Dropping Elephant Delivers In-Memory RAT via China-Themed Lure and Fondue.exe DLL Side-Loading
Rapid7 researchers identified a sophisticated campaign by the Dropping Elephant threat actor using a China energy-sector decoy and DLL side-loading via a legitimate Microsoft binary to deliver a heavily reworked in-memory RAT.

Rapid7 researchers have uncovered a sophisticated malware campaign attributed to the threat actor "Dropping Elephant," which leverages a China-themed decoy document to deliver a heavily reworked, fileless remote access trojan (RAT). The attack chain demonstrates advanced evasion techniques, including DLL side-loading through the legitimate Microsoft binary Fondue.exe and the use of Donut shellcode to map the RAT directly into memory, effectively bypassing traditional disk-based security controls.
The campaign begins when a victim opens a malicious Windows shortcut disguised as a PDF, labeled GRES3001.lnk. The shortcut spawns an obfuscated PowerShell downloader via conhost.exe, which connects to a staging server at chinagreenenergy[.]org. The downloader retrieves a decoy document — a contract completion notice for the GRES-3 project involving industrial seawater circulation pump systems — along with several payload files. The decoy PDF is immediately opened to distract the user while the remaining files are staged in the C:\Users\Public\ folder with junk extensions before being renamed to their proper forms: Fondue.exe, APPWIZ.cpl, msvcp140.dll, and vcruntime140.dll.
The staging process also creates a scheduled task named GoogleErrorReport, configured to execute Fondue.exe every minute. Fondue.exe, a legitimate Microsoft component, then side-loads the malicious APPWIZ.cpl from the C:\Users\Public\ directory rather than a legitimate Windows system path. The side-loaded DLL exports the RunFODW function expected by Fondue.exe, serving as a loader that decrypts an AES-256-CBC-wrapped payload stored as editor.dat in C:\Windows\Tasks\. The decrypted payload contains a Donut shellcode loader, which itself embeds the final 32-bit native RAT and uses the Chaskey block cipher for payload protection. Donut then decrypts, maps, and executes the RAT entirely in memory.
The final RAT represents a significant evolution from earlier Dropping Elephant samples. It employs control-flow flattening, runtime API reconstruction, and static CRT linking to complicate static analysis. C2 communications are hardened through HTTPS transport with Salsa20-protected fields and additional environment checks. Despite these modifications, Rapid7's code-level comparison confirmed shared lineage with a reference Dropping Elephant RAT through command-handler structure, screenshot capture logic, WININET request flow, beaconing patterns, and repeated buffer constants.
Rapid7 emphasized that defenders should focus on behavioral detection rather than relying solely on IOCs. Key observable behaviors include a shortcut file spawning PowerShell, files staged in C:\Users\Public\, a scheduled task named GoogleErrorReport running every minute, and Fondue.exe loading APPWIZ.cpl from a non-standard directory. Because the final payload is loaded directly into memory via Donut, organizations should verify that their endpoint detection tools can identify memory-resident payloads and detect attempts to tamper with security controls such as AMSI, WLDP, and ETW within a process.
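A minimal behavioral check over those four observables, as an added example that is not part of the Rapid7 report; the simplified Sysmon-style event schema, field names and sample values are constructed assumptions, and the rule names are hypothetical.

```python
import ntpath

# Constructed Sysmon-style events (simplified schema: "id" 1 = process create,
# 7 = image load, 11 = file create). Paths and command lines are illustrative
# and are not taken from the report.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\conhost.exe",
     "cmdline": "powershell.exe -w hidden -nop -enc <constructed>"},
    {"id": 11, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "target": r"C:\Users\Public\Fondue.exe"},
    {"id": 1, "image": r"C:\Windows\System32\schtasks.exe",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "schtasks /create /tn GoogleErrorReport /sc minute /mo 1 /tr C:\\Users\\Public\\Fondue.exe"},
    {"id": 7, "image": r"C:\Users\Public\Fondue.exe", "loaded": r"C:\Users\Public\APPWIZ.cpl"},
    # Benign control: the real applet loaded from System32 must not fire the side-load rule.
    {"id": 7, "image": r"C:\Windows\System32\fondue.exe", "loaded": r"C:\Windows\System32\appwiz.cpl"},
]

SYSTEM_DIRS = (r"C:\Windows\System32", r"C:\Windows\SysWOW64")

def base(path):
    return ntpath.basename(path).lower()

def in_dir(path, directory):
    # Case-insensitive "is under this directory" test on normalized Windows paths.
    return ntpath.normpath(path).lower().startswith(ntpath.normpath(directory).lower() + "\\")

def check(event):
    """Return the names of the report's observable behaviors that one event matches."""
    hits, eid, img = [], event["id"], base(event["image"])
    if eid == 1 and img == "powershell.exe" and base(event["parent"]) == "conhost.exe":
        hits.append("powershell_spawned_via_conhost")
    if eid == 11 and img == "powershell.exe" and in_dir(event["target"], r"C:\Users\Public"):
        hits.append("staging_in_users_public")
    if eid == 1 and "googleerrorreport" in event["cmdline"].lower():
        hits.append("scheduled_task_googleerrorreport")
    if (eid == 7 and img == "fondue.exe" and base(event["loaded"]) == "appwiz.cpl"
            and not any(in_dir(event["loaded"], d) for d in SYSTEM_DIRS)):
        hits.append("fondue_sideloads_appwiz_outside_system_dir")
    return hits

def detect(events):
    """Run every event through the rules; return the distinct behaviors seen, in order."""
    seen = []
    for ev in events:
        for hit in check(ev):
            if hit not in seen:
                seen.append(hit)
    return seen
```

Seeing all four behaviors on one host within a short window is the high-confidence signal; any single rule alone is only a lead to triage.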
This campaign underscores the continued refinement of tradecraft by established threat actors. Dropping Elephant's adoption of fileless execution, DLL side-loading via a trusted Microsoft binary, and heavily obfuscated C2 communications highlights the need for memory-level visibility and proactive threat hunting. Rapid7 continues to monitor the infrastructure and techniques associated with this actor to provide updated intelligence and protection to customers.