Unidentified 125 (RAT, Dropping Elephant)
Intelligence Profile
According to Rapid7, this RAT loaded by Donut is a native 32-bit C++ remote access implant that is mapped and executed entirely in memory by a shellcode-based loader. It features extensive obfuscation and stealth characteristics, including control-flow flattening, dynamic API resolution, static CRT linking, and multiple anti-analysis checks for debuggers, sandboxes, virtualized environments, and geolocation. The malware fingerprints the host by collecting system and user information plus a full process list, then communicates with its command-and-control over HTTPS with fields protected using Salsa20-based encryption and layered encoding. Its core capabilities include recursive directory listing, downloading and executing additional payloads, interactive shell command execution, on-demand screenshot capture, and exfiltration of arbitrary files.
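The profile above says C2 fields are protected with Salsa20 and then wrapped in additional encoding layers. The block below is an added illustration of that scheme, not Rapid7's analysis code and not the implant's own code: it implements Salsa20/20 from the public specification (so it runs offline with no dependencies) and wraps it in a single assumed outer layer (URL-safe base64). The key, nonce, field contents and encoding order are constructed for the example; the page does not publish the implant's real key material or the exact layering.

```python
"""Illustrative Salsa20 field protection (added example, not from the page).

Salsa20/20 is implemented from Bernstein's public specification. The key,
nonce, sample beacon fields and the base64 outer layer are ASSUMPTIONS for
illustration only; the implant's real parameters are not on the page.
"""
import base64
import struct

MASK32 = 0xFFFFFFFF
SIGMA = b"expand 32-byte k"  # Salsa20 constant words for 256-bit keys

# Quarterround groupings from the spec: columnround then rowround.
COLUMN_GROUPS = ((0, 4, 8, 12), (5, 9, 13, 1), (10, 14, 2, 6), (15, 3, 7, 11))
ROW_GROUPS = ((0, 1, 2, 3), (5, 6, 7, 4), (10, 11, 8, 9), (15, 12, 13, 14))


def rotl32(v, n):
    """Rotate a 32-bit word left by n bits (input is masked first)."""
    v &= MASK32
    return ((v << n) | (v >> (32 - n))) & MASK32


def quarterround(y0, y1, y2, y3):
    """Salsa20 quarterround (spec section 3)."""
    z1 = y1 ^ rotl32(y0 + y3, 7)
    z2 = y2 ^ rotl32(z1 + y0, 9)
    z3 = y3 ^ rotl32(z2 + z1, 13)
    z0 = y0 ^ rotl32(z3 + z2, 18)
    return z0, z1, z2, z3


def _apply(state, groups):
    s = list(state)
    for a, b, c, d in groups:
        s[a], s[b], s[c], s[d] = quarterround(s[a], s[b], s[c], s[d])
    return s


def salsa20_core(words):
    """Salsa20/20 hash: 10 double rounds, then add the input words back."""
    x = list(words)
    for _ in range(10):
        x = _apply(x, COLUMN_GROUPS)
        x = _apply(x, ROW_GROUPS)
    return [(a + b) & MASK32 for a, b in zip(x, words)]


def salsa20_block(key, nonce, counter):
    """One 64-byte keystream block for a 32-byte key, 8-byte nonce, 64-bit counter."""
    if len(key) != 32 or len(nonce) != 8:
        raise ValueError("Salsa20 needs a 32-byte key and an 8-byte nonce")
    k = struct.unpack("<8I", key)
    n = struct.unpack("<2I", nonce)
    c = (counter & MASK32, (counter >> 32) & MASK32)
    s = struct.unpack("<4I", SIGMA)
    # Expansion layout: sigma0 k0..k3 sigma1 nonce counter sigma2 k4..k7 sigma3
    state = [s[0], *k[:4], s[1], *n, *c, s[2], *k[4:], s[3]]
    return struct.pack("<16I", *salsa20_core(state))


def salsa20_xor(key, nonce, data):
    """Encrypt or decrypt (same operation) by XORing with the keystream."""
    out = bytearray()
    for i in range(0, len(data), 64):
        ks = salsa20_block(key, nonce, i // 64)
        out += bytes(a ^ b for a, b in zip(data[i:i + 64], ks))
    return bytes(out)


def protect_field(key, nonce, value):
    """Inner layer: Salsa20. Outer layer: URL-safe base64 (ASSUMED encoding)."""
    return base64.urlsafe_b64encode(salsa20_xor(key, nonce, value)).decode()


def unprotect_field(key, nonce, encoded):
    """Reverse the layers: base64-decode, then Salsa20-decrypt."""
    return salsa20_xor(key, nonce, base64.urlsafe_b64decode(encoded))


def demo():
    """Constructed beacon fields; returns (encoded, decoded) for inspection."""
    key = bytes(range(32))          # constructed test key
    nonce = b"\x00" * 8             # constructed nonce (one per field in practice)
    fingerprint = b"host=WIN-TEST;user=analyst;procs=explorer.exe,cmd.exe"
    encoded = protect_field(key, nonce, fingerprint)
    return encoded, unprotect_field(key, nonce, encoded)


if __name__ == "__main__":
    enc, dec = demo()
    print(enc)
    print(dec)
```

When writing a decoder for a captured sample, strip the outer encoding layers first and only then apply the stream cipher; also note that Salsa20 provides no integrity, so a decrypted field that fails to parse usually means the wrong key or nonce rather than tampering.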
Threat Analysis
Unidentified 125 is a RAT attributed to Dropping Elephant, an advanced-sophistication threat actor of undetermined national origin engaged in cyber operations whose primary motivation is espionage.
The group's espionage-oriented operations suggest a state-sponsored or state-aligned mandate, typically focused on stealing intellectual property, government secrets, or military intelligence. Targets are usually selected for strategic value rather than financial gain.
Classified as an advanced threat actor, Dropping Elephant likely develops or acquires zero-day exploits, employs custom malware toolchains, and demonstrates long-term persistence capabilities, hallmarks of a well-resourced operation consistent with nation-state backing.