
Unidentified 125 (RAT, Dropping Elephant)

2 aliases
Last seen: Jun 27, 2026

Intelligence Profile

According to Rapid7, this RAT loaded by Donut is a native 32-bit C++ remote access implant that is mapped and executed entirely in memory by a shellcode-based loader. It features extensive obfuscation and stealth characteristics, including control-flow flattening, dynamic API resolution, static CRT linking, and multiple anti-analysis checks for debuggers, sandboxes, virtualized environments, and geolocation. The malware fingerprints the host by collecting system and user information plus a full process list, then communicates with its command-and-control over HTTPS with fields protected using Salsa20-based encryption and layered encoding. Its core capabilities include recursive directory listing, downloading and executing additional payloads, interactive shell command execution, on-demand screenshot capture, and exfiltration of arbitrary files.

Threat Analysis

Unidentified 125 (RAT, Dropping Elephant) is an advanced-sophistication threat actor of undetermined national origin, engaged in cyber operations with a primary motivation of espionage.

The group's espionage-oriented operations suggest a state-sponsored or state-aligned mandate, typically focused on stealing intellectual property, government secrets, or military intelligence. Targets are usually selected for strategic value rather than financial gain.

Classified as an advanced threat actor, Unidentified 125 (RAT, Dropping Elephant) likely develops or acquires zero-day exploits, employs custom malware toolchains, and demonstrates long-term persistence capabilities — hallmarks of a well-resourced operation consistent with nation-state backing.

Quick Facts

Type: APT / Threat Group
Motivation: 🕵️ espionage
Sophistication: advanced
Aliases: 2

Also Known As

win.unidentified_125
Unidentified 125 (RAT, Dropping Elephant)

External Intelligence

Malpedia: win.unidentified_125

Data sourced from Malpedia, Ransomware.live, RansomLook, and CTIWATCH OSINT collection. Actor attribution is based on available intelligence and may be incomplete.