India-Aligned Dropping Elephant Targets Pakistan Military R&D with Embedded Python Runtime Backdoor

India-aligned advanced persistent threat group Dropping Elephant, also tracked as Patchwork APT, Hangover Group, and APT-C-09, has launched a sophisticated multi-stage cyberattack targeting Pakistan's defense sector using a custom Python-based backdoor delivered through Microsoft's MSBuild development tool. The campaign demonstrates significant tactical evolution, combining living-off-the-land binaries with embedded Python runtime environments and marshalled bytecode payloads to evade traditional security controls while establishing persistent access to military research and development networks.

Attack Vector: Defense-Themed Phishing Lures

The operation begins with spear-phishing emails tailored specifically to Pakistan's defense and military ecosystem, targeting entities connected to the National Radio and Telecommunication Corporation (NRTC) and military procurement facilities. These emails deliver malicious ZIP archives containing an MSBuild project file functioning as the initial dropper alongside a decoy PDF document named "decmeMett.pdf" designed to appear as legitimate defense-related content.

Security researcher Idan Tarab identified this campaign through detailed analysis of the threat group's evolving infrastructure and techniques. The sophisticated approach demonstrates Dropping Elephant's continued investment in developing stealthy, tailored tooling for regional cyber-espionage operations.

Living-Off-the-Land: MSBuild Weaponization

Rather than deploying traditional executable malware, the attackers abuse MSBuild.exe, a legitimate Microsoft development utility, as a living-off-the-land binary (LOLBIN). When victims open the malicious project file, MSBuild executes embedded scripts functioning as the Stage-1 dropper, bypassing application whitelisting and endpoint protection solutions that trust Microsoft-signed system utilities.

The dropper employs sophisticated obfuscation throughout the infection chain, using dynamic API resolution and UTF-reverse encryption to reconstruct strings and evade static analysis. This technique allows threat actors to abuse trusted system processes for malicious purposes while significantly reducing detection likelihood by security products scanning for known malware signatures.

The Stage-1 component downloads multiple files to the Windows Tasks directory, including a renamed Python interpreter (pythonw.exe) and supporting runtime DLLs. After establishing persistence, the dropper opens the decoy PDF to reduce victim suspicion and deletes the original ZIP archive to eliminate forensic evidence.

Persistence: Scheduled Task Masquerading

The malware establishes persistence through Windows scheduled tasks configured with benign-sounding names designed to blend with legitimate system operations. The identified task names include KeyboardDrivers, MsEdgeDrivers, and MicrosoftEdgeUpdate2Network—all mimicking authentic Microsoft services that system administrators would typically ignore during routine security reviews.

These scheduled tasks execute pythonw.exe, the windowless Python interpreter, ensuring the backdoor operates silently in the background without displaying console windows that might alert security-conscious users to suspicious activity.

The Stealth Payload: Marshalled Python Bytecode

The operation's centerpiece involves deploying a complete embedded Python runtime to the victim's AppData directory, typically at C:\Users\\AppData\Local\PythonVersion3\. This self-contained environment includes pythonw.exe, multiple Python DLLs (python310.dll, python313.dll, python3.dll), and Microsoft Visual C++ runtime dependencies—everything required to execute Python code without requiring pre-existing Python installations on target systems.

The actual backdoor payload hides within a fake DLL file named python2_pycache_.dll. Despite its extension suggesting a standard Windows library, this file contains marshalled Python bytecode rather than legitimate compiled code. Marshalled bytecode represents serialized Python objects that can be directly loaded and executed by the Python interpreter, making traditional script-based detection and reverse engineering significantly more difficult.

The scheduled tasks execute commands similar to pythonw.exe python2_pycache_.dll, where a modified PyInstaller-style loader interprets the file and runs the hidden remote access trojan. This technique transforms what appears to be a legitimate library file into a fully functional espionage platform.
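For analysts handling a suspicious "DLL" like the one described above, the first question is whether the file is a real PE image or a marshalled Python code object wearing a .dll extension. The following is an added triage example, not code from the report or from the researcher's analysis: it classifies a blob by its header bytes, confirms a marshal candidate by deserialising it (which rebuilds the code object without executing it), and then walks the code object to pull out string constants and referenced names, which is where hard-coded hosts, imports and command names usually surface. The sample blobs are constructed here from a harmless snippet; the 16-byte .pyc header length is the CPython 3.7+ layout.

```python
import importlib.util
import marshal
import types
from typing import Set, Tuple

# Byte-level signatures used for triage. marshal tags a code object with 'c' (0x63) and
# sets the high bit (FLAG_REF, 0x80) when the object enters its reference table, so a
# marshalled code object starts with either 0x63 or 0xE3. A PE file always starts "MZ".
PE_MAGIC = b"MZ"
MARSHAL_TYPE_CODE = ord("c")
PYC_HEADER_LEN = 16  # CPython 3.7+: magic(4) + flags(4) + source mtime or hash(8)


def looks_like_marshalled_code(data: bytes) -> bool:
    """Cheap header check: does the blob begin with a marshal code-object tag?"""
    return len(data) > 1 and (data[0] & 0x7F) == MARSHAL_TYPE_CODE


def load_code_object(data: bytes):
    """Deserialise without executing: marshal.loads only rebuilds the code object.
    marshal is not hardened against malformed input, so run this on an isolated
    analysis host, never on the endpoint the sample came from."""
    try:
        obj = marshal.loads(data)
    except Exception:  # ValueError/EOFError on garbage, TypeError on version mismatch
        return None
    return obj if isinstance(obj, types.CodeType) else None


def classify_blob(data: bytes) -> str:
    """Return 'pe', 'pyc', 'marshalled_code' or 'unknown' for a file's raw bytes."""
    if data.startswith(PE_MAGIC):
        return "pe"  # a genuine DLL/EXE always carries the DOS stub
    # .pyc: 4-byte magic ending in '\r\n', 12 more header bytes, then the marshalled module
    if data[2:4] == b"\r\n" and looks_like_marshalled_code(data[PYC_HEADER_LEN:]):
        return "pyc"
    if looks_like_marshalled_code(data) and load_code_object(data) is not None:
        return "marshalled_code"
    return "unknown"


def extract_indicators(code: types.CodeType) -> Tuple[Set[str], Set[str]]:
    """Collect string constants and referenced names from a code object, recursing into
    nested function/class bodies stored in co_consts. Nothing is executed."""
    strings: Set[str] = set()
    names: Set[str] = set(code.co_names)
    for const in code.co_consts:
        if isinstance(const, str):
            strings.add(const)
        elif isinstance(const, types.CodeType):
            nested_strings, nested_names = extract_indicators(const)
            strings |= nested_strings
            names |= nested_names
    return strings, names


def build_samples():
    """Constructed test blobs, not real malware: a harmless code object marshalled the
    way a fake-DLL payload would be, the same body wrapped as a .pyc, a PE stub, text."""
    src = "HOST = 'c2.example'\nimport socket\ndef beacon():\n    return HOST\n"
    body = marshal.dumps(compile(src, "<constructed>", "exec"))
    return {
        "fake_dll": body,
        "pyc": importlib.util.MAGIC_NUMBER + b"\x00" * (PYC_HEADER_LEN - 4) + body,
        "pe_stub": b"MZ\x90\x00" + b"\x00" * 60,
        "text": b"not a python payload\n",
    }


SAMPLES = build_samples()

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        verdict = classify_blob(blob)
        print(f"{name:10s} -> {verdict}")
        if verdict == "marshalled_code":
            strings, names = extract_indicators(load_code_object(blob))
            print("  strings:", sorted(strings))
            print("  names:  ", sorted(names))
```

A marshalled code object is tied to the interpreter version that produced it, so a sample from a victim's embedded Python 3.10 or 3.13 runtime should be loaded with a matching interpreter; the header check still works across versions because the tag byte has not changed.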

Command-and-Control Infrastructure

Once active, the Python backdoor establishes communication with attacker-controlled infrastructure hosted at domains including nexnxky[.]info, upxvion[.]info, and soptr[.]info. The backdoor's modular architecture includes client, commands, remote_module, and base.py components, enabling comprehensive system control, data exfiltration, and lateral movement across compromised defense networks.

The identified code contains heavily obfuscated variable names and base64-encoded command structures, complicating manual analysis by incident response teams. The implementation suggests well-resourced operators with significant development capabilities.

Detection and Mitigation Recommendations

Organizations in the defense sector should implement enhanced monitoring for suspicious MSBuild.exe executions, particularly instances spawned by unexpected parent processes or executing code from unusual locations. Security teams should baseline normal scheduled task creation patterns and investigate new tasks with names mimicking legitimate Microsoft services.

Additionally, organizations should implement application allowlisting to prevent unauthorized Python interpreters from executing on endpoints, monitor for unusual Python runtime deployments in system directories, and detect outbound connections to newly registered or suspicious domains. Robust email security controls remain essential for blocking spear-phishing attempts containing malicious attachments before they reach end users.
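The recommendations above translate into a handful of concrete detection rules: MSBuild.exe with an unexpected parent or a project file in a user-writable path, a Python interpreter running from the Windows Tasks folder or AppData, a Python interpreter handed a .dll as its script, and scheduled tasks whose names borrow Microsoft vocabulary but point at untrusted binaries. The example below is added here and is not part of the report; it runs those rules over constructed Sysmon-style process-creation and task-registration records. The expected MSBuild parents, the "victim" user name and the project file name are assumptions and placeholders to be replaced with an organisation's own baseline.

```python
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class ProcessEvent:
    event_id: str
    image: str          # full path of the started process
    parent_image: str   # full path of the parent process
    command_line: str


@dataclass
class TaskEvent:
    event_id: str
    task_name: str
    action: str         # command the scheduled task runs


# Assumption: here MSBuild is only launched by Visual Studio or the dotnet CLI.
# Replace with the parents seen in your own baseline.
EXPECTED_MSBUILD_PARENTS = {"devenv.exe", "dotnet.exe", "msbuild.exe"}

# Paths a standard user can write to, including the Windows\Tasks folder the dropper
# stages into and the AppData location the embedded runtime is unpacked to.
USER_WRITABLE = re.compile(
    r"\\(?:Users\\[^\\]+\\(?:AppData|Downloads|Desktop)|Windows\\Tasks|Windows\\Temp|ProgramData)\\",
    re.IGNORECASE,
)
# Task names that borrow Microsoft/Edge/driver/update vocabulary, as KeyboardDrivers,
# MsEdgeDrivers and MicrosoftEdgeUpdate2Network do.
LOOKALIKE_TASK_NAME = re.compile(r"microsoft|msedge|edge|drivers?|update", re.IGNORECASE)
# Genuine vendor tasks point at binaries under Program Files or System32.
TRUSTED_ACTION_PATH = re.compile(
    r'^"?[A-Z]:\\(?:Program Files(?: \(x86\))?|Windows\\System32)\\', re.IGNORECASE
)
PYTHON_IMAGES = {"python.exe", "pythonw.exe"}


def basename(path: str) -> str:
    return path.replace('"', "").rsplit("\\", 1)[-1].lower()


def check_process(ev: ProcessEvent) -> List[str]:
    findings = []
    image, parent = basename(ev.image), basename(ev.parent_image)
    if image == "msbuild.exe":
        if parent not in EXPECTED_MSBUILD_PARENTS:
            findings.append(f"msbuild.exe spawned by unexpected parent {parent}")
        if USER_WRITABLE.search(ev.command_line):
            findings.append("msbuild.exe given a project file from a user-writable path")
    if image in PYTHON_IMAGES:
        if USER_WRITABLE.search(ev.image):
            findings.append("python interpreter running from a user-writable directory")
        if re.search(r"\.dll(?:\s|$)", ev.command_line, re.IGNORECASE):
            findings.append("python interpreter passed a .dll as its script argument")
    return findings


def check_task(ev: TaskEvent) -> List[str]:
    findings = []
    if LOOKALIKE_TASK_NAME.search(ev.task_name) and not TRUSTED_ACTION_PATH.match(ev.action):
        findings.append(f"task {ev.task_name} mimics a Microsoft name but runs an untrusted path")
    if basename(ev.action.split(" ")[0]) in PYTHON_IMAGES:
        findings.append(f"task {ev.task_name} launches a Python interpreter")
    return findings


def run_detections(processes: List[ProcessEvent], tasks: List[TaskEvent]) -> Dict[str, List[str]]:
    results: Dict[str, List[str]] = {}
    for p in processes:
        results[p.event_id] = check_process(p)
    for t in tasks:
        results[t.event_id] = check_task(t)
    return results


# Constructed sample telemetry; "victim" and the project file name are placeholders.
SAMPLE_PROCESSES = [
    ProcessEvent("p1", r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
                 r"C:\Windows\explorer.exe",
                 r'MSBuild.exe "C:\Users\victim\Downloads\tender_notice.proj"'),
    ProcessEvent("p2", r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
                 r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
                 r'MSBuild.exe "C:\src\app\app.csproj"'),
    ProcessEvent("p3", r"C:\Users\victim\AppData\Local\PythonVersion3\pythonw.exe",
                 r"C:\Windows\System32\svchost.exe",
                 r"pythonw.exe python2_pycache_.dll"),
    ProcessEvent("p4", r"C:\Program Files\Python311\python.exe",
                 r"C:\Windows\System32\cmd.exe",
                 r"python.exe build_report.py"),
]
SAMPLE_TASKS = [
    TaskEvent("t1", "KeyboardDrivers",
              r"C:\Users\victim\AppData\Local\PythonVersion3\pythonw.exe python2_pycache_.dll"),
    TaskEvent("t2", "MicrosoftEdgeUpdateTaskMachineCore",
              r'"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /c'),
]

if __name__ == "__main__":
    for event_id, findings in run_detections(SAMPLE_PROCESSES, SAMPLE_TASKS).items():
        print(event_id, "->", findings or "clean")
```

The parent-process and path rules are deliberately separate so that a legitimate developer build (p2) stays clean while a build launched from Explorer against a downloaded project file (p1) trips two rules at once; tune the lookalike vocabulary and trusted-path list against your own scheduled-task inventory before alerting on task names alone.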