Security Affairs
FBI: TeamPCP Compromised Dev Tools to Steal Cloud Credentials|Pegasus Used Against MEP Investigating Pegasus, Citizen Lab Finds|JADEPUFFER: First End-to-End AI-Driven Ransomware Operation|The Anatomy of a Shadow AI Supply-Chain Breach: Lessons from the 2026 Vercel Incident|Law enforcememt operation disrupted Malicious Residential Proxy Networks NetNut|Government and Healthcare Are the Weakest Links in Global Email Security|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|FBI: TeamPCP Compromised Dev Tools to Steal Cloud Credentials|Pegasus Used Against MEP Investigating Pegasus, Citizen Lab Finds|JADEPUFFER: First End-to-End AI-Driven Ransomware Operation|The Anatomy of a Shadow AI Supply-Chain Breach: Lessons from the 2026 Vercel Incident|Law enforcememt operation disrupted Malicious Residential Proxy Networks NetNut|Government and Healthcare Are the Weakest Links in Global Email Security|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|
Advertisement

Ad Placeholder

Full Width × 90

APT

LUCKY ELEPHANT campaign targets South Asian governments

The NETSCOUT Threat Intelligence team uncovered a credential harvesting campaign tracked as LUCKY ELEPHANT targeting mostly South Asian governments. Security experts at NETSCOUT Threat Intelligence team uncovered a credential harvesting campaign, tracked as LUCKY ELEPHANT, targeting mostly South Asian governments. The campaign was discovered in early March 2019, threat actors behind the LUCKY ELEPHANT campaign […]

lucky elephant campaign

The NETSCOUT Threat Intelligence team uncovered a credential harvesting campaign tracked as
LUCKY ELEPHANT targeting mostly South Asian governments.

Security experts at NETSCOUT Threat Intelligence team uncovered a credential harvesting campaign, tracked as LUCKY ELEPHANT, targeting mostly South Asian governments.

The campaign was discovered in early March 2019, threat actors behind the LUCKY ELEPHANT campaign use doppelganger webpages to mimic legitimate entities such as foreign governments, telecommunications, and military.

lucky elephant campaign

The attacks started at least since February 2019, the hackers attempted to trick victims into providing login credentials.  The attackers registered the doppelgangers with various top-level domains (TLD), especially those that protect registrant anonymity. 

According to the experts, threat actors carried out a phishing campaign to lure victims to the websites and provide their credentials, at the time of writing the researchers did not detect any malware associated with
LUCKY ELEPHANT campaign.

The list of the organizations mimicked by hackers includes entities in Pakistan, Bangladesh, Sri Lankan, Maldives, Myanmar, and Nepal.

According to the ASERT, the LUCKY ELEPHANT campaign was carried out by an Indian APT group.  

“The targets are typical of known Indian APT activity and the infrastructure was previously used by an Indian APT group.  Phishing and credential theft are commonly observed with Indian targeting in-region.” continues the analysis.

“One of the IP addresses, 128.127.105[.]13, was previously used by the DoNot Team (aka APT-C-35), a suspected Indian APT group.  DoNot Team has a history of heavily targeting Pakistan, in addition to other neighboring countries.”

Experts discovered two active IP addresses (128.127.105[.]13 and 179.43.169[.]20) involved in the attacks,  monitoring them the researchers uncovered new doppelganger domains used by the threat actors.

Below the key findings published by the experts:

  • ASERT uncovered a credential theft campaign we call LUCKY ELEPHANT where attackers masquerade as legitimate entities such as foreign government, telecommunications, and military.
  • The doppelganger webpages primary purpose is to gather login credentials; we have not observed malware payloads associated with the campaign.
  • One IP address used in the LUCKY ELEPHANT campaign was previously used by the suspected Indian APT DoNot Team; and at least one of the domains used for credential harvesting was previously attributed to a Chinese APT group.

“The actors behind LUCKY ELEPHANT recognize the effectiveness and use doppelganger webpages nearly identical to legitimate sites, enticing users to input their credentials. It is unclear exactly how effective and widespread this campaign is at gathering credentials, as well as how any compromised credentials are being used.” concludes ASERT.

“However, it is clear is that the actors are actively establishing infrastructure and are targeting governments in South Asia.”

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – LUCKY ELEPHANT, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]