A well-known threat actor called Dropping Elephant has returned with a refined and more dangerous campaign, using a China-themed lure document to drop a reworked remote access trojan (RAT) onto victim machines.
The attack is designed to stay hidden, avoid detection tools, and give the attacker full control over compromised systems. What makes this campaign stand out is how deeply the attackers updated their methods while keeping their recognizable core tradecraft intact.
The campaign starts with a malicious Windows shortcut file named GRES3001.lnk, disguised as a PDF related to an industrial energy contract.
When a victim opens the file, it quietly launches a PowerShell script that downloads additional malware from a staging server at chinagreenenergy[.]org. A decoy document about a GRES-3 seawater pump contract is shown to the victim while the attack continues in the background.
Researchers from Rapid7 identified this campaign during a proactive threat hunt and published a report shared with Cyber Security News (CSN).
Their analysis confirmed this activity as a direct evolution of Dropping Elephant’s tradecraft, noting overlaps in delivery patterns, screenshot logic, beaconing behavior, and command-handler structure.
Full delivery chain from LNK to in-memory RAT (Source – Rapid7)
The researchers were also able to download all attack artifacts since the staging server was still active at the time of analysis.
The downloaded files include a legitimate Microsoft binary called Fondue.exe, which is used to side-load a malicious loader disguised as APPWIZ.cpl.
That loader decrypts an encrypted file called editor.dat and passes the result to a Donut shellcode loader, which maps the final RAT directly into memory without writing it to disk. Loading the payload entirely in memory allows the attackers to sidestep most traditional file-based detection methods.
Once active, the RAT fingerprints the victim machine and connects to a command-and-control server at gcl-power[.]org over encrypted HTTPS traffic on port 443.
GRES3001.lnk structure showing conhost.exe proxy, Edge icon spoof, and embedded PowerShell downloader (Source – Rapid7)
It checks in every 10 seconds and is capable of running commands, listing files, capturing screenshots, uploading files, and downloading additional tools. This level of access gives the operator full visibility and control over the infected host.
Hackers Use GoogleErrorReport Scheduled Task for Persistence
After staging all necessary files in the C:\Users\Public\ folder, the PowerShell script creates a scheduled task named GoogleErrorReport.
This task is configured to run Fondue.exe every minute, ensuring the malware restarts automatically and stays active even if interrupted.
The name GoogleErrorReport is deliberately chosen to blend in with normal system activity and avoid raising suspicion.
RAT beacon loop showing connectivity check, command poll, and idle sentinel handling (Source – Rapid7)
The script then deletes the original shortcut file, removing the most visible trace of the initial infection.
From that point, the scheduled task becomes the sole persistence mechanism, repeatedly triggering the DLL side-loading chain that loads the RAT into memory.
Rapid7 noted that defenders should watch for a scheduled task by this exact name running binaries from C:\Users\Public, as it is one of the clearest detection opportunities in this campaign.
Advanced Evasion and Anti-Analysis Capabilities
The final RAT is designed to frustrate security researchers and bypass detection tools.
It uses control-flow flattening to scramble code structure, checks for processes tied to debuggers and sandboxes, resolves its API functions at runtime, and patches Windows security features including AMSI, WLDP, and ETW before executing its payload.
These layers of evasion make both static and dynamic analysis significantly harder. Before connecting to its C2 server, the RAT quietly pings google.com, yahoo.com, and cloudflare.com to confirm internet access.
It checks the host’s public IP through api.ipify.org and uses ip2c.org to identify the victim’s country. All communication is encrypted with the Salsa20 cipher and wrapped in Base64 encoding, making intercepted traffic very difficult to analyze.
Rapid7 recommends defenders avoid relying solely on IOCs, since hashes, filenames, and infrastructure are likely to shift across campaigns.
Control-flow flattening dispatcher skeleton in decompiler output (Source – Rapid7)
Instead, teams should focus on behavioral signals such as shortcut files spawning PowerShell, files staged in C:\Users\Public, and any scheduled task named GoogleErrorReport running binaries outside a legitimate Windows directory.
Endpoint tools should also be reviewed for their ability to detect memory-resident payloads and in-process tampering with controls like AMSI and ETW.
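A defender-side triage of the behavioural signals listed above (shortcut-driven PowerShell, the GoogleErrorReport task, binaries staged under C:\Users\Public), written as an added example that is not part of Rapid7's report or the campaign's own code. The event records are constructed, and the dict keys, trusted-directory list and rule names are this example's own assumptions rather than any product's schema:

```python
"""Behavioural triage of constructed Windows telemetry for the signals Rapid7
recommends above. Added example; not Rapid7's or the campaign's code."""
import re

TASK_NAME = "GoogleErrorReport"   # exact task name reported for this campaign
PUBLIC_DIR = "c:\\users\\public\\"  # staging folder named in the article
# Directories where a legitimately scheduled binary is expected to live (assumed list).
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Constructed sample events, modelled loosely on Sysmon process-create and Security 4698
# task-creation records; the keys are this example's own schema, not a real product's.
SAMPLE_EVENTS = [
    # conhost.exe proxying PowerShell: normally conhost is PowerShell's child, not its parent.
    {"kind": "process", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "parent": "C:\\Windows\\System32\\conhost.exe", "parent_cmdline": "conhost.exe"},
    {"kind": "task", "task_name": "GoogleErrorReport", "action": "C:\\Users\\Public\\Fondue.exe"},
    {"kind": "task", "task_name": "NightlyBackup",
     "action": "\"C:\\Program Files\\Backup\\backup.exe\" --nightly"},
    {"kind": "process", "image": "C:\\Users\\Public\\Fondue.exe",
     "parent": "C:\\Windows\\System32\\svchost.exe", "parent_cmdline": "svchost.exe -k netsvcs -s Schedule"},
    {"kind": "process", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "parent": "C:\\Windows\\explorer.exe", "parent_cmdline": "explorer.exe"},
]

def exe_path(cmdline):
    """Lower-cased executable path at the head of a (possibly quoted) command line."""
    m = re.match(r'\s*(?:"([^"]+)"|(\S+))', cmdline)
    return ((m.group(1) or m.group(2)) if m else "").lower()

def triage(events):
    """Return (severity, rule, detail) tuples for the behaviours the article names."""
    findings = []
    for ev in events:
        if ev["kind"] == "task":
            exe = exe_path(ev["action"])
            if ev["task_name"] == TASK_NAME:
                findings.append(("high", "task-name-googleerrorreport", ev["task_name"]))
            if exe.startswith(PUBLIC_DIR):
                findings.append(("high", "task-runs-from-users-public", exe))
            elif not exe.startswith(TRUSTED_DIRS):
                findings.append(("medium", "task-runs-outside-trusted-dirs", exe))
        elif ev["kind"] == "process":
            image, parent = ev["image"].lower(), ev["parent"].lower()
            lnk_chain = parent.endswith("conhost.exe") or ".lnk" in ev["parent_cmdline"].lower()
            if image.endswith("powershell.exe") and lnk_chain:
                findings.append(("high", "shortcut-spawns-powershell", ev["parent_cmdline"]))
            if image.startswith(PUBLIC_DIR):
                findings.append(("medium", "process-from-users-public", image))
    return findings
```

Running triage(SAMPLE_EVENTS) flags the conhost-parented PowerShell, the GoogleErrorReport task twice (name and C:\Users\Public action) and the Fondue.exe launch from C:\Users\Public, while the benign backup task and the explorer-launched PowerShell produce nothing.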
Indicators of Compromise (IoCs):
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
The post Hackers Use GoogleErrorReport Scheduled Task for Persistence in Dropping Elephant Campaign appeared first on Cyber Security News.