Operation Sea Elephant: The Dying Walrus Wandering the Indian Ocean

April 10, 2025, 8:12 p.m.

Description

The CNC group, which has South Asian origins, has been targeting domestic teachers, students, and research institutions. Its operation, named 'Sea Elephant', aims to spy on scientific research achievements in the ocean field. The group employs various tactics, including spear-phishing emails, exploitation of IM software, and customized plug-ins. Its malware includes remote command execution backdoors, USB flash drive propagation tools, keyloggers, and file stealers. The attackers use GitHub APIs and steganographic techniques to avoid detection. The operation's focus on ocean-related research suggests a nation's determination to dominate the Indian Ocean region. Additionally, a related campaign, UTG-Q-011, targets areas such as laser science and aerospace.

Attack Patterns

  • CacheStore.exe
  • aliyun_updater64.exe
  • tericerit.exe
  • filecoauthx86.exe
  • sogou_pinyinupdater.exe
  • srclogsys.exe
  • YoudaoGui.exe
  • windowsfilters.exe
  • konlinesetupupdate_xa.exe
  • mscleanup64.exe
  • HuaweiHiSuiteService64.exe
  • windowassistance.exe
  • qaxreporter.exe
  • CNC

Additional Information

  • Education
  • Government
  • British Indian Ocean Territory
  • India