapid7).

Defensive Recommendations

Defenders should pivot from static IOCs toward behavioral detection. Priority should be given to monitoring for:

• LNK files spawning obfuscated PowerShell processes.
• Unexpected file staging in C:\Users\Public.
• High-frequency scheduled tasks (e.g., GoogleErrorReport).
• Legitimate binaries (like Fondue.exe) loading unexpected DLLs or .cpl files from non-standard paths.
• Telemetry gaps indicating the tampering of AMSI or ETW.

Indicators of Compromise (IOCs)