ModifiedElephant
ModifiedElephant is a threat actor tracked by SentinelLabs that has operated since at least 2012 and was still active at the time of SentinelLabs' February 2022 report. SentinelLabs attributed roughly a decade of targeted activity to the group, primarily against human rights activists, human rights defenders, academics, journalists, and lawyers across India. The reported objective was long-term surveillance and, in some cases, planting incriminating digital evidence on victim systems. SentinelLabs linked the actor to targeted attacks associated with the Bhima Koregaon case and assessed that its activity aligns sharply with Indian state interests, while stopping short of definitive attribution.

ModifiedElephant relied primarily on spearphishing emails sent from free webmail providers such as Gmail and Yahoo, often targeting the same individuals repeatedly over extended periods. Delivery methods included malicious attachments and externally hosted files, with lures themed around activism, climate change, politics, and public service. Earlier activity used executable attachments with fake double extensions; the actor later shifted to less obvious file types including .doc, .pps, .docx, .rar, and password-protected .rar archives. Reported exploit use included CVE-2012-0158, CVE-2014-1761, CVE-2013-3906, and CVE-2015-1641, all long-patched Microsoft Office vulnerabilities, so the lure documents depended on targets running unpatched Office installs.

The primary malware families associated with ModifiedElephant were the commodity RATs NetWire and DarkComet. The actor also used Visual Basic keyloggers and, in some campaigns, an unidentified Android commodity trojan delivered as an APK alongside NetWire payloads. SentinelLabs reported that the group often used new malware samples for individual infection attempts, though some payloads were reused across targets, so hash-based indicators alone are a weak detection basis for this actor.

A forensic report cited by SentinelLabs found that the file "Ltr_1804_to_cc.pdf" was delivered via a NetWire remote session associated with the actor, and SentinelLabs observed nearly identical evidence creation and organization across multiple unrelated victim systems within a short time window. Reported overlaps include shared infrastructure with Operation Hangover via new-agency[.]us, and some victims were also targeted by other surveillance clusters, including SideWinder phishing and NSO Group Pegasus.
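As an added example (not SentinelLabs' or Mallory's code), the following Python sketch turns the lure tradecraft described above into mail-gateway triage heuristics: a free-webmail sender, a fake double extension hiding an executable, Office/RTF document types of the kind that carried the listed CVE exploits, and a password-protected RAR archive detected from the RAR 4.x main-header flag. The file-type lists, scoring weights, provider list, sample messages and the RAR stub bytes are constructed assumptions for illustration, not values taken from the reporting.

```python
"""Attachment triage heuristics modelled on the ModifiedElephant lure
tradecraft. Constructed example; not SentinelLabs' or Mallory's code.
All lists and weights below are assumptions chosen for illustration."""
from __future__ import annotations

import struct
from dataclasses import dataclass

# Outer extensions Windows will execute on double-click (assumed list).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "vbs", "js", "msi"}
# Inner "decoy" extensions used to disguise an executable, e.g. "Invite.pdf.exe".
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "ppt", "pps", "txt", "jpg", "png"}
# Office/RTF formats the actor shifted to; the CVEs on this page are all
# Office document exploit vectors, so these warrant sandbox detonation.
OFFICE_EXTS = {"doc", "docx", "rtf", "pps", "ppt", "pptx", "xls", "xlsx"}
ARCHIVE_EXTS = {"rar", "zip", "7z"}
# Free webmail providers; Gmail and Yahoo are named in the reporting,
# the rest of the list is an assumption.
FREE_WEBMAIL = {"gmail.com", "yahoo.com", "yahoo.co.in", "hotmail.com", "outlook.com"}
# Assumed weights for this example only.
WEIGHTS = {"free_webmail_sender": 1, "executable_attachment": 3,
           "fake_double_extension": 3, "office_document": 2,
           "archive": 1, "password_protected_archive": 3}

RAR4_SIGNATURE = b"Rar!\x1a\x07\x00"
MHD_PASSWORD = 0x0080  # RAR 4.x main-header flag: archive headers are encrypted


@dataclass
class Attachment:
    name: str
    data: bytes = b""  # leading bytes of the file, if the gateway has them


def extensions(name: str) -> list[str]:
    """All dotted suffixes, lower-cased: 'a.pdf.exe' -> ['pdf', 'exe']."""
    return name.lower().split(".")[1:]


def rar4_headers_encrypted(data: bytes) -> bool:
    """True if data is a RAR 4.x archive whose main header sets MHD_PASSWORD.
    Per-file encryption (LHD_PASSWORD) and RAR5 archives are not parsed here."""
    if not data.startswith(RAR4_SIGNATURE) or len(data) < len(RAR4_SIGNATURE) + 7:
        return False
    # Main header layout: HEAD_CRC(2) HEAD_TYPE(1) HEAD_FLAGS(2) HEAD_SIZE(2) ...
    _crc, head_type, flags, _size = struct.unpack_from("<HBHH", data, len(RAR4_SIGNATURE))
    return head_type == 0x73 and bool(flags & MHD_PASSWORD)


def triage_attachment(att: Attachment) -> list[str]:
    """Return the heuristic findings for one attachment."""
    exts = extensions(att.name)
    if not exts:
        return []
    findings: list[str] = []
    outer = exts[-1]
    if outer in EXECUTABLE_EXTS:
        findings.append("executable_attachment")
        if len(exts) >= 2 and exts[-2] in DECOY_EXTS:
            findings.append("fake_double_extension")
    elif outer in OFFICE_EXTS:
        findings.append("office_document")
    elif outer in ARCHIVE_EXTS:
        findings.append("archive")
        if outer == "rar" and rar4_headers_encrypted(att.data):
            findings.append("password_protected_archive")
    return findings


def triage_message(sender: str, attachments: list[Attachment]) -> dict:
    """Score one message; returns findings, score and a coarse verdict."""
    findings: list[str] = []
    domain = sender.rsplit("@", 1)[-1].lower()
    if domain in FREE_WEBMAIL:
        findings.append("free_webmail_sender")
    for att in attachments:
        findings.extend(triage_attachment(att))
    score = sum(WEIGHTS[f] for f in findings)
    verdict = "high" if score >= 5 else "medium" if score >= 3 else "low"
    return {"findings": findings, "score": score, "verdict": verdict}


# Constructed RAR 4.x stub: signature + 13-byte main header with MHD_PASSWORD set.
# HEAD_CRC is left zero; the check above does not validate it.
ENCRYPTED_RAR4_STUB = RAR4_SIGNATURE + struct.pack("<HBHH", 0, 0x73, MHD_PASSWORD, 13) + b"\x00" * 6

if __name__ == "__main__":
    # Constructed sample messages in the style the page describes.
    samples = [
        ("activist.invite@gmail.com", [Attachment("Conference_Invitation.pdf.exe")]),
        ("climate.forum@yahoo.com", [Attachment("Agenda.docx")]),
        ("press.desk@yahoo.com", [Attachment("Photos.rar", ENCRYPTED_RAR4_STUB)]),
        ("colleague@university.example", [Attachment("Minutes.docx")]),
    ]
    for sender, atts in samples:
        print(sender, triage_message(sender, atts))
```

Filename heuristics only decide what gets detonated or quarantined; they say nothing about whether a .docx actually carries one of the listed exploits, which needs sandboxing or a parser. The RAR check covers only the RAR 4.x encrypted-headers case; archives with per-file encryption or in RAR5 format pass through it unflagged, which is why the `archive` finding still scores on its own.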
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Who they target
Sectors the actor has been observed targeting.
- Academia & Research
- Non-Governmental Organizations
Where they target
Geographies tied to known operations.
- 🇮🇳 India
Tradecraft
12 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
2 malware families attributed to this actor across reporting: the commodity RATs NetWire and DarkComet.
Associated vulnerabilities
4 CVEs this actor has used in observed campaigns, all four known to be exploited in the wild.
Observed lure documents repeatedly made use of CVE-2012-0158, CVE-2014-1761, CVE-2013-3906, CVE-2015-1641 exploits to drop and execute their malware of choice.
Observables
5 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
3 sources tracked across advisories, community write-ups, and news.
- Conducts targeted attacks against civil society and legal/academic individuals in India, with the objective of planting incriminating digital evidence; active since at least 2012.
- Conducts long-term surveillance and spearphishing campaigns against activists, human rights defenders, journalists, academics, and lawyers in India, using commodity RATs and keyloggers to compromise systems and plant incriminating digital evidence prior to arrests.
- Referenced as a separate APT that later targeted an Indian individual also seen in Appin-related activity; no further detail is provided in that source.